SecurityTracker.com
Category:   Application (Generic)  >   Platform LSF
Vendors:   Platform Computing Inc.
Platform LSF 'eauth' Buffer Overflow Lets Local and Remote Cluster Users Gain Root Privileges
SecurityTracker Alert ID:  1009178
SecurityTracker URL:  http://securitytracker.com/id/1009178
CVE Reference:   CVE-2004-0317
Updated:  Mar 23 2004
Original Entry Date:  Feb 23 2004
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.x, 5.x, 6.x
Description:   A vulnerability was reported in Platform Load Sharing Facility (LSF) in the 'eauth' component. A local or remote user can gain root access.

Tomasz Grabowski reported that a local user can invoke eauth in '-s' mode and supply specially crafted data strings to cause arbitrary code to be executed on the target system. The 'eauth' binary is configured with set user id (setuid) root privileges, so code will run with root privileges, the report said.

It is also reported that 'eauth -s' is used by the 'mbatchd' daemon and other daemons, so a user on a host within an LSF cluster can trigger the flaw on another host within the same LSF cluster.

The vendor was reportedly notified on October 26, 2003.

Impact:   A local user can execute arbitrary code on the target system with root privileges.

A user on a host within an LSF cluster can execute arbitrary code on a remote target system within the same LSF cluster.

Solution:   According to the report, a patch is available from the vendor at:

FTP: ftp.platform.com
Path: patches/<version>/os/<os>/eauth*
Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z

The vendor reportedly issued an advisory on February 9, 2004 under Knowledge Base Article KB1-5RZI1.
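
Because the fix consists of replacing the 'eauth' binary on every platform in the cluster, it helps to list each copy present on a host and whether it is still setuid root. The script below is an added example, not part of the advisory or any vendor tooling; the install root passed as an argument is an assumption about the local layout, and `sha256sum` is assumed to be available. The checksum column is there so each copy can be compared with the file obtained from the vendor.

```shell
#!/bin/sh
# Added example: inventory 'eauth' binaries under an LSF install tree.
# Usage: sh audit_eauth.sh /path/to/lsf   (the path is site-specific)

# audit_eauth ROOT
# Prints one tab-separated line per regular file named "eauth" under ROOT:
#   <state> <sha256> <path>
# where state is:
#   setuid-root  setuid bit set and owned by uid 0 (the case in the advisory)
#   setuid       setuid bit set, owned by another uid
#   plain        no setuid bit
audit_eauth() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_eauth: not a directory: $root" >&2
        return 2
    fi
    find "$root" -type f -name eauth 2>/dev/null | sort |
    while IFS= read -r f; do
        # find's own tests are used instead of stat, whose flags differ
        # between GNU and BSD systems.
        if [ -n "$(find "$f" -perm -4000 -user 0 2>/dev/null)" ]; then
            state=setuid-root
        elif [ -n "$(find "$f" -perm -4000 2>/dev/null)" ]; then
            state=setuid
        else
            state=plain
        fi
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$state" "$sum" "$f"
    done
}

# Run only when an install root is given on the command line.
if [ $# -gt 0 ]; then
    audit_eauth "$1"
fi
```

Two hosts of the same platform and LSF version should report the same checksum once the patched binary has been installed on both.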

Vendor URL:  www.platform.com/products/LSFfamily/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Lam3rZ Security Advisory #1/2004: LSF eauth vulnerability leads to



                 Lam3rZ Security Advisory #1/2004

                           23 Feb 2004

               Remote (within a cluster) root in LSF


Name:             Load Sharing Facility versions 4.x, 5.x, 6.x
Severity:         High
Vendor URL:       http://www.platform.com
Author:           Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified:  26 Oct 2003
Vendor confirmed: 27 Oct 2003
Vendor advisory:   9 Feb 2004


Impact:
-------

"eauth" is the component within LSF which controls authentication. Specific
input data strings can be constructed and can cause failure of the eauth
binary, leading to the code execution under root privileges. This security
risk is contained to "local cluster". This means that it can be exploited
remotely (from one host to another) but only between hosts within the LSF
cluster.



Description:
------------

Tests show that it is possible to cause SIGSEGV on eauth.
The bug is in 'eauth -s' mode.

This is how you can reproduce the bug:
$ eauth -s                                      [press Enter]
1006 1006 eKlempa 192.168.10.106 4110 20 user   [press Enter]
LSF_From_PC AAAAAAAAAAAAAAAAAAAA                [press Enter]
Segmentation fault (core dumped)


This bug is exploitable (i.e. attacker can change program execution flow
and point it to code of her choice, effectively gaining root access
privilege). As everyone can execute 'eauth' and it is setuid==root,
attacker can locally gain root privileges by exploiting it. Moreover,
while 'eauth -s' is used by daemons like 'mbatchd' to authorize clients,
it is possible to exploit this vulnerability on remote host within a
cluster.


How to patch:
-------------

This problem has been directly addressed in a security patch released for
LSF. The fix is contained to the "eauth" binary which will need to be
replaced for each platform used in the cluster. The patch can be
downloaded from Platform FTP site.

FTP: ftp.platform.com
Path: patches/<version>/os/<os>/eauth*
Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z

If the OS or version is not currently available, it can be built on
demand. Please contact Platform Technical Support if you have any
questions or concerns.
Phone: 1-877-444-4573
Email: support@platform.com



References:
-----------

This bug was confirmed in Platform's official security advisory dated
9 Feb 2004. It is accessible directly from Platform as Knowledge Base
Article KB1-5RZI1.


--
Tomasz Grabowski
Technical University of Szczecin,           +48 (91)4494234
Academic Centre of Computer Science     www.man.szczecin.pl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 

