Current time: 12-19-2018, 08:05 PM Hello There, Guest! (LoginRegister)


Post Reply 
Critical security issue
Author Message
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #1
Critical security issue
Backup engine can be used to upload a symlink to an arbitrary file. Of course, that file must be accessible and readable for vuxxxx user resulting a minor issue.
Ex:
download last available backup
unpack
create in htdocs a simlink to /etc/passwd
upload in backup folder
call http://site.tld/symlink_name and you will get passwd.

PS. My trac account is unusable that’s why I use forum.
(This post was last modified: 08-29-2010 10:58 PM by sci2tech.)
08-29-2010 08:35 PM
Visit this user's website Find all posts by this user Quote this message in a reply
gOOvER Offline
Banned

Posts: 3,564
Joined: Jul 2007
Post: #2
RE: Minor security issue
(08-29-2010 08:35 PM)sci2tech Wrote:  PS. My trac account is unusable that’s why I use forum.

Did you activate your account?? Maybe thats the problem. Elso write malte a PM, that he can fix your account.

I will open a Ticket for you Smile
Open a Ticket: http://isp-control.net/ispcp/ticket/2440
(This post was last modified: 08-29-2010 09:00 PM by gOOvER.)
08-29-2010 08:59 PM
Visit this user's website Find all posts by this user Quote this message in a reply
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #3
RE: Minor security issue
Please upgrade as critical and advise everybody to disable backup on all costumers. It is not a minor issue, it`s a BIGGG security whole because I was able to obtain total control to server. I`ll not provide yet a how to for obvious reason.
To disable backup you need to modify in ispcp-dmn-mngr line:
Code:
sub dmn_restore_data {

in

Code:
sub dmn_restore_data {
return 0;

because just setting backup to no wont prevent engine to restore a crafted backup
(This post was last modified: 08-29-2010 11:18 PM by sci2tech.)
08-29-2010 10:58 PM
Visit this user's website Find all posts by this user Quote this message in a reply
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #4
RE: Critical security issue
Indeed you need to make read only the backup folder but also change ownership of backup folder and to contained archives, and make them too read only.
Sorry to respond here not in trac Smile but I can`t do that.
08-30-2010 01:17 AM
Visit this user's website Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #5
RE: Critical security issue
There are 2 ways to handle this issue:

1. Deal with the untarring and (fixed) permission handling in an inaccessible directory, mv the properly checked result to the user folder
2. Implement backup signing (we can easily implement a signature file which is calculated by encrypting the md5 hash of the archive file).

I'm strong in favour of the 2nd option, but open to your opinions...
08-30-2010 01:23 AM
Visit this user's website Find all posts by this user Quote this message in a reply
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #6
RE: Critical security issue
A quick fix, that leave backup functional and prevent issue (diff against current trunk):
Code:
Index: ispcp-backup-all
===================================================================
--- ispcp-backup-all    (revision 3238)
+++ ispcp-backup-all    (working copy)
@@ -190,10 +190,10 @@
            return $rs;
        }

-        $rs = setfmode("$db_backup_file", $domain_uid, $domain_gid, 0660);
+        $rs = setfmode("$db_backup_file", 0, 0, 0444);
        if( $rs != 0 ){
-            push_el(\@main::el, 'backup_sql()', "Domain $dmn_name: ERROR: Can not chmod 0660 uid: $domain_uid gid: $domain_gid file $db_backup_file!");
-            send_error_mail('backup_sql()', "Domain $dmn_name: ERROR: Can not chmod 0660 uid: $domain_uid gid: $domain_gid file $db_backup_file!");
+            push_el(\@main::el, 'backup_sql()', "Domain $dmn_name: ERROR: Can not chmod 0444 uid: 0 gid: 0 file $db_backup_file!");
+            send_error_mail('backup_sql()', "Domain $dmn_name: ERROR: Can not chmod 0444 uid: 0 gid: 0 file $db_backup_file!");
            unlink($db_backup_file);
            return $rs;
        }
@@ -273,10 +273,17 @@
            #

            if (! -d $dmn_backup_dir) {
-                $rs = make_dir($dmn_backup_dir, $domain_uid, $domain_gid, 0770);
+                $rs = make_dir($dmn_backup_dir, 0 ,0, 0555);
                return $rs if ($rs != 0);
            }

+            #todo test mode and adjust only if necessary
+            $rs = setfmode($dmn_backup_dir, 0, 0, 0555);
+            if ($rs != 0){
+                push_el(\@main::el, 'backup_all_engine()', "Domain $dmn_name: Error while changing mode to 0555 uid: 0: 0 for $dmn_backup_dir!");
+                send_error_mail('backup_all_engine()', "Domain $dmn_name: Error while changing mode to 0555 uid: 0 gid: 0 for $dmn_backup_dir!");
+            }
+
            if ($zip =~ '^(bzip2|gzip|lzma|xz)$') {
                my $extension = undef;

@@ -321,10 +328,10 @@
                        send_error_mail('backup_all_engine()', "Domain $dmn_name: Error while executing $cmd_mv -f $www_dir/$backup_filename $dmn_backup_dir!");
                    }

-                    $rs = setfmode("$dmn_backup_dir/$backup_filename", $domain_uid, $domain_gid, 0660);
+                    $rs = setfmode("$dmn_backup_dir/$backup_filename", 0, 0, 0444);
                    if ($rs != 0){
-                        push_el(\@main::el, 'backup_all_engine()', "Domain $dmn_name: Error while changing mode to 0660 uid: $domain_uid gid: $domain_gid for $dmn_backup_dir/$backup_filename!");
-                        send_error_mail('backup_all_engine()', "Domain $dmn_name: Error while changing mode to 0660 uid: $domain_uid gid: $domain_gid for $dmn_backup_dir/$backup_filename!");
+                        push_el(\@main::el, 'backup_all_engine()', "Domain $dmn_name: Error while changing mode to 0444 uid: 0 gid: 0 for $dmn_backup_dir/$backup_filename!");
+                        send_error_mail('backup_all_engine()', "Domain $dmn_name: Error while changing mode to 0444 uid: 0 gid: 0 for $dmn_backup_dir/$backup_filename!");
                    }

                } else { # some error occurred
(This post was last modified: 08-30-2010 01:50 AM by sci2tech.)
08-30-2010 01:35 AM
Visit this user's website Find all posts by this user Quote this message in a reply
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #7
RE: Critical security issue
In addition you need to also patch ispcp_dmn_mngr:
Code:
Index: ispcp-dmn-mngr
===================================================================
--- ispcp-dmn-mngr    (revision 3238)
+++ ispcp-dmn-mngr    (working copy)
@@ -1605,7 +1605,7 @@
    $rs = make_dir("$www_dir/$dmn_name/phptmp", $sys_user, $httpd_gid, 0770);
    return $rs if ($rs != 0);

-    $rs = make_dir("$www_dir/$dmn_name/backups", $sys_user, $httpd_gid, 0770);
+    $rs = make_dir("$www_dir/$dmn_name/backups", 0, 0, 0555);
    return $rs if ($rs != 0);

    $rs = make_dir("$www_dir/$dmn_name/errors", $sys_user, $sys_group, 0775);
@@ -1914,7 +1914,7 @@
    }

    if(! -d "$www_dir/$dmn_name/backups") {
-        $rs = make_dir("$www_dir/$dmn_name/backups", $sys_user, $httpd_gid, 0770);
+        $rs = make_dir("$www_dir/$dmn_name/backups", 0, 0, 0555);
        return $rs if ($rs != 0);
    }
08-30-2010 03:55 AM
Visit this user's website Find all posts by this user Quote this message in a reply
iwik Offline


Posts: 2
Joined: Aug 2010
Reputation: 0
Post: #8
RE: Critical security issue
I don't think that making users backups to be readable by each other (everyone) is good idea.

(08-30-2010 01:35 AM)sci2tech Wrote:  A quick fix, that leave backup functional and prevent issue (diff against current trunk):
Code:
-                    $rs = setfmode("$dmn_backup_dir/$backup_filename", $domain_uid, $domain_gid, 0660);
+                    $rs = setfmode("$dmn_backup_dir/$backup_filename", 0, 0, 0444);
08-30-2010 05:33 PM
Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #9
RE: Critical security issue
Quote:I don't think that making users backups to be readable by each other (everyone) is good idea.
There's no problem with that because user's folders are only accessible by them and the webserver (apache) user. Also notice that we use suexec so both cgi's/php's are executed as the website user, not the apache user.
08-30-2010 06:44 PM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,034
Joined: Jan 2007
Reputation: 92
Post: #10
RE: Critical security issue
I move this to the other section (security issues)
hm, maybe better in the internal area?
(This post was last modified: 08-30-2010 07:04 PM by joximu.)
08-30-2010 07:01 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)