Summary:

Any user that can submit Condor jobs on the host running the Gratia Condor probe can execute arbitrary code as the root user.
Access Required:
local ordinary user with Condor submission privilege

The vulnerability requires local access to the machine with the ability to submit Condor jobs.
Effort Required:
low

Exploiting this vulnerability requires only that the attacker submit a Condor job whose submit file sets a job attribute to a crafted value.
Impact/Consequences:
high

The impact of this vulnerability is that the attacker gains root access to the host.
Full Details:

The Condor architecture allows a user to specify attributes such as
An example Condor submit file exploiting the
The Condor history log for the sample job looks like
The Condor probe retrieves the attributes from the Condor logs.
The corresponding code executed by the Condor probe is as shown below.
The generated Python code executes
Cause:
Code injection

This vulnerability is caused by the Gratia Condor probe's failure to validate job attribute values before inserting them into a generated Python script that it then runs with root privileges. An attacker who controls an attribute value can therefore inject arbitrary Python code into the script and have it run as root.
Proposed Fix:

One possible fix is to validate the sanity of the job attributes. Attributes that are supposed to be numeric values should be checked to be numeric before use. Similarly, attributes expected to be string values should be escaped according to Python's string-literal rules before being inserted into the Python script. An example Perl function to perform the quoting is shown here:

Another possible fix is to disallow the use of quote characters in attribute values. Although this is relatively easy to implement, it is unnecessarily restrictive and hence is not recommended.

Privileges should be dropped before executing the generated Python code, as a preventative measure that limits the damage an attacker can do if code is injected through some remaining flaw.

One could also argue that Condor should prohibit users from specifying Condor-inserted attributes, either by placing these in a separate namespace that users cannot modify or by using a list of protected attribute names. This would prevent an attacker from injecting malicious strings through job attributes that are normally created by Condor.

In general, it is bad programming practice to generate code on the fly and execute it. Such a practice makes it easier for an attacker to inject and execute arbitrary code if there is a flaw in the way the code is generated. Instead of having the Gratia Condor probe encode the data from the Condor system as Python code, it should encode the data as a sanitized data file that is processed by a program that reads the contents of this file and inserts the data into Gratia.
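The following added Python example (not the probe's own code, which is a Perl script that emits Python) models the generate-then-exec pattern described under Full Details and the validate-or-quote fix proposed above. The attribute schema, the UsageRecord stand-in, the sample job records and the injected payloads are constructed for illustration; quote_for_python is a Python rendering of what a quoting routine on the Perl side must do.

```python
"""Model of the Gratia Condor probe's generate-then-exec pattern.

The real probe is a Perl script that reads job attributes from the Condor
history log, writes a Python script around them and runs that script as
root.  This is an added Python model of the same pattern, not the probe's
own code: one generator splices attribute values straight into Python
source (the flaw described above), the other validates numeric attributes
and quotes string attributes with Python's escaping rules.  Attribute names,
sample records and the UsageRecord class are constructed for illustration.
"""
import ast
import re

# Constructed sample record: attribute name -> raw value as the probe would
# read it from the history log (ClassAd strings shown without their quotes).
BENIGN_JOB = {"ClusterId": "1234", "Owner": "alice", "RemoteWallClockTime": "3600.0"}

# Constructed attacker-controlled string attribute: it closes the literal
# the generator opened and appends statements of its own.
STRING_PAYLOAD = "alice'); ATTACK.append('ran as root'); r.set('x', '"
MALICIOUS_STRING_JOB = dict(BENIGN_JOB, Owner=STRING_PAYLOAD)

# Constructed attacker-controlled "numeric" attribute, spliced in unquoted.
NUMERIC_PAYLOAD = "1235); ATTACK.append('via numeric attr'); r.set('y', 0"
MALICIOUS_NUMERIC_JOB = dict(BENIGN_JOB, ClusterId=NUMERIC_PAYLOAD)

NUMERIC_ATTRS = {"ClusterId", "RemoteWallClockTime"}   # assumed schema
NUMERIC_RE = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")
NAME_RE = re.compile(r"[A-Za-z_]\w*")


class UsageRecord:
    """Stand-in for the Gratia record object the generated script fills."""
    def __init__(self):
        self.attrs = {}

    def set(self, name, value):
        self.attrs[name] = value


def generate_vulnerable(job):
    """Build the script the way the flawed probe does: raw interpolation."""
    lines = ["r = UsageRecord()"]
    for name, value in job.items():
        if name in NUMERIC_ATTRS:
            lines.append(f"r.set('{name}', {value})")
        else:
            lines.append(f"r.set('{name}', '{value}')")
    return "\n".join(lines)


def quote_for_python(value):
    """Return a single-quoted Python literal that evaluates back to `value`.

    Escape the backslash first, then the quote character, the line
    terminators and NUL, which the Python tokenizer would otherwise
    interpret.  Mirrors what a quoting routine in the Perl probe must do.
    """
    escaped = (value.replace("\\", "\\\\")
                    .replace("'", "\\'")
                    .replace("\n", "\\n")
                    .replace("\r", "\\r")
                    .replace("\x00", "\\x00"))
    return "'" + escaped + "'"


def quoting_roundtrips(value):
    """True if parsing the quoted literal yields the original string."""
    return ast.literal_eval(quote_for_python(value)) == value


def generate_hardened(job):
    """Same script shape, but every value is validated or quoted first."""
    lines = ["r = UsageRecord()"]
    for name, value in job.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"bad attribute name {name!r}")
        if name in NUMERIC_ATTRS:
            if not NUMERIC_RE.fullmatch(value):
                raise ValueError(f"attribute {name} is not numeric: {value!r}")
            lines.append(f"r.set({quote_for_python(name)}, {value})")
        else:
            lines.append(f"r.set({quote_for_python(name)}, {quote_for_python(value)})")
    return "\n".join(lines)


def run_generated(script):
    """Execute a generated script as the probe would; ATTACK collects any
    statement an attacker managed to smuggle into it."""
    attack_log = []
    namespace = {"UsageRecord": UsageRecord, "ATTACK": attack_log}
    exec(script, namespace)
    return namespace["r"].attrs, attack_log


def hardened_rejects(job):
    """True if the hardened generator refuses the record outright."""
    try:
        generate_hardened(job)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_generated(generate_vulnerable(MALICIOUS_STRING_JOB)))
    print(run_generated(generate_hardened(MALICIOUS_STRING_JOB)))
    print(hardened_rejects(MALICIOUS_NUMERIC_JOB))
```

Running the vulnerable generator on either malicious record executes the attacker's statements; the hardened generator rejects the non-numeric ClusterId and stores the quoted Owner string verbatim. Note that the hardened version still executes generated code, which is why the page also recommends dropping privileges before the exec and, better, replacing code generation with a sanitized data file.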
Actual Fix:

Subroutines were added to the
Acknowledgment:

This research was funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL).