CONDOR-2008-0001


Summary:

 

It is possible for a user that can submit jobs to a condor_schedd to modify arbitrary attributes of the job, including attributes an ordinary user should not be able to modify. For instance, a user can change the owner of their job to run as any non-root user.


Component Vulnerable Versions Platform Availability Fix Available
condor_schedd 6.8.0 - 6.8.8
7.0.0 - 7.0.4
7.1.0 - 7.1.2
all not known to be publicly exploited 6.8.9
7.0.5
7.1.3
Status Access Required Host Type Required Effort Required Impact/Consequences
Verified local ordinary user with a condor authorization submission host low high
Fixed Date Credit
2008-Oct-07 Greg Thain

Access Required:

local ordinary user with a condor authorization

This vulnerability requires local access on a machine where the user has write authorization to the condor_schedd (i.e., a host and account where the user can submit a job).

Effort Required:

low

The use of ordinary condor command line tools is all that is required to exploit this vulnerability.

Impact/Consequences:

high

The attacker can run arbitrary code as a non-root user on the execute host or submission host depending on the job type. This can allow attacks on other users accounts or system resources.

Full Details:

 

There is a list of sensitive job attributes that an ordinary user is not allowed to modify to ensure the security of the system. These include the "owner" attribute. When a job is submitted, its attributes are checked and a sensitive attribute is not allowed to be set.

The user can also use condor_qedit to change attributes of a job. When this tool is used, the attribute and value are passed to condor_schedd as separate values and the attribute name from the user is checked to verify that it is not a sensitive attribute by comparing the user supplied name against a list. Unfortunately an attacker can surround the the attribute name with whitespace and the attribute will not test as being a sensitive attribute. Later code then removes whitespace from the attribute name and inserts it into the job ad. The following will change the owner of job 1.0 to the "condor" user:


        condor_qedit 1.0 ' owner' '"condor"'
  

Cause:

injection
failure to validate input

The attribute name supplied from condor_qedit to the condor_schedd was not validated to prevent illegal characters in the name, nor was the name transformed into a canonical form so the attribute name used in the test is the same name that is changed in the job ad.

Actual Fix:

 

Whitespace and other illegal characters in the attribute name are now rejected in the check of attribute names supplied by condor_qedit and in the lower level code that inserts or replaces an attribute in the job ad.