CONDOR-2008-0003


Summary:

 

User supplied input to condor_qedit can cause the condor_schedd to crash or potentially allow the execution of arbitrary code.


Component:             condor_schedd
Vulnerable Versions:   6.8.0 - 6.8.8, 7.0.0 - 7.0.4, 7.1.0 - 7.1.2
Platform:              all
Availability:          not known to be publicly exploited
Fix Available:         6.8.9, 7.0.5, 7.1.3

Status:                Verified
Access Required:       local ordinary user with a condor authorization
Host Type Required:    submission host
Effort Required:       medium
Impact/Consequences:   medium

Fixed Date:            2008-Oct-07
Credit:                Matthew Farrellee

Access Required:

local ordinary user with a condor authorization

This vulnerability requires local access on a machine where the user has write authorization to the condor_schedd (i.e., a host and account where the user can submit a job).

Effort Required:

medium

Ordinary condor command line tools are all that is required to exploit this vulnerability to cause a crash. Running arbitrary code, if it is possible at all, would require an experienced attacker.

Impact/Consequences:

medium

The simplest effect of exploiting this vulnerability is a minor denial of service. It may be possible for a skilled attacker to run code as the condor user or root on the machine, which would have a high impact.

Full Details:

 

The administrator of the Condor system can set configuration attributes of the form SCHEDD_ROUND_ATTR_attr_name. These names are used to group attribute values during negotiation. When a new attribute value is inserted by the user, either when submitting a job or by using condor_qedit, the condor_schedd checks whether a configuration attribute of the form above exists for the user-supplied attribute name. Adding the 18-character SCHEDD_ROUND_ATTR_ prefix to an attribute name that may itself be up to 1023 characters long produces a string that overflows an internal buffer of 1023 bytes. This can cause the condor_schedd to crash. Although unlikely, a carefully crafted value may allow an attacker to modify the behavior of the program or execute arbitrary code.

This overflow may result in the condor_schedd crashing which is then automatically restarted, resulting in a small period of denial of service. It is possible that a carefully crafted input could result in the execution of arbitrary code.

Cause:

buffer overflow
failure to validate input

This vulnerability is caused by a buffer overflow. The overflow occurs because the length of the source string is never checked against the size of the destination buffer, and because the unbounded function strcpy is used for the copy.

Actual Fix:

 

The vulnerability was fixed by using the function strncpy, which truncates the string if it is too large for the buffer.
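The following is an added example written for this advisory; it is not Condor source code. It illustrates both the cause described above (an unchecked copy of prefix plus attribute name into a fixed buffer) and the shape of the fix (a bounded copy that truncates). The prefix length (18) and buffer size (1023 bytes) are taken from the advisory; the function names, the global buffer, and the helper that builds a test attribute name are assumptions made for the example. It also shows a stricter alternative that rejects an over-long name instead of truncating it, since a silently truncated name may match a different configuration entry than the caller intended.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Condor source. Sizes follow the advisory:
 * an 18-character prefix and a fixed 1023-byte destination buffer. */
#define ROUND_PREFIX "SCHEDD_ROUND_ATTR_"
#define ROUND_PREFIX_LEN (sizeof(ROUND_PREFIX) - 1)   /* 18 */
#define NAME_BUF_LEN 1023

static char g_name[NAME_BUF_LEN];

/* Vulnerable shape described in the advisory (never executed here): the
 * length of the source is never compared with the destination, so any
 * attribute longer than NAME_BUF_LEN - 1 - ROUND_PREFIX_LEN bytes writes
 * past the end of the buffer.
 *
 *     strcpy(g_name, ROUND_PREFIX);
 *     strcat(g_name, attr);
 */

/* Rejecting builder (hypothetical name): verifies the result fits before
 * writing anything. Returns the built name, or NULL when it would not fit. */
const char *checked_name(const char *attr)
{
    size_t need = ROUND_PREFIX_LEN + strlen(attr) + 1;   /* +1 for the NUL */
    if (need > sizeof g_name)
        return NULL;
    snprintf(g_name, sizeof g_name, "%s%s", ROUND_PREFIX, attr);
    return g_name;
}

/* Truncating builder (hypothetical name), the shape of the advisory's fix:
 * strncpy/strncat bounded by the buffer, with explicit NUL termination
 * (strncpy alone does not write one when the source fills the buffer). */
const char *truncated_name(const char *attr)
{
    strncpy(g_name, ROUND_PREFIX, sizeof g_name - 1);
    g_name[sizeof g_name - 1] = '\0';
    size_t used = strlen(g_name);
    strncat(g_name, attr, sizeof g_name - 1 - used);
    return g_name;
}

/* Constructed test input: an attribute name made of n 'a' characters. */
static char *make_attr(size_t n)
{
    char *a = malloc(n + 1);
    memset(a, 'a', n);
    a[n] = '\0';
    return a;
}

/* Length of the name built for an n-character attribute, or -1 if rejected. */
int checked_name_len(size_t attr_len)
{
    char *a = make_attr(attr_len);
    const char *r = checked_name(a);
    int len = r ? (int)strlen(r) : -1;
    free(a);
    return len;
}

/* Length of the name the truncating builder produces for an n-character attribute. */
int truncated_name_len(size_t attr_len)
{
    char *a = make_attr(attr_len);
    int len = (int)strlen(truncated_name(a));
    free(a);
    return len;
}

int main(void)
{
    printf("%s\n", checked_name("Memory"));
    /* 1004 is the longest attribute that still fits: 18 + 1004 + NUL = 1023. */
    printf("1004-char attr: checked=%d truncated=%d\n",
           checked_name_len(1004), truncated_name_len(1004));
    printf("1023-char attr: checked=%d truncated=%d\n",
           checked_name_len(1023), truncated_name_len(1023));
    return 0;
}
```

With the advisory's sizes, an attribute name of more than 1004 characters already overflows the unchecked version; the truncating builder caps every result at 1022 characters, and the rejecting builder returns NULL for the same inputs so the caller can refuse the attribute outright.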