Summary:

It is possible for an attacker to overwrite arbitrary files on the host running the Gratia Condor probe. The attacker can escalate their privileges to root, or cause damage to the operating system in numerous ways.

Access Required: local ordinary user with Condor submission privileges

The vulnerability requires local access to the machine with the ability to submit Condor jobs. This also requires the ability to run arbitrary code as an unprivileged user on the host where the Gratia Condor probe runs.

Effort Required: medium

To be successful, an attacker must win a race condition in order to overwrite critical system files. Additionally, gaining root access requires the attacker to submit a Condor job with unusual job attributes in the submit file.

Impact/Consequences: high

If the attacker is successful, any file on the host could be overwritten. Careful selection of the target file and the data written could compromise the root account or even crash the system.

Full Details:

The Condor probe code tries to delete these files if they already exist, before attempting to create them. The files are created using

For example, the following script repeatedly tries to create a symbolic link

Compromising the root account on the system requires a couple of additional steps. The Condor architecture allows a user to specify attributes such as

An example Condor submit file exploiting the

This exploit overwrites the password file which is used to control what accounts are available on the host and their authentication information. If a line can be added to this file, a new account can be added without a password that is equivalent to the root account (has a user and group id of 0). The attack works by setting the

The Condor history log for the sample job looks like:

The Gratia Condor probe retrieves the attributes from the Condor logs. The corresponding code that gets written to

The line

The following code creates the new account's shell in a file named

Root access can then be gained by using

Thus gaining root access is essentially a four step process:

Cause: race condition

The cause of this vulnerability is using the

Proposed Fix:

If it is necessary to create the debug files, the effective user and group ids should be dropped to an unprivileged user and group before creating the files in

The file should also be created in a directory that is not world writable; one that is only used by the Gratia Condor probe. Another possible solution is to create the file with the
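
One way to apply the directory and file-creation recommendations above, as an added example that is not part of the original report or the Gratia code. The `O_CREAT | O_EXCL | O_NOFOLLOW` flag set, the directory and file names, and the function names are assumptions chosen for illustration; the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

def ensure_private_dir(path):
    """Create (or validate) a directory that only the current user can write to."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: do not follow a symlink sitting at `path`
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a real directory")
    if st.st_uid != os.geteuid() or st.st_mode & 0o022:
        raise RuntimeError(f"{path} is writable by other users")
    return path

def create_debug_file(directory, name, data):
    """Create a new file atomically; never delete, follow or reuse an existing path."""
    path = os.path.join(ensure_private_dir(directory), name)
    # O_EXCL makes open() fail if anything, a symlink included, already exists
    # at `path`, so there is no window between a check/delete and the creation.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    """Constructed scenario: a symlink already sits where the file should go."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original\n")
    work = os.path.join(base, "probe-debug")  # hypothetical directory name
    os.mkdir(work, 0o700)
    os.symlink(victim, os.path.join(work, "planted.log"))
    try:
        create_debug_file(work, "planted.log", "debug output\n")
        refused = False
    except FileExistsError:
        refused = True  # the open failed instead of writing through the link
    with open(victim) as fh:
        unchanged = fh.read() == "original\n"
    fresh = create_debug_file(work, "fresh.log", "debug output\n")
    return refused, unchanged, stat.S_IMODE(os.stat(fresh).st_mode)

if __name__ == "__main__":
    print(demo())
```

A failed exclusive open should be treated as an error to log and investigate, not retried after deleting the existing path, since delete-then-create reintroduces the race.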

Actual Fix:

The

Acknowledgment:

This research was funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL).