Probable remote root in cfengine
Date: 2nd October 2000
PROBLEM:
--------
The cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls. Anyone (or, if
access controls are in use, any accepted host) can send the network daemon
a message that causes a segmentation fault. As cfd is almost always run as
root due to its nature (centralized configuration management etc.), this
can be quite lethal and lead to a root compromise.
AUTHOR INTERACTION:
-------------------
Notified the author on 1st Oct 2000 and worked with him. A different fix
was applied to the newly released 1.6.0.a11 (alpha version).
I got the impression that there isn't going to be an official fix for
1.5.x releases.
VERSIONS AND PLATFORMS AFFECTED:
--------------------------------
Every recent version except 1.6.0a11 released on 1st Oct 2000.
1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools. Debian, at least, includes cfengine
as a package.
I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other
though.
Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.
DETAILS:
--------
If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must first have access to an allowed system.
Spoofing would probably also yield similar results; the fact that there
need not be any reply from the server makes it easier.
A segmentation fault can be induced as follows:
-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----
where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname.
A longer string of %s's can also be used if that doesn't produce good
results.
If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:
-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be 1.1.1.1 myhostname root
cfdserver.some.domain(null)1.1.1.1 nev^M was 1.1.1.1 s%s%s^M
^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----
In the end, cfd dies in a segmentation fault.
As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe
Hacker to exploit this.
Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible but those aren't as
interesting as this and will be fixed at the same time.
EXPLOIT:
--------
Not my business; I'm sure someone will produce one sooner or later though.
WORKAROUND:
-----------
Enable access controls in cfd.conf and/or firewall off TCP port
5308. These can't be considered _good_ workarounds as users in the
local network/legit hosts can still exploit the service.
PATCH:
------
"Standard" patch to syslog calls included. It applies quite cleanly to
both 1.5.x and 1.6.0aXX.
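The bug class described under DETAILS and the "standard" fix mentioned under PATCH, as an added C example that is not cfengine's own code: the message shape copies the syslog line quoted above, but the functions format_auth_failure, log_auth_failure and suspicious_markers are hypothetical names chosen here, and the sample inputs are constructed. The vulnerable call is shown only in a comment; the compiled code keeps the untrusted text as a syslog() argument behind a constant "%s" format, and the third function is a log-review helper that counts the markers (%-conversions, raw non-printable bytes) which a genuine CAUTH line never contains.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Illustration of the advisory's bug class (assumed shape, not cfd's code).
 * The client-supplied CAUTH line is attacker controlled, so it may only
 * ever reach syslog()/printf() as an argument, never as the format string:
 *
 *   vulnerable:  syslog(LOG_ERR, line);         // %s in line reads the stack
 *   hardened:    syslog(LOG_ERR, "%s", line);   // %s in line is inert data
 */

/* Build the lookup-failure message with every untrusted value passed as an
 * argument. Returns bytes written, or -1 if the buffer was too small. */
int format_auth_failure(char *out, size_t outlen,
                        const char *peer_ip, const char *claimed)
{
    int n = snprintf(out, outlen,
                     "Reverse hostname lookup failed, host claiming to be %s %s",
                     peer_ip, claimed);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* The "standard" fix: constant format string, data handed over as data. */
void log_auth_failure(const char *peer_ip, const char *claimed)
{
    char line[512];
    if (format_auth_failure(line, sizeof line, peer_ip, claimed) < 0)
        snprintf(line, sizeof line,
                 "Reverse hostname lookup failed (message truncated)");
    syslog(LOG_ERR, "%s", line);
}

/* Log-review helper: count '%' conversion sequences and non-printable bytes
 * in a received message. A legitimate CAUTH line contains neither, so a
 * non-zero count is a cheap indicator of a probe like the one quoted above,
 * or of stack bytes already leaking into the log. */
int suspicious_markers(const char *msg)
{
    int count = 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        if (*p == '%' && p[1] != '\0' && strchr("sdiouxXcpn", p[1])) {
            count++;
            p++;                      /* skip the conversion character */
        } else if (!isprint(*p) && !isspace(*p)) {
            count++;                  /* raw binary garbage in the line */
        }
    }
    return count;
}
```

Running suspicious_markers over the cfd[...] lines of an existing syslog is a reasonable way to check whether a server was probed before the patch went in; it does not replace the fix, it only makes the probes visible.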
CREDITS:
--------
The vulnerability was found by Pekka Savola while
doing a minor audit on cfengine in the light of format string
vulnerabilities.
--
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi not those you stumble over and fall"