Bug 11406 - xinetd - ignores user and group directives for tcpmux services (CVE-2013-4342)
: xinetd - ignores user and group directives for tcpmux services (CVE-2013-4342)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/569768/
: MGA2TOO has_procedure MGA3-64-OK MGA2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-10-08 11:09 CEST by Oden Eriksson
Modified: 2013-10-10 07:50 CEST (History)
5 users (show)

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description Oden Eriksson 2013-10-08 11:09:14 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=1006100

" thomas.swan@gmail.com 2013-09-09 22:48:06 EDT

Created attachment 795808 [details]
preliminary patch to set credentials before execve

Description of problem:

If a tcpmux service is enabled, the user and group directives are ignored and the service always runs as root. Verified in the xinetd codebase and affects all active versions of RHEL and Fedora.  Without the fix for CVE-2012-0862, previously exposed non-tcpmux services could run as root bypassing their respective user and group restrictions.

Version-Release number of selected component (if applicable):
2.3.15-6

How reproducible:
Always

Steps to Reproduce:
1. Enabled tcpmux-server 
2. Create a sample tcpmux service

   service testcred
   {
      id = tcpmux-testcred
      disable = no
      user = nobody
      group = nobody
      socket_type = stream
      type = TCPMUXPLUS UNLISTED
      flags = NAMEINARGS
      server = /usr/bin/id
      server_args = id
      wait = no
   }

3. telnet localhost 1
4. type testcred

Actual results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred 
+Go
uid=0(root) gid=0(root) groups=0(root)

Expected results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred 
+Go
uid=99(nobody) gid=99(nobody) groups=99(nobody)
"

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-10-08 11:09:36 CEST
Fixed packages has been submitted for all.
Comment 2 David Walser 2013-10-08 14:41:04 CEST
Thanks Oden!

Advisory:
========================

Updated xinetd packages fix security vulnerability:

It was found that xinetd ignored the user and group configuration
directives for services running under the tcpmux-server service. This flaw
could cause the associated services to run as root. If there was a flaw in
such a service, a remote attacker could use it to execute arbitrary code
with the privileges of the root user (CVE-2013-4342).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
https://rhn.redhat.com/errata/RHSA-2013-1409.html
========================

Updated packages in core/updates_testing:
========================
xinetd-2.3.15-1.1.mga2
xinetd-simple-services-2.3.15-1.1.mga2
xinetd-2.3.15-3.1.mga3
xinetd-simple-services-2.3.15-3.1.mga3

from SRPMS:
xinetd-2.3.15-1.1.mga2.src.rpm
xinetd-2.3.15-3.1.mga3.src.rpm
Comment 3 Dave Hodgins 2013-10-08 19:08:59 CEST
Testing complete on Mageia 3 x86_64
Before
# telnet 127.0.0.1 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=0(root) gid=0(root) groups=0(root)
Connection closed by foreign host.

After installing the update
# telnet 127.0.0.1 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Connection closed by foreign host.

Note, for step 1, to enable the tcpmux server, create a file such as
]# cat /etc/xinetd.conf/tcpmux
service tcpmux
  {
     type                = INTERNAL
     id                  = tcpmux
     socket_type         = stream
     protocol            = tcp
     user                = root
     wait                = no
  }

In the testcred config file, change the group from nobody to nogroup.
Comment 4 Dave Hodgins 2013-10-08 19:13:12 CEST
Advisory 11406.adv committed to svn.
Comment 5 Zoltan Balaton 2013-10-09 11:25:03 CEST
Tested on mga2 x86_64 with the procedure described above.
The correct config file for mga2 seems to be:
# cat /etc/xinetd.d/tcpmux 
service tcpmux
{
  type        = INTERNAL
  id          = tcpmux
  socket_type = stream
  protocol    = tcp
  user        = root
  wait        = no
}

service testcred
{
  id = tcpmux-testcred
  disable = no
  user = nobody
  group = nogroup
  socket_type = stream
  type = TCPMUXPLUS UNLISTED
  flags = NAMEINARGS
  server = /bin/id
  server_args = id
  wait = no
}
(diffs are group=nogrup and server=/bin/id)
Comment 6 David Walser 2013-10-09 23:33:18 CEST
Tested Mageia 3 i586 with the following config:
[root@luigi xinetd.d]# cat tcpmux-server
service tcpmux
{
  disable       = no
  id              = tcpmux-server
  type              = INTERNAL
  wait                = no
  socket_type         = stream
}
[root@luigi xinetd.d]# cat testcred 
service testcred
{
  id = tcpmux-testcred
  disable = no
  user = nobody
  group = nogroup
  socket_type = stream
  type = TCPMUXPLUS UNLISTED
  flags = NAMEINARGS
  server = /bin/id
  server_args = id
  wait = no
}

And got the following results:
[david@luigi ~]$ telnet localhost 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=0(root) gid=0(root) groups=0(root)
Connection closed by foreign host.
[david@luigi ~]$ telnet localhost 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Connection closed by foreign host.
Comment 7 David Walser 2013-10-09 23:40:11 CEST
Tested Mageia 2 i586, same config, same results.  Testing complete.  Validating.

Could a sysadmin push these SRPMS to updates.  Advisory is in SVN.
xinetd-2.3.15-1.1.mga2.src.rpm
xinetd-2.3.15-3.1.mga3.src.rpm
Comment 8 Thomas Backlund 2013-10-10 00:56:39 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0302.html
Comment 9 Oden Eriksson 2013-10-10 07:50:14 CEST
======================================================
Name: CVE-2013-4342
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1006100
Reference: CONFIRM:https://github.com/xinetd-org/xinetd/pull/10
Reference: REDHAT:RHSA-2013:1409
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-1409.html

xinetd does not enforce the user and group configuration directives
for TCPMUX services, which causes these services to be run as root and
makes it easier for remote attackers to gain privileges by leveraging
another vulnerability in a service.

Note You need to log in before you can comment on or make changes to this bug.