https://bugzilla.redhat.com/show_bug.cgi?id=1006100

" thomas.swan@gmail.com 2013-09-09 22:48:06 EDT

Created attachment 795808
preliminary patch to set credentials before execve

Description of problem:
If a tcpmux service is enabled, the user and group directives are ignored and the service always runs as root. Verified in the xinetd codebase and affects all active versions of RHEL and Fedora. Without the fix for CVE-2012-0862, previously exposed non-tcpmux services could run as root bypassing their respective user and group restrictions.

Version-Release number of selected component (if applicable):
2.3.15-6

How reproducible:
Always

Steps to Reproduce:
1. Enable tcpmux-server
2. Create a sample tcpmux service:

   service testcred
   {
       id          = tcpmux-testcred
       disable     = no
       user        = nobody
       group       = nobody
       socket_type = stream
       type        = TCPMUXPLUS UNLISTED
       flags       = NAMEINARGS
       server      = /usr/bin/id
       server_args = id
       wait        = no
   }

3. telnet localhost 1
4. type testcred

Actual results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred
+Go
uid=0(root) gid=0(root) groups=0(root)

Expected results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred
+Go
uid=99(nobody) gid=99(nobody) groups=99(nobody)
"
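The telnet check in the steps above can be scripted. The following is an added example, not code from the bug report or from xinetd: it speaks TCPMUX (RFC 1078) to the multiplexer port, requests a service whose server is `id`, and reports whether that service ran as uid 0 (the pre-fix behaviour) or with the configured user (the expected result). The fake_tcpmux_server helper is a constructed stand-in for xinetd's listener so the checker can be exercised offline; against a real host, point service_runs_as_root at port 1 of the xinetd machine.

```python
import re
import socket
import threading

def parse_id_output(text):
    """Pull numeric uid/gid out of `id` output such as
    'uid=65534(nobody) gid=65534(nogroup) ...'; None if absent."""
    m = re.search(r"uid=(\d+)\([^)]*\)\s+gid=(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def tcpmux_request(host, port, service, timeout=5.0):
    """One TCPMUX exchange (RFC 1078): send the service name plus CRLF,
    read the '+'/'-' reply line, then collect what the service writes.
    Returns (accepted, reply_line, body)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(service.encode("ascii") + b"\r\n")
        f = s.makefile("rb")
        reply = f.readline().decode("ascii", "replace").rstrip("\r\n")
        body = f.read().decode("utf-8", "replace")
    return reply.startswith("+"), reply, body

def service_runs_as_root(host, port, service):
    """True if the service ran `id` as uid 0, False if it ran with the
    configured (dropped) uid, None if refused or output unparseable."""
    accepted, _reply, body = tcpmux_request(host, port, service)
    if not accepted:
        return None
    ids = parse_id_output(body)
    return None if ids is None else ids[0] == 0

def fake_tcpmux_server(id_output):
    """Constructed stand-in for xinetd's tcpmux listener so the checker can
    run offline: accept one connection, read the service name, answer
    '+Go' and write the given `id` output. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        conn.recv(256)  # the requested service name + CRLF; any name accepted
        conn.sendall(b"+Go\r\n" + id_output.encode("ascii") + b"\n")
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]
```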
Fixed packages have been submitted for all.
Thanks Oden!

Advisory:
========================

Updated xinetd packages fix security vulnerability:

It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was a flaw in such a service, a remote attacker could use it to execute arbitrary code with the privileges of the root user (CVE-2013-4342).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
https://rhn.redhat.com/errata/RHSA-2013-1409.html
========================

Updated packages in core/updates_testing:
========================
xinetd-2.3.15-1.1.mga2
xinetd-simple-services-2.3.15-1.1.mga2
xinetd-2.3.15-3.1.mga3
xinetd-simple-services-2.3.15-3.1.mga3

from SRPMS:
xinetd-2.3.15-1.1.mga2.src.rpm
xinetd-2.3.15-3.1.mga3.src.rpm
Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4342: xinetd - ignores user and group directives for tcpmux services => xinetd - ignores user and group directives for tcpmux services (CVE-2013-4342)
Whiteboard: (none) => MGA2TOO
Severity: normal => major
Testing complete on Mageia 3 x86_64

Before:

# telnet 127.0.0.1 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=0(root) gid=0(root) groups=0(root)
Connection closed by foreign host.

After installing the update:

# telnet 127.0.0.1 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Connection closed by foreign host.

Note, for step 1, to enable the tcpmux server, create a file such as

# cat /etc/xinetd.conf/tcpmux
service tcpmux
{
    type        = INTERNAL
    id          = tcpmux
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
}

In the testcred config file, change the group from nobody to nogroup.
CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK has_procedure
Advisory 11406.adv committed to svn.
URL: https://rhn.redhat.com/errata/RHSA-2013-1409.html => http://lwn.net/Vulnerabilities/569768/
Tested on mga2 x86_64 with the procedure described above. The correct config file for mga2 seems to be:

# cat /etc/xinetd.d/tcpmux
service tcpmux
{
    type        = INTERNAL
    id          = tcpmux
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
}

service testcred
{
    id          = tcpmux-testcred
    disable     = no
    user        = nobody
    group       = nogroup
    socket_type = stream
    type        = TCPMUXPLUS UNLISTED
    flags       = NAMEINARGS
    server      = /bin/id
    server_args = id
    wait        = no
}

(diffs are group=nogroup and server=/bin/id)
CC: (none) => balaton
Whiteboard: MGA2TOO MGA3-64-OK has_procedure => MGA2TOO MGA3-64-OK MGA2-64-OK has_procedure
Tested Mageia 3 i586 with the following config:

[root@luigi xinetd.d]# cat tcpmux-server
service tcpmux
{
    disable     = no
    id          = tcpmux-server
    type        = INTERNAL
    wait        = no
    socket_type = stream
}

[root@luigi xinetd.d]# cat testcred
service testcred
{
    id          = tcpmux-testcred
    disable     = no
    user        = nobody
    group       = nogroup
    socket_type = stream
    type        = TCPMUXPLUS UNLISTED
    flags       = NAMEINARGS
    server      = /bin/id
    server_args = id
    wait        = no
}

And got the following results:

[david@luigi ~]$ telnet localhost 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=0(root) gid=0(root) groups=0(root)
Connection closed by foreign host.

[david@luigi ~]$ telnet localhost 1
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
testcred
+Go
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Connection closed by foreign host.
CC: (none) => luigiwalser
Whiteboard: MGA2TOO MGA3-64-OK MGA2-64-OK has_procedure => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK
Tested Mageia 2 i586, same config, same results. Testing complete. Validating.

Could a sysadmin push these SRPMS to updates? Advisory is in SVN.

xinetd-2.3.15-1.1.mga2.src.rpm
xinetd-2.3.15-3.1.mga3.src.rpm
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA3-64-OK MGA2-64-OK MGA3-32-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0302.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
======================================================
Name: CVE-2013-4342
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1006100
Reference: CONFIRM:https://github.com/xinetd-org/xinetd/pull/10
Reference: REDHAT:RHSA-2013:1409
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-1409.html

xinetd does not enforce the user and group configuration directives for TCPMUX services, which causes these services to be run as root and makes it easier for remote attackers to gain privileges by leveraging another vulnerability in a service.