TGT Team: The function call_program in the tgtd daemon includes a callback function that will run arbitrary commands. Additionally, it does not check that the cmd argument is smaller than the allocated buffer size causing a buffer overflow. Example and proof of concept: usr/tgtd.c int call_program(const char *cmd, void (*callback)(void *data, int result), void *data, char *output, int op_len, int flags) ... char *pos, arg[256]; ... str_spacecpy(&pos, cmd); Where str_spacecpy (usr/tgtd.c) chops multiple white spaces into one white space. It takes a dest buffer and copies into a src buffer: void str_spacecpy(char **dest, const char *src) call_program is called from usr/target.c in get_redirect_address static int get_redirect_address(char *callback, char *buffer, int buflen, char **address, char **ip_port, int *rsn) ... if (call_program(callback, NULL, NULL, buffer, buflen, 0)) ... Where get_redirect_address is called from usr/target.c by: int target_redirected(struct iscsi_target *target, struct iscsi_connection *conn, char *buf, int *reason) ... char dst[INET6_ADDRSTRLEN], in_buf[1024]; ... ret = get_redirect_address(in_buf, buffer, sizeof(buffer), &addr, &port, &rsn); ... in_buf, size 1024, is passed to call_program as 'cmd', which then copies into the dest char buffer of size 256 causing a buffer overflow. In addition to that, any arbitrary command line argument that is pass in by tgtadm will be executed. Example: sudo tgtd -C 1 --iscsi portal=127.0.0.1:860 sudo ./scripts/tgt-admin -C 1 -e -c /home/ubuntu/tgt/targets.confg (in a different shell) sudo gdb --args tgtd -f -C 2 --iscsi portal=127.0.0.1 sudo ./scripts/tgt-admin -C 2 -e -c /home/ubuntu/tgt/targets.confg sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectAddress --value 127.0.0.1 sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectPort --value 860 sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectReason --value Temporary sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectCallback --value 1zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz sudo iscsiadm -m discovery -t st -p 127.0.0.1 sudo iscsiadm -m node -p 127.0.0.1 -l Upon attempting to authenticate, the command set by the --name RedirectCallback --value tgtadm directive will attempt to be executed. If you replace the above example with: sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectCallback --value "/usr/bin/logger `whoami`" You will see in the syslog file, where 'ubuntu' is the current user: ubuntu iqn.2014-05.local.localhost:foobar 127.0.0.1 I'm a bit unclear as to what exactly is suppose to happen here, or what the intended result is, but it seems that arbitrary commands should not be allowed to be injected from tgtadm in addition to checking the strlen of cmd. Thanks, and let me know if I can answer or clarify any questions. Jason Hullinger Security Architect HP Helion Cloud -- To unsubscribe from this list: send the line "unsubscribe stgt" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html