First published: Fri Jan 06 2012(Updated: )
Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user specified location [1],[2]. It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API). A flaw was found in the current 0.10.0 version and most previous versions. It requires that the directory containing the file to be edited is writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory. This attack hinges on behaviour to support writing to a bind mount (ticket #32 gives some history [4] relating to oVirt?) when doing the rename fails with EBUSY or EXDEV. Augeas instead opens the file and writes straight into it, see transform.c in clone_file when copy_if_rename_fails is set from transform_save. In two of the three, copy_if_rename_fails is only set if the node /augeas/save/copy_if_rename_fails is created by the user to enable the behaviour [4]. I think there are three ways to exploit this code. 1) with --backup When creating PATH.augsave, copy_if_rename_fails is always set to 1. A bind mount of a single file (or FUSE, enabling non-privileged attacks?) at PATH.augsave would cause the file contents to be written to the bind mounted file. 2) with --new and /augeas/save/copy_if_rename_fails As above, but create bind mount at PATH.augnew. 3) with --backup and /augeas/save/copy_if_rename_fails Augeas first moves PATH to PATH.augsave for the backup, then renames PATH.augnew to PATH. There's a tiny window in which a bind mount could be created at PATH, so the file contents are written to the bind mounted file. [1] <a href="http://augeas.net/page/Loading_specific_files">http://augeas.net/page/Loading_specific_files</a> [2] <a href="https://github.com/raphink/augeas-sandbox/blob/master/augload">https://github.com/raphink/augeas-sandbox/blob/master/augload</a> [3] <a href="http://augeas.net/docs/api.html#saving-the-tree">http://augeas.net/docs/api.html#saving-the-tree</a> [4] <a href="https://fedorahosted.org/augeas/ticket/32">https://fedorahosted.org/augeas/ticket/32</a>
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/augeas | <1.0.0 | 1.0.0 |
Redhat Enterprise Linux | =6.0 | |
Augeas Augeas | <=0.10.0 | |
Augeas Augeas | =0.0.1 | |
Augeas Augeas | =0.0.2 | |
Augeas Augeas | =0.0.3 | |
Augeas Augeas | =0.0.4 | |
Augeas Augeas | =0.0.5 | |
Augeas Augeas | =0.0.6 | |
Augeas Augeas | =0.0.7 | |
Augeas Augeas | =0.0.8 | |
Augeas Augeas | =0.1.0 | |
Augeas Augeas | =0.1.1 | |
Augeas Augeas | =0.2.0 | |
Augeas Augeas | =0.2.1 | |
Augeas Augeas | =0.2.2 | |
Augeas Augeas | =0.3.0 | |
Augeas Augeas | =0.3.1 | |
Augeas Augeas | =0.3.2 | |
Augeas Augeas | =0.3.3 | |
Augeas Augeas | =0.3.4 | |
Augeas Augeas | =0.3.5 | |
Augeas Augeas | =0.3.6 | |
Augeas Augeas | =0.4.0 | |
Augeas Augeas | =0.4.1 | |
Augeas Augeas | =0.4.2 | |
Augeas Augeas | =0.5.0 | |
Augeas Augeas | =0.5.1 | |
Augeas Augeas | =0.5.2 | |
Augeas Augeas | =0.5.3 | |
Augeas Augeas | =0.6.0 | |
Augeas Augeas | =0.7.0 | |
Augeas Augeas | =0.7.1 | |
Augeas Augeas | =0.7.2 | |
Augeas Augeas | =0.7.3 | |
Augeas Augeas | =0.7.4 | |
Augeas Augeas | =0.8.0 | |
Augeas Augeas | =0.8.1 | |
Augeas Augeas | =0.9.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.