3.7
Advisory Published
CVE Published
Updated

CVE-2012-0787

First published: Fri Jan 06 2012(Updated: )

Augeas is a configuration management API that represents the contents of config files as a tree in memory for editing, with the edits being written back to the actual file. By default it loads files it understands in a large number of standard system locations (/etc, /boot), but can also open files in a user specified location [1],[2]. It has two save modes of interest, "backup" that keeps the original in PATH.augorig and "newfile" that leaves the file alone, but writes the edited version to PATH.augnew. These can be set via the API [3] or --backup/--new with augtool (CLI tool around the API). A flaw was found in the current 0.10.0 version and most previous versions. It requires that the directory containing the file to be edited is writable by another user, so this needs the user to explicitly open a file in another location or for a file in a default location to be in a group/world writable directory. This attack hinges on behaviour to support writing to a bind mount (ticket #32 gives some history [4] relating to oVirt?) when doing the rename fails with EBUSY or EXDEV. Augeas instead opens the file and writes straight into it, see transform.c in clone_file when copy_if_rename_fails is set from transform_save. In two of the three, copy_if_rename_fails is only set if the node /augeas/save/copy_if_rename_fails is created by the user to enable the behaviour [4]. I think there are three ways to exploit this code. 1) with --backup When creating PATH.augsave, copy_if_rename_fails is always set to 1. A bind mount of a single file (or FUSE, enabling non-privileged attacks?) at PATH.augsave would cause the file contents to be written to the bind mounted file. 2) with --new and /augeas/save/copy_if_rename_fails As above, but create bind mount at PATH.augnew. 3) with --backup and /augeas/save/copy_if_rename_fails Augeas first moves PATH to PATH.augsave for the backup, then renames PATH.augnew to PATH. There's a tiny window in which a bind mount could be created at PATH, so the file contents are written to the bind mounted file. [1] <a href="http://augeas.net/page/Loading_specific_files">http://augeas.net/page/Loading_specific_files</a> [2] <a href="https://github.com/raphink/augeas-sandbox/blob/master/augload">https://github.com/raphink/augeas-sandbox/blob/master/augload</a> [3] <a href="http://augeas.net/docs/api.html#saving-the-tree">http://augeas.net/docs/api.html#saving-the-tree</a> [4] <a href="https://fedorahosted.org/augeas/ticket/32">https://fedorahosted.org/augeas/ticket/32</a>

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/augeas<1.0.0
1.0.0
Redhat Enterprise Linux=6.0
Augeas Augeas<=0.10.0
Augeas Augeas=0.0.1
Augeas Augeas=0.0.2
Augeas Augeas=0.0.3
Augeas Augeas=0.0.4
Augeas Augeas=0.0.5
Augeas Augeas=0.0.6
Augeas Augeas=0.0.7
Augeas Augeas=0.0.8
Augeas Augeas=0.1.0
Augeas Augeas=0.1.1
Augeas Augeas=0.2.0
Augeas Augeas=0.2.1
Augeas Augeas=0.2.2
Augeas Augeas=0.3.0
Augeas Augeas=0.3.1
Augeas Augeas=0.3.2
Augeas Augeas=0.3.3
Augeas Augeas=0.3.4
Augeas Augeas=0.3.5
Augeas Augeas=0.3.6
Augeas Augeas=0.4.0
Augeas Augeas=0.4.1
Augeas Augeas=0.4.2
Augeas Augeas=0.5.0
Augeas Augeas=0.5.1
Augeas Augeas=0.5.2
Augeas Augeas=0.5.3
Augeas Augeas=0.6.0
Augeas Augeas=0.7.0
Augeas Augeas=0.7.1
Augeas Augeas=0.7.2
Augeas Augeas=0.7.3
Augeas Augeas=0.7.4
Augeas Augeas=0.8.0
Augeas Augeas=0.8.1
Augeas Augeas=0.9.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203