Application: PBS Pro (part of PBS Works by Altair Engineering)
Affected version: < 10.4
OS: Linux/UNIX
CVE ID: pending
Class: temporary file creation race condition
Remote: no
Threat: destroy an arbitrarily chosen file of another user
Discovered: 02.02.2010
Discovered by: Bartlomiej Balcerek
Background:
PBS Pro is commercial software used to perform and manage job
scheduling and execution. It is widely used by supercomputing centers
for cluster, grid and cloud computing.
Vulnerability description:
The PBS Pro execution daemon, pbs_mom, uses the /var/spool/pbs/spool
directory to store temporary files. This directory is world writable.
Files within it are created on behalf of the queue user (with his/her
UID and GID) to store the job's standard output and error streams.
Before pbs_mom creates a particular file, it checks whether a file of
that name already exists. If so, the file of that name is deleted and
then opened in write mode. An attacker can easily guess another user's
temporary file name and create an arbitrary link between the two
actions of check and create, while the other user's job is executing.
The link can point to a file chosen by the attacker and owned by the
job's owner, which will consequently be overwritten by the job's
standard output or error stream.
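The check-then-create window described above, as an added example (not PBS Pro code and not part of the original advisory): a create step that follows whatever sits at the path, beside one that uses O_CREAT|O_EXCL so that creation fails if any name already exists there. The temporary directory and the file names owner_file and job.out are constructed for the demonstration.

```c
/* Added example: constructed paths, not PBS Pro source code. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create step as the advisory describes it: opens whatever `path` resolves to. */
int create_following(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened create step: with O_CREAT|O_EXCL the kernel creates the file
 * atomically and fails with EEXIST if any name, including a symbolic
 * link, already exists at `path`. No separate check or delete is needed. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds the state left when a link appears between check and create,
 * runs one create step on it, and returns 1 if the link target is intact. */
int target_survives(int (*create)(const char *)) {
    char dir[] = "/tmp/spool_demo_XXXXXX", target[64], spool[64], buf[4];
    int fd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/owner_file", dir);
    snprintf(spool, sizeof spool, "%s/job.out", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(target, spool) != 0) return -1;
    fd = create(spool);                       /* step under test */
    if (fd >= 0) {
        if (write(fd, "job output\n", 11) != 11) perror("write");
        close(fd);
    }
    fd = open(target, O_RDONLY);
    ok = fd >= 0 && read(fd, buf, 4) == 4 && memcmp(buf, "keep", 4) == 0;
    if (fd >= 0) close(fd);
    unlink(spool); unlink(target); rmdir(dir);
    return ok;
}

int main(void) {
    printf("following: target intact = %d\n", target_survives(create_following));
    printf("exclusive: target intact = %d\n", target_survives(create_exclusive));
    return 0;
}
```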
Exploit:
PoC attached.
Solution:
Upgrade to version >= 10.4
Bug history:
Discovered: 02.02.2010
Vendor contacted: 15.02.2010
Fixed version announced: 08.06.2010
Bug disclosed: 07.07.2010
--
Bartlomiej Balcerek
Attachment: pbs-v10.2.0.93147-PoC.sh
#!/bin/bash
#set -x
# PBS Pro < 10.4 o+w race condition vulnerability Proof Of Concept by Bartlomiej Balcerek - bartol@pwr.wroc.pl
# Must be run on submitting host and will create /tmp/pbs_test_by_bartol file on exec host as a next job owner UID
echo Compiling racer...
cat << EOF | gcc -x c -o racer.x -
//repeatedly tries to create an arbitrarily chosen link
#include