Package: gatling
Version: 0.13-6+b1
Justification: 5.b
Severity: serious
Tags: security

Dear Maintainers,

Dropping privileges fails silently if -u is used with a username rather
than a numeric user id. Such usage is even recommended in both the
manpage and /etc/default/gatling. Any CGI script is consequently run as
root (though chrooted - but a chroot is not a jail for root processes).

Concretely, requesting "http://127.0.0.1/test.cgi", from the following
server will run /var/www/default/test.cgi as root:
  gatling -v -D -S -F -U -u nobody -c /var/www -C "^/test\\.cgi$"

While this server will run it as user nobody:
  gatling -v -D -S -F -U -u 65534 -c /var/www -C "^/test\\.cgi$"

Note that "-u nobody" is the recommended usage in manpage and
/etc/default/gatling.

Reproducing this is a bit cumbersome:

  # apt-get install busybox-static
  # mkdir /var/www/.bin
  # cp -al /bin/busybox /var/www/.bin/
  # cat > /var/www/default/test.cgi << EOF
#!/.bin/busybox sh

cat << EOHDR
Status: 200
Content-Type: text/plain; charset=UTF-8

Hallo Welt
==========
EOHDR

/.bin/busybox id

echo "---"
cat /secret.txt
echo "---"

EOF
  # echo "A SECRET HAS BEEN UNVEILED" > /var/www/secret.txt
  # chmod 0600 /var/www/secret.txt
  # chmod 0755 /var/www/default/test.cgi
  # touch /var/www/default/.proxy
  # gatling -v -D -S -F -U -u nobody -c /var/www -C "^/test\\.cgi$"

  $ curl "http://127.0.0.1/test.cgi"

The result shows that the CGI process is run with uid=0 and clearly has
read access to /var/www/secret.txt.

As is common knowledge, by mounting proc inside the chroot and accessing
/proc/1/root/, the process can then escape the chroot.

Note that using busybox is only one way to get non-compiled CGIs to work in
a chroot in the first place and is not a requirement for the bug to be
exploited. The only requirement is a security hole in a CGI (which is,
after all, quite common, which is why webservers drop privileges in the
first place).

I suggest the following procedures, in that order:
- Fixing manpage and /etc/default/gatling to match actual behaviour
- making gatling throw an error if the uid is non-numeric
- implementing actual user name lookup and then reverting the above two.


Yours
Thomas Kremer


-- System Information:
Debian Release: 8.8
  APT prefers oldstable
  APT policy: (700, 'oldstable'), (500, 'oldoldstable'), (450, 'stable'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gatling depends on:
ii  libc6           2.19-18+deb8u10
ii  libmbedcrypto0  2.4.2-1
ii  libmbedtls10    2.4.2-1
ii  libmbedx509-0   2.4.2-1
ii  libowfat0       0.29-4
ii  libssl1.1       1.1.0f-3
ii  zlib1g          1:1.2.8.dfsg-2+b1

gatling recommends no packages.

gatling suggests no packages.

-- no debconf information
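Added example, not code from the bug report or from gatling: a strict resolver for a "-u" argument that accepts either a numeric uid or a user name, beside the silent-failure pattern the report describes. It assumes Linux/glibc; naive_uid() is an assumed illustration of how a non-numeric spec collapses to uid 0 when it is parsed as a number, not a quotation of gatling's actual parser. The user name "root" is assumed to exist on the host.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The silent-failure pattern the report describes (assumed illustration,
 * not gatling's code): a plain atoi() turns "nobody" into 0, i.e. root. */
uid_t naive_uid(const char *spec)
{
    return (uid_t)atoi(spec);
}

/* Strict resolver: returns 0 and sets *uid/*gid on success, -1 on failure.
 * A spec is numeric only if every character is a digit; anything else is
 * looked up with getpwnam(), and an unknown account is an error, never 0. */
int resolve_user(const char *spec, uid_t *uid, gid_t *gid)
{
    if (spec == NULL || *spec == '\0')
        return -1;

    int all_digits = 1;
    for (const char *p = spec; *p; p++)
        if (!isdigit((unsigned char)*p)) { all_digits = 0; break; }

    if (all_digits) {
        errno = 0;
        unsigned long n = strtoul(spec, NULL, 10);
        if (errno != 0 || n > UINT_MAX)      /* uid_t is 32-bit unsigned on Linux */
            return -1;
        *uid = (uid_t)n;
        struct passwd *pw = getpwuid(*uid);  /* primary group if the uid has an account */
        *gid = pw ? pw->pw_gid : (gid_t)n;   /* else fall back to the same-numbered group */
        return 0;
    }

    struct passwd *pw = getpwnam(spec);      /* real user name lookup */
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Convenience wrapper: the resolved uid, or -1 if the spec does not resolve. */
long resolve_uid_only(const char *spec)
{
    uid_t uid; gid_t gid;
    return resolve_user(spec, &uid, &gid) == 0 ? (long)uid : -1L;
}

/* Drop privileges permanently and verify that the drop took effect.
 * Refuses uid 0 outright, so a bad -u can never leave CGIs running as root. */
int drop_privileges(const char *spec)
{
    uid_t uid; gid_t gid;
    if (resolve_user(spec, &uid, &gid) != 0) {
        fprintf(stderr, "cannot resolve user '%s'\n", spec);
        return -1;
    }
    if (uid == 0) {
        fprintf(stderr, "refusing to run as root\n");
        return -1;
    }
    /* Order matters: supplementary groups, then gid, then uid. setgroups()
     * needs CAP_SETGID, so it is only attempted while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Verify: regaining root must now be impossible and ids must match. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        fprintf(stderr, "privilege drop did not stick\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "nobody";
    printf("naive parse of '%s' gives uid %u\n", spec, (unsigned)naive_uid(spec));
    if (drop_privileges(spec) != 0)
        return 1;
    printf("now running as uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as root with `./drop nobody` and `./drop 65534` to see both forms resolve to the same uid, and with `./drop nosuchuser` or `./drop 0` to see the program exit with an error instead of continuing as root; the post-drop setuid(0) check is what turns a misconfiguration into a startup failure rather than a root CGI.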
