what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Torque Server Buffer Overflow

Torque Server Buffer Overflow
Posted Jul 14, 2011
Authored by Adam Zabrocki, Bartlomiej Balcerek, Maciej Kotowicz

Torque Server versions prior to 2.4.1.4 and 3.0.[0,1] suffer from a buffer overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2011-2193
SHA-256 | d42dea2627d928ed2511106108e44d93bc90572f0feebc4a43a5e9fbfbcc8c7b

Torque Server Buffer Overflow

Change Mirror Download
Name:                      Torque Server Buffer Overflow Vulnerability
Author: Adam Zabrocki (<pi3@itsec.pl>)
Bartlomiej Balcerek (<bartol@pwr.wroc.pl>)
Maciej Kotowicz
(<maciej.kotowicz@pwr.wroc.pl>)
Date: March 27, 2011
Risk: Moderate
CVE: CVE-2011-2193


Description:

TORQUE Resource Manager provides control over batch jobs and distributed
computing resources.
It is an advanced open-source product based on the original PBS project*
and incorporates the
best of both community and professional development. It incorporates
significant advances in
the areas of scalability, reliability, and functionality and is
currently in use at tens of
thousands of leading government, academic, and commercial sites
throughout the world. TORQUE
may be freely used, modified, and distributed under the constraints of
the included license.

TORQUE is commonly used in most of the GRID projects including WLCG,
EGEE, etc.


Details:

A buffer overflow vulnerability has been found in the Torque server.
This was
reported to the EGI SVG (RT 1870) as well as to the Torque software
providers.

This has been fixed by the Torque Providers, and an updated version is
also
available in EPEL.

Torque server does not check the length of "job name" argument before
using it - this string is verified only on the client side. It is
possible to use modified Torque client or DRMAA interface to submit job
with arbitrary chosen job name in terms of length and content. Thus, it
is possible to attacker to overflow buffer and overwrite some Torque
server process internal data causing its specific behavior.

What can be overwritten is log_buffer global string array and
all next symbols:

0000000000734b00 B log_buffer
0000000000738b00 B msg_registerrel
0000000000738b08 B msg_manager
0000000000738b10 B msg_startup1
0000000000738b18 B msg_momnoexec1
0000000000738b20 B msg_man_uns
0000000000738b28 B msg_sched_nocall
0000000000738b30 B msg_issuebad
0000000000738b38 B stdout@@GLIBC_2.2.5
0000000000738b40 B msg_job_end_stat
0000000000738b48 b dtor_idx.6147
0000000000738b50 b completed.6145
0000000000738b58 b acct_opened
0000000000738b5c b acct_auto_switch
0000000000738b60 b acctfile
0000000000738b68 b acct_opened_day
0000000000738b70 b spaceused
0000000000738b78 b spaceavail
0000000000738b80 b username.6360
0000000000738bc0 b groupname.6402


Here is example how to submit the crafted job:

[bartol@bartek_torque torque-mod]$ echo /bin/date | ./src/cmds/qsub -Z
"Job_Name=`perl -e 'print "A"x16350'`"

It is possible now to see in debugger that structures adjacent to
log_buffer are overwritten with "A" chars (encoded as 0x41 numbers):

Program received signal SIGINT, Interrupt.
0x00000033550cd323 in __select_nocancel () from /lib64/libc.so.6
(gdb) x/20x 0x0000000000738b00
0x738b00 <msg_registerrel>: 0x4141414141414141
0x4141414141414141
0x738b10 <msg_startup1>: 0x4141414141414141
0x4141414141414141
0x738b20 <msg_man_uns>: 0x4141414141414141 0x4141414141414141

The overflow occurs in the following code:

1560 sprintf(log_buffer, msg_jobnew,
1561 preq->rq_user, preq->rq_host,
1562 pj->ji_wattr[(int)JOB_ATR_job_owner].at_val.at_str,
1563 pj->ji_wattr[(int)JOB_ATR_jobname].at_val.at_str,
1564 pj->ji_qhdr->qu_qs.qu_name);


We proved that server crash is easily possible (including database
damage) and we think privilege escalation can be done with some more
effort as well, but the latter is strongly dependable on particular
build flags and architecture.

The overflow is also possible in pbs_iff setuid binary, since the "host"
variable length is not checked:

sprintf(log_buffer,"cannot resolve IP address for host '%s'
herror=%d: %s",
hostname, /*1*/
h_errno,
hstrerror(h_errno));


Affected Software:

Versions of Torque prior to Torque 2.4.14 and also Torque 3.0.[0,1]


References:

CVE assignment:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2193

RH bug:
https://bugzilla.redhat.com/show_bug.cgi?id=711463

RH release for SL5:
https://admin.fedoraproject.org/updates/torque-2.3.13-2.el5


Cluster resources ref.
http://www.clusterresources.com/pipermail/torqueusers/2011-June/012982.html


Timeline:

Yyyy-mm-dd

2011-05-10 Vulnerability reported to EGI SVG by Bartlomiej Balcerek, in
addition to reporting to
software providers
2011-05-10 Acknowledgement from the EGI SVG to the reporter
2011-06-06 Software provider states issue fixed
2011-06-07 Bug subitted in RH EPEL, as EGI mostly uses EPEL distribution
2011-06-22 Updated packages formally released in EPEL
2011-06-24 Public disclosure by the EGI SVG

--
http://pi3.com.pl

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close