Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <YemPSkQtnUCflmaH@sulfur.vonhaugwitz.com>
Date: Thu, 20 Jan 2022 17:35:22 +0100
From: Hannes von Haugwitz <hannes@...haugwitz.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-45417 - aide (>= 0.13 <= 0.17.3): heap-based buffer
 overflow vulnerability in base64 functions

Summary
=======

David Bouman discovered a heap-based buffer overflow vulnerability in base64
functions of AIDE, an advanced intrusion detection system. An attacker could
crash the program and possibly execute arbitrary code through large (<16k)
extended file attributes or ACL. A local user might exploit this flaw for root
privilege escalation.

Project
=======

AIDE (https://aide.github.io)

Affected versions
=================

AIDE >= 0.13, <= 0.17.3

CVE ID
======

CVE-2021-45417

Proof of concept
================

To take advantage of the flaw the user needs write access to a mounted file
system that supports large enough extended attributes (e.g. XFS) or ACL (e.g.
tmpfs).

AIDE needs to be compiled with --with-xattr or --with-posix-acl configure flag
(this is the case for most distributions).

# extended attributes on XFS filesystem

    $ touch user-file; xattr -w user.comment "$(for i in {1..40000} ; do printf '%c' A ; done)" user-file
    # aide --config=/dev/null --after "$(pwd)/user-file xattrs" --after "database_out=file:/dev/null" --init

# ACL on tmpfs file system

    $ touch user-file; for i in {1000..2000} ; do setfacl -m u:${i}:r user-file ; done
    # aide --config=/dev/null --after "$(pwd)/user-file acl" --after "database_out=file:/dev/null" --init

Analysis
========

The vulnerability is caused by a fixed buffer size (16384 in
src/base64.h[base.h]) in the encode_base64/decode_base64 functions[base64.c].
Initially this was safe as the base64 functions were only used for
encoding/decoding of the calculated hashsums. However since the addition of
extended file attribute and ACL support in AIDE 0.13 encode_base64 is also used
for encoding xattr and ACL values before writing them to the database.

This allows a user to create a file with a large extended attribute value or
large ACL causing aide (ussaly triggered by cron as root) to segfault.

The issue is fixed by precalculating the size of the return buffer depending on
the input in the encode_base64/decode_base64 functions.

[base64.h] https://github.com/aide/aide/blob/v0.17.3/include/base64.h#L38
[base64.c] https://github.com/aide/aide/blob/v0.17.3/src/base64.c

Mitigation
==========

Upgrade to AIDE v0.17.4 (only containing the fix for this issue) [v0.17.4]

Alternatively apply one of the provided patches:

aide-0.17-cve-2021-45417.patch: patch for 0.17.x
aide-0.16-cve-2021-45417.patch: patch for 0.16.x (backported for Debian oldstable)

Though not tested the patch for 0.16.x might also apply for earlier releases < 0.16.

If you cannot upgrade, consider removing `acl` and `xattrs` groups from rules
matching files on affected file systems.

[v0.17.4] https://github.com/aide/aide/releases/tag/v0.17.4

Credit
======

The issue was reported by David Bouman.

View attachment "aide-0.16-cve-2021-45417.patch" of type "text/x-diff" (3034 bytes)

View attachment "aide-0.17-cve-2021-45417.patch" of type "text/x-diff" (3164 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.