Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <1490987389.392790.930214152.29A71F3D@webmail.messagingengine.com>
Date: Fri, 31 Mar 2017 14:09:49 -0500
From: Mark Felder <feld@...d.me>
To: oss-security@...ts.openwall.com
Subject: CVE Request -- mapr: information disclosure vulnerability

Hello,

The mapr web frontend component creates an information disclosure
vulnerability.  During the setup of mapr the configure.sh script calls a
function ConfigureWSRole:

function ConfigureWSRole() {
  if [ $clientOnly -eq 0 -a $dontChangeSecurityPermissionsOn -eq 0 ];
  then
    ConfigureRunUserForWS
  fi

This calls ConfigureRunUserForWS from configure-common.sh:

function ConfigureRunUserForWS() {
  local val=`getent group shadow 2>/dev/null`
  if [ "$?" != "0" -o "$val" = "" ]; then
    # Create a group named shadow
    groupadd shadow  >> $logFile 2>&1
  fi
  # Add CURR_USER to the group wheel
  if [ -f /etc/SuSE-release ]; then
      # Add CURR_USER to the group wheel for SUSE
      usermod -A shadow $MAPR_USER >> $logFile 2>&1
      STATUS=$?
      #
      # The '-A' option has been removed from SuSE 12 
      #
      if [ $STATUS -ne 0 ]; then
          usermod -a -G shadow $MAPR_USER  >> $logFile 2>&1
      fi
  else
      usermod -a -G $MAPR_GROUP,shadow $MAPR_USER  >> $logFile 2>&1
  fi
  # Change group-owner of /etc/shadow
  chgrp shadow /etc/shadow  >> $logFile 2>&1
  # Allow read permissions for user shadow
  chmod ug+r /etc/shadow >> $logFile 2>&1
}

This results in a shadow file that is now readable to the application:

# ls -la /etc/shadow
-r--r-----. 1 root shadow 657 Mar 30 16:09 /etc/shadow
# grep shadow /etc/group
shadow:x:1000:mapr

The option to disable this codepath, -no-auto-permission-update,  is not
recommended by Mapr and comes with a warning in the script as it will
break the webserver's ability to authenticate the local mapr user, which
is used to administer the cluster:

        echo "    -no-auto-permission-update - do not update the system
        security permissions automatically"
        echo "                             Warn: Features like WebServer
        might not work properly"
        echo "                             default: disabled"

The website docs[1] casually describe the option, "Pass this option to
prevent MapR from silently altering permissions in /etc/shadow."

These files are part of the mapr-core-internal package:

# rpm -fq /opt/mapr/server/configure.sh
mapr-core-internal-5.2.0.39122.GA-1.x86_64
# rpm -fq /opt/mapr/server/configure-common.sh
mapr-core-internal-5.2.0.39122.GA-1.x86_64


Thanks

[1] http://maprdocs.mapr.com/home/ReferenceGuide/configure.sh.html

-- 
  Mark Felder
  feld@...d.me

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.