From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] misc-progs: getipstat: Extend functionality
Date: Mon, 26 Apr 2021 12:14:51 +0100
Message-ID: <A4BF6E58-693E-4D76-A019-8F8131701382@ipfire.org>
In-Reply-To: <9cb073f65a19800c3f0e46c1be007b3a0308209d.camel@disroot.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2195257424922109473=="
List-Id: <development.lists.ipfire.org>

--===============2195257424922109473==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

> On 26 Apr 2021, at 12:04, Robin Roevens <robin.roevens(a)disroot.org> wrote:
>=20
> Hi Michael
>=20
> Michael Tremer schreef op ma 26-04-2021 om 11:40 [+0100]:
>> Hello Robin,
>>=20
>>> On 23 Apr 2021, at 17:22, Robin Roevens <
>>> robin.roevens(a)disroot.org
>>> > wrote:
>>>=20
>>> * bugfix: Make sure outputfiles are removed beforehand
>>> to prevent permission errors writing to them.
>>> * Add optional parameter "-x" to have iptables report exact numbers
>>> * Add optional parameter "-f <output_filename>" to save iptables
>>> filters table output to an alternate filename
>>> * Add optional parameter "-n <output_filename>" to save iptables
>>> nat table output to an alternate filename
>>> * Add optional parameter "-m <output_filename>" to save iptables
>>> mangle table output to an alternate filename
>>>=20
>>> Signed-off-by: Robin Roevens <
>>> robin.roevens(a)disroot.org
>>> >
>>> ---
>>> src/misc-progs/getipstat.c | 74 +++++++++++++++++++++++++++++++++++---
>>> 1 file changed, 69 insertions(+), 5 deletions(-)
>>>=20
>>> diff --git a/src/misc-progs/getipstat.c b/src/misc-progs/getipstat.c
>>> index c806d54a9..57ad81d46 100644
>>> --- a/src/misc-progs/getipstat.c
>>> +++ b/src/misc-progs/getipstat.c
>>> @@ -2,6 +2,15 @@
>>>  *
>>>  * Get the list from IPTABLES -L
>>>  *=20
>>> + * Optional commandline parameters:
>>> + *  -x=20
>>> + *   instruct iptables to expand numbers
>>=20
>> I would say that we should always call iptables with =E2=80=9C-x=E2=80=9D =
(I have no idea why this isn=E2=80=99t the default). There is no point to hav=
e this configurable because this command is not being called by a user and so=
 we should make a decision either way.
>=20
> Since the output was used on webgui pages, I assumed you wanted pretty prin=
ted sizes, for readability by the user (And I think I indeed prefer that on t=
he gui). Therefore I implemented it as an optional parameter. No problem for =
me to just use -x always and not make it optional but I do think it adds valu=
e to the command to the keep '-x' hence displaying pretty values on the webgu=
i and eventually the webgui could give the choice to the user to see the pret=
ty print or the exact print; defaulting to the pretty print, as it is pretty =
:-)

Oh, I must have confused this with =E2=80=9C-w=E2=80=9D, the locking paramete=
r. Wherever we present this data to the user (and only god knows why we are a=
ctually doing this), we should format sizes in something human readable, inde=
ed.

If there is a long option, we should probably use those, so that stupid peopl=
e like me do not confuse them (=E2=80=94-wait over -w, and =E2=80=94-exact ov=
er -x).

>>=20
>>> + *  -f <filter_rules_output_filename>
>>> + *   output filter table to alternative filename in /var/tmp/
>>=20
>> This is adding a shell command line injection vulnerability into the code =
which allows an unprivileged user to execute commands as root. More below.
>>=20
>>> + *  -n <nat_rules_output_filename>
>>> + *   output nat table to alternative filename in /var/tmp/
>>> + *  -m <mangle_rules_output_filename>
>>> + *   output mangle table to alternative filename in /var/tmp/
>>>  */
>>>=20
>>> #include <stdio.h>
>>> @@ -12,16 +21,71 @@
>>> #include <fcntl.h>
>>> #include "setuid.h"
>>>=20
>>> +int cmdOutputToFile(char *cmd, char *filename) {
>>> +	FILE *file;
>>> +	char command[STRING_SIZE];
>>>=20
>>> -int main(void)
>>> +	// remove file if it already exist to prevent permission denied errors
>>> +	// if we have no explicit write permission on it.
>>> +	if ((file =3D fopen(filename, "r"))) {
>>> +		fclose(file);
>>> +		if (remove(filename) !=3D 0) {
>>> +			fprintf(stderr, "\n%s could not be overwritten.\n", filename);
>>> +			return 1;
>>> +		}
>>> +	}
>>=20
>> You can simply use access() to check if a file already exists. That avoids=
 actually allocating a whole file descriptor.
>>=20
>>> +	// Execute command and redirect output to file
>>> +	snprintf(command, STRING_SIZE - 1, "%s > %s", cmd, filename);
>>> +	return safe_system(command);
>>=20
>> Here is the bit that introduces the vulnerability by passing through =E2=
=80=9Cfilename=E2=80=9D without any sanitisation.
>>=20
>> Since safe_system() is calling a shell, a filename like =E2=80=9C/dev/null=
; reboot=E2=80=9D would reboot the system. Trying to open the file before wil=
l work fine, because almost anything is a legal filename.
>>=20
>> So this solution is not acceptable as it pretty much allows anyone to run =
anything.
>=20
> Well.. I haven't really touched any C/C++ code since I graduated from schoo=
l some 20 years ago .. so it was already a bit of a challenge for me to come =
up with the current code. Absolutely oblivious to possible vulnerabilities.
> Luckily you catched it :-).

This is why we are doing this review process. And although it sometimes seems=
 painful, it is very much worth it.

>=20
>>=20
>>> +}
>>> +
>>> +int main(int argc, char** argv)
>>> {
>>> +	// Set defaults
>>> +	char params[STRING_SIZE] =3D "-L -v -n";
>>> +	char out_file_filter[STRING_SIZE] =3D "/var/tmp/iptables.txt";
>>> +	char out_file_nat[STRING_SIZE] =3D "/var/tmp/iptablesnat.txt";
>>> +	char out_file_mangle[STRING_SIZE] =3D "/var/tmp/iptablesmangle.txt";
>>> +
>>> +	int opt;
>>> +	char command[STRING_SIZE];
>>> +=09
>>> 	if (!(initsetuid()))
>>> 		exit(1);
>>>=20
>>> -	safe_system("/sbin/iptables -L -v -n > /var/tmp/iptables.txt");
>>> -	safe_system("/sbin/iptables -L -v -n -t nat > /var/tmp/iptablesnat.txt"=
);
>>> -	safe_system("/sbin/iptables -t mangle -L -v -n > /var/tmp/iptablesmangl=
e.txt");
>>> -	safe_system("chown nobody.nobody /var/tmp/iptables.txt /var/tmp/iptable=
snat.txt /var/tmp/iptablesmangle.txt");
>>> +	// Parse command line params
>>> +	if (argc > 1) {
>>> +		while ((opt =3D getopt(argc, argv, "xf:n:m:")) !=3D -1) {
>>> +			switch(opt) {
>>> +				case 'x':
>>> +					strcat(params, " -x");
>>> +					break;
>>=20
>> See above.
>>=20
>>> +				case 'f':
>>> +					snprintf(out_file_filter, STRING_SIZE - 1, "/var/tmp/%s", optarg);
>>> +					break;
>>> +				case 'n':
>>> +					snprintf(out_file_nat, STRING_SIZE - 1, "/var/tmp/%s", optarg);
>>> +					break;
>>> +				case 'm':
>>> +					snprintf(out_file_mangle, STRING_SIZE - 1, "/var/tmp/%s", optarg);
>>> +					break;
>>=20
>> I agree with the argument parsing. We should simply expect one of -f, -n o=
r -m being passed and then only run the one command.
>>=20
>> A much better solution would be to not write the output to disk at all (sa=
ves the whole sanitisation headache), but just output it to the console. That=
 way, we can parse it very easily in the existing perl CGI scripts because we=
 do not do anything else but reading the file back again; and you can do the =
same in Zabbix.
>>=20
>> Is that an acceptable solution for you?
>=20
> That is absolutely acceptable for me, as I already thought it to be a bit c=
umbersome handling this through files.

I guess this file was written by someone who couldn=E2=80=99t implement it in=
 any better way. We unfortunately have loads of code that isn=E2=80=99t techn=
ically the best (or remotely a good) solution, so I am happy to fix that now.=
 We all learned a lot over the years.

> I will try to rework this when I have clarity about '-x' (see above) and ad=
apt any cgi that is using it.

So if you simply call safe_system() with string that doesn=E2=80=99t change, =
you are fine.

I would also suggest to use run() which avoids the shell (and therefore a who=
le class of vulnerabilities) and takes an array which makes it easier to add =
the filter/nat/mangle options. There are lots of examples in src/misc-progs, =
but feel free to ask any questions on here.

Best,
-Michael

>=20
> Regards
> Robin
>=20
>>=20
>> Best,
>> -Michael
>>=20
>>> +				default:
>>> +					fprintf(stderr, "\nBad argument given.\n\ngetipstat [-x][-f <filter=
_rules_output_filename>][-n <nat_rules_output_filename>][-m <mangle_rules_out=
put_filename>]\n");
>>> +					exit(1);
>>> +			}
>>> +		}
>>> +	}
>>> +
>>> +	// Generate ipstat files
>>> +	snprintf(command, STRING_SIZE - 1, "/sbin/iptables %s", params);
>>> +	cmdOutputToFile(command, out_file_filter);
>>> +	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat %s", params);
>>> +	cmdOutputToFile(command, out_file_nat);
>>> +	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle %s", param=
s);
>>> +	cmdOutputToFile(command, out_file_mangle);
>>> +	snprintf(command, STRING_SIZE - 1, "chown nobody.nobody %s %s %s", out_=
file_filter, out_file_nat, out_file_mangle);
>>> +	safe_system(command);
>>> =09
>>> 	return 0;
>>> }
>>> --=20
>>> 2.31.1
>>>=20
>>>=20
>>> --=20
>>> Dit bericht is gescanned op virussen en andere gevaarlijke
>>> inhoud door MailScanner en lijkt schoon te zijn.
>>>=20
>>=20
>>=20
>=20
> --=20
> Dit bericht is gescanned op virussen en andere gevaarlijke=20
> inhoud door MailScanner en lijkt schoon te zijn.


--===============2195257424922109473==--