This morning a message was posted on bugtraq by Blazde/Roland about the recent Argus hacking contest at CeBit in Germany and an exploit he discovered on one of the systems being protected by one of the products in the Argus PitBull product line. I wanted to give an unofficial response to a few of the issues mentioned by Roland. I'm an employee of Argus (very technical, not marketing or sales, even though my title may not give you that impression) and am very familiar with the PitBull LX product that Roland was referring to. As Roland mentioned, he located a misconfiguration in our integration of the PitBull LX technology into the 'sysctl' system call. This system call makes a permission to see if a user can access its functionality. 'sysctl' allows a 'root' user to modify the modprobe kernel parameters. Therefore, a user must first become root in order to exploit this. In order to fix this problem, a simple security flag access check needs to be added to this system call. Once in place, this ability will no longer be available to attackers who are being restricted by the PitBull LX technology. Unfortunately for Roland, he never actually managed break the system in the way required for the contest. The systems in the contest stayed up almost half a day past the end of the contest, and much of Roland's work was done during that time. Roland did a great job of analyzing the system and showed a lot of persistence in tracking down potential exploits. I can understand his frustration for coming so close but missing the deadline. Apparently Roland's frustration was showing when he commented about the web sites "disappearing" and Argus not wanting to release an official press release. After each hacking contest, Argus disconnects the systems associated with hacking contest -- the CeBit contest was no different. The systems weren't even shut down immediately, they were left running for many hours. There was nothing diabolical about the fact that the systems were eventually shut down. This was definitely not an attempt to squeek by without noticing that something had happened. In fact, it was when the administrators of this contest logged in via sshd in order to shut down the systems that they tripped the "trojan" that Roland had put into place. Unfortunately, the code that was run by Roland did not modify the system in the proscribed way by the rules, and in fact was run after the contest had ended. There also seems to be a misunderstanding here about Argus not wanting the fact that this occurred to be made public. While we of course wish that we would have put the check into the 'sysctl' system call for security flags so that Roland would not have found a way to use it to his advantage, the fact is that Roland did in fact find a way to do it. The fact is that we received specific information on the exploit Wednesday in the late afternoon (Central Standard Time). The post to BugTraq was made available Friday morning. I believe that it is extremely unfortunate that we were not given much more than 24 hours to produce a patch for the problem, run it through our quality assurance group, and notify our customers and members of this forum of the problem. Let alone to release a press release that discusses the events. I am also sorry that Roland feels that we were unresponsive in regards to this problem. This is particularly troubling, as we are a company that prides itself on our responsiveness and support of our products. I believe this is very significant in an industry where the standard is to either blame any problems a companies software has on another vendor (it must be the OS's fault, or 'oh! your using X's product, well you should call them'), or to simply not return queries in anything close to a timely manner. With that said, a source code patch for the kernel is being attached to this message, and will be made available on the main Argus corporate web site as well as the Argus Revolution server. We are also notifying our customers of the problem. For Argus, PitBull LX is an extremely new product (our other mainstay product PitBull Foundation has been around for years). PitBull LX is the next generation of Trusted Operating System technology, and was designed from the ground up to provide the most important pieces of functionality that are found in traditional Trusted Operating Systems, but in a way that more closely matches the standard Unix environment and the security models that are being used in the real world to protect these systems. We are understandably very proud of the product, and had the confidence in the technology to make it a part of these contests in order to expose the technology to the world, and to put it in the ring (so to speak). It is gratifying to know that after spending a lot of time involving himself with the technology, and finding a problem in our security flag checks, that Roland still thinks highly of the technology. While we are hard at work making sure that our PitBull LX technology and product is properly integrated into the Linux environment, it is my hope that if additional problems are found in the product as it grows, we will be given the opportunity to demonstrate our responsiveness and dedication to providing a real security solution, rather than just snake oil. Sincerely, Jeff Thompson (aka Mythrandir) Software Evangelist and Visionary Argus Systems Group, Inc. http://www.argus-systems.com/ http://www.argusrevolution.com/
Patch ID: ASGLX20010301 Vulnerability: A root process may use sysctl(2) to modify kernel variables regardless of PitBull LX attributes. Fix: A process using sysctl(2) to modify a kernel variable will be subject to a PitBull attribute check. If the process has the ASG_RES_SYS flag set, the process will be unable to write new values to variables. If the process does not have the ASG_RES_SYS flag set, the process is only subject to the standard linux attribute checks. Caveat: This PitBull LX attribute check will also apply to process attempting to modify the variable by writing to its corresponding "/proc/sys" entry. Prerequisites: This is a source patch to the linux-2.2.16-argus source tree. This patch requires the installation of argus_kernel-source-1.0-2.2.16.i386.rpm. This package can be found in the product directory of the installation CD. Installation: 1) Change your working directory to "/usr/src/linux-2.2.16-argus". 2) Copy the patch "ASGLX20010330" to this directory. 3) Run the command "patch -p1 < ./ASGLX20010301.patch". 4) The source tree is now patched. You will now need to rebuild your kernel using following the guidelines presented in chapter 11 (Building a Customized Kernel) of the PitBull LX Administration Guide.
diff -Nur linux-2.2.16/kernel/sysctl.c linux-2.2.16-argus/kernel/sysctl.c --- linux-2.2.16/kernel/sysctl.c Fri Mar 30 15:22:03 2001 +++ linux-2.2.16-argus/kernel/sysctl.c Fri Mar 30 18:45:58 2001 @@ -1,4 +1,14 @@ /* + * Portions of this code Copyright (c) 2000-2001 by Argus Systems Group, Inc. + * + * http://www.argus-systems.com + * + * + * + * + */ + +/* * sysctl.c: General linux system control interface * * Begun 24 March 1995, Stephen Tweedie @@ -29,6 +39,10 @@ #include <linux/nfs_fs.h> #endif +#ifdef CONFIG_ARGUS +#include <linux/secmod.h> +#endif /* CONFIG_ARGUS */ + #if defined(CONFIG_SYSCTL) /* External variables not in a header file. */ @@ -353,6 +367,14 @@ static int test_perm(int mode, int op) { + +#ifdef CONFIG_ARGUS + if((op == S_IWOTH) && (SECFUNC(SECMOD_RESTRICT_SYS))) + { + return(-EACCES); + } +#endif /* CONFIG_ARGUS */ + if (!current->euid) mode >>= 6; else if (in_egroup_p(0))
