Re: [Full-disclosure] Medium security hole in Varnish reverse proxy

2010-03-30 Thread Tim Brown
On Monday 29 March 2010 18:12:38 John Adams wrote:

> Post some code that people can evaluate.

I don't really like posting PoC code, but consider:

param.set user root
stop
start
vcl.inline test "backend default { .host = \"127.0.0.1\"; .port = \"8080\"; } 
C{ #include  }C sub vcl_recv { C{ system(\"touch /tmp/foo\"); }C 
}"
vcl.use test

Should give you some ideas

> For starters, There's no reason why varnish ever has to run as root.
> It never listens on privileged ports, and the C compiler is never
> available over a network interface.

The proxy process doesn't run as root by default, but that's not much 
consolation if the master process can reconfigure it at will.  The C compiler 
is available over whatever interface the master port is bound to, and in most 
cases that will be localhost:6082.  I've seen that as a default configuration 
for FreeBSD, Fedora, Debian and Ubuntu packages.

> You can ask varnish to reload a configuration and recompile it, but
> you'd have to have write access to the filesystem first.

Not strictly true, have a look at vcl.inline (as per the example above).

> You can also
> only cause recompilation to occur if the admin interface is up and
> running, which can be easily disabled.

True, but up until the latest version this was your only option since there 
was no authentication support and the default in many cases (including as 
noted in my advisory, the Redhat packaging files included in Varnish trunk) was 
to enable it.  The addition of authentication in 2.1.0 will /if enabled/ 
improve the situation no end.

> Poul is probably correct. Any vulnerabilities in Varnish with regards
> to privilege escalation are configuration issues.

Technically he is probably right but I still think the design sucks too, and 
let's be honest, an attacker probably doesn't need to make the distinction 
anyway.

Tim
-- 
Tim Brown
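An added audit check, not code from this thread or from the Varnish project: given a varnishd command line and a VCL file, it flags the conditions discussed above (management interface enabled, bound beyond loopback, or running without the secret-file authentication added in 2.1.0, plus inline C blocks in VCL). The -T and -S options are real varnishd flags; the sample command line and VCL are constructed for the example.

```python
import re
import shlex
import ipaddress

# Constructed samples (not captured from a real host), shaped like the package
# defaults the thread describes: management port on localhost:6082, no -S.
SAMPLE_CMDLINE = ("/usr/sbin/varnishd -a :80 -T localhost:6082 "
                  "-f /etc/varnish/default.vcl -u varnish -g varnish")
SAMPLE_VCL = 'backend default { .host = "127.0.0.1"; }\nC{ /* inline C */ }C\n'

INLINE_C = re.compile(r"C\{.*?\}C", re.S)  # varnishd's inline-C delimiters


def parse_varnishd_args(cmdline):
    """Collect the varnishd options this audit cares about: -T and -S."""
    args = shlex.split(cmdline)
    opts = {}
    i = 1
    while i < len(args):
        if args[i] in ("-T", "-S") and i + 1 < len(args):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            i += 1
    return opts


def is_loopback(host):
    """True only for localhost / 127.x / ::1; '' (all interfaces) is exposed."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(cmdline, vcl_text):
    """Return a list of findings; an empty list means nothing flagged."""
    opts = parse_varnishd_args(cmdline)
    findings = []
    if "-T" in opts:  # management interface enabled at all
        host = opts["-T"].rpartition(":")[0].strip("[]")
        if not is_loopback(host):
            findings.append("management interface bound beyond loopback: " + opts["-T"])
        if "-S" not in opts:  # 2.1.0 secret-file authentication not configured
            findings.append("management interface enabled without -S authentication")
    for block in INLINE_C.findall(vcl_text):  # inline C reaches the compiler
        findings.append("inline C block in VCL: " + " ".join(block.split()))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CMDLINE, SAMPLE_VCL):
        print("FINDING:", finding)
```

Disabling the management interface (no -T) clears the first two findings; the VCL check is there because inline C is what turns a reconfiguration into native code.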


Re: [Full-disclosure] Medium security hole in Varnish reverse proxy

2010-03-29 Thread John Adams
Post some code that people can evaluate.

For starters, there's no reason why varnish ever has to run as root.
It never listens on privileged ports, and the C compiler is never
available over a network interface.

You can ask varnish to reload a configuration and recompile it, but
you'd have to have write access to the filesystem first.  You can also
only cause recompilation to occur if the admin interface is up and
running, which can be easily disabled.

Poul is probably correct. Any vulnerabilities in Varnish with regards
to privilege escalation are configuration issues.

-j

On Mon, Mar 29, 2010 at 12:49 AM, Tim Brown  wrote:
> Hi,
>
> I've identified a couple of security flaws affecting the Varnish reverse proxy
> which may allow privilege escalation. These issues were reported by email to
> the vendor but he feels that it is a configurational issue rather than a design
> flaw.  Whilst I can partially see his point in that the administrative
> interface can be disabled, I'm not convinced that making a C compiler
> available over a network interface without authentication is sound practice,
> especially when the resultant compiled code can be made to run as root rather
> trivially.
>
> Tim
> --
> Tim Brown
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>