packages/cockpit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-6126

Browse Source 
(cherry picked from commit db7bd85b2204926940e843df767e0f0f62b1750c)
This commit is contained in:
lingsheng 2024-07-04 03:00:43 +00:00 committed by openeuler-sync-bot
parent 97972aeeb4
commit 12440c960e
2 changed files with 167 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
backport-CVE-2024-6126.patch Normal file
View File

@ -0,0 +1,156 @@
From 08965365ac311f906a520cbf65427742d5f84ba4 Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@redhat.com>
Date: Mon, 10 Jun 2024 10:49:56 +0200
Subject: [PATCH] pam-ssh-add: Fix insecure killing of session ssh-agent
[CVE-2024-6126]
Some distributions like Debian 12, or possibly some administrators
enable pam_env's deprecated `user_readenv` option [1]. The user session
can change the `$SSH_AGENT_PID`, so that it can pass an arbitrary pid to
`pam_sm_close_session()`. This is a local authenticated DoS.
Avoid this by storing the agent pid in a global variable. The
cockpit-session process stays around for the entire session time, so we
don't need to put the pid into the PAM data.
It can also happen that the user session's ssh-agent gets killed, and
some other process later on recycles the PID. Temporarily drop
privileges to the target user so that we at least don't kill anyone
else's process.
Add an integration test which checks that changing the env variable
works, pointing it to a different process doesn't kill that, and
ssh-agent (the original pid) is still cleaned up correctly. However, as
pam_so.env in Fedora crashes hard, skip the test there.
Many thanks to Paolo Perego <paolo.perego@suse.com> for discovering,
and Luna Dragon <luna.dragon@suse.com> for reporting this issue!
[1] https://man7.org/linux/man-pages/man8/pam_env.8.html
CVE-2024-6126
https://bugzilla.redhat.com/show_bug.cgi?id=2290859
---
src/pam-ssh-add/pam-ssh-add.c | 46 ++++++++++++++++++++++++++++-------
test/verify/check-session | 33 +++++++++++++++++++++++++
2 files changed, 70 insertions(+), 9 deletions(-)
diff --git a/src/pam-ssh-add/pam-ssh-add.c b/src/pam-ssh-add/pam-ssh-add.c
index a9159d71004..839b797d215 100644
--- a/src/pam-ssh-add/pam-ssh-add.c
+++ b/src/pam-ssh-add/pam-ssh-add.c
@@ -54,6 +54,9 @@ const char *pam_ssh_agent_arg = NULL;
const char *pam_ssh_add_program = PATH_SSH_ADD;
const char *pam_ssh_add_arg = NULL;
+static unsigned long ssh_agent_pid;
+static uid_t ssh_agent_uid;
+
/* Environment */
#define ENVIRON_SIZE 5
#define PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -866,6 +869,25 @@ start_agent (pam_handle_t *pamh,
error ("couldn't set agent environment: %s",
pam_strerror (pamh, res));
}
+
+ /* parse and store the agent pid for later cleanup */
+ if (strncmp (auth_pid, "SSH_AGENT_PID=", 14) == 0)
+ {
+ unsigned long pid = strtoul (auth_pid + 14, NULL, 10);
+ if (pid > 0 && pid != ULONG_MAX)
+ {
+ ssh_agent_pid = pid;
+ ssh_agent_uid = auth_pwd->pw_uid;
+ }
+ else
+ {
+ error ("invalid SSH_AGENT_PID value: %s", auth_pid);
+ }
+ }
+ else
+ {
+ error ("unexpected agent pid format: %s", auth_pid);
+ }
}
free (auth_socket);
@@ -952,19 +974,25 @@ pam_sm_close_session (pam_handle_t *pamh,
int argc,
const char *argv[])
{
- const char *s_pid;
- int pid = 0;
parse_args (argc, argv);
/* Kill the ssh agent we started */
- s_pid = pam_getenv (pamh, "SSH_AGENT_PID");
- if (s_pid)
- pid = atoi (s_pid);
-
- if (pid > 0)
+ if (ssh_agent_pid > 0)
{
- debug ("Closing %d", pid);
- kill (pid, SIGTERM);
+ debug ("Closing %lu", ssh_agent_pid);
+ /* kill as user to guard against crashing ssh-agent and PID reuse */
+ if (setresuid (ssh_agent_uid, ssh_agent_uid, -1) < 0)
+ {
+ error ("could not drop privileges for killing ssh agent: %m");
+ return PAM_SESSION_ERR;
+ }
+ if (kill (ssh_agent_pid, SIGTERM) < 0 && errno != ESRCH)
+ message ("could not kill ssh agent %lu: %m", ssh_agent_pid);
+ if (setresuid (0, 0, -1) < 0)
+ {
+ error ("could not restore privileges after killing ssh agent: %m");
+ return PAM_SESSION_ERR;
+ }
}
return PAM_SUCCESS;
}
diff --git a/test/verify/check-session b/test/verify/check-session
index 56a0fc08c04..21812f32507 100755
--- a/test/verify/check-session
+++ b/test/verify/check-session
@@ -86,6 +86,39 @@ class TestSession(testlib.MachineCase):
b.logout()
wait_session(should_exist=False)
+ # try to pwn $SSH_AGENT_PID via pam_env's user_readenv=1 (CVE-2024-6126)
+
+ if m.image in ["fedora-39", "fedora-40", "centos-10", "rhel-10-0"]:
+ # pam_env user_readenv crashes in Fedora/RHEL 10, skip the test
+ # https://bugzilla.redhat.com/show_bug.cgi?id=2293045
+ return
+ if m.ostree_image:
+ # not using cockpit's PAM config
+ return
+
+ # this is enabled by default in tools/cockpit.debian.pam, as well as
+ # Debian/Ubuntu's /etc/pam.d/sshd; but not in Fedora/RHEL
+ if "debian" not in m.image and "ubuntu" not in m.image:
+ self.write_file("/etc/pam.d/cockpit", "session required pam_env.so user_readenv=1\n", append=True)
+ victim_pid = m.spawn("sleep infinity", "sleep.log")
+ self.addCleanup(m.execute, f"kill {victim_pid} || true")
+ self.write_file("/home/admin/.pam_environment", f"SSH_AGENT_PID={victim_pid}\n", owner="admin")
+
+ b.login_and_go()
+ wait_session(should_exist=True)
+ # starts ssh-agent in session
+ m.execute("pgrep -u admin ssh-agent")
+ # but the session has the modified SSH_AGENT_PID
+ bridge = m.execute("pgrep -u admin cockpit-bridge").strip()
+ agent = m.execute(f"grep --null-data SSH_AGENT_PID /proc/{bridge}/environ | xargs -0 | sed 's/.*=//'").strip()
+ self.assertEqual(agent, str(victim_pid))
+
+ # logging out still kills the actual ssh-agent, not the victim pid
+ b.logout()
+ wait_session(should_exist=False)
+ m.execute("while pgrep -u admin ssh-agent; do sleep 1; done", timeout=10)
+ m.execute(f"test -e /proc/{victim_pid}")
+
if __name__ == '__main__':
testlib.test_main()

13
cockpit.spec
View File

@ -10,11 +10,14 @@
Name: cockpit Name: cockpit
Version: 309 Version: 309
Release: 1 Release: 2
Summary: A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers Summary: A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
License: LGPLv2+ License: LGPLv2+
URL: https://cockpit-project.org/ URL: https://cockpit-project.org/
Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
Patch6000: backport-CVE-2024-6126.patch
%define build_basic 1 %define build_basic 1
%define build_optional 1 %define build_optional 1
@ -58,7 +61,7 @@ Recommends: polkit NetworkManager-team setroubleshoot-server >= 3.3.3 sscg >
Recommends: udisks2-lvm2 >= 2.6 udisks2-iscsi >= 2.6 device-mapper-multipath clevis-luks virt-install Recommends: udisks2-lvm2 >= 2.6 udisks2-iscsi >= 2.6 device-mapper-multipath clevis-luks virt-install
%prep %prep
%setup -q -n cockpit-%{version} %autosetup -n cockpit-%{version} -p1
%build %build
%configure \ %configure \
@ -320,6 +323,12 @@ fi
%doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz,cockpit-tls.8.gz} %doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz,cockpit-tls.8.gz}
%changelog %changelog
* Thu Jul 04 2024 lingsheng <lingsheng1@h-partners.com> - 309-2
- Type:CVE
- ID:CVE-2024-6126
- SUG:restart
- DESC:fix CVE-2024-6126
* Tue Jan 23 2024 zhouwenpei <zhouwenpei1@h-partners.com> - 309-1 * Tue Jan 23 2024 zhouwenpei <zhouwenpei1@h-partners.com> - 309-1
- Type:NA - Type:NA
- ID:NA - ID:NA