Fixing a mess: Symlinks and security Opening Windows to a Wider - PowerPoint PPT Presentation

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. Fixing a mess: Symlinks and security Opening Windows to a Wider World Opening Windows to a Wider World Das Bild kann derzeit nicht angezeigt werden. Jeremy Allison Samba Team jra@samba.org

Das Bild kann derzeit nicht angezeigt werden. In the beginning.. Das Bild kann derzeit nicht angezeigt werden. ● Fileserving is conceptually very simple. Samba (smbserver) Opening Windows to a Wider World Opening Windows to a Wider World was a simple proxy for client requests. ● Client says “open this pathname” – Server makes the pathname relative to the exported share (*). – Server returns handle internally mapped to file descriptor. ● Client uses handle to make further requests (read/write/close/etc.). ● Easy – job done ! ● (*) The devil is in the details.

Pathname problems Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. ● Windows pathnames are different from UNIX/Posix/Linux. Opening Windows to a Wider World Opening Windows to a Wider World ● Prohibited characters ':', different character sets. ● Local pathnames can start with “/”, and contain “.” and “..” ● Client-sent pathnames need processing: – Early code stripped off any leading “/” – Walked the path removing “.” – Walked the path backing up to the previous “/” on “..” – Ensured the resulting path started with “./” ● Amazingly enough, this protects from all client attempts to break out of an exported share.

Das Bild kann derzeit nicht angezeigt werden. Enter the symlink Das Bild kann derzeit nicht angezeigt werden. ● What are symlinks ? Opening Windows to a Wider World Opening Windows to a Wider World – Usually 4096 byte key/value store. – Key is pathname, value stored in place of file contents. – Metadata in file system causes kernel to treat them differently. – Came from Berkeley in BSD 4.2 in 1983. ● When parsing pathnames kernel reads contents of symlink (value) – If contents start with “/” replace current path and restart parsing – If contents don't start with “/” replace last parsed component

Symlink effects Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. Opening Windows to a Wider World Opening Windows to a Wider World ● Samba users started adding symlinks inside shares to make their lives easier. – Smbd server didn't treat symlink paths any differently, it just follows them. ● Less than one minute later someone added an absolute symlink to /etc/passwd. Oh. – “Houston, we have a problem...” – We needed to find a way to say “I'm sorry Dave, I can't do that”.

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. The Unbearable Uselessness of POSIX Opening Windows to a Wider World Opening Windows to a Wider World ● Casting around inside modern POSIX, O_NOFOLLOW seems like a good idea. ● From the POSIX spec: – “ O_NOFOLLOW - If pathname is a symbolic link, then the open fails, with the error ELOOP. ” – This does not do what you think it does. Read on. ● “ Symbolic links in earlier components of the pathname will still be followed. ” – THIS IS NEVER WHAT YOU WOULD WANT ! – Only way to use this is to walk the path, component by

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. The lstat solution ? Opening Windows to a Wider World Opening Windows to a Wider World ● OK, O_NOFOLLOW is a bust. How about changing all calls to stat() into lstat(). – lstat() can tell you if a pathname is a symbolic link. – Only works for the last component. ● This suffers from the same problem as O_NOFOLLOW. – Path must be walked, component by component. ● Unfortunately that's not what smbd does. – On client request for a share, smbd changes directory to the root of that share. All calls are then relative to the $cwd.

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. POSIX giveth and POSIX taketh away Opening Windows to a Wider World Opening Windows to a Wider World ● Next possible solution: realpath(). – “r ealpath() expands all symbolic links and resolves references to /./, /../ and extra '/' characters in the null- terminated string named by path to produce a canonicalized absolute pathname ”. ● Seems perfect. How to use: – Process client name as previously described. – If required, pass relative name from client to realpath(). ● Obtains absolute path guaranteed to have no symlinks. – Check that the exported share path are the leading

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. The End of the talk ! Opening Windows to a Wider World Opening Windows to a Wider World ● Using realpath() provides a perfect solution. – But what about.. ? ● Can be controlled by a smb.conf switch to allow people who want insecure symlinks to work. – No really, what about.. ? ● Allows all smbd pathnames to be $cwd-relative to the root of the share, no code disruption or major changes. – All I'm saying is can't the client.. ● SHUT UP, SHUT UP, I CAN'T HEAR YOU. LA LA LA !!! And so things stayed for many years..

Das Bild kann derzeit nicht angezeigt werden. The First Cracks in the Das Bild kann derzeit nicht angezeigt werden. Solution Opening Windows to a Wider World Opening Windows to a Wider World ● Symlinks can only be created on the exported filesystem by an authenticated user with local access. – So even if smbd did allow access outside the share via a symlink, it's no worse than what a logged-on user can do locally. ● This ignores NFS. – If the filesystem is exported by NFS as well as smbd, then an attacker can create a remote symlink that smbd will follow. ● Don't use NFS, don't export the same areas via both protocols. – But realpath() still saves us, right ?

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. More Cracks in the Walls ● UNIX extensions for SMB1 get implemented in smbd. Opening Windows to a Wider World Opening Windows to a Wider World – Little consideration of security concerns when designed or implemented. – Allowing SMB1 to give full POSIX semantics enabling SMB1 UNIX clients to host user home directories or even full remote boot was the priority. ● Client can create symlinks on the server. – In a spectacular failure of judgement, I implement this as a direct call to symlink() inside smbd. No modification of the incoming symlink value sent from the client. – “ Well it might be useful to have the server-side processes

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. Structural Failure Imminent ● A user pointed out that Samba didn't implement the Opening Windows to a Wider World Opening Windows to a Wider World Windows “open with backup intent” flag. – If a connected user has SeBackup Privilege they can ignore ACL restrictions. – For smbd, this means doing everything as root. ● Code quality had improved since the early days. Explicitly doing everything as root needs some careful consideration. ● Parallel filename resolution path created – check_reduced_name_with_privilege(). – Complex solution outside of main code paths.

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. The House Falls Down Opening Windows to a Wider World Opening Windows to a Wider World ● On Thu, 15 Dec 2016, security@samba.org gets an email from Jann Horn of the Google Zero Day Initiative with the subject: “security bug report: symlink race permits opening files outside share directory” ● Included was a proof of concept patch to smbclient that exposes the race condition inherent in checking the client pathname with realpath() followed by the open() call. – I'm lucky enough to see this. Immediately I know we're hosed. I squirm for a few minutes as the proof of concept never works unless smbd is slowed down via strace(). – We have to fix this properly. This is going to be painful.

Das Bild kann derzeit nicht angezeigt werden. Das Bild kann derzeit nicht angezeigt werden. Fun with TOCTOU Server Client Opening Windows to a Wider World Opening Windows to a Wider World 1) Open file 1) OK, Is a/long/pathname/secret ins “a/long/pathname/secret” realpath(a/long/pathname/secret) → /share/a/long/pathname/secret Looks good to me ! 2) Rename “a/long/pathname” 2) realpath(a/long/pathname) to “a/long/get-out-of-my-way” → /share/a/long/pathname Looks good to me ! Rename completed. 3) Symlink “a/long/pathname” 3) a/long/pathname is good. Anything i to “/etc” 1) open(a/long/pathname/secret) Here Have a nice day !

Das Bild kann derzeit nicht angezeigt werden. How to fix ? Idea #1 Das Bild kann derzeit nicht angezeigt werden. ● Immediate patch idea – change UNIX extensions symlink Opening Windows to a Wider World Opening Windows to a Wider World to add “smbsym:” prefix to any incoming symlink target. Strip this out when client requests symlink target. ● Works by making any symlink target implicitly into a path relative to the directory including it. – Nice idea, but breaks lots of existing setups. – Targets including “../” still need careful handling. – Doesn't fix NFS or local races. ● Doesn't work. Not a complete or safe fix. Might be worth revisiting when creating SMB3 UNIX extensions spec.