
get cpuprof and get memprof commands exist symlink-attacks vulnerability. #4484

Closed
toptotu opened this issue Feb 7, 2021 · 6 comments

@toptotu

toptotu commented Feb 7, 2021

Dear beego Team,

I would like to report a security vulnerability in Beego's admin module.

The vulnerable code is in the profile.go file: the MemProf and GetCPUProfile functions do not correctly check whether the created file already exists. As a result, attackers can launch symlink attacks locally.

PoC code:
https://play.golang.org/p/TAvghgm_7fY

package main

import (
	"fmt"
	"os"
)

func main() {
	// os.Create truncates whatever cpu-pid.pprof resolves to, symlink target included.
	file, err := os.Create("cpu-pid.pprof")
	if err != nil {
		fmt.Printf("Error creating file: %s", err)
		return
	}
	defer file.Close()
	_, err = file.Write([]byte("My logs for this process"))
	if err != nil {
		fmt.Println(err)
	}
}

$ ln -s other/logs cpu-pid.pprof
$ go build symlink_attack.go
$ ./symlink_attack
$ cat other/logs
My logs for this process
$
@toptotu toptotu changed the title The /proc interface parameter of the admin service is get cpuprof and get memprof commands, which have a symlink-attacks vulnerability. get cpuprof and get memprof commands, which have a symlink-attacks vulnerability. Feb 7, 2021
@toptotu toptotu changed the title get cpuprof and get memprof commands, which have a symlink-attacks vulnerability. get cpuprof and get memprof commands exist symlink-attacks vulnerability. Feb 7, 2021
@flycash flycash self-assigned this Feb 7, 2021
@flycash flycash added kind/bug Definite and accepted bugs priority/P0 labels Feb 7, 2021
@flycash
Collaborator

flycash commented Feb 10, 2021

From my understanding, if attackers could run ln -s other/logs cpu-pid.pprof, they could do something more dangerous.

@toptotu
Author

toptotu commented Feb 19, 2021

> From my understanding, if attackers could run ln -s other/logs cpu-pid.pprof, they could do something more dangerous.

Exactly. Attackers can use this vulnerability to escalate privileges.

@flycash
Collaborator

flycash commented Feb 19, 2021

> Exactly. Attackers can use this vulnerability to escalate privileges.

I am still confused.

Attackers ran ln -s other/logs cpu-pid.pprof and we output the profile data into this file; how did they escalate privileges?

I mean, why don't they do something more dangerous directly instead of running ln -s other/logs cpu-pid.pprof?

@toptotu
Author

toptotu commented Feb 20, 2021

> Exactly. Attackers can use this vulnerability to escalate privileges.
>
> I am still confused.
>
> Attackers ran ln -s other/logs cpu-pid.pprof and we output the profile data into this file; how did they escalate privileges?
>
> I mean, why don't they do something more dangerous directly instead of running ln -s other/logs cpu-pid.pprof?

What I mean is that in special scenarios there are unauthorized attacks. The beego application runs with root permissions, and the pprof file it writes can be pre-created by a low-privilege user using the symlink method, which may cause unauthorized overwriting.

@flycash
Collaborator

flycash commented Feb 21, 2021

Got it.

@flycash
Collaborator

flycash commented Apr 6, 2021

There are many similar cases in Beego. For example, the log files. So I think we don't need to do more things about it, because if we want to enhance this, we should enhance all similar cases. More importantly, I think users should be responsible for ensuring that their servers are safe :(
I don't have any good idea to resolve this problem.
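The behaviour from the PoC above, with the usual mitigation beside it, as an added example that is not part of this issue or of Beego's code: the same os.Create-style write follows a planted symlink, while opening with O_CREATE|O_EXCL fails on any pre-existing path (a symlink included, dangling or not), so nothing is overwritten. writeProfile and demo are hypothetical names, and the other/logs layout is constructed to match the report.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeProfile writes data to path. exclusive=false mirrors the report's
// os.Create (truncate whatever path resolves to, symlinks included);
// exclusive=true adds O_EXCL, so open(2) fails if anything already sits at path.
func writeProfile(path string, data []byte, exclusive bool) error {
	flags := os.O_WRONLY | os.O_CREATE | os.O_TRUNC
	if exclusive {
		flags = os.O_WRONLY | os.O_CREATE | os.O_EXCL
	}
	f, err := os.OpenFile(path, flags, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo recreates the report's layout inside dir (cpu-pid.pprof planted as a symlink
// to other/logs) and returns other/logs after each write, plus the O_EXCL error.
func demo(dir string) (afterCreate, afterExcl string, exclErr error) {
	target := filepath.Join(dir, "other", "logs")
	link := filepath.Join(dir, "cpu-pid.pprof")
	os.MkdirAll(filepath.Dir(target), 0o700)
	os.WriteFile(target, []byte("original logs"), 0o600)
	if err := os.Symlink(target, link); err != nil {
		return "", "", err
	}
	writeProfile(link, []byte("profile data"), false) // follows the link
	a, _ := os.ReadFile(target)
	os.WriteFile(target, []byte("original logs"), 0o600) // reset the target
	exclErr = writeProfile(link, []byte("profile data"), true) // refused with EEXIST
	b, _ := os.ReadFile(target)
	return string(a), string(b), exclErr
}

func main() {
	dir, _ := os.MkdirTemp("", "pprof-demo")
	defer os.RemoveAll(dir)
	a, b, err := demo(dir)
	fmt.Printf("os.Create:  other/logs = %q\n", a)
	fmt.Printf("O_EXCL:     other/logs = %q, err: %v\n", b, err)
}
```

Writing into a private directory created with os.MkdirTemp, rather than the working directory, removes the shared-namespace precondition entirely; O_EXCL is the check to keep in either case.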
