Releases: ossec/ossec-hids
Fix for CVE-2015-3222 which allows for root escalation via syscheck
Affected versions: 2.7 - 2.8.1
Beginning in OSSEC 2.7 (d88cf1c), a feature called report_changes was added to syscheck, the daemon that monitors a system for file changes. This feature is only available on *NIX systems. Its purpose is to help determine what about a file has changed. The logic that accomplishes this is found in src/syscheck/seechanges.c and reads as follows:
252 /* Run diff */
253 date_of_change = File_DateofChange(old_location);
254 snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\" > \"%s/local/%s/diff.%d\" "
255 "2>/dev/null",
256 tmp_location, old_location,
257 DIFF_DIR_PATH, filename + 1, (int)date_of_change);
258 if (system(diff_cmd) != 256) {
259 merror("%s: ERROR: Unable to run diff for %s",
260 ARGV0, filename);
261 return (NULL);
262 }
Above, on line 258, the system() call is used to shell out to the system's diff command. The raw filename is interpolated into that command string, which gives an attacker the possibility to run arbitrary code. Since the syscheck daemon runs as the root user so that it can inspect any file on the system for changes, any code run through this vulnerability also runs as root.
An example attack might be creating a file called foo-$(touch bar), which should create another file bar.
Again, this vulnerability exists only on *NIX systems and is contingent on the following criteria:
- A vulnerable version is in use.
- The OSSEC agent is configured to use syscheck to monitor the file system for changes.
- The list of directories monitored by syscheck includes those writable by underprivileged users.
- The report_changes option is enabled for any of those directories.
The fix for this is to create temporary trusted file names that symlink back to the original files, and to pass those trusted names, rather than the raw filename, when calling system() to run the system's diff command.
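The underlying principle of the fix is that a user-controlled filename must never be parsed by /bin/sh. The C program below is an added example written for this note; it is not OSSEC's seechanges.c or the project's actual patch. It passes each path to diff as a single argv element via fork()/execvp(), so a name like foo-$(touch bar) stays a literal filename, and it flags names containing shell metacharacters so a defender can log them. The SHELL_META list, the function names and the output-path handling are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Characters /bin/sh would interpret if a filename were spliced into a
 * command string, as the snprintf()+system() pattern in seechanges.c did.
 * Used here only to flag suspicious names for logging; the real defence is
 * never handing the name to a shell at all. (Assumed list for this example.) */
static const char SHELL_META[] = "$`\"'\\;&|<>(){}[]*?!#~ \t\r\n";

/* Returns 1 if `name` contains any shell metacharacter, else 0. */
int name_has_shell_meta(const char *name)
{
    return strpbrk(name, SHELL_META) != NULL;
}

/* Fill `argv` with {"diff", tmp_location, old_location, NULL}. Each path is
 * one argv element, so "foo-$(touch bar)" is passed verbatim. Returns the
 * number of non-NULL elements, or -1 if argv is too small. */
int build_diff_argv(const char *tmp_location, const char *old_location,
                    char **argv, size_t argv_len)
{
    if (argv_len < 4)
        return -1;
    argv[0] = "diff";
    argv[1] = (char *)tmp_location;
    argv[2] = (char *)old_location;
    argv[3] = NULL;
    return 3;
}

/* Run diff without a shell, writing its stdout to `out_path`. Returns diff's
 * exit status decoded with WEXITSTATUS (0 = identical, 1 = files differ,
 * 2 = error) or -1 on fork/exec/wait failure. system() instead returns a raw
 * wait status, which is why the original code compared against 256
 * (exit status 1 shifted into the high byte). */
int run_diff_noshell(const char *tmp_location, const char *old_location,
                     const char *out_path)
{
    char *argv[4];
    if (build_diff_argv(tmp_location, old_location, argv, 4) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: stdout -> out_path, stderr -> /dev/null, then exec diff */
        int out = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        int null = open("/dev/null", O_WRONLY);
        if (out < 0 || null < 0 || dup2(out, STDOUT_FILENO) < 0 ||
            dup2(null, STDERR_FILENO) < 0)
            _exit(127);
        execvp("diff", argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed filename modelled on the advisory's example. */
    const char *monitored = "/home/user/foo-$(touch bar)";
    char *argv[4];

    build_diff_argv("/var/ossec/tmp/copy", monitored, argv, 4);
    printf("argv[2] passed to diff verbatim: %s\n", argv[2]);
    printf("contains shell metacharacters: %s\n",
           name_has_shell_meta(monitored) ? "yes (log it)" : "no");
    return 0;
}
```

A syscheck-style daemon would call run_diff_noshell() where seechanges.c calls system(); the metacharacter check is a detection aid only, since a filename that merely looks odd is still a valid filename and must still be diffed correctly.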
Beta04 with more of the good stuff
2.9.0-beta04 Merging master->stable
New beta with more goodness
Merge pull request #536 from cgzones/analysisd analysisd: fix compiler warnings
2.9.0-beta: First Beta Release
2.9.0-beta02 only deploy on winagent
snapshot/20150112
Fix for CVE-2014-5284 which allows for root escalation via temp files
This includes a fix for the Security Issue identified by Jeff Petersen of Roka Security LLC. Full details of the issue are attached to this commit message.
This correction will create the temp file for the hosts deny file in /var/ossec and will use mktemp where available to create a NON-predictable temp file name. In cases where mktemp is not available we have written a BAD version of mktemp, but it should be a little better than just the process id.
Researcher Info
Jeff Petersen
Roka Security LLC
[email protected]
OSSEC 0.5 (released 11/2005) - 2.8
Affected code: all known versions
SHA1 checksum: 1d72a8cd347379ef7a533ba9633231c5bfedfa1a ossec-hids-2.8.tar.gz
OSSEC v2.8 provides a utility named "host-deny.sh" which may be used to add and remove IP addresses from the /etc/hosts.deny file. For example, too many unsuccessful attempts to log into the shell as root via sshd can trigger an automatic block of the offending IP address if the "active response" system is enabled (the default configuration option has it enabled). The IP address is then automatically removed after the block has expired (default is 600 seconds). The logic for the removal can be found in ossec-hids-2.8/active-response/host-deny.sh and is as follows:
111 # Deleting from hosts.deny
112 elif [ "x${ACTION}" = "xdelete" ]; then
113 lock;
114 if [ "X$UNAME" = "XFreeBSD" ]; then
115 cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> /tmp/hosts.deny.$$
116 mv /tmp/hosts.deny.$$ /etc/hosts.allow
117 else
118 cat /etc/hosts.deny | grep -v "ALL:${IP}$"> /tmp/hosts.deny.$$
119 cat /tmp/hosts.deny.$$ > /etc/hosts.deny
120 rm /tmp/hosts.deny.$$
121 fi
As shown above on lines 115 and 118, a predictable filename is written to the /tmp directory in the format of "/tmp/hosts.deny." followed by the process ID. Then the contents of the file are copied back to the /etc/hosts.deny file. This presents a race condition that any local user can perform:
- create the /tmp/hosts.deny.$$ file first
- wait for root to overwrite the file
- write your own data to the file before it is copied to /etc/hosts.deny
Though the window of attack is very small, this attack has been 100% reliable on a test system by monitoring the file via inotify(7).
In addition to the previous information that was sent, it should be noted that this vulnerability can result in command execution as the root user via the "twist" option (see hosts_options(5) for more info).
An example from my proof of concept is below.
# [user@host ~]$ ./ossec2root.pl
# Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ...done
# Monitoring /tmp ...
#
# (ssh root@host a few times with an incorrect password)
# (10 minutes pass???)
#
# [user@host ~]$ cat /etc/hosts.deny
# cat /etc/hosts.deny
# sshd : ALL : twist id | wall
#
Now whenever anyone connects to sshd on the host, the command "id | wall" will be executed as root.
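The commit message above describes the fix as moving the temp file out of /tmp and giving it an unpredictable name via mktemp. The C function below is an added example of that principle written for this note; it is not the project's patched host-deny.sh. It rewrites a hosts.deny-style file using mkstemp() in the target file's own directory (assumed root-owned, so an unprivileged user cannot pre-create anything there), which gives an unpredictable name, O_EXCL creation and mode 0600, and then replaces the target with an atomic rename(). The function names, the ".tmp.XXXXXX" suffix and the constructed hosts.deny entries are assumptions for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rewrite `path` so that every line exactly equal to `drop` is removed.
 * The scratch file is created with mkstemp() beside `path`, not in /tmp:
 * its name is unpredictable, mkstemp opens with O_CREAT|O_EXCL and 0600,
 * so a file planted in advance is never reused, and rename() swaps the new
 * file in atomically. Returns the number of lines dropped, or -1 on error. */
int remove_line_from_file(const char *path, const char *drop)
{
    static const char suffix[] = ".tmp.XXXXXX";
    char tmpl[4096];
    const char *slash = strrchr(path, '/');
    size_t dirlen = slash ? (size_t)(slash - path + 1) : 0;

    if (dirlen + sizeof suffix > sizeof tmpl)
        return -1;
    memcpy(tmpl, path, dirlen);
    memcpy(tmpl + dirlen, suffix, sizeof suffix);

    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;

    FILE *in = fopen(path, "r");
    FILE *out = fdopen(fd, "w");
    if (!in || !out) {
        if (in) fclose(in);
        if (out) fclose(out); else close(fd);
        unlink(tmpl);
        return -1;
    }

    /* Copy line by line. A line longer than the buffer arrives in pieces,
     * none of which can equal `drop`, so it is passed through unchanged. */
    char line[1024];
    int dropped = 0;
    while (fgets(line, sizeof line, in)) {
        size_t n = strlen(line);
        int nl = n > 0 && line[n - 1] == '\n';
        if (nl) line[n - 1] = '\0';
        if (strcmp(line, drop) == 0) { dropped++; continue; }
        fputs(line, out);
        if (nl) fputc('\n', out);
    }
    fclose(in);

    /* Keep the original mode: hosts.deny must stay readable by the services
     * that consult it, and mkstemp created the new file as 0600. */
    struct stat st;
    if (stat(path, &st) == 0)
        fchmod(fd, st.st_mode & 07777);

    if (fclose(out) != 0 || rename(tmpl, path) != 0) {
        unlink(tmpl);
        return -1;
    }
    return dropped;
}

/* Build a constructed hosts.deny inside a private 0700 directory (standing in
 * for a root-owned one), remove one entry, and copy the resulting contents
 * into `out`. Returns the number of lines dropped, or -1. This exists so the
 * behaviour can be checked without touching /etc. */
int sample_rewrite(char *out, size_t outlen)
{
    char dir[] = "/tmp/denydemo.XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char path[256];
    snprintf(path, sizeof path, "%s/hosts.deny", dir);

    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("ALL:10.0.0.5\nALL:192.0.2.9\n", f); /* constructed sample entries */
    fclose(f);

    int dropped = remove_line_from_file(path, "ALL:10.0.0.5");

    f = fopen(path, "r");
    size_t n = f ? fread(out, 1, outlen - 1, f) : 0;
    out[n] = '\0';
    if (f) fclose(f);
    unlink(path);
    rmdir(dir);
    return dropped;
}

int main(void)
{
    char buf[256];
    int dropped = sample_rewrite(buf, sizeof buf);
    printf("dropped %d line(s); file now:\n%s", dropped, buf);
    return 0;
}
```

The two properties that matter are the directory (one unprivileged users cannot write to) and the creation flags (O_EXCL, so an attacker-planted file causes a failure rather than being written through); the atomic rename() additionally means a reader never sees a half-written hosts.deny.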
OSSEC HIDS Release Version 2.8.0
Downloads & checksum
Agent 2.8 – Windows
https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-agent-win32-2.8.exe
Server/Agent 2.8 – Linux/BSD
https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz
Change log
- bug fix of eventchannel timestamp (pull request by jrossi)
- Align eventchannel log format with eventlog, fixes #155 (pull request by gaelmuller)
- fix active-response on mac os installation (pull request by jknockaert)
- os_net fixes (pull request by cgzones)
- Fixes #194. Checks for both paths of openssl (pull request by harshilmathur)
- os_regex review (pull request by cgzones)
- os_regex unit tests #2 (pull request by cgzones)
- Windows agent UI version and Copyright update (pull request by jbcheng)
- os_regex unit tests (pull request by cgzones)
- [tests] explicit enable branch coverage for new version of lcov (pull request by cgzones)
- [os_xml] fix possible array underflows: see coverity (pull request by cgzones)
- Avoid a crash of agentd on Solaris. (pull request by danpop60)
- Use the environment for the CC binary (pull request by jrossi)
- Fixes to win32 installation (pull request by awiddersheim)
- Fix windows agent compile error/warnings #define ENOBUFS, ALERT_SYSTEM_ERR (pull request by jbcheng)
- Moving ossec-lua back to posix so that we do not have a libreadline dep (pull request by jrossi)
- os_xml refresh2 (pull request by cgzones)
- Added more Vista+-associated event IDs for existing rules (pull request by mstarks01)
- Added #include for errno.h in os_net.c (pull request by denied39)
- Fixes to win32 (un)installation process (pull request by awiddersheim)
- Removing event ID 676 (pull request by mstarks01)
- Remove event ID 672 (pull request by mstarks01)
- Added <email_idsname> option to ossec.conf (additional email header) (pull request by dopefish)
- Fix make.sh files for win32 (pull request by awiddersheim)
- Continue removing the bro-ids stuff (pull request by ddpbsd)
- os_xml review (pull request by cgzones)
- Unittest os regex (pull request by jrossi)
- Fix compile warnings with win32 (pull request by awiddersheim)
- Remove win32 service start and stop executables (pull request by awiddersheim)
- os_zlib update (pull request by cgzones)
- enable full clang support and remove gcc dependencies (pull request by cgzones)
- Added error checking to ossec.conf installation (pull request by awiddersheim)
- Show details during win32 installation (pull request by awiddersheim)
- Fixes to win32 services (pull request by awiddersheim)
- Added /? as a parameter to ossec-agent on win32 (pull request by awiddersheim)
- Update manage_keys.c (pull request by awiddersheim)
- Use file command in ossec-installer.nsi (pull request by awiddersheim)
- Fixes to ossec-installer.nsi (pull request by awiddersheim)
- SetDateSave off in ossec-installer.nsi (pull request by awiddersheim)
- Grandstream ATA decoder (pull request by mstarks01)
- A simple script to calculate OSSEC events-per-second (pull request by mstarks01)
- removing deploy from travis-ci (pull request by jrossi)
- ossec-lua lua interpreter (pull request by jrossi)
- Fixing route-null active response on Windows (pull request by mstarks01)
- Remove ui.nsi (pull request by awiddersheim)
- Fixes to ossec-installer.nsi (pull request by awiddersheim)
- Fixes to ossec-installer.nsi (pull request by awiddersheim)
- add eventchannel (again) with proper build (pull request by gaelmuller)
- remove unused source code files (pull request by cgzones)
- Remove local file additions in setup-win.c (pull request by awiddersheim)
- Fix win32 ARGV0 names (pull request by awiddersheim)
- simplify cJSON makefile (pull request, https://github.com/ossec/...
v2.7.1: Merged in gaelmuller/ossec-hids (pull request #16)
OSSEC 2.7.1 has been released and posted on our download page. You can check the release notes to find out what has been updated in this release. Note that there has been no update to the OSSEC virtual appliance. We will bring that system in line with 2.7.1 before the end of the year.
Release Notes
Trend Micro, Inc.
Version: 2.7.1
Date: November 21, 2013
Summary of changes in v2.7.1
- Installation
  - Server
    - Fixed Solaris update install (ddpbsd)
  - Agent
    - Fixed InstallAgent.sh script for Mac OSX addusers
      - Distinguishing OSX 10.5 from previous versions
    - Allow os_auth to resolve manager hostname to IP address
    - Fixed Windows Agent
- Server
  - Syscheck
    - Extended filesize from an integer to a long integer
  - Rootcheck
    - No Change
- Agents
  - Make Heartbeat interval configurable (Christobel Rosa)
    - Was fixed at 10 minutes interval, now configurable
    - Use ossec.conf "notify_time", "time-reconnect"
    - For both *nix and Windows agents
    - More details TBD (To Be Documented)
- Log monitoring/analysis
  - Added new feature "custom_alert_output" (Christobel Rosa)
    - More details TBD (To Be Documented)
  - Added checking for duplicate rule ID's (@cgzones)
- Rules and Decoders
  - etc/decoder.xml updated
    - Fixed ar_log decoder (dcid)
    - Updated <auditd-...> decoders (jp.zurbrugg)
    - Added Pure-FTPd transfer log decoder (@ddpbsd)
    - Added mptscsih \ mptbase SCSI controller log decoders
  - etc/rules/ updated
    - nginx_rules.xml
      - Added to reduce noise
    - pure-ftpd_rules.xml
      - Added rules 11310, 11311, 11312
    - syslog_rules.xml
      - Added rules 2935-2939 for SCSI controller
    - web_appsec_rules.xml
      - Updated PHPMyAdmin rules
      - Added rules 31515, 31516, 31530-31533, 31550
    - web_rules.xml
      - Added rules 31164, 31165 for SQL injection attempt
- Output and Alert options
  - csyslogd
    - Fixed crash issue in non-debug mode due to memory corruption
  - ossec-dbd
    - Fixed database log entries truncation issue
- Active Response
  - Fixed firewall-drop.sh script to prevent a resource loop (dcid)
  - Added ip-customblock.sh script (dcid)
  - Fixed ar.conf ownership issue (@ddpbsd)
- Scripts fixes
  - Add a log message when something "did not start correctly" (@ddpbsd)
- Contributions
  - Added contrib/ossec2snorby/ scripts, see README for details
v2.7
It has been over a year since the release of OSSEC 2.6 in July 2011. Through all this time many developers have contributed patches and many users have tested several pre-release builds. A sincere THANKS to all of you.
The key enhancements in v2.7 are:
- Installation
  - Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
  - Add manage_agents -f option for bulk generation of client keys from an input file.
  - During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
- Syscheck
  - Add prelinking support – reduce confusion when a file change is the result of prelinking.
- Rootcheck
  - Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Log monitoring/analysis
  - Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
- Alert options and syslog output
  - Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
  - Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes
  - Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
  - Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
  - Updated decoders include: PIX, auditd, apache, pam, php.
  - Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
  - Updated rootcheck rules.
  - ossec-client.sh now allows for ‘reload’, in addition to ‘restart’
  - Many bug fixes…
  - LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2