CONDOR-2008-0004


Summary:

 

User supplied input to condor_qedit can cause the condor_schedd to crash and not be able to recover.


Component Vulnerable Versions Platform Availability Fix Available
condor_schedd 6.8.0 - 6.8.8
7.0.0 - 7.0.4
7.1.0 - 7.1.2
all not known to be publicly exploited 6.8.9
7.0.5
7.1.3
Status Access Required Host Type Required Effort Required Impact/Consequences
Verified local ordinary user with a condor authorization submission host medium medium
Fixed Date Credit
2008-Oct-07 Matthew Farrellee

Access Required:

local ordinary user with a condor authorization

This vulnerability requires local access on a machine where the user has write authorization to the condor_schedd (i.e., a host and account where the user can submit a job).

Effort Required:

medium

The use of ordinary condor command line tools is all that is required in the first step of this vulnerability. A successful attack would then need the condor_schedd to restart which would require administrative privilege or another vulnerability.

Impact/Consequences:

medium

The effect of exploiting this vulnerability is that the condor_schedd will not be able to recover from a crash or restart without manual intervention.

Full Details:

 

A user can use condor_qedit to insert an attribute that does not have any value. This is illegal. The code creates an invalid log entry representing this value to the log before detecting that it is illegal. When the log is compressed, the log file is replaced and the new log will not contain the illegal record. Newer versions of Condor perform log compression as part of a clean shutdown which then requires a crash to exploit this vulnerability.

When the job queue log file is read upon restart recovery the illegal value is detected and the condor_schedd is aborted. This will occur each time the condor_schedd is restarted (by a condor_schedd crash, such as CONDOR-2008-0003, or waiting for routine maintenance) until the offending log record is removed the from the log file by hand.

For instance the command


      condor_qedit 1.0 BAD_ATTR ''
  

will write the following log record to job queue log (spool/job_queue.log):


      103 1.0 BAD_ATTR
  

Cause:

injection
denial of service
failure to validate input

This vulnerability is caused by a user being able to inject an invalid log record into the job queue log. When this record is later read the system deals with the invalid record by aborting.

Actual Fix:

 

When an attribute value is encountered where the value is the empty string, the value is replaced with the string UNDEFINED. This represents the undefined value in the classad language and is an appropriate choice to replace the invalid empty value.