Recently, I was alerted by Todd Houle that his infosec folks had identified a vulnerability in CasperCheck that should be addressed.
The problem:
CasperCheck downloads a QuickAdd installer from a web server inside a .zip file and initially stores it in the /tmp directory. All users on the system have access to /tmp, so it was possible for a malicious unprivileged user to leverage a race condition to replace the downloaded .zip file with another .zip file of the same name.
Assuming that the replaced .zip file was valid and passed the check for being a valid .zip file, CasperCheck would then expand the contents of the replaced .zip file into the /var/root/quickadd directory. Assuming that the malicious unprivileged user had their own installer package stored inside the replaced .zip file, the next time that CasperCheck would determine that it needs to install the Casper agent via its cached QuickAdd installer, it would instead install that installer package in place of the expected QuickAdd package.
The fix:
The vulnerability depends on the QuickAdd package being downloaded to a place where an unprivileged user can access it, so the implemented fix is to download it to a place where only root has access. Todd fixed the issue by changing the designated download location as follows:
From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd
Moving the download location to /var/root/quickadd means that the download is going to a location inside the root account’s home directory. Only root has write access to its home directory, which stops an account which doesn’t have root privileges from being able to swap out the .zip file.
Changes to CasperCheck:
Fortunately, the changes needed to implement this fix are minor and are in two places:
The quickadd_zip variable has changed:
From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd
The update_quickadd function has been updated so that the following actions now happen first:
- The creation of the /var/root/quickadd directory, if that directory is not already present
- The removal of existing files from the /var/root/quickadd directory
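To make the property behind the fix concrete, here is an added example (not CasperCheck's own code) of the staging-directory checks that the reordered steps give you: create the directory first, restrict it to its owner, clear stale contents, and only then accept a .zip into it. It is written in POSIX sh so it runs on both macOS and Linux. The function names, the directory argument (so the checks can be exercised against a scratch directory instead of /var/root/quickadd), and the use of cp in place of the real curl download are assumptions of this example.

```shell
#!/bin/sh
# Added example, not CasperCheck's own code. Defaults match the values on
# the page; every function takes the directory as an argument so it can be
# tested against a scratch location.
quickadd_dir="/var/root/quickadd"
quickadd_zip="$quickadd_dir/quickadd.zip"

# dir_is_private DIR
# Succeeds only if DIR exists, is owned by the current user, and has neither
# the group nor the other write bit set. This is the property that defeats
# the swap-the-zip race: /tmp (drwxrwxrwt) fails it, a freshly prepared
# /var/root/quickadd (drwx------) passes it. Uses ls -ld rather than stat(1)
# because stat's format flags differ between macOS and Linux.
dir_is_private() {
    [ -d "$1" ] || return 1
    listing=$(ls -ld "$1") || return 1
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    case "$mode" in
        d????-??-?) return 0 ;;   # chars 6 and 9 are the group/other write bits
        *)          return 1 ;;
    esac
}

# prepare_quickadd_dir DIR
# Mirrors the reordered update_quickadd steps: create the directory if it
# is missing, lock it down to the owner, remove any existing files, and
# confirm the result is private before anything is downloaded into it.
prepare_quickadd_dir() {
    mkdir -p "$1" || return 1
    chmod 700 "$1" || return 1
    rm -rf "${1:?}"/* || return 1
    dir_is_private "$1"
}

# is_zip_file FILE
# Cheap offline stand-in for the "is this a valid .zip" check: the file must
# start with the zip local-file-header signature PK\003\004 (hex 504b0304).
is_zip_file() {
    sig=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "504b0304" ]
}

# stage_quickadd_zip SRC DIR
# Stand-in for the download step (cp instead of curl so the example runs
# offline). Refuses to write unless DIR is private, rejects SRC unless it
# looks like a zip, and leaves the staged copy readable by the owner only.
stage_quickadd_zip() {
    src=$1
    dir=$2
    dir_is_private "$dir" || { echo "refusing: $dir is not a private directory" >&2; return 1; }
    is_zip_file "$src"    || { echo "refusing: $src is not a zip archive" >&2; return 1; }
    cp "$src" "$dir/quickadd.zip" && chmod 600 "$dir/quickadd.zip"
}

# Usage (as root, on a real system):
#   prepare_quickadd_dir "$quickadd_dir" && \
#   stage_quickadd_zip /path/to/downloaded/quickadd.zip "$quickadd_dir"
```

The ordering is what matters: because prepare_quickadd_dir runs before any download, the .zip never exists for even a moment in a location another account can write to, which is exactly the window the original /tmp placement left open. The ownership check additionally catches the case where the directory exists but was created by someone else.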
I’ve posted an updated CasperCheck script with the described changes to the following location:
https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh
If you’re a CasperCheck user, I recommend updating to the latest version at your earliest convenience.
The changes to the script can be seen here:
https://github.com/rtrouton/CasperCheck/commit/35e4e1d6ba9f363b894b36535b151637eb70602e
Hat tip: Thanks to Todd for alerting me to this issue and helping to fix it.