[Xymon] Remote Code execution

Christoph Zechner zechner at vrvis.at
Thu Oct 14 16:43:52 CEST 2021



On 14/10/2021 15:30, Jeremy Laidman wrote:
> Christoph
> 
> On Thu, 14 Oct 2021 at 18:01, Christoph Zechner <zechner at vrvis.at 
> <mailto:zechner at vrvis.at>> wrote:
> 
>     Hi,
> 
>     On 13/10/2021 04:04, Jeremy Laidman wrote:
>      > I think the "remote code execution" mentioned in the two
>     references are
>      > two very different things: remotely configuring commands to run
>     on the
>      > client, in the context of collecting data, versus remotely sending
>      > arbitrary pre-compiled code over the Internet to execute on the
>     Xymon
>      > server, by leveraging the ability to overflow a memory buffer.
>     Calling
>      > them both "remote code execution" is confabulating two different
>     things.
> 
>     That's on me, I was just trying to summarise different approaches in a
>     non-precise way, sorry.
> 
> 
> Sorry, I didn't mean this as a criticism. I think the terminology you 
> used in the two cases is quite reasonable, in their contexts. It's just 
> that in the one context, there's the potential for people to confabulate 
> the two meanings. And to be honest, the ability to run arbitrary 
> commands on a host server, even by design, isn't above being given the 
> once-over with a critical eye. As sysadmins, it's our responsibility to 
> keep our systems going, which means defending against malicious 
> attackers as well as our own accidents!
> 
> I'm glad you raised the discussion. The principle of avoiding remote 
> code execution is valid regardless of whether the execution is by design 
> or by accident. After all, an accident can only occur when there aren't 
> sufficient safeguards to protect against it, and we should consider 
> accidents inevitable. As a result of your questions, my team is now 
> taking a look at our Xymon deployments to see where we can reduce risks, 
> by seeing what changes we can make to the way we collect some of our 
> data for Xymon's analytics.
> 
> <snip>
> 
>      > This feature is on by default. There appear to be two ways to it
>     off: 1)
>      > don't run the clients in central mode, and 2) add the "--noexec"
>      > parameter to logfetch (in LOGFETCHOPTIONS in the file
>     xymonclient.cfg).
> 
>     ad 1) clients are per default not running in central mode or did I
>     misunderstand you here?
> 
> 
> I thought they did. But I had to check this for myself.
> 
> To run in local mode, the xymon client script xymonclient.sh needs to be 
> run with the "--local" switch, specified within the clientlaunch.cfg 
> file. The default entry for [client] that runs the client script, 
> doesn't have the "--local" switch. So by default, the client runs in 
> central mode. From the original clientlaunch.cfg:
> 
> [client]
>          ENVFILE $XYMONCLIENTHOME/etc/xymonclient.cfg
>          CMD $XYMONCLIENTHOME/bin/xymonclient.sh
>          LOGFILE $XYMONCLIENTLOGS/xymonclient.log
>          INTERVAL 5m
> 
> I checked versions between 4.3.4 (from 2012, long before the 
> vulnerabilities were reported) to 4.3.28, and none has "--local" in 
> clientlaunch.cfg.

I tried to run a client in local mode today (Debian 10), but it was not 
possible, because the "xymond_client" binary is missing from the Debian 
package (bug report [1]).

> 
> I didn't check the Terabithia packages, but I have no reason to think 
> they would default to local mode.
> 
> So yes, Xymon clients run in central mode, by default. I suspect it 
> wasn't always the case, and I'm quite sure that Xymon/Hobbit's 
> precursor, BigBrother, didn't have a central mode.
> 
>     Thank you very much for your time and effort, I highly appreciate
>     it. It
>     seems to me that "--noexec" would be a good sane default for
>     logfetch in
>     any way.
> 
> 
> I concur.
> 
> And if we really wanted to be extra careful (paranoid?), we might adjust 
> the xymonclient.sh script to run logfetch like so:
> 
> LD_PRELOAD=/usr/libexec/sudo/sudo_noexec.so 
> /usr/libexec/xymon-client/logfetch $LOGFETCHOPTS $LOGFETCHCFG 
> $LOGFETCHSTATUS >>$MSGTMPFILE
> 
> (assuming the "sudo" package is installed, and has noexec enabled; 
> there's also a useful standalone utility called "noexec" at 
> http://noexec.sourceforge.net/ <http://noexec.sourceforge.net/>)
> 
> Given that the logfetch command accepts input from a remote system, we 
> might prefer to have an assurance that the input cannot be used to trick 
> logfetch into running commands. I'm not necessarily promoting this as a 
> "best practice", and it's likely to have problems (dependency on sudo 
> for one), but as a mental exercise in looking for ways to almost 
> eliminate a class of attack, there's at least some value in that.

Nice suggestion, I will look into that as well, thank you!

Cheers
Christoph


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903614

> 
> Cheers
> Jeremy




More information about the Xymon mailing list