Application: PBS Pro (part of PBS Works by Altair Engineering)
Affected version: < 10.4
OS: Linux/UNIX
CVE ID: pending
Class: temporary file creation race condition
Remote: no
Threat: destroy an arbitrarily chosen file of another user
Discovered: 02.02.2010
Discovered by: Bartlomiej Balcerek

Background:
PBS Pro is commercial software used to perform and manage job scheduling and execution. It is widely used by supercomputing centers for cluster, grid and cloud computing.

Vulnerability description:
The PBS Pro execution daemon, pbs_mom, uses the /var/spool/pbs/spool directory to store temporary files. This directory is world writable. Files within this directory are created on behalf of the queue user (with his/her UID and GID) to store a job's standard output and error streams. Before pbs_mom creates a particular file, it checks whether a file of that name already exists. If so, the file of that name is deleted and then opened in write mode. An attacker can easily guess another user's temporary file name and create an arbitrary link between the two actions of check and create, while the other user's job is executing. The link can point to a file chosen by the attacker and owned by the job's owner, which in consequence will be overwritten by the job's standard output or error stream.

Exploit:
PoC attached.

Solution:
Upgrade to version >= 10.4

Bug history:
Discovered: 02.02.2010
Vendor contacted: 15.02.2010
Fixed version announced: 08.06.2010
Bug disclosed: 07.07.2010

--
Bartlomiej Balcerek
Attachment:
pbs-v10.2.0.93147-PoC.sh
Description: Bourne shell script
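The check/delete/open sequence described in the advisory, next to an atomic alternative, as an added example (not PBS Pro code and not the vendor's fix, which the advisory does not describe). The function names, the temporary directory and the file names are hypothetical, and the scenario is constructed: the spool name is already a symlink when the final open runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Last step of check/delete/open: a plain create-or-truncate open. If the
 * name has become a symlink by now, the link target is truncated instead. */
int spool_open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_CREAT|O_EXCL makes "must not exist" and "create" one atomic step and never
 * follows a symlink in the last component. Stale entries: unlink, bounded retry. */
int spool_open_safe(const char *path)
{
    for (int attempt = 0; attempt < 3; attempt++) {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;                 /* created, or an unrelated error */
        if (unlink(path) != 0 && errno != ENOENT)
            return -1;                 /* cannot clear the existing entry */
    }
    errno = EEXIST;                    /* entry keeps reappearing: give up */
    return -1;
}

/* Constructed scenario: spool name is a symlink to a 6-byte file of the job
 * owner. Returns that file's size after job output is written (-1 on error). */
long demo_owner_file_size(int use_safe)
{
    char dir[] = "/tmp/spool-demo-XXXXXX", owner[64], spool[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(owner, sizeof owner, "%s/owner-file", dir);
    snprintf(spool, sizeof spool, "%s/job.out", dir);
    int fd = open(owner, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "owner\n", 6) != 6) return -1;
    close(fd);
    if (symlink(owner, spool) != 0) return -1;
    fd = use_safe ? spool_open_safe(spool) : spool_open_unsafe(spool);
    if (fd < 0 || write(fd, "out\n", 4) != 4) return -1;
    close(fd);
    long size = stat(owner, &st) == 0 ? (long)st.st_size : -1;
    unlink(spool); unlink(owner); rmdir(dir);
    return size;
}
```

With the exclusive open the owner's file keeps its 6 bytes; with the plain open it is truncated and holds the 4 bytes of job output.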