In this article we will discuss a recently published vulnerability in quite popular software – fail2ban (CVE-2021-32749). Under the right conditions, this bug could be exploited to achieve code execution with root privileges. Luckily, it is difficult for a “normal” attacker to achieve. This vulnerability is rooted in a way the mail command from the mailutils package works. Furthermore, I have to admit, I figured it out by a total accident!
fail2ban analyzes logs (or other data sources) for brute-force attacks and blocks the source IP addresses if detected. There are a number of rules for specific services (SSH, SMTP, HTTP, etc.). Moreover, there are specific actions performed when an attack is detected – one of them is sending an email to the administrator with a notification that a given IP address has been blocked. If we search the Internet for a way to send an email from the command line, we can often find such a solution:
|
1 |
$ echo "test e-mail" | mail -s "subject" user@example.org |
This is exactly how the action of sending an email to fail2ban is defined – a fragment of the file below ./config/action.d/mail-whois.conf:
|
1 2 3 4 5 6 7 |
actionban = printf %%b "Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n Here is more information about <ip> :\n `%(_whois_command)s`\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest> |
There is nothing suspicious about the snippet above that would draw our attention. However, if we look at the mailutils documentation, we can find information about the so-called tilde escape sequences:
The ‘~!’ escape executes specified command and returns you to mail compose mode without altering your message. When used without arguments, it starts your login shell. The ‘~|’ escape pipes the message composed so far through the given shell command and replaces the message with the output the command produced. If the command produced no output, mail assumes that something went wrong and retains the old contents of your message.
Here’s the above in action:
|
1 2 3 4 5 6 7 8 9 |
jz@fail2ban:~$ cat -n pwn.txt 1 Next line will execute command :) 2 ~! uname -a 3 4 Best, 5 JZ jz@fail2ban:~$ cat pwn.txt | mail -s "whatever" whatever@whatever.com Linux fail2ban 4.19.0-16-cloud-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux jz@fail2ban:~$ |
If we look again at the fail2ban action definitions, we can see that the result of the whois command is attached to the email. If the attacker was able to add a tilde escape sequence as part of the whois response for the IP address of their choice – after sending the email to the administrator, it would end up executing the code – most likely as an administrator (root).
From the attackers’ perspective, what are our options?
The first thing that came to mind was trying to ask my ISP to contact RIPE and just add a specific entry for my IP address 😉 Unfortunately – it doesn’t work that way. RIPE/ARIAN/APNIC and others modify entries for whole classes of IP addresses. Additionally, it is unlikely that anyone would agree to add any suspicious string to the WHOIS response without asking any questions about it.
Then, maybe the option would be to run your own WHOIS server? Surprisingly – it is possible and you can come across several “private” WHOIS servers. All thanks to the mechanism that has been described in more detail in the RFC: namely, if in the WHOIS response we find the ReferralServer attribute, the client will try to connect to the server set as the value of this attribute. An example operation can be seen by verifying the WHOIS response for the IP address 157.5.7.5:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
$ whois 157.5.7.5 # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/resources/registry/whois/tou/ # # If you see inaccuracies in the results, please report at # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/ # # Copyright 1997-2021, American Registry for Internet Numbers, Ltd. # NetRange: 157.1.0.0 - 157.14.255.255 CIDR: 157.4.0.0/14, 157.14.0.0/16, 157.1.0.0/16, 157.12.0.0/15, 157.2.0.0/15, 157.8.0.0/14 NetName: APNIC-ERX-157-1-0-0 NetHandle: NET-157-1-0-0-1 Parent: NET157 (NET-157-0-0-0-0) NetType: Early Registrations, Transferred to APNIC OriginAS: Organization: Asia Pacific Network Information Centre (APNIC) [… cut …] ReferralServer: whois://whois.apnic.net ResourceLink: http://wq.apnic.net/whois-search/static/search.html OrgTechHandle: AWC12-ARIN OrgTechName: APNIC Whois Contact OrgTechPhone: +61 7 3858 3188 OrgTechEmail: search-apnic-not-arin@apnic.net [… cut …] Found a referral to whois.apnic.net. % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '157.0.0.0 - 157.255.255.255' % Abuse contact for '157.0.0.0 - 157.255.255.255' is 'helpdesk@apnic.net' inetnum: 157.0.0.0 - 157.255.255.255 netname: ERX-NETBLOCK descr: Early registration addresses [… cut …] |
Theoretically, if we were the owners of a large enough network – we could try to ask our Regional Internet Registries to add an appropriate entry. Then, from the level of our own RWhois server, we would be able to freely control the responses sent.
Nevertheless – it is quite easy to imagine a scenario where an attacker / black hat – simply compromises the network or server on which the RWHOIS service is running, and then performs the attack from that network. This seems to be an easier and cheaper task than becoming a large enough company to legally run your own working whois server.
Of course, you can be a government of a large country and simply control that country’s network traffic. If we look closely at the WHOIS protocol, we can notice several things:
- it’s an extremely old protocol (origins date back to 1977)
- very easy to implement (question/answer)
- absolutely unencrypted 😉
Given the above – by carrying out a MITM attack on this unencrypted protocol – the attacker (in this case, the government) could simply insert the appropriate, malicious string in the responses.
What is worth noting is that the problem is not so much with fail2ban itself, but with mailutils – where the mentioned functionality is not a bug, but a planned outcome. Hence, it is worth paying attention to your own, proprietary scripts that use the mail command, and to other software that could also be vulnerable.
History has shown time and time again that security is difficult and complex. Sometimes an innocent, seemingly harmless functionality can turn out to be quite a threat.