Closed kenhys closed 3 years ago
Because of missing the td-agent 3 build environment, it is not confirmed yet but I hope it will fix the issue.
ref.
td-agent 4 has been already fixed. https://github.com/fluent-plugins-nursery/td-agent-builder/pull/247
@ashie could you check build, please?
Sorry, I don't have build env...
I'm working on building and confirming this PR.
I couldn’t build with the following error:
[Packager::MSI] I | 2021-01-04T17:08:47+09:00 | Using local resource `localization-en-us.wxl.erb' from `C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/resources/td-agent/msi/localization-en-us.wxl.erb'
[Packager::MSI] I | 2021-01-04T17:08:47+09:00 | Rendering `C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/resources/td-agent/msi/localization-en-us.wxl.erb' to `C:/Users/cosmo/AppData/Local/Temp/td-agent20210104-14908-b4ofud/localization-en-us.wxl'
[Packager::MSI] I | 2021-01-04T17:08:47+09:00 | Using local resource `parameters.wxi.erb' from `C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/resources/td-agent/msi/parameters.wxi.erb'
[Packager::MSI] I | 2021-01-04T17:08:47+09:00 | Rendering `C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/resources/td-agent/msi/parameters.wxi.erb' to `C:/Users/cosmo/AppData/Local/Temp/td-agent20210104-14908-b4ofud/parameters.wxi'
[Packager::MSI] I | 2021-01-04T17:08:47+09:00 | Using local resource `source.wxs.erb' from `C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/resources/td-agent/msi/source.wxs.erb'
[Packager::MSI] I | 2021-01-04T17:08:47+09:00 | Rendering `C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/resources/td-agent/msi/source.wxs.erb' to `C:/Users/cosmo/AppData/Local/Temp/td-agent20210104-14908-b4ofud/source.wxs'
[Packager::MSI] I | 2021-01-04T17:08:58+09:00 | Packaging time: 10.776s
The following shell command exited with status 104:
$ candle.exe -nologo -arch x64 -dProjectSourceDir="C:\opt\td-agent" "project-files.wxs" "C:\Users\cosmo\AppData\Local\Temp\td-agent20210104-14908-b4ofud\source.wxs"
Output:
project-files.wxs
source.wxs
C:\Users\cosmo\AppData\Local\Temp\td-agent20210104-14908-b4ofud\source.wxs(124) : error CNDL0104 : Not a valid source file; detail: �s 41�A�ʒu 8 �ɂ���J�n�^�O 'Directory' �ƏI���^�O 'Product' ���Ή����Ă��܂���B �s 124�A�ʒu 5�B
Error:
(nothing)
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/util.rb:139:in `rescue in shellout!'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/util.rb:134:in `shellout!'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/packagers/msi.rb:66:in `block (2 levels) in <class:MSI>'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/packagers/msi.rb:62:in `chdir'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/packagers/msi.rb:62:in `block in <class:MSI>'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/packagers/base.rb:167:in `instance_eval'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/packagers/base.rb:167:in `block in run!'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/instrumentation.rb:23:in `measure'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/packagers/base.rb:164:in `run!'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/project.rb:1150:in `block in package_me'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/project.rb:1139:in `each'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/project.rb:1139:in `package_me'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/project.rb:1088:in `build'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/cli.rb:89:in `build'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/gems/thor-1.0.1/lib/thor/command.rb:27:in `run'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/gems/thor-1.0.1/lib/thor/invocation.rb:127:in `invoke_command'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/gems/thor-1.0.1/lib/thor.rb:392:in `dispatch'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/cli/base.rb:33:in `dispatch'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/gems/thor-1.0.1/lib/thor/base.rb:485:in `start'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/lib/omnibus/cli.rb:42:in `execute!'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bundler/gems/omnibus-d75718522deb/bin/omnibus:16:in `<top (required)>'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bin/omnibus:23:in `load'
C:/Users/cosmo/Documents/GitHub/omnibus-td-agent/vendor/bundle/bin/omnibus:23:in `<main>'
Rendered result is:
@kenhys I'd found that this PR is not buildable. Could you check my result?
I've fixed extra
https://github.com/treasure-data/omnibus-td-agent/pull/274#discussion_r551304931 indicates the problem is not fixed yet, it is not unexpected behavior.
I'm rebuilding with force pushed changes.
Rebuilt msi package indicates the following privileges:
PS> icacls.exe C:\opt\td-agent\bin
C:\opt\td-agent\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
1 個のファイルが正常に処理されました。0 個のファイルを処理できませんでした
This result should work as expected? This branch cannot be built but with #275 patch, we can build omnibus-td-agent's msi package.
It should be rebased first.
NT AUTHORITY\Authenticated Users:(I)(M)
should not be set because it means users can modify the content.
I've rebased for #275
Ah, I got it.
It seems that <Feature> is missing in the previous commit, so it should work as expected now.
It seems that <Feature> is missing in the previous commit, so it should work as expected now.
OMG! :scream:
With the commit https://github.com/treasure-data/omnibus-td-agent/pull/274/commits/942b41d85d7bd5c415ecde65513400dd374f1caa, I've got the following result:
PS> icacls.exe C:\opt\td-agent\bin
C:\opt\td-agent\bin BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Administrators:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
1 個のファイルが正常に処理されました。0 個のファイルを処理できませんでした
Does it fulfill our requirements for mitigating vulnerability CVE-2020-28169, @kenhys?
It is the expected result!
@repeatedly Can we merge this? CVE-2020-28169 also affects this omnibus version of td-agent.
Thanks for working on this issue! Does anyone have td-agent 3.8.1 with this fix? I want to upload it to td-agent repository.
@repeatedly
Note that this PR was merged, we need to update gems by td-agent-gem with administrator privilege.
On Windows, this behavior is an incompatible change from the previous versions, so please announce somewhere else.
I'll try to build td-agent 3.8.1 on Windows.
I'd sent a PR to build td-agent 3.8.1 msi package on Windows: #277.
this behavior is an incompatible change from the previous versions, so please announce somewhere else.
What tasks are needed on user side? Issue command or something?
I'd sent a PR to build td-agent 3.8.1 msi package on Windows
Thanks!
What tasks are needed on user side? Issue command or something?
For both of newer and upgrade users:
For upgrade users since 3.8.0 or older version, explicitly remove privileges for NT AUTHORITY\Authenticated Users from c:\opt\td-agent. It should be applied recursively.
For fresh install users, no need to do a manual operation
Reported by @zubrahzz
ref. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28169
In the previous version, NT AUTHORITY\Authenticated Users:(I)(M) is granted. It means that logged-in users can replace any files under opt/td-agent/bin. It also allows an attacker to gain administrative privileges by replacing these files, because these files are executed as a local service with SYSTEM privilege.
Note that this PR was merged, we need to update gems by td-agent-gem with administrator privilege.
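An added example (not part of the original thread or the project's code): a Python check that parses `icacls` output like the two listings posted above and reports ACEs granting write-type access to a group every logged-in user belongs to. The `LOW_PRIV` and `WRITE_RIGHTS` sets and the function names are assumptions made for this illustration.

```python
import re

# Write-type rights as icacls prints them (simple and specific forms).
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WA", "WEA",
                "WDAC", "WO", "GW", "GA"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumption: groups that any ordinary logged-in user is a member of.
LOW_PRIV = {"nt authority\\authenticated users", "builtin\\users",
            "nt authority\\interactive", "everyone"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^()]+\))+)$")

def parse_icacls(text, path):
    """Yield (principal, inheritance_flags, rights) for each ACE line of one path."""
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares the path's line
        m = ACE_RE.match(line)
        if not m:
            continue  # prompt, blank or localized summary line
        groups = re.findall(r"\(([^()]+)\)", m["flags"])
        inherit = [g for g in groups if g in INHERIT_FLAGS]
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        yield m["who"], inherit, rights

def risky_aces(text, path):
    """Return ACEs that give a low-privilege principal write-type access."""
    return [(who, inherit, sorted(rights & WRITE_RIGHTS))
            for who, inherit, rights in parse_icacls(text, path)
            if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS]

PATH = r"C:\opt\td-agent\bin"
# Both listings are copied from the icacls output posted in the thread.
BEFORE = r"""C:\opt\td-agent\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)"""
AFTER = r"""C:\opt\td-agent\bin BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Administrators:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, risky_aces(sample, PATH))
```

The inherit-only `(IO)` entry is reported as well, because it applies to the files below the directory rather than to the directory itself.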