Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 170477 - app-accessibility/festival: privilege elevation with current default setup
Summary: app-accessibility/festival: privilege elevation with current default setup
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-11 20:10 UTC by Eugene Medvedev
Modified: 2007-07-25 21:39 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
festival-bug-170477.diff (festival-bug-170477.diff,1.18 KB, patch)
2007-06-05 06:20 UTC, solar (RETIRED)
Details | Diff
festival-bug-170477.diff (festival-bug-170477.diff,1.60 KB, patch)
2007-06-06 02:53 UTC, solar (RETIRED)
Details | Diff
festival-1.95_beta-r3.ebuild (festival-1.95_beta-r3.ebuild,5.79 KB, text/plain)
2007-06-08 13:00 UTC, Paul Bredbury
Details
festival.rc (festival.rc,538 bytes, text/plain)
2007-06-08 13:02 UTC, Paul Bredbury
Details
server.scm (server.scm,493 bytes, text/plain)
2007-06-08 13:02 UTC, Paul Bredbury
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eugene Medvedev 2007-03-11 20:10:03 UTC
Festival as it is currently set up by portage when installed runs under the root user. If a festival daemon setup is used, the default server password is nil, i.e. absent.

When the daemon is running, anyone who can connect to the festival daemon at the normal TCP port can issue the '(system "<whatever>")' command, which will execute with root privileges. The default configuration denies connection from anywhere but localhost, but local users can connect and execute commands from root regardless.

Reproducible: Always

Steps to Reproduce:
Using the festival_client.pl provided in /usr/share/doc/festival-*/ connect to your localhost festival daemon with a non root user, and enter the command
(system "whoami > /tmp/amiroot")
then exit the client and
cat /tmp/amiroot



There's several approaches to fixing this, but giving the daemon it's own user account seems the best approach.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-12 15:25:04 UTC
thanks for your report.  CCing maintainer
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-16 16:05:48 UTC
adding herds

please comment/fix, since jeeves has not seen williamh for 20days
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 07:03:44 UTC
Herds please advise and provide an updated ebuild as necessary.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-30 20:25:43 UTC
Herds please advise.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 19:04:42 UTC
Herds/Maintainer please advise
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:57:54 UTC
Herds please advise.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 07:25:55 UTC
Herds please advise.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2007-06-04 18:41:21 UTC
hurry up or mask
Comment 9 solar (RETIRED) gentoo-dev 2007-06-05 06:20:58 UTC
Created attachment 121219 [details, diff]
festival-bug-170477.diff

How about something like this? Run it as it's own user and set it's shell to /bin/false.


solar@here $ echo '(system "whoami > /tmp/amiroot")' | busybox nc localhost 1314 
LP
nil
ft_StUfF_keyOK
solar@here $ cat /tmp/amiroot
festival


I don't know if the 'system' command can/should/could be disabled all together or if there is a better alternative but this meets the initial 
posters suggestion.
Comment 10 Eugene Medvedev 2007-06-05 07:58:45 UTC
(In reply to comment #9)
> I don't know if the 'system' command can/should/could be disabled all together
> or if there is a better alternative but this meets the initial 
> posters suggestion.

It shouldn't be disabled altogether because festival extensively uses it internally (for example, it is required to use mbrola voices). Also, I think I've seen several code examples which involve using it from the client to play the speech festival generates, so you probably can't prevent the client from using it without breaking stuff. But it definitely doesn't have to be root. :)

Adding the festival user to the audio group in the ebuild would be a good idea, by the way.
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2007-06-05 11:04:55 UTC
(In reply to comment #9)
> Created an attachment (id=121219) [edit]
> festival-bug-170477.diff
> 
> How about something like this? Run it as it's own user and set it's shell to
> /bin/false.

It still doesn't stop one for wgetting, building, running shellcode which opens backdoor to experiment with local exploits to gain root privileges..
Comment 12 Eugene Medvedev 2007-06-05 11:57:45 UTC
> It still doesn't stop one for wgetting, building, running shellcode which opens
> backdoor to experiment with local exploits to gain root privileges..

Considering that connections are only allowed from localhost in the default configuration, you have to be a local user already to do that, or am I missing something?
Comment 13 solar (RETIRED) gentoo-dev 2007-06-05 15:27:16 UTC
(In reply to comment #10)
> Adding the festival user to the audio group in the ebuild would be a good idea,
> by the way.

Can you please attach an updated diff. 

cvs -d :pserver:anonymous@anoncvs.gentoo.org:/var/cvsroot \
  co gentoo-x86/app-accessibility/festival
...
cvs diff -u > foo.diff
Comment 14 Eugene Medvedev 2007-06-05 21:43:32 UTC
> Can you please attach an updated diff. 

If I knew enough portage, I'd post a diff with that instead of just a bug report in the first place. :)
Comment 15 Eugene Medvedev 2007-06-05 21:55:38 UTC
Oh, almost forgot, just noticed this. The server.scm configuration file that comes with the ebuild actually contains:

; Server access list (hosts)
(set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))

If 192.168.* is allowed, and you can (system "<whatever>") from a different machine, the argument about using festival to try local exploits still stands.

Maybe adding a warning to set a server password if you plan to connect to festival remotely is also in order.
Comment 16 solar (RETIRED) gentoo-dev 2007-06-06 02:23:52 UTC
(In reply to comment #15)
> Oh, almost forgot, just noticed this. The server.scm configuration file that
> comes with the ebuild actually contains:
> 
> ; Server access list (hosts)
> (set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
> 

Question:
Would that regexp currently allow remote exec of the "system" command with
a domain such as localhost.is.a.myth.gentoo.org ?
Comment 17 solar (RETIRED) gentoo-dev 2007-06-06 02:53:50 UTC
Created attachment 121309 [details, diff]
festival-bug-170477.diff
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 22:22:26 UTC
That patch sounds good to me despite it is only a poor workaround.

Sound herd: someone wants to commit it into the tree or can we commit it ourselves?
Comment 19 William Hubbs gentoo-dev 2007-06-07 23:53:15 UTC
I am looking at commiting this tonight or tomorrow.

Thanks.
Comment 20 William Hubbs gentoo-dev 2007-06-08 02:05:11 UTC
I have found one issue with this patch so far.  The festival server can create a log, and by default that goes to /var/log/festival.log.  That does not work if festival is running as a user other than root since /var/log is read-only to any other user.  Any suggestions?

Comment 21 solar (RETIRED) gentoo-dev 2007-06-08 03:13:00 UTC
(In reply to comment #20)
> I have found one issue with this patch so far.  The festival server can create
> a log, and by default that goes to /var/log/festival.log.  That does not work
> if festival is running as a user other than root since /var/log is read-only to
> any other user.  Any suggestions?

Things like apache, clamav, lighttpd, mysql, snort and squid all use a subdir in 
/var/log/ that is owned by that user. So you want /var/log/festival/festival.log
Comment 22 Paul Bredbury 2007-06-08 13:00:36 UTC
Created attachment 121494 [details]
festival-1.95_beta-r3.ebuild

Fixes /var/log/festival/ and enewuser. Big cleanup. Not using a diff because it would be larger than the file.
Comment 23 Paul Bredbury 2007-06-08 13:02:08 UTC
Created attachment 121496 [details]
festival.rc

Runs as "festival" user.
Comment 24 Paul Bredbury 2007-06-08 13:02:38 UTC
Created attachment 121497 [details]
server.scm

Sets logfile location.
Comment 25 William Hubbs gentoo-dev 2007-06-09 03:10:12 UTC
The fix for this has been committed to the tree.  I'm not sure whether I can close this or if I should wait for the security team to check it.  Please advise.

Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-09 03:58:45 UTC
Thx William, now it's time for arches.

Arches please test and mark stable. Target keywords are:

festival-1.95_beta-r4.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 27 Markus Meier gentoo-dev 2007-06-09 10:55:32 UTC
app-accessibility/festival-1.95_beta-r4  USE="X asterisk -esd -mbrola"
1. emerges on x86
2. passes collision test
3. app-accessibility/gnome-speech-0.4.11 emerges with it
4. works

Portage 2.1.2.7 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, 2.6.20.12 i686)
=================================================================
System uname: 2.6.20.12 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 09:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-09 14:22:32 UTC
ppc stable
Comment 29 Jeroen Roovers (RETIRED) gentoo-dev 2007-06-09 14:34:40 UTC
Stable for HPPA.
Comment 30 Markus Rothe (RETIRED) gentoo-dev 2007-06-09 14:55:43 UTC
ppc64 stable
Comment 31 Brian Evans 2007-06-09 16:33:31 UTC
Testing festival-1.95_beta-r4

1. Emerges fine
2. Passes collision
3. Works fine
4. no security hole with test case


$ emerge --info
Portage 2.1.2.7 (default-linux/alpha/2007.0, gcc-4.1.2, glibc-2.5-r2, 2.6.21-gentoo-r1 alpha)
=================================================================
System uname: 2.6.21-gentoo-r1 alpha EV56
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 14:20:01 +0000
distcc 2.18.3 alpha-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.16
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/overlay"
SYNC="rsync://eldest/gentoo-portage"
USE="X acl alpha alsa berkdb bitmap-fonts bzip2 cli cracklib crypt cups curl dri fortran gdbm gpm iconv ipv6 isdnlog ldap libg++ logrotate midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl postfix pppd python readline reflection session spl sqlite ssl startup-notification tcpd test truetype-fonts type1-fonts unicode xorg zlib" ALSA_CARDS="au8810" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="vga s3virge nv cirrus"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 32 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-06-09 16:46:35 UTC
stable on alpha.

Brian++
Comment 33 Wulf Krueger (RETIRED) gentoo-dev 2007-06-09 19:21:45 UTC
Marked stable on amd64.
Comment 34 Raúl Porcel (RETIRED) gentoo-dev 2007-06-10 13:22:08 UTC
x86 stable, thanks Markus.
Comment 35 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-11 14:10:58 UTC
sparc stable.
Comment 36 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-14 19:17:20 UTC
ia64 is there something wrong with stabilization?
Comment 37 Raúl Porcel (RETIRED) gentoo-dev 2007-07-14 19:19:01 UTC
ia64 is not security supported :)

Plus i can't test it
Comment 38 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-15 10:33:45 UTC
err, indeed :)
Comment 39 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-25 21:39:45 UTC
it's GLSA 200707-10, thanks