Bug 603272 - net-analyzer/sguil-sensor: root privilege escalation via init script
Summary: net-analyzer/sguil-sensor: root privilege escalation via init script
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Reported: 2016-12-21 01:46 UTC by Michael Orlitzky
Modified: 2022-09-19 18:46 UTC
CC List: 5 users

Description Michael Orlitzky gentoo-dev 2016-12-21 01:46:00 UTC
The ebuild for sguil-sensor gives ownership of its log directories to the "sguil" user/group:

  diropts -g sguil -o sguil
  keepdir /var/lib/sguil /var/lib/sguil/archive \
      "/var/lib/sguil/${HOSTNAME}" \
      "/var/lib/sguil/${HOSTNAME}/portscans" \
      "/var/lib/sguil/${HOSTNAME}/ssn_logs" \
      "/var/lib/sguil/${HOSTNAME}/dailylogs" \
      "/var/lib/sguil/${HOSTNAME}/sancp"

The init script then sets $LOG_DIR to one of those directories,

  LOG_DIR="${LOGDIR}/${HOSTNAME}/dailylogs"

and trusts its contents:

  chmod 770 "${LOG_DIR}/${today}"
  chown root:sguil "${LOG_DIR}/${today}"

The "sguil" user can make ${today} a symlink to any path on the system; afterwards, the init script (as root) gives the sguil group write access to the target of the symlink. He can do that because he owns the containing directory, and doing so lets him gain root the next time log_packets is started.
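The following is an added example, not code from the sguil ebuild or its init script. It places the chmod pattern quoted above next to a hardened replacement and runs both against a constructed directory layout. Assumptions: GNU coreutils (for stat -c), the untrusted "sguil" owner is simulated by the current user owning the log directory, the unsafe "chown root:sguil" step is left out because it needs root, and the function, variable and path names are this example's own.

```shell
#!/bin/sh
# Added example (not from the sguil init script). Shows why
# "chmod 770 ${LOG_DIR}/${today}" is unsafe when an untrusted user owns
# ${LOG_DIR}, and a hardened prepare step. Assumes GNU coreutils stat.

# Octal permission bits and owner uid of a path (stat does not follow
# symlinks by default, so these report on the real file we pass in).
mode_of() { stat -c %a "$1"; }
owner_uid_of() { stat -c %u "$1"; }

# The sequence from the bug report: chmod dereferences symlinks, so
# whatever ${log_dir}/${today} points at ends up with mode 770.
vulnerable_prepare() {
    log_dir=$1 today=$2
    chmod 770 "${log_dir}/${today}"
}

# Hardened version. $3 is the uid that must own the parent directory
# (0 in a real init script; the test passes its own uid). It refuses when
# the parent belongs to anyone else, when the entry is a symlink, or when
# it is not a directory, and creates the entry with mkdir, which never
# follows a symlink of that name.
safe_prepare() {
    log_dir=$1 today=$2 trusted_uid=${3:-0}
    target="${log_dir}/${today}"
    # Root-cause check: if an untrusted user owns the parent, they can
    # replace entries at will and no check-then-chmod below is race-free.
    if [ "$(owner_uid_of "$log_dir")" != "$trusted_uid" ]; then
        echo "refusing: $log_dir is not owned by uid $trusted_uid" >&2
        return 1
    fi
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 1
    fi
    if [ ! -e "$target" ]; then
        mkdir "$target" || return 1
    elif [ ! -d "$target" ]; then
        echo "refusing: $target is not a directory" >&2
        return 1
    fi
    chmod 770 "$target"
}

# Demonstration on a constructed layout: a mode-600 "victim" file and a
# symlink to it planted where the daily log directory would be created.
demo() {
    work=$(mktemp -d)
    mkdir "$work/dailylogs"
    printf 'constructed sample\n' > "$work/victim"
    chmod 600 "$work/victim"
    ln -s "$work/victim" "$work/dailylogs/2016-12-21"

    vulnerable_prepare "$work/dailylogs" 2016-12-21
    echo "victim mode after vulnerable_prepare: $(mode_of "$work/victim")"

    chmod 600 "$work/victim"
    safe_prepare "$work/dailylogs" 2016-12-21 "$(id -u)" \
        || echo "safe_prepare refused the planted symlink"
    echo "victim mode after safe_prepare: $(mode_of "$work/victim")"

    rm -rf "$work"
}

demo
```

The owner check is the part that matters most: the symlink test alone still leaves a window between the test and the chmod, and only a parent directory that the untrusted user cannot write to closes it, which is the opposite of what the diropts line in the ebuild sets up.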
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:44 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:27 UTC
unrestricting per bug 705894
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-21 22:47:57 UTC
@maintainer(s): ping.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-11 04:01:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=129c759430752122af77fd9a00b0835e8a30c6d3

commit 129c759430752122af77fd9a00b0835e8a30c6d3
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-11 04:00:15 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-11 04:00:15 +0000

    profiles: last rite net-analyzer/sguil-sensor
    
    Bug: https://bugs.gentoo.org/603272
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 18:46:42 UTC
Whoops, looks like I tagged the wrong bug. All unstable, so all done!

commit 31c1a39700a70382a13f65f6bef70698c174d8b4
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-09-18 21:19:57 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-18 21:19:57 +0000

    net-analyzer/sguil-sensor: treeclean
    
    Bug: https://bugs.gentoo.org/630752
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-analyzer/sguil-sensor/Manifest                 |  1 -
 net-analyzer/sguil-sensor/files/log_packets.confd  | 18 -----
 net-analyzer/sguil-sensor/files/log_packets.initd  | 91 ----------------------
 net-analyzer/sguil-sensor/files/sensor_agent.initd | 29 -------
 net-analyzer/sguil-sensor/metadata.xml             | 12 ---
 .../sguil-sensor/sguil-sensor-1.0.0-r3.ebuild      | 81 -------------------
 profiles/package.mask                              |  5 --
 7 files changed, 237 deletions(-)