Bug 603344

Summary: mail-filter/spamass-milter: root privilege escalation via init script
Product: Gentoo Security
Component: Auditing
Reporter: Michael Orlitzky <mjo>
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
CC: eras, hattya, mschiff, radhermit, robbat2, security-audit

Description Michael Orlitzky gentoo-dev 2016-12-21 14:39:47 UTC
The init script for spamass-milter grants ownership of its socket directory to the "milter" user:

  checkpath -q -d -o ${SOCKET_USER:-milter}:${SOCKET_GROUP:-milter} \
      -m 0755 ${socketdir}

Later, it calls chown/chmod on its socket file which lives in that directory:

  chown ${SOCKET_USER:-milter}:${SOCKET_GROUP:-milter} ${SOCKET} ...
  chmod ${SOCKET_MODE:-664} ${SOCKET} ...

The "milter" user can change ${SOCKET} between the time that it is created and the time that chown/chmod are called on it. Thus there is a race condition, and it can be used to gain root on the machine: simply replace ${SOCKET} with a symlink to some place important.

The init script runs [ -S ${SOCKET} ... ] in a loop, so I found it easiest to exploit this by constantly swapping a real socket with a symlink. For example, as the milter user in /var/run/milter,

  while true; do \
    cp -a spamass-milter.sock.bak spamass-milter.sock; \
    ln -sf /home/mjo/foo.txt ./spamass-milter.sock; \
  done;

If I start the spamass-milter service with that running, it changes ownership of /home/mjo/foo.txt to milter:milter and makes it mode 664.

Another reliable way to exploit the chown/chmod is to make your symlink point to a socket. Then the "-S" test will always succeed, so all you have to do is clobber the socket with a symlink repeatedly in a loop.
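A race-free alternative to the chown/chmod-on-a-path pattern the report describes, added here as an example that is not part of the bug report or of the spamass-milter package: the daemon creates the socket with its final mode from the start (via umask), so no later chmod is needed, and ownership is only changed after verifying on a single opened descriptor that refuses symlinks that the object really is a socket. Function names and the /tmp paths used when exercising it are assumptions; the socket directory itself should additionally stay root-owned rather than being handed to the unprivileged user.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create the listening socket with its final mode from the start (via umask),
 * so no chmod on a path is ever needed afterwards.  Returns the fd or -1. */
int bind_socket_with_mode(const char *path, mode_t mode)
{
    struct sockaddr_un sa;
    if (strlen(path) >= sizeof sa.sun_path)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    mode_t old = umask(~mode & 0777);   /* bind() creates the inode under umask */
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(old);
    if (rc < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Change ownership only if the object at path is a socket, never following a
 * symlink.  The type check and the chown operate on the same open description,
 * so swapping the path between the two cannot redirect the chown elsewhere.
 * Returns 0 on success, -1 otherwise (open() sets ELOOP if a symlink was planted). */
int set_socket_owner_nofollow(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISSOCK(st.st_mode))
        rc = fchownat(fd, "", uid, gid, AT_EMPTY_PATH);
    close(fd);
    return rc;
}
```

Both helpers require Linux (O_PATH and AT_EMPTY_PATH); a symlink or a regular file at the socket path is rejected instead of having its ownership changed.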
Comment 1 Michael Orlitzky gentoo-dev 2019-09-14 16:11:35 UTC
commit 30a7ed2d867921b830e8f2329519fdb34ab9cb5f
Author: Michał Górny <mgorny@gentoo.org>
Date:   Tue May 28 15:32:15 2019 +0200

    mail-filter/spamass-milter: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/630986
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:25:28 UTC
unrestricting and re-assigning per bug 705894