| Summary: | <net-vpn/peervpn-0.044-r4: root privilege escalation via config file replacement | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | zmedico |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ~2 [noglsa] | ||
| Package list: |
=net-vpn/peervpn-0.044-r4
|
Runtime testing required: | --- |
Fixed in 0.044-r4: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe0d13da698c205e0d71eff7c1fb5ef12b3b83ca There are no older versions to remove. |
net-vpn/peervpn installs its configuration directory owned by the "peervpn" user: fowners ${PN}:${PN} /etc/${PN} The configuration file /etc/peervpn/peervpn.conf might be owned by root:root, but since the parent directory is owned by the "peervpn" user, he can simply replace it. And the peervpn.conf file contains some sensitive settings: ## Option: upcmd <command> ## Description: Defines a shell command that will be executed after ## the TAP device has been opened. ## Example: upcmd echo virtual interface is up #upcmd echo virtual interface is up ... ## Option: enableprivdrop <yes|no> ## Description: If enabled, the PeerVPN process will automatically ## try to drop its privileges after finishing its ## initialization. If a certain configuration is ## desired, the options "user", "group" and "chroot" ## should be set too. ## Example: enableprivdrop yes #enableprivdrop yes A clever "peervpn" user can replace your configuration file with a modified one that abuses those two settings to run an arbitrary command as root the next time you start the service. Specifically, enableprivdrop no upcmd do-my-bidding.sh