| Summary | mail-filter/mimedefang: privilege escalation via PID file manipulation |
|---|---|
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Michael Orlitzky <mjo> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | Normal |
| CC | maintainer-needed, maracay, net-mail+disabled, treecleaner |
| Keywords | PMASKED, PullRequest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://github.com/gentoo/gentoo/pull/11833 |
| Whiteboard | B3 [noglsa cve] |
| Package list | |
| Runtime testing required | --- |
| Deadline | 2019-05-24 |
Description
Michael Orlitzky
Reported upstream: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038077.html

MIMEDefang ships two vulnerable init scripts, so *something* will need to be fixed. I'll deal with the CVE once I hear from upstream.

CVE has been assigned: CVE-2017-14102 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14102):

MIMEDefang 2.80 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by the init-script.in and mimedefang-init.in scripts.

References:
http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038077.html
http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038085.html

This is fixed in mimedefang-2.81, but the init script will need an update.

1. The PID files are now created as root, but they need to be moved to a root-owned directory (i.e. /run).
2. There are now separate lock files for the daemons (a role previously played by the PID files). These can still go in the spool directory, but they need to be specified with "-o" on the command line.

There are some other cosmetic improvements to the init script that can be made:

* The `[ "$FOO" != "" ] && echo --foo=$FOO` construction is accomplished by ${FOO:+--foo=${FOO}}.
* If you split the multiplexor into a separate init script, you can make use of the command, command_args, command_user, etc. OpenRC variables and then let the default start/stop functions do all the work for you. (The command_args would need the variable expansion trick above.)
* There's no need to check for a pre-existing PID file yourself in the start() function.

Created attachment 494540 [details, diff]
Patch to address this issue in config file and init script
Hi,
In case it is any use to anyone, attached is a patch which addresses this issue and makes this package compatible with the latest mimedefang 2.82. It's a patch against files/mimedefang.conf and files/mimedefang.init in the ebuild. It:
- separates out lock files and pid files in exactly the same way upstream has done in their recent changes to their shipped init script (examples/init-script.in in the source), using the new -o option. pid files are now in /run, and lock files in /var/spool/MIMEDefang
- makes changes to the above 2 files to reflect a change in upstream's very recent 2.82 release, where some shell variables have been renamed (see 2.82 release notes).
The existing mimedefang-2.75.ebuild in this package builds the latest 2.82 perfectly fine if just renamed to mimedefang-2.82.ebuild. I am currently using 2.82 with this patch on a production machine without any problems. These are the pid and lock files:
ls -lha /var/spool/MIMEDefang/*.lock
-rw------- 1 defang defang 0 Sep 13 18:59 /var/spool/MIMEDefang/mimedefang.lock
-rw------- 1 defang defang 0 Sep 13 18:59 /var/spool/MIMEDefang/mimedefang-multiplexor.lock
ls -lha /run/mimedefang*.pid
-rw-r--r-- 1 root root 6 Sep 13 18:59 /run/mimedefang-multiplexor.pid
-rw-r--r-- 1 root root 6 Sep 13 18:59 /run/mimedefang.pid
Eddie
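The CVE text above describes the root cause: a root-run stop action does `kill \`cat /pathname\`` on a file that the unprivileged service account can rewrite, so that account chooses which PID root kills. The fix in 2.81 plus the attached patch addresses this by having the PID file written by root into a root-owned directory (/run), with the lock files left in the spool directory. The following is an added example, not code from MIMEDefang, its init scripts, or the attached patch, of the checks an init script's stop step should make before trusting a PID file. It assumes GNU stat(1), Linux /proc (with ps(1) as a fallback) for process names, and that the caller is the user meant to own the PID file (root when run from OpenRC); the function names are the example's own.

```shell
#!/bin/sh
# Added example: validate a PID file before acting on it, instead of the
# vulnerable  kill $(cat "$PIDFILE")  pattern that trusts whatever is in the file.
# Assumptions: GNU stat(1); Linux /proc with ps(1) as fallback; the invoking
# user (root under OpenRC) is the user that must own the PID file and its
# directory, which is why PID files belong in /run rather than the spool dir.

# Name of the executable behind a PID, or empty if no such process exists.
proc_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# Succeeds if PATH is owned by the invoking user and not writable by group/other.
owned_by_caller_only() {
    [ "$(stat -c %u "$1")" = "$(id -u)" ] || return 1
    # stat -c %A gives e.g. "-rw-r--r--": char 6 is group write, char 9 other write.
    case "$(stat -c %A "$1")" in
        ?????w*|????????w*) return 1 ;;
    esac
}

# read_pidfile_safely PIDFILE EXPECTED_COMM
# Prints the PID and returns 0 only if every check passes; otherwise reports
# the reason on stderr and returns 1.
read_pidfile_safely() {
    pidfile=$1
    expected=$2
    dir=$(dirname "$pidfile")

    # 1. The directory must be ours and private: in a service-owned spool dir
    #    the service account can replace the file regardless of its mode.
    if ! owned_by_caller_only "$dir"; then
        echo "$dir: directory not owned by uid $(id -u) or writable by others" >&2
        return 1
    fi

    # 2. A regular file (not a symlink), owned by us, not writable by others.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ] || ! owned_by_caller_only "$pidfile"; then
        echo "$pidfile: not a private regular file owned by uid $(id -u)" >&2
        return 1
    fi

    # 3. Content is exactly one positive integer greater than 1; anything else
    #    (extra lines, shell metacharacters, PID 1) is rejected rather than
    #    handed to kill(1).
    pid=$(head -n 1 "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "$pidfile: content is not a PID" >&2; return 1 ;;
    esac
    if [ "$pid" -le 1 ] || [ "$(cat "$pidfile")" != "$pid" ]; then
        echo "$pidfile: unexpected PID value or extra content" >&2
        return 1
    fi

    # 4. The PID must still belong to the daemon we started, not to whatever
    #    process now has that number or whatever PID an attacker wrote in.
    if [ "$(proc_comm "$pid")" != "$expected" ]; then
        echo "$pidfile: PID $pid is not a '$expected' process" >&2
        return 1
    fi

    printf '%s\n' "$pid"
}

# Hardened stop step for an init script: only signal a PID that passed all checks.
stop_daemon() {
    pid=$(read_pidfile_safely "$1" "$2") || return 1
    kill "$pid"
}
```

Checks 1 and 2 are the ones the 2.81 change and the patch enforce by construction (root writes the file into /run); checks 3 and 4 cover the remaining window where a stale PID has been recycled by an unrelated process. OpenRC's default stop handling with `pidfile=` and `command=` set performs a comparable identity check through start-stop-daemon, which is the route the comment above suggests for the split multiplexor script.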
This got lost in Bugzilla, please ebuild. Current Version is 2.84

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85321a149337128aee2299663fd31f3e98bda724

commit 85321a149337128aee2299663fd31f3e98bda724
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-24 13:01:59 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-24 13:01:59 +0000

    package.mask: Last rite mail-filter/mimedefang

    Bug: https://bugs.gentoo.org/629450
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe699000ab8a8d1dfbab923acb8093f64558fb4f

commit fe699000ab8a8d1dfbab923acb8093f64558fb4f
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-06-16 14:08:12 +0000
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-06-16 14:08:12 +0000

    mail-filter/mimedefang: remove last-rited package, bug 629450

    Bug: https://bugs.gentoo.org/629450
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 mail-filter/mimedefang/Manifest                    |   3 -
 .../mimedefang/files/mimedefang-2.72-ldflags.patch |  38 ------
 mail-filter/mimedefang/files/mimedefang.conf       | 131 ---------------------
 mail-filter/mimedefang/files/mimedefang.init       | 102 ----------------
 mail-filter/mimedefang/metadata.xml                |   9 --
 mail-filter/mimedefang/mimedefang-2.73.ebuild      |  64 ----------
 mail-filter/mimedefang/mimedefang-2.74.ebuild      |  62 ----------
 mail-filter/mimedefang/mimedefang-2.75.ebuild      |  62 ----------
 8 files changed, 471 deletions(-)

Removed over a year ago so no GLSA, tree is clean. Closing.