Bug 629418 - <net-vpn/peervpn-0.044-r4: root privilege escalation via config file replacement
Summary: <net-vpn/peervpn-0.044-r4: root privilege escalation via config file replacement
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Depends on:
Reported: 2017-08-31 02:09 UTC by Michael Orlitzky
Modified: 2017-09-03 22:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Orlitzky gentoo-dev 2017-08-31 02:09:40 UTC
net-vpn/peervpn installs its configuration directory owned by the "peervpn" user:

  fowners ${PN}:${PN} /etc/${PN}

The configuration file /etc/peervpn/peervpn.conf might be owned by root:root, but since the parent directory is owned by the "peervpn" user, he can simply replace it. And the peervpn.conf file contains some sensitive settings:

  ## Option:       upcmd <command>
  ## Description:  Defines a shell command that will be executed after
  ##               the TAP device has been opened.
  ## Example:      upcmd echo virtual interface is up

  #upcmd echo virtual interface is up


  ## Option:       enableprivdrop <yes|no>
  ## Description:  If enabled, the PeerVPN process will automatically
  ##               try to drop its privileges after finishing its
  ##               initialization. If a certain configuration is
  ##               desired, the options "user", "group" and "chroot"
  ##               should be set too.
  ## Example:      enableprivdrop yes

  #enableprivdrop yes

A clever "peervpn" user can replace your configuration file with a modified one that abuses those two settings to run an arbitrary command as root the next time you start the service. Specifically,

  enableprivdrop no
Comment 1 Zac Medico gentoo-dev 2017-09-03 21:55:25 UTC
Fixed in 0.044-r4:

There are no older versions to remove.
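The condition the report describes (a configuration directory owned by the service account, so the file inside can be swapped regardless of who owns the file itself) is what a packager or administrator wants to audit on an installed system. The following is an added example, not code from the bug report or from peervpn: it assumes a hypothetical helper `audit_config_path` and a constructed temporary layout standing in for /etc/peervpn, with the current uid playing the peervpn user because chown needs root.

```python
# Added audit helper, not from the bug report or from the peervpn package.
import os
import stat
import tempfile


def path_components(path):
    """Return the absolute path and all of its ancestors, root first."""
    path = os.path.abspath(path)
    parts = []
    while True:
        parts.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return list(reversed(parts))


def audit_config_path(path, service_uid):
    """Report why `service_uid` could replace `path`: a component it owns (it can
    rename or unlink entries in its own directory regardless of who owns the
    file), or a group/world-writable component without the sticky bit."""
    findings = []
    for component in path_components(path):
        st = os.lstat(component)
        mode = st.st_mode
        if st.st_uid == service_uid:
            findings.append(f"{component}: owned by service uid {service_uid}")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            # A sticky directory such as /tmp only lets owners remove their own entries.
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                continue
            findings.append(f"{component}: group/world writable ({stat.filemode(mode)})")
    return findings


def demo_peervpn_layout():
    """Constructed stand-in for /etc/peervpn/peervpn.conf as the buggy ebuild laid
    it out: the directory is owned by the service user (simulated with the current
    uid, since chown needs root). Returns (config path, findings)."""
    base = tempfile.mkdtemp()
    confdir = os.path.join(base, "peervpn")
    os.mkdir(confdir, 0o755)
    conf = os.path.join(confdir, "peervpn.conf")
    with open(conf, "w") as fh:
        fh.write("enableprivdrop yes\n")  # constructed sample content
    return conf, audit_config_path(conf, service_uid=os.getuid())
```

On a real host, run `audit_config_path("/etc/peervpn/peervpn.conf", service_uid)` with the peervpn account's uid; an empty list means no path component is controllable by that account.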