Bug 629446 - <sys-cluster/swift-2.15.1-r1: possible root privilege escalation via config file replacement
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: C3 [noglsa]
Reported: 2017-08-31 13:26 UTC by Michael Orlitzky
Modified: 2017-09-04 22:27 UTC
Description Michael Orlitzky gentoo-dev 2017-08-31 13:26:02 UTC
sys-cluster/swift installs its config files as root:root, but places them in a directory owned by the "swift" user:

  $ ls -al /etc/swift/
  total 132K
  drwxr-xr-x  2 swift swift 4.0K 2017-08-31 08:58 .
  drwxr-xr-x 97 root  root   12K 2017-08-31 09:02 ..
  -rw-r--r--  1 root  root  9.3K 2017-08-31 08:58 account-server.conf
  ...

So while the "swift" user can't write directly to those files, he can simply replace them. This can most likely be exploited to gain root (I'm not 100% sure, because I have no idea what swift does). For example, the "swift" user can put

  bind_port = 80
  user = root

in account-server.conf and, at the very least, cause a weird denial of service.

If an attacker gains control of the "swift" user via a remote exploit, then that same trick can be used to start the daemons as root next time, making it a remote root exploit. In other words, the benefits of running as an unprivileged user are negated.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-31 16:54:36 UTC
fixed in 2017.2.9999 and 2.15.1-r1 (which is set to go stable with the rest of pike in about a month).

so... let me know next steps
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-31 16:55:01 UTC
fixed by changing the owner to root:swift and fperms 0750 on /etc/swift
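
An audit for the ownership problem reported above and the root:swift / 0750 fix, as an added example that is not part of the original bug or the ebuild. The function names replacers() and audit() are hypothetical; /etc/swift is the path from the report.

```python
import os
import stat
import sys


def replacers(dir_uid, dir_gid, dir_mode):
    """Return the non-root principals able to replace files in a directory
    that has this owner, group and permission mode."""
    found = []
    sticky = bool(dir_mode & stat.S_ISVTX)
    # The directory owner can unlink and recreate any entry; even without
    # the owner write bit they can chmod the directory to add it.
    if dir_uid != 0:
        found.append(f"uid {dir_uid} (directory owner)")
    # Group or world write+search allows rename/unlink of entries, unless
    # the sticky bit limits that to the file owner or directory owner.
    if not sticky:
        need = stat.S_IWGRP | stat.S_IXGRP
        if dir_mode & need == need:
            found.append(f"gid {dir_gid} (group-writable)")
        need = stat.S_IWOTH | stat.S_IXOTH
        if dir_mode & need == need:
            found.append("everyone (world-writable)")
    return found


def audit(path):
    """Map each root-owned regular file directly under path to the
    non-root principals that can replace it."""
    d = os.stat(path)
    who = replacers(d.st_uid, d.st_gid, stat.S_IMODE(d.st_mode))
    report = {}
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        if who and stat.S_ISREG(st.st_mode) and st.st_uid == 0:
            report[entry.path] = who
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/swift"
    for name, who in audit(target).items():
        print(f"{name}: replaceable by {', '.join(who)}")
```

An empty result for /etc/swift corresponds to the fixed layout; the check looks only at the directory itself, not at its parents.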
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-03 21:55:58 UTC
2.15.1-r1 is now stable
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-03 23:28:38 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> 2.15.1-r1 is now stable

Thanks Matthew, could you please verify if the tree is clean of vulnerable versions? 

@Security please add to an existing glsa or file a new one.

Gentoo Security Padawan
ChrisADR
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-03 23:50:04 UTC
yep, cleaned up and stable
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-04 00:02:39 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #5)
> yep, cleaned up and stable

Thank you
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2017-09-04 05:27:16 UTC
Maintainer(s), please drop the vulnerable version(s).
                |                                 |   u   |
               | a a         p s   a     n r     |   n   |
               | l m   h i   p p   r m m i i s   | e u s | r
               | p d a p a p c a x m i 6 o s 3   | a s l | e
               | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
               | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
---------------+---------------------------------+-------+-------
     2.10.2-r1 | o + o o o o o o + ~ o o o o o o | 5 # 0 | gentoo
     2.13.1-r1 | o + o o o o o o + ~ o o o o o o | 6 #   | gentoo
     2.15.1-r1 | o + o o o o o o + ~ o o o o o o | 6 o   | gento
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-04 21:09:35 UTC
the r1's are not vulnerable, the same fix was made to all released versions.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 22:27:23 UTC
GLSA Vote: No