631140 – net-analyzer/smokeping: privilege escalation via PID file manipulation

Bug 631140 - net-analyzer/smokeping: privilege escalation via PID file manipulation

Summary: net-analyzer/smokeping: privilege escalation via PID file manipulation

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [ebuild]
Keywords:

Depends on:	651212 651646
Blocks:
	Show dependency tree

Reported:	2017-09-16 18:01 UTC by Michael Orlitzky
Modified:	2020-06-18 00:55 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
smokeping-2.6.11-r1.ebuild (smokeping-2.6.11-r1.ebuild,4.10 KB, text/plain) 2017-09-16 18:01 UTC, Michael Orlitzky	no flags	Details
smokeping.init.5 (smokeping.init.5,1.32 KB, text/plain) 2017-09-16 18:02 UTC, Michael Orlitzky	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-09-16 18:01:56 UTC

Created attachment 494768 [details]
smokeping-2.6.11-r1.ebuild

The init script for smokeping gives ownership of its PID file directory to the "smokeping" user:

  start() {
      checkconfig || return 1

      checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
      ...

This can be exploited by the "smokeping" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are under the control of the "smokeping" user).

Since smokeping cannot drop privileges itself, there is no way to safely use the PID file that it creates: to run as a restricted user, we need start-stop-daemon to execute smokeping as a restricted user, after which it's already to late.

I've rewritten the init script to work around this by passing "--nodaemon" to smokeping, and by letting OpenRC background it and manage its PID file. Since smokeping insists on writing a PID file (it won't start otherwise), I've modified the ebuild to stick the unsafe PID file in /var/lib/smokeping. Now that /run/smokeping is unused, the tmpfiles.d entry is no longer needed.

Comment 1 Michael Orlitzky gentoo-dev

2017-09-16 18:02:21 UTC

Created attachment 494770 [details]
smokeping.init.5

Comment 2 Michael Orlitzky gentoo-dev

2017-09-16 18:05:07 UTC

One more thing: I dropped the line,

  checkpath -d -m 0755 -o smokeping:smokeping /var/cache/smokeping

because /var/cache/smokeping doesn't appear in the config anywhere (and apparently systemd doesn't need it). If I messed that up, just add it back.

Comment 3 D'juan McDonald (domhnall) 2017-10-03 06:58:57 UTC

@maintainer(s), ebuild provided, please call for stabilization when ready, thank you.

Gentoo Security Padawan
Daj Uan (jmbailey/mbailey_j)

Comment 4 Aaron Bauman Gentoo Infrastructure

2017-10-20 02:43:11 UTC

(In reply to jmbailey from comment #3)
> @maintainer(s), ebuild provided, please call for stabilization when ready,
> thank you.
> 
> Gentoo Security Padawan
> Daj Uan (jmbailey/mbailey_j)

the ebuild would need to be in the tree first.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2018-02-06 06:38:55 UTC

(In reply to Michael Orlitzky from comment #1)
> Created attachment 494770 [details]
> smokeping.init.5

It looks like this new init.d script does not fix bug #602652.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2018-02-08 19:44:54 UTC

(In reply to Jeroen Roovers from comment #5)
> (In reply to Michael Orlitzky from comment #1)
> > Created attachment 494770 [details]
> > smokeping.init.5
> 
> It looks like this new init.d script does not fix bug #602652.

That said, I have added it in 2.7.1.

Comment 7 nic 2018-03-26 20:08:51 UTC

--nodaemon breaks event logging to syslog bug #651212

Comment 8 John Helmert III gentoo-dev

2020-06-18 00:55:56 UTC

Maintainer(s): Ping.