Package: fcgiwrap
Version: 1.1.0-12
Severity: critical
Tags: patch, security

On a default installation of Debian 11 (bullseye), with other releases probably 
also affected, the systemd socket file /lib/systemd/system/fcgiwrap.socket from 
package fcgiwrap contains no Mode= configuration parameter, making systemd pick 
the default 0666. The socket is therefore world accessible and any user on the 
system may, when package fcgiwrap is installed, elevate privileges and execute 
code as the www-data user by communicating with the socket via the FastCGI 
protocol. www-data is specified as User= and Group= in 
/lib/systemd/system/fcgiwrap.service, also supplied by package fcgiwrap.

Proof of concept terminal recording: http://upload.sijanec.eu/f.mp4

Solution: add SocketMode=0660, SocketUser=www-data, Group=www-data to 
/lib/systemd/system/fcgiwrap.socket --- this would, however, break existing 
configurations that rely on /run/fcgiwrap.socket being world connectable.

Is this intended behaviour? Doesn't it break users' expectations, as suddenly 
everyone can influence httpd (nginx slaves also run under www-data, for 
example)?

----- BEGIN PATCH -----
Author: Anton Luka Šijanec <an...@sijanec.eu>
Description: Modify default user/group and listening mode of socket
Forwarded: no

--- a/systemd/fcgiwrap.socket
+++ b/systemd/fcgiwrap.socketfixed
@@ -3,6 +3,9 @@ Description=fcgiwrap Socket

 [Socket]
 ListenStream=/run/fcgiwrap.sock
+Mode=0660
+SocketUser=www-data
+SockerGroup=www-data

 [Install]
 WantedBy=sockets.target
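
Review bot: Two of the three added [Socket] lines do not use systemd's directive names: Mode=0660 should be SocketMode=0660 (the name the Solution paragraph uses) and SockerGroup=www-data should be SocketGroup=www-data. As written, systemd ignores both as unknown keys, so the socket stays at the default 0666 with group root and only SocketUser= takes effect. The hunk also will not apply to the shipped unit as it stands: the +++ header targets fcgiwrap.socketfixed rather than fcgiwrap.socket, and the context line reads ListenStream=/run/fcgiwrap.sock while the attached unit has ListenStream=/run/fcgiwrap.socket.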
----- END PATCH -----

Attachments:
root@host:~# ls -lah /run/fcgiwrap.socket
srw-rw-rw- 1 root root 0 Nov  8 19:42 /run/fcgiwrap.socket

=> /lib/systemd/system/fcgiwrap.socket
[Unit]
Description=fcgiwrap Socket

[Socket]
ListenStream=/run/fcgiwrap.socket

[Install]
WantedBy=sockets.target



=> /lib/systemd/system/fcgiwrap.service
[Unit]
Description=Simple CGI Server
After=nss-user-lookup.target
Requires=fcgiwrap.socket

[Service]
Environment=DAEMON_OPTS=-f
EnvironmentFile=-/etc/default/fcgiwrap
ExecStart=/usr/sbin/fcgiwrap ${DAEMON_OPTS}
User=www-data
Group=www-data

[Install]
Also=fcgiwrap.socket

-- 
Anton Luka Šijanec <an...@sijanec.eu>
F4C3E3A4DFB7254397A9F993E76135F49802CD14
http://splet.sijanec.eu/pgp-key.txt
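
An added example, not part of the original report or of the fcgiwrap package: a small Python check that reads a .socket unit and reports whether its AF_UNIX socket ends up world connectable, run over the unit attached above, the [Socket] section as the posted hunk would leave it, and a constructed variant with systemd's directive names. The function name, the result keys and the limited set of four recognised directives are assumptions of this sketch.

```python
DEFAULT_MODE = 0o666  # systemd.socket(5): SocketMode= defaults to 0666
OWNERSHIP_KEYS = {"SocketUser": 0, "SocketGroup": 1}

def audit_socket_unit(text):
    """Report who can connect to the AF_UNIX sockets a .socket unit declares."""
    section, paths, unrecognized = None, [], []
    mode, owner = DEFAULT_MODE, ["root", "root"]  # root:root, as in the ls output
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Socket" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ListenStream":
            if value.startswith("/"):      # filesystem path => AF_UNIX socket
                paths.append(value)
        elif key == "SocketMode":
            mode = int(value, 8)
        elif key in OWNERSHIP_KEYS:
            owner[OWNERSHIP_KEYS[key]] = value
        else:
            unrecognized.append(key)       # not one of the four directives checked here
    return {"paths": paths, "mode": mode, "owner": tuple(owner),
            # On Linux, connect() to a pathname socket needs write permission on it.
            "world_connectable": bool(paths) and bool(mode & 0o002),
            "unrecognized": unrecognized}

HEADER = "[Unit]\nDescription=fcgiwrap Socket\n\n[Socket]\n"
# Unit as attached to the report.
SHIPPED = HEADER + "ListenStream=/run/fcgiwrap.socket\n"
# [Socket] section as the posted hunk would leave it.
AS_POSTED = HEADER + ("ListenStream=/run/fcgiwrap.sock\nMode=0660\n"
                      "SocketUser=www-data\nSockerGroup=www-data\n")
# Constructed variant using systemd's directive names.
CORRECTED = HEADER + ("ListenStream=/run/fcgiwrap.socket\nSocketMode=0660\n"
                      "SocketUser=www-data\nSocketGroup=www-data\n")

if __name__ == "__main__":
    for name, unit in (("shipped", SHIPPED), ("as posted", AS_POSTED),
                       ("corrected", CORRECTED)):
        print(name, audit_socket_unit(unit))
```

On a live system, `systemctl show fcgiwrap.socket -p SocketMode` and `stat /run/fcgiwrap.socket` give the values systemd actually applied.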
