Package: groonga-httpd
Version: 6.1.5-1
Severity: critical
Tags: security
Justification: root security hole
Dear Maintainer,

The path of the log directory of groonga-httpd can be manipulated by user groonga:

    ls -l /var/log/groonga
    total 8
    -rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
    drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd

The files in /var/log/groonga/httpd/*.log are rotated once a day by logrotate as user root with the following config:

    /var/log/groonga/httpd/*.log {
        daily
        missingok
        rotate 30
        compress
        delaycompress
        notifempty
        create 640 groonga groonga
        sharedscripts
        postrotate
            . /etc/default/groonga-httpd
            if [ x"$ENABLE" = x"yes" ]; then
                /usr/bin/curl --silent --output /dev/null \
                    "http://127.0.0.1:10041/d/log_reopen"
            fi
        endscript
    }

Because logrotate is prone to a race condition (see the link to my blog below), it is possible for user "groonga" to replace the directory /var/log/groonga/httpd with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place files AS ROOT into /etc/bash_completion.d and set their owner and group to "groonga.groonga". An attacker could simply place a reverse shell into this file; as soon as root logs in, the reverse shell will be executed.

You can find an exploit for this bug at my blog:
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
(This exploit won't work well with LVM or Docker, but works reliably if the filesystem is directly on the disk.)

Mitigation: You could mitigate the problem by changing the owner and group of /var/log/groonga to root, or by using the "su" option inside the logrotate config file.
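The mitigation above is easy to check for mechanically: a stanza rotates as root unless it carries a "su" directive, so any stanza without one whose log directory is owned by another user has the same shape as the groonga-httpd one. The following audit script is an added example, not part of this report or of the groonga package; the function names and the one-stanza-per-file parsing are my own assumptions.

```shell
#!/bin/sh
# Audit script added as an example; it is not part of the bug report or of
# the groonga package. It lists logrotate stanzas that rotate as root (no
# "su" directive) while the directory holding the logs is owned by a
# non-root user: the combination the report above abuses.

# Print "GLOB HAS_SU" for every stanza in one logrotate config file.
logrotate_stanzas() {
    awk '
        /^[^#{}]*[{]/           { glob = $1; in_stanza = 1; has_su = 0; next }
        in_stanza && $1 == "su" { has_su = 1 }
        /^[[:space:]]*[}]/      { if (in_stanza) print glob, has_su; in_stanza = 0 }
    ' "$1"
}

# Owner of a path, via ls so it does not depend on GNU vs BSD stat flags.
path_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Print one WARN line per risky stanza; return 1 if any was found, else 0.
# Stanzas whose directory component is itself a glob are skipped.
logrotate_audit() {
    out=$(logrotate_stanzas "$1" | while read -r glob has_su; do
        dir=$(dirname "$glob")
        [ -d "$dir" ] || continue
        owner=$(path_owner "$dir")
        if [ "$has_su" -eq 0 ] && [ "$owner" != root ]; then
            echo "WARN: $glob is rotated as root but $dir is owned by $owner;" \
                 "add 'su $owner <group>' to the stanza or chown the directory to root"
        fi
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh audit.sh /etc/logrotate.d/groonga-httpd   (exit status 1 means findings)
if [ $# -gt 0 ]; then
    logrotate_audit "$1"
fi
```

Run it over every file in /etc/logrotate.d; a stanza that already has "su groonga groonga" (or whose directory is root-owned) produces no warning.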
-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages groonga-httpd depends on:
ii  curl                   7.52.1-5+deb9u9
ii  groonga-server-common  6.1.5-1
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u4
ii  libgroonga0            6.1.5-1
ii  libpcre3               2:8.39-3
ii  libssl1.1              1.1.0j-1~deb9u1
ii  lsb-base               9.20161125
ii  zlib1g                 1:1.2.8.dfsg-5

groonga-httpd recommends no packages.

groonga-httpd suggests no packages.

-- no debconf information