Package: groonga-httpd
Version: 6.1.5-1
Severity: critical
Tags: security
Justification: root security hole

Dear Maintainer,

The path of the log directory of groonga-httpd can be manipulated by user
groonga:

ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd

The files in /var/log/groonga/httpd/*.log are rotated once a day by
logrotate as user root with the following config:

/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen";
        fi
    endscript
}


Because logrotate is prone to a race condition (see the link to my
blog below), it is possible for user "groonga" to replace the
directory /var/log/groonga/httpd with a symbolic link to any
directory (for example /etc/bash_completion.d). logrotate will place
files AS ROOT into /etc/bash_completion.d and set the owner and
group to "groonga.groonga". An attacker could simply place a
reverse shell into this file. As soon as root logs in, the reverse
shell will then be executed.

You can find an exploit for this bug at my blog:
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges

(This exploit won't work well with LVM or Docker but works reliably
if the filesystem is directly on the disk.)

Mitigation:

You could mitigate the problem by changing the owner and group of
/var/log/groonga to root, or by using the "su" option inside the
logrotate config file.
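A heuristic audit of the second mitigation, added here as example code (it is not part of this report or of the groonga package): it parses logrotate stanzas and flags any that create files for a non-root owner without an `su` directive, i.e. stanzas that root rotates inside a directory owned by an unprivileged user. The sample config is constructed from the stanza quoted above; ownership of the directory itself is not checked.

```python
# Directives that open a script body ending in `endscript`; their contents
# are shell, not logrotate directives, so the parser skips them.
SCRIPT_START = {"postrotate", "prerotate", "firstaction", "lastaction", "preremove"}

def parse_logrotate(text):
    """Return [(paths, directives)] per stanza, skipping script bodies."""
    stanzas, paths, directives, in_script = [], None, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / whitespace
        if not line:
            continue
        if in_script:
            in_script = line != "endscript"
        elif paths is None and line.endswith("{"):
            paths, directives = line[:-1].split(), []
        elif paths is not None and line == "}":
            stanzas.append((paths, directives))
            paths = None
        elif paths is not None:
            directives.append(line)
            in_script = line.split()[0] in SCRIPT_START
    return stanzas

def unsafe_stanzas(text):
    """Stanza paths that `create` files for a non-root owner but lack `su`."""
    findings = []
    for paths, directives in parse_logrotate(text):
        owner, has_su = None, False
        for d in directives:
            parts = d.split()
            if parts[0] == "create" and len(parts) >= 3:
                owner = parts[-2]          # create [mode] owner group
            elif parts[0] == "su":
                has_su = True              # rotation drops to this user/group
        if owner and owner != "root" and not has_su:
            findings.append(" ".join(paths))
    return findings

# Constructed sample: the reported stanza, and the same stanza with `su` added.
WEAK = """\
/var/log/groonga/httpd/*.log {
    daily
    create 640 groonga groonga
    sharedscripts
    postrotate
        /usr/bin/curl --silent --output /dev/null "http://127.0.0.1:10041/d/log_reopen"
    endscript
}
"""
FIXED = WEAK.replace("{\n", "{\n    su groonga groonga\n", 1)
```

Running `unsafe_stanzas(WEAK)` reports the groonga-httpd stanza, while `unsafe_stanzas(FIXED)` returns nothing.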


-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages groonga-httpd depends on:
ii  curl                   7.52.1-5+deb9u9
ii  groonga-server-common  6.1.5-1
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u4
ii  libgroonga0            6.1.5-1
ii  libpcre3               2:8.39-3
ii  libssl1.1              1.1.0j-1~deb9u1
ii  lsb-base               9.20161125
ii  zlib1g                 1:1.2.8.dfsg-5

groonga-httpd recommends no packages.

groonga-httpd suggests no packages.

-- no debconf information
