Your message dated Sat, 11 May 2019 13:03:28 +0000
with message-id <e1hprey-0007hz...@fasolo.debian.org>
and subject line Bug#928304: fixed in groonga 9.0.0-1+deb10u1
has caused the Debian Bug report #928304,
regarding groonga-httpd: Privilege escalation due to insecure use of logrotate 
(CVE-2019-11675)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groonga-httpd
Version: 6.1.5-1
Severity: critical
Tags: security
Justification: root security hole

Dear Maintainer,

The path of the log directory of groonga-httpd can be manipulated by user
groonga:

ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd

The files in /var/log/groonga/httpd/*.log are rotated once a day by
logrotate as user root with the following config:

/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen";
        fi
    endscript
}


Because logrotate is prone to a race condition (see the link to my
blog below), it is possible for user "groonga" to replace the
directory /var/log/groonga/httpd with a symbolic link to any
directory (for example /etc/bash_completion.d). logrotate will place
files AS ROOT into /etc/bash_completion.d and set the owner and
group to "groonga.groonga". An attacker could simply place a
reverse shell into this file. As soon as root logs in, the reverse
shell will be executed.

You can find an exploit for this bug at my blog:
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges

(This exploit won't work well with LVM or Docker but works reliably
if the filesystem is directly on the disk.)

Mitigation:

You could mitigate the problem by changing the owner and group of
/var/log/groonga to root, or by using the "su" option inside the
logrotate config file.


-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages groonga-httpd depends on:
ii  curl                   7.52.1-5+deb9u9
ii  groonga-server-common  6.1.5-1
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u4
ii  libgroonga0            6.1.5-1
ii  libpcre3               2:8.39-3
ii  libssl1.1              1.1.0j-1~deb9u1
ii  lsb-base               9.20161125
ii  zlib1g                 1:1.2.8.dfsg-5

groonga-httpd recommends no packages.

groonga-httpd suggests no packages.

-- no debconf information

--- End Message ---
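The two mitigations in the report (root-owned log directories, or an `su` directive so logrotate does not rotate as root) can be turned into an audit that walks every stanza of a logrotate config. The script below is an added example, not code from the Debian groonga package or from logrotate. It flags a stanza when no `su` directive applies (locally or in the global context) and the directory holding the log pattern, or any ancestor of it, is owned by a non-root user or is group/world writable; this generalises the report's case slightly, since an attacker-controlled ancestor can be swapped for a symlink just as the leaf directory can. The ownership table is constructed to match the `ls -l` output above, the shortened stanza mirrors the one in the report, and the `su groonga groonga` line is an assumed form of applying the `su` option, not the exact line the package shipped. Treat a hit as a lead to verify, not a confirmed hole: logrotate releases differ in how they guard against symlink swaps during rotation.

```python
"""Audit logrotate stanzas for the pattern in this report (added example, not
Debian's or logrotate's code).  A stanza is flagged when it has no `su`
directive (locally or globally) and the directory holding its log pattern,
or any ancestor, is owned by a non-root user or is group/world writable:
logrotate then rotates as root inside a directory an unprivileged user can
swap for a symlink.  The ownership table and `su groonga groonga` line are
constructed/assumed for the demo."""
import os
import stat
from typing import Callable, List, Optional, Tuple

DirInfo = Optional[Tuple[int, int, int]]      # (uid, gid, mode) or None if missing
SCRIPT_BLOCKS = {"prerotate", "postrotate", "firstaction", "lastaction"}


def parse_config(text: str) -> Tuple[bool, List[Tuple[List[str], List[str]]]]:
    """Return (global `su` seen, [(patterns, directives), ...]); script bodies
    between postrotate/endscript etc. are skipped, '#' starts a comment."""
    stanzas, patterns, body = [], [], []
    global_su = in_block = in_script = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if in_script:
            in_script = line != "endscript"
        elif in_block:
            if line == "}":
                stanzas.append((patterns, body))
                patterns, body, in_block = [], [], False
            elif line in SCRIPT_BLOCKS:
                in_script = True
            else:
                body.append(line)
        elif line.endswith("{"):
            patterns, in_block = line[:-1].split(), True
        elif line.split()[0] == "su":
            global_su = True
    return global_su, stanzas


def ancestors(path: str) -> List[str]:
    """'/var/log/groonga/httpd' -> itself, '/var/log/groonga', ..., '/'."""
    out, cur = [], os.path.normpath(path)
    while True:
        out.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            return out
        cur = parent


def untrusted_dir(info: DirInfo) -> bool:
    """Can a non-root user rename entries here?  A sticky bit does not help:
    the attacker renames a directory they already own."""
    if info is None:
        return False
    uid, gid, mode = info
    return uid != 0 or (gid != 0 and bool(mode & stat.S_IWGRP)) or bool(mode & stat.S_IWOTH)


def stat_dir(path: str) -> DirInfo:
    """Live lookup for auditing a real host (os.stat follows symlinks)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)


def audit(text: str, lookup: Callable[[str], DirInfo] = stat_dir) -> List[Tuple[str, str]]:
    """(pattern, first untrusted directory) for each stanza that rotates as root."""
    global_su, stanzas = parse_config(text)
    findings = []
    for patterns, directives in stanzas:
        if global_su or any(d.split()[0] == "su" for d in directives):
            continue  # rotation runs as that user, so no root-owned writes via the symlink
        for pat in patterns:
            for d in ancestors(os.path.dirname(pat)):
                if untrusted_dir(lookup(d)):
                    findings.append((pat, d))
                    break
    return findings


# Constructed sample: a shortened form of the stanza from the report, then the same
# stanza with an `su` line (assumed form of the fix; the package's exact line is not shown here).
VULNERABLE = """\
/var/log/groonga/httpd/*.log {
    daily
    create 640 groonga groonga
    sharedscripts
    postrotate
        /usr/bin/curl --silent --output /dev/null "http://127.0.0.1:10041/d/log_reopen"
    endscript
}
"""
FIXED = VULNERABLE.replace("    sharedscripts\n", "    sharedscripts\n    su groonga groonga\n")

# Constructed ownership table matching the `ls -l` in the report (999 stands in for groonga).
FAKE_TREE = {"/": (0, 0, 0o755), "/var": (0, 0, 0o755), "/var/log": (0, 0, 0o755),
             "/var/log/groonga": (0, 0, 0o755), "/var/log/groonga/httpd": (999, 999, 0o755)}


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run the audit against both samples with the fake tree instead of os.stat."""
    return audit(VULNERABLE, FAKE_TREE.get), audit(FIXED, FAKE_TREE.get)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable stanza:", vuln)  # flags /var/log/groonga/httpd
    print("with su:", fixed)           # []
```

To run it against a live host, feed `audit()` the contents of /etc/logrotate.conf and each file under /etc/logrotate.d/ and leave the default `stat_dir` lookup in place; the fake table exists only so the example runs offline.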
--- Begin Message ---
Source: groonga
Source-Version: 9.0.0-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
groonga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kentaro Hayashi <haya...@clear-code.com> (supplier of updated groonga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 May 2019 22:44:57 +0900
Source: groonga
Architecture: source
Version: 9.0.0-1+deb10u1
Distribution: testing-proposed-updates
Urgency: medium
Maintainer: Groonga Project <packa...@groonga.org>
Changed-By: Kentaro Hayashi <haya...@clear-code.com>
Closes: 928304
Changes:
 groonga (9.0.0-1+deb10u1) testing-proposed-updates; urgency=medium
 .
   * debian/groonga-httpd.logrotate
     debian/groonga-server-gqtp.logrotate
     - Mitigate privilege escalation by changing the owner and group of logs
       with "su" option. Reported by Wolfgang Hotwagner.
       (Closes: #928304) (CVE-2019-11675)
Checksums-Sha1:
 7ff32a98f7d32d65e355aa07b3ae1240af4a8851 3213 groonga_9.0.0-1+deb10u1.dsc
 7afc5c52e231ba3c0259ab79a6b0828c91ca3078 15420743 groonga_9.0.0.orig.tar.gz
 eaacb001998b1f7cb3448bd14124d66328163488 195 groonga_9.0.0.orig.tar.gz.asc
 e51163bcca0c6ab2074566a8b65de4929578ea3f 96880 
groonga_9.0.0-1+deb10u1.debian.tar.xz
 2c67c00669696243e20af4f1383e9e3e422d484a 7002 
groonga_9.0.0-1+deb10u1_source.buildinfo
Checksums-Sha256:
 6fb0f51a21654db4670313ad00aac6c01b76ee9df7202483e3b79c65cb50a6f3 3213 
groonga_9.0.0-1+deb10u1.dsc
 5b762b52053eeab4e3e320014359bb5bdc18d9b0c3d42ad825051872434e50ea 15420743 
groonga_9.0.0.orig.tar.gz
 223f6f2d171fde6fb5de09501cc19bf1ede1b14dc5720e4a8ee0b04011ae0196 195 
groonga_9.0.0.orig.tar.gz.asc
 648919a36807fb2079e6535484277b94e06f04a3f101f6865cb38fc3e6489c8b 96880 
groonga_9.0.0-1+deb10u1.debian.tar.xz
 e7b8f997b87c6e84afd3c5b8c2a09422b0198c202b34d30d90a5cad3811c40ac 7002 
groonga_9.0.0-1+deb10u1_source.buildinfo
Files:
 16cbe0b124225509f7095f7e0b10cd92 3213 database optional 
groonga_9.0.0-1+deb10u1.dsc
 8d13bcdcb0e318aef5df5630d94993bc 15420743 database optional 
groonga_9.0.0.orig.tar.gz
 45084f9ae5a9b3f1fcdf45ecd441300a 195 database optional 
groonga_9.0.0.orig.tar.gz.asc
 32b819b0a75ef1674ecf0584585cb67f 96880 database optional 
groonga_9.0.0-1+deb10u1.debian.tar.xz
 c7824c8045c21c1c63e794a79c773385 7002 database optional 
groonga_9.0.0-1+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---