Headline
CVE-2017-20147: privilege escalation via PID file manipulation
In the smokeping-2.6.11-r1.ebuild package for SmokePing on Gentoo, the initscript uses a PID file that is writable by the smokeping user. By writing arbitrary PIDs to that file, the smokeping user can cause a denial of service to arbitrary PIDs when the service is stopped.
Description Michael Orlitzky 2017-09-16 18:01:56 UTC
Created attachment 494768: smokeping-2.6.11-r1.ebuild
The init script for smokeping gives ownership of its PID file directory to the “smokeping” user:
start() {
    checkconfig || return 1
    checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
    ...
This can be exploited by the “smokeping” user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are under the control of the “smokeping” user).
Since smokeping cannot drop privileges itself, there is no way to safely use the PID file that it creates: to run as a restricted user, we need start-stop-daemon to execute smokeping as a restricted user, after which it’s already too late.
I’ve rewritten the init script to work around this by passing “--nodaemon” to smokeping, and by letting OpenRC background it and manage its PID file. Since smokeping insists on writing a PID file (it won’t start otherwise), I’ve modified the ebuild to stick the unsafe PID file in /var/lib/smokeping. Now that /run/smokeping is unused, the tmpfiles.d entry is no longer needed.
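The root cause above is that stop() trusts whatever PID the daemon user wrote. The report's fix is the right one (have start-stop-daemon write the PID file somewhere the daemon user cannot touch), but an init script that still has to read a daemon-written PID file can at least refuse to signal a PID that does not look like its own service. The POSIX shell function below is an added example, not part of this bug report, the attached ebuild or the Gentoo init script: it only returns a PID when the file is a plain, non-symlinked regular file holding one positive integer, and the named process runs as the expected user with the expected command name. Process owner and command name are read from /proc, so it assumes Linux; the helper names safe_pidfile_check and demo_pidfile_checks are hypothetical, and the background "sleep" stands in for the daemon.

```shell
#!/bin/sh
# Added example (not from the bug report): validate a PID file that an
# unprivileged user may have written before a privileged stop() signals it.
# Assumes Linux: process owner and command name are read from /proc.

# safe_pidfile_check PIDFILE EXPECTED_USER EXPECTED_COMM
# Prints the PID and returns 0 only when every check passes; otherwise
# prints nothing and returns 1, so the caller never signals a bogus PID.
safe_pidfile_check() {
    pidfile=$1
    expected_user=$2
    expected_comm=$3

    # A daemon user who owns the directory can swap the file for a symlink;
    # refuse anything that is not a plain regular file.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
        return 1
    fi

    # The content must be exactly one positive integer.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1            # never signal PID 1

    [ -d "/proc/$pid" ] || return 1         # the process must exist

    # Real UID of the process: second field of the "Uid:" line in status.
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status") || return 1
    expected_uid=$(id -u "$expected_user") || return 1
    [ "$uid" = "$expected_uid" ] || return 1

    # Command name as the kernel records it (truncated to 15 characters).
    comm=$(cat "/proc/$pid/comm") || return 1
    [ "$comm" = "$expected_comm" ] || return 1

    printf '%s\n' "$pid"
}

# demo_pidfile_checks: constructed scenario with a background "sleep" as a
# stand-in daemon. Prints one line per case and returns the number of cases
# whose outcome was not the expected one (0 means every check behaved).
demo_pidfile_checks() {
    tmp=$(mktemp -d) || return 1
    me=$(id -un)
    failures=0

    sleep 300 &
    daemon_pid=$!

    # Case 1: honest PID file written by the daemon -> accepted.
    printf '%s\n' "$daemon_pid" > "$tmp/honest.pid"
    if [ "$(safe_pidfile_check "$tmp/honest.pid" "$me" sleep)" = "$daemon_pid" ]; then
        echo "honest.pid: accepted (pid $daemon_pid)"
    else
        echo "honest.pid: REJECTED unexpectedly"; failures=$((failures + 1))
    fi

    # Case 2: file rewritten to name PID 1 -> rejected.
    printf '1\n' > "$tmp/init.pid"
    if safe_pidfile_check "$tmp/init.pid" "$me" sleep >/dev/null; then
        echo "init.pid: ACCEPTED unexpectedly"; failures=$((failures + 1))
    else
        echo "init.pid: rejected"
    fi

    # Case 3: file replaced by a symlink -> rejected even though the target is honest.
    ln -s "$tmp/honest.pid" "$tmp/link.pid"
    if safe_pidfile_check "$tmp/link.pid" "$me" sleep >/dev/null; then
        echo "link.pid: ACCEPTED unexpectedly"; failures=$((failures + 1))
    else
        echo "link.pid: rejected"
    fi

    # Case 4: a live PID (this shell) whose command is not the daemon's -> rejected.
    printf '%s\n' "$$" > "$tmp/shell.pid"
    if safe_pidfile_check "$tmp/shell.pid" "$me" sleep >/dev/null; then
        echo "shell.pid: ACCEPTED unexpectedly"; failures=$((failures + 1))
    else
        echo "shell.pid: rejected"
    fi

    kill "$daemon_pid" 2>/dev/null
    rm -rf "$tmp"
    return "$failures"
}

demo_pidfile_checks
```

The command-name check is deliberately exact rather than a substring match, and the user check compares numeric UIDs so a renamed account cannot slip through. Even with these checks, the file remains a race window between validation and kill, which is why moving the PID file out of the daemon user's control, as the report does, is the preferred fix.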
Comment 2 Michael Orlitzky 2017-09-16 18:05:07 UTC
One more thing: I dropped the line,
checkpath -d -m 0755 -o smokeping:smokeping /var/cache/smokeping
because /var/cache/smokeping doesn’t appear in the config anywhere (and apparently systemd doesn’t need it). If I messed that up, just add it back.
Comment 3 D’juan McDonald (domhnall) 2017-10-03 06:58:57 UTC
@maintainer(s), ebuild provided, please call for stabilization when ready, thank you.
Gentoo Security Padawan Daj Uan (jmbailey/mbailey_j)
Comment 6 Jeroen Roovers (RETIRED) 2018-02-08 19:44:54 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Michael Orlitzky from comment #1)
Created attachment 494770: smokeping.init.5
It looks like this new init.d script does not fix bug #602652.
That said, I have added it in 2.7.1.
Comment 7 nic 2018-03-26 20:08:51 UTC
--nodaemon breaks event logging to syslog, bug #651212
Comment 10 Larry the Git Cow 2022-09-18 21:23:37 UTC
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2310b0cd4914c79b2e8f3cb424259bb6e635a195
commit 2310b0cd4914c79b2e8f3cb424259bb6e635a195
Author: John Helmert III <[email protected]>
AuthorDate: 2022-09-18 21:16:58 +0000
Commit: John Helmert III <[email protected]>
CommitDate: 2022-09-18 21:16:58 +0000
net-analyzer/smokeping: treeclean
Bug: https://bugs.gentoo.org/631140
Signed-off-by: John Helmert III <[email protected]>
 net-analyzer/smokeping/Manifest                  |   1 -
 net-analyzer/smokeping/files/79_smokeping.conf   |  15 —
 net-analyzer/smokeping/files/smokeping.conf      |   1 -
 net-analyzer/smokeping/files/smokeping.init.5    |  56 ---------
 net-analyzer/smokeping/files/smokeping.service   |  10 –
 net-analyzer/smokeping/metadata.xml              |  12 –
 net-analyzer/smokeping/smokeping-2.7.3-r1.ebuild | 143 -----------------------
 profiles/package.mask                            |   5 -
 8 files changed, 243 deletions(-)
Related news
Gentoo Linux Security Advisory 202209-8 - Multiple vulnerabilities have been discovered in Smokeping, the worst of which could result in root privilege escalation. Versions less than or equal to 2.7.3-r1 are affected.