• Products
  • Openwall GNU/*/Linux server OS
  • Linux Kernel Runtime Guard
  • John the Ripper password cracker
    • Free & Open Source for any platform
    • in the cloud
    • Pro for Linux
    • Pro for macOS
  • Wordlists for password cracking
  • passwdqc policy enforcement
    • Free & Open Source for Unix
    • Pro for Windows (Active Directory)
  • yescrypt KDF & password hashing
  • yespower Proof-of-Work (PoW)
  • crypt_blowfish password hashing
  • phpass ditto in PHP
  • tcb better password shadowing
  • Pluggable Authentication Modules
  • scanlogd port scan detector
  • popa3d tiny POP3 daemon
  • blists web interface to mailing lists
  • msulogin single user mode login
  • php_mt_seed mt_rand() cracker
• Services
• Publications
  • Articles
  • Presentations
• Resources
  • Mailing lists
  • Community wiki
  • Source code repositories (GitHub)
  • Source code repositories (CVSweb)
  • File archive & mirrors
  • How to verify digital signatures
  • OVE IDs
• What’s new

[<prev] [day] [month] [year] [list]

Date: Thu, 4 Aug 2022 12:38:17 +0200 From: Filippo Bonazzi <fbonazzi@…e.de> To: oss-security@…ts.openwall.com Subject: gromox: potential local privilege escalation (CVE-2022-37030)

Hello list,

the following report describes a local privilege escalation vulnerability in Gromox[0] versions 0.5 to 1.27. Any code references in this report are based on version 1.27 in the upstream Git repository[1], and packaging references are based on the 1.27 RPM distributed by upstream[2].

Introduction

Gromox is the central groupware server component of grommunio[3]. It is capable of serving as a replacement for Microsoft Exchange and compatibles.

Among its many features, Gromox provides a PAM module to authenticate non-Gromox processes to an authentication backend such as MySQL or LDAP. The PAM module allows runtime loading of plugins, and its configuration lives in `/etc/gromox/pam` or `/etc/gromox`.

The interaction between this PAM module, its runtime loading of plugins and their configuration causes the vulnerability described in this report.

The Vulnerability

The RPM spec file packages the `/etc/gromox` directory with ownership `root:gromox` and mode 775, i.e. the directory is writeable by the unprivileged `gromox` group.

The directory contains, among others, the configuration file for the PAM module. When the authentication hook of the PAM module is invoked, the module loads the `/etc/gromox/pam.cfg` configuration file, which can contain a path and a list of filenames to be used to load plugins. The plugins are regular .so shared objects, which are then executed by the PAM module.

It is therefore possible for the `gromox` group to effectively have the PAM stack run arbitrary code upon execution of the `pam_gromox.so` module.

Assuming that the PAM stack is run as root, as it is likely, this results in the unprivileged `gromox` group being able to execute arbitrary code as root.

Proof of Concept Exploit

Attached is a proof of concept setup that has been tested on current openSUSE distributions. The only precondition for the exploit is that gromox is installed and a target user is in the `gromox` group.

Upstream Fix

Upstream released version 1.28 of Gromox[4] which removes configuration directives for runtime loading of plugins. Plugins are now loaded from a fixed list, and from root-controlled paths only. This removes the possibility for an unprivileged user to control what will be executed by the Gromox PAM module.

Timeline

2022-07-25: I contacted upstream with the vulnerability report and offered coordinated disclosure. Upstream released version 1.28 on the same day, fixing the issue, and did not request any embargo. 2022-07-26: I reviewed the new version and verified that the issue has been fixed. 2022-08-01: I obtained CVE-2022-37030 from Mitre to track this issue.

References

[0] https://gromox.com/ [1] https://github.com/grommunio/gromox [2] https://download.grommunio.com/community/openSUSE_Tumbleweed/ [3] https://grommunio.com/ [4] https://github.com/grommunio/gromox/releases/tag/gromox-1.28

– Filippo Bonazzi Security Engineer suse.com 8257 4398 947A 2DBE F21D 76E6 937A 63F0 5B36 46D9

Download attachment "gromox-poc.zip" of type "application/zip" (2488 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.