Overview
- System affected: Debian packages of groonga / groonga-httpd 6.1.5-1
- Software-Version: 6.1.5-1
- User-Interaction: Not required
- Impact: Local root
- CVE: CVE-2019-11675
Detailed Description
The log directory of groonga-httpd, /var/log/groonga/httpd, is owned by the unprivileged user groonga and can therefore be replaced by that user:
ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root root 1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd
The files in /var/log/groonga/httpd/*.log are rotated once a day by logrotate, which runs as root, using the following config:
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
Because logrotate is prone to a race condition, it is possible for the user "groonga" to replace the directory /var/log/groonga/httpd with a symbolic link to any other directory (for example /etc/bash_completion.d). logrotate will then create files AS ROOT inside /etc/bash_completion.d and set their owner and group to "groonga:groonga". An attacker could simply place a reverse shell into such a file; as soon as root logs in, the reverse shell is executed.
Exploit
A proof-of-concept exploit can be found at https://github.com/whotwagner/logrotten
Mitigation
The problem can be mitigated by changing the owner and group of /var/log/groonga to root, or by using the "su" option in the logrotate config file so that rotation no longer runs as root inside a directory owned by the unprivileged user.
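As an added defender's check, not part of the original advisory or of the groonga project, the following script audits a logrotate config for exactly this class of misconfiguration: a stanza whose log directory is owned by a non-root account (or is group/world writable) while no "su" directive is set. It assumes GNU stat (Linux) and one glob per stanza, as in the Debian config above; the function names are my own.

```shell
#!/bin/sh
# Audit logrotate stanzas for the pattern behind CVE-2019-11675: a log glob
# whose directory is owned by a non-root account (or is group/world writable)
# while the stanza sets no "su" directive, so logrotate creates files as root
# inside a directory that account could swap for a symlink.
# Assumes GNU stat (Linux) and one glob per stanza, as in the Debian config.

# Flag one stanza; returns 1 when it is risky, 0 otherwise.
check_stanza() {
    pat="$1"; su_set="$2"
    dir="$(dirname "$pat")"
    [ -d "$dir" ] || return 0              # nothing to rotate yet
    owner="$(stat -c %U "$dir")"
    perms="$(stat -c %A "$dir")"           # e.g. drwxr-xr-x
    insecure=0
    [ "$owner" = root ] || insecure=1
    # position 6 = group write bit, position 9 = other write bit
    case "$perms" in ?????w*|????????w*) insecure=1 ;; esac
    if [ "$insecure" -eq 1 ] && [ "$su_set" -eq 0 ]; then
        printf 'RISK: %s rotated as root, but %s is %s %s and no "su" is set\n' \
            "$pat" "$dir" "$owner" "$perms"
        return 1
    fi
    return 0
}

# Walk a config file stanza by stanza; returns 1 if any stanza is risky.
audit_logrotate_conf() {
    conf="$1"; rc=0; pattern=""; has_su=0
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed="$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        case "$trimmed" in
            *'{')                          # "/var/log/app/*.log {"
                pattern="$(printf '%s' "${trimmed%\{}" | sed 's/[[:space:]]*$//')"
                has_su=0 ;;
            '}')                           # end of stanza: evaluate it
                if [ -n "$pattern" ]; then
                    check_stanza "$pattern" "$has_su" || rc=1
                fi
                pattern="" ;;
            su|"su "*) has_su=1 ;;
        esac
    done < "$conf"
    return $rc
}

# Audit every file given on the command line (e.g. /etc/logrotate.d/*).
for f in "$@"; do audit_logrotate_conf "$f"; done
```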
Credits
This bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd).