FUN WITH LINUX

Privilege escalation in groonga-httpd (CVE-2019-11675)

7 May 2019

Overview

  • System affected: Debian packages of groonga / groonga-httpd 6.1.5-1
  • Software version: 6.1.5-1
  • User interaction: Not required
  • Impact: Local root
  • CVE: CVE-2019-11675

Detailed Description

The log directory of groonga-httpd is owned by the user groonga and can therefore be manipulated by that user:

ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root root 1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd

The files in /var/log/groonga/httpd/*.log are rotated once a day by logrotate, running as root, with the following config:

/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}

Because logrotate is prone to a race condition, the user "groonga" can replace the directory /var/log/groonga/httpd with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place files AS ROOT into /etc/bash_completion.d and set their owner and group to "groonga.groonga". An attacker could simply place a reverse shell into such a file; as soon as root logs in, the reverse shell is executed.

Exploit

A proof-of-concept exploit can be found at https://github.com/whotwagner/logrotten

Mitigation

The problem can be mitigated by changing the owner and group of /var/log/groonga to root, or by using the "su" option inside the logrotate config file, so that logrotate drops to the groonga user before it creates files in that directory.
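As an added example (not code from the advisory or from the groonga project), the following Python audit parses logrotate stanzas and flags the ownership pattern described above: a directory on the log path owned by a user other than root or the `su` user, while logrotate still runs as root. The owner lookup is injectable so the constructed sample runs offline; group- and world-writable permission bits are not checked.

```python
import os
import pwd
import re

SU_DIRECTIVE = re.compile(r"^su\s+(\S+)\s+\S+$")

def parse_stanzas(text):
    """Return (log patterns, user logrotate runs as) per `... { ... }` stanza;
    without an `su` directive logrotate keeps running as root."""
    stanzas, patterns, run_as = [], None, "root"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if patterns is None:                # outside a stanza: look for the header line
            if line.endswith("{"):
                patterns, run_as = line[:-1].split(), "root"
        elif line == "}":                   # stanza closed
            stanzas.append((patterns, run_as))
            patterns = None
        elif m := SU_DIRECTIVE.match(line):
            run_as = m.group(1)
    return stanzas

def owner_from_fs(directory):
    """Owner of a directory on the live system, or None if it does not exist."""
    return pwd.getpwuid(os.stat(directory).st_uid).pw_name if os.path.isdir(directory) else None

def audit_logrotate(text, owner_of=owner_from_fs):
    """Flag stanzas where a directory on the log path is owned by someone other than
    root or the rotation user, who could swap it for a symlink while logrotate writes
    there as root (the CVE-2019-11675 pattern). Returns [(directory, run_as, owner)]."""
    findings = []
    for patterns, run_as in parse_stanzas(text):
        for pattern in patterns:
            path = os.path.normpath(os.path.dirname(pattern) or ".")
            while True:                     # walk up to "/": any writable ancestor counts
                owner = owner_of(path)
                if owner not in (None, "root", run_as):
                    findings.append((path, run_as, owner))
                    break
                parent = os.path.dirname(path)
                if parent == path:
                    break
                path = parent
    return findings
# Constructed sample: the advisory's stanza, with the ownership its `ls -l` output shows.
VULNERABLE_CONF = "/var/log/groonga/httpd/*.log {\n    daily\n    create 640 groonga groonga\n}\n"
FIXED_CONF = VULNERABLE_CONF.replace("daily", "daily\n    su groonga groonga")
SAMPLE_OWNERS = {"/": "root", "/var": "root", "/var/log": "root", "/var/log/groonga": "root", "/var/log/groonga/httpd": "groonga"}
```

Running `audit_logrotate(VULNERABLE_CONF, SAMPLE_OWNERS.get)` reports the groonga-owned httpd directory, while the `su groonga groonga` variant reports nothing; on a live host call `audit_logrotate(open("/etc/logrotate.d/groonga-httpd").read())` to use real ownership.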

Credits

This bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd)

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti