Your message dated Mon, 13 May 2019 21:17:46 +0000
with message-id <e1hqikq-0007av...@fasolo.debian.org>
and subject line Bug#928304: fixed in groonga 6.1.5-1+deb9u1
has caused the Debian Bug report #928304,
regarding groonga-httpd: Privilege escalation due to insecure use of logrotate (CVE-2019-11675)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groonga-httpd
Version: 6.1.5-1
Severity: critical
Tags: security
Justification: root security hole

Dear Maintainer,

The path of the log directory of groonga-httpd can be manipulated by user
groonga:

ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd

The files in /var/log/groonga/httpd/*.log are once a day rotated by
logrotate as user root with the following config:

/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen";
        fi
    endscript
}


Because logrotate is prone to a race condition (see the link to my
blog below), it is possible for user "groonga" to replace the
directory /var/log/groonga/httpd with a symbolic link to any
directory (for example /etc/bash_completion.d). logrotate will place
files AS ROOT into /etc/bash_completion.d and set the owner and
group to "groonga.groonga". An attacker could simply place a
reverse shell into this file. As soon as root logs in, the reverse
shell will be executed.

You can find an exploit for this bug at my blog:
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges

(This exploit won't work well with lvm or docker but works reliably
if the filesystem is directly on the disk)

Mitigation:

You could mitigate the problem by changing the owner and group of
/var/log/groonga to root, or by using the "su" option inside the
logrotate config file.


-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages groonga-httpd depends on:
ii  curl                   7.52.1-5+deb9u9
ii  groonga-server-common  6.1.5-1
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u4
ii  libgroonga0            6.1.5-1
ii  libpcre3               2:8.39-3
ii  libssl1.1              1.1.0j-1~deb9u1
ii  lsb-base               9.20161125
ii  zlib1g                 1:1.2.8.dfsg-5

groonga-httpd recommends no packages.

groonga-httpd suggests no packages.

-- no debconf information

--- End Message ---
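The race the report describes, turned into an audit check (an added example, not code from the bug report, the groonga package or logrotate): it parses logrotate stanzas and flags any that rotate as root from a directory a non-root user owns or can write, since that user can swap the directory for a symlink between logrotate's checks and its writes. The ownership lookup is injectable; `ownership_from_report` is a hypothetical stand-in that reproduces the `ls -l /var/log/groonga` output above, and the `su groonga groonga` variant is an assumed form of the fix the changelog mentions, not the actual Debian diff.

```python
"""Audit logrotate stanzas for the symlink race reported in Debian #928304.

Added example for this page; not code from the bug report, the groonga
package or logrotate. It models one rule from the report: a stanza is risky
when logrotate rotates as root (no "su" directive) while the directory that
holds the log files is owned by, or writable by, a non-root user. Real
logrotate applies more rules than this; treat a finding as a lead to verify.
"""
import os
import pwd
import re
import stat


def parse_logrotate(text):
    """Return a list of (patterns, directives) tuples, one per stanza.

    patterns: the globs before "{"; directives: name -> rest of the line.
    pre/postrotate script bodies are dropped; they do not affect this check.
    """
    stanzas = []
    for m in re.finditer(r'^\s*([^{}\n]+?)\s*\{(.*?)^\s*\}', text, re.S | re.M):
        body = re.sub(r'\b(pre|post|first|last)rotate\b.*?\bendscript\b',
                      '', m.group(2), flags=re.S)
        directives = {}
        for line in body.splitlines():
            line = line.split('#', 1)[0].strip()
            if line:
                parts = line.split(None, 1)
                directives[parts[0]] = parts[1] if len(parts) > 1 else ''
        stanzas.append((m.group(1).split(), directives))
    return stanzas


def rotation_user(directives):
    """User logrotate rotates as: root unless the stanza sets "su USER GROUP"."""
    su = directives.get('su')
    return su.split()[0] if su else 'root'


def stat_dir(path):
    """Default lookup: (owner name, st_mode) of a directory on this host."""
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, st.st_mode


def audit(config_text, lookup=stat_dir):
    """Return one finding dict per (stanza, pattern) that matches the rule.

    lookup(directory) -> (owner, mode) is injectable so the check can run
    against recorded or hypothetical ownership instead of the live host.
    """
    findings = []
    for patterns, directives in parse_logrotate(config_text):
        user = rotation_user(directives)
        if user != 'root':
            continue  # rotation runs unprivileged: a symlink swap gains nothing
        for pat in patterns:
            directory = os.path.dirname(pat) or '.'
            owner, mode = lookup(directory)
            writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            if owner != 'root' or writable:
                findings.append({'pattern': pat, 'directory': directory,
                                 'dir_owner': owner, 'dir_writable': writable,
                                 'runs_as': user})
    return findings


# Constructed sample input: the stanza quoted in the report, and the same
# stanza with a "su" line added (an assumed form of the fix the changelog
# describes; the actual Debian diff is not reproduced here).
VULNERABLE = """\
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \\
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
"""
HARDENED = VULNERABLE.replace("    create 640 groonga groonga\n",
                              "    su groonga groonga\n"
                              "    create 640 groonga groonga\n")


def ownership_from_report(directory):
    """Hypothetical lookup reproducing the "ls -l /var/log/groonga" in the report."""
    return {'/var/log/groonga': ('root', stat.S_IFDIR | 0o755),
            '/var/log/groonga/httpd': ('groonga', stat.S_IFDIR | 0o755)}[directory]


if __name__ == '__main__':
    for label, cfg in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        print(label, audit(cfg, ownership_from_report))
```

Run against a live host with the default `stat_dir` lookup, for example `audit(open('/etc/logrotate.d/groonga-httpd').read())`, the same check reports the stanza as long as `/var/log/groonga/httpd` stays owned by groonga and no `su` directive is present; the `dir_writable` flag covers the related case of a root-owned directory that is group- or world-writable.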
--- Begin Message ---
Source: groonga
Source-Version: 6.1.5-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
groonga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kentaro Hayashi <haya...@clear-code.com> (supplier of updated groonga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 May 2019 22:33:11 +0900
Source: groonga
Architecture: source
Version: 6.1.5-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Groonga Project <packa...@groonga.org>
Changed-By: Kentaro Hayashi <haya...@clear-code.com>
Closes: 928304
Changes:
 groonga (6.1.5-1+deb9u1) stretch; urgency=medium
 .
   * debian/groonga-httpd.logrotate
     debian/groonga-server-gqtp.logrotate
     - Mitigate privilege escalation by changing the owner and group of logs
       with "su" option. Reported by Wolfgang Hotwagner.
       (Closes: #928304) (CVE-2019-11675)
Checksums-Sha1:
 8642ffd596164c39234a80dcf7f40d4fed9550b2 3096 groonga_6.1.5-1+deb9u1.dsc
 d160fb76fcfe99d270c957a898b20efdf9356968 14197733 groonga_6.1.5.orig.tar.gz
 1515d87e19fa8d23e5861ebe306e64935c39a224 195 groonga_6.1.5.orig.tar.gz.asc
 2e05db4782db0e966122ed29b2ac04d79d0158f2 95616 groonga_6.1.5-1+deb9u1.debian.tar.xz
 725ffe75677315927382d6bda62dbdd69988ba42 6998 groonga_6.1.5-1+deb9u1_source.buildinfo
Checksums-Sha256:
 f4752b8e0606b3c5de5aef9dafe882434976cbb147c50147b82a78e57c192907 3096 groonga_6.1.5-1+deb9u1.dsc
 bd404dca8860b4bb7af72d77020c95b32926f8976fecfe3ae2b9f8792e26105e 14197733 groonga_6.1.5.orig.tar.gz
 117a37fbb4a0d6aa050030b68a653989a2902809ae6b747924e7d35b28cab12c 195 groonga_6.1.5.orig.tar.gz.asc
 f8d6ca18f697c68686a5af81257d7d5d9491798a24b139adab0e0dd83dfd4e72 95616 groonga_6.1.5-1+deb9u1.debian.tar.xz
 2b33f96ba5ab986280ae228f367e75112d3a790a23d265931c57a6944c47ae09 6998 groonga_6.1.5-1+deb9u1_source.buildinfo
Files:
 5cc21365c9a1ea46b44ccbc1f32dcf67 3096 database optional groonga_6.1.5-1+deb9u1.dsc
 2563f0b631c41e212d89309a7ff71d31 14197733 database optional groonga_6.1.5.orig.tar.gz
 2c2c48cf003f70ba68234389eecd65f9 195 database optional groonga_6.1.5.orig.tar.gz.asc
 d7310e2e8ed2806bff0460e3e819bec0 95616 database optional groonga_6.1.5-1+deb9u1.debian.tar.xz
 70221a38ae10396c60f290f6ca03e285 6998 database optional groonga_6.1.5-1+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
