michael orlitzky

CVE-2016-20015: net-analyzer/smokeping root privilege escalation via service “restore”

posted 2022-09-21

Product
Gentoo Linux net-analyzer/smokeping package
Versions affected
all
Published on
2022-09-21
Fixed in
commit 2310b0cd (removal of the package)
Bug report
https://bugs.gentoo.org/602652
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20015
Acknowledgements
John Helmert III for following up on the issue, for removing the vulnerable package, and for requesting the CVE.

Summary

The service script for the Gentoo net-analyzer/smokeping package has a “restore” function that runs chown smokeping:smokeping, as root, on paths that are controlled by the smokeping user. If the smokeping user can alter the target path quickly enough, he can exploit the chown to take ownership of any file on the system.

Details

The OpenRC service script for smokeping at /etc/init.d/smokeping has a “restore” function,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
restore() {
  ebegin "Restoring smokeping rrd files from XML dump files"
  if service_started "${myservice}" ; then
    eerror "You need to stop smokeping before restoring files!"
    return 1
  fi
  for f in $(find /var/lib/smokeping -name '*.xml' -print) ; do
    f_rrd=$(dirname $f)/$(basename $f .xml).rrd
    mv -f "${f_rrd}" "${f_rrd}.bak"
    chown root:0 "${f_rrd}.bak"
    rrdtool restore "$f" "${f_rrd}"
    chown smokeping:smokeping "${f_rrd}"
  done
  eend $?
}

that executes as root. Between the lines rrdtool restore "$f" "${f_rrd}" and chown smokeping:smokeping "${f_rrd}", the smokeping user has a window of opportunity to replace "${f_rrd}" with a symlink to a path of his choosing. This is made possible by the smokeping ebuild, which gives him control of /var/lib/smokeping:

1
2
3
4
5
6
7
src_install() {
  ...
  # Create the files in /var for rrd file storage
  keepdir /var/lib/${PN}/.simg
  fowners smokeping:smokeping /var/lib/${PN}
  ...
}

If he is successful, the final call to chown smokeping:smokeping "${f_rrd}" will follow the symlink, giving the smokeping user ownership of the target. This is an instance of the problem described in the article End root chowning now (make /etc/init.d great again).

Resolution

The net-analyzer/smokeping package has been removed from Gentoo along with its vulnerable OpenRC service script.