michael orlitzky

CVE-2017-14483: dev-python/flower privilege escalation via PID file manipulation

posted 2017-09-15

Product

Gentoo Linux dev-python/flower package

Versions affected

dev-python/flower-0.9.1 and earlier

Published on

2017-09-15

Bug report

https://bugs.gentoo.org/631020

MITRE

CVE-2017-14483

Acknowledgements

Zac Medico for the fix, and Aleksandr Wagner for the CVE

Summary

The Gentoo dev-python/flower package before 0.9.1 gives ownership of its PID file directory to the daemon's runtime user. That can be exploited by the runtime user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the runtime user).

Details

Before the dev-python/flower OpenRC service starts, a call to checkpath gives ownership of the PID file directory to the runtime $user.

start_pre() {
  checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
}

That can be exploited by $user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by $user).

Resolution

Fortunately, the call to checkpath in the service script is superfluous. The problem is resolved by deleting the start_pre() function, and then storing the PID file in the root-owned directory /run.