michael orlitzky

CVE-2017-14483: Gentoo dev-python/flower privilege escalation via PID file manipulation

Product: Gentoo Linux dev-python/flower package
Versions affected: dev-python/flower-0.9.1 and earlier
Published on: 2017-09-15
Author: Michael Orlitzky
Bug report: https://bugs.gentoo.org/631020
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14483
Acknowledgements: Zac Medico for the fix, and Aleksandr Wagner for the CVE

Summary

The Gentoo dev-python/flower package before 0.9.1 gives ownership of its PID file directory to the daemon's runtime user. The runtime user can exploit that to kill root processes: when the service is stopped, root sends SIGTERM to whatever PID the PID file names, and the file's contents are controlled by the runtime user.

Details

Before the dev-python/flower OpenRC service starts, a call to checkpath gives ownership of the PID file directory to the runtime $user.

start_pre() {
  checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
}

Since $user owns the directory, $user can replace the PID file with one naming any process. That can be exploited to kill root processes: when the service is stopped, root sends SIGTERM to whatever PID the file contains.

Resolution

Fortunately, the call to checkpath in the service script is superfluous. The problem is resolved by deleting the start_pre() function, and then storing the PID file in the root-owned directory /run.
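The following is an added example and not code from the advisory or from Gentoo's dev-python/flower init script. It shows the checks a stop routine would need before trusting a PID file: the file's directory must be root-owned and not writable by the runtime user (the condition the checkpath call above violated, and the reason the fix moves the file into /run), the file must hold a single PID, and that PID must belong to the runtime user. The service name "flower" and runtime user "flower" are assumptions; the demo at the end constructs a PID file in a directory owned by whoever runs the script, standing in for the directory checkpath handed to $user.

```shell
#!/bin/sh
# Added example, not from the advisory or the Gentoo init script: a defensive
# "safe stop" that refuses to signal the PID named in a PID file unless the
# file's directory is one the runtime user cannot write and the PID really
# belongs to that user. Names "flower" (service, user) are assumptions.

# pidfile_dir_is_safe DIR USER
# Succeeds only if DIR exists, is owned by root, is neither group- nor
# world-writable, and USER is not root. A DIR that checkpath chowned to USER
# fails here, which is exactly the vulnerable arrangement.
pidfile_dir_is_safe() {
    pds_dir=$1; pds_user=$2
    [ -d "$pds_dir" ] || return 1
    [ "$pds_user" != root ] || return 1
    # -prune stops find from descending; only DIR itself is inspected
    [ -n "$(find "$pds_dir" -prune -user root -print 2>/dev/null)" ] || return 1
    # 020 = group write bit, 002 = other write bit (octal masks are portable)
    [ -z "$(find "$pds_dir" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ] || return 1
}

# read_pid FILE
# Prints the PID if FILE holds exactly one integer greater than 1 (never
# signal init); otherwise prints nothing and fails. Anything else a user could
# write into the file, such as "-1" or a second line, is rejected.
read_pid() {
    rp_pid=$(cat "$1" 2>/dev/null | tr -d ' \t\r')
    case $rp_pid in
        '' | *[!0-9]*) return 1 ;;   # empty, signed, multi-line, or not digits
    esac
    [ "$rp_pid" -gt 1 ] || return 1
    printf '%s\n' "$rp_pid"
}

# pid_owned_by PID UID
# Succeeds if process PID is running and its owner is the numeric UID.
# Linux-specific: /proc/PID is owned by the process's uid (field 3 of ls -ldn).
pid_owned_by() {
    po_pid=$1; po_uid=$2
    [ -d "/proc/$po_pid" ] || return 1
    set -- $(ls -ldn "/proc/$po_pid" 2>/dev/null)
    [ "${3:-}" = "$po_uid" ]
}

# safe_stop PIDFILE USER
# Prints the PID that may safely receive SIGTERM, or explains the refusal on
# stderr and fails. It sends no signal itself; a caller would run
#   kill -TERM "$(safe_stop /run/flower.pid flower)"
# only after this succeeds.
safe_stop() {
    ss_file=$1; ss_user=$2
    if ! pidfile_dir_is_safe "${ss_file%/*}" "$ss_user"; then
        echo "refusing: ${ss_file%/*} is not a root-owned, non-writable directory" >&2
        return 1
    fi
    if ! ss_pid=$(read_pid "$ss_file"); then
        echo "refusing: $ss_file does not hold a single PID" >&2
        return 1
    fi
    if ! ss_uid=$(id -u "$ss_user" 2>/dev/null); then
        echo "refusing: unknown user $ss_user" >&2
        return 1
    fi
    if ! pid_owned_by "$ss_pid" "$ss_uid"; then
        echo "refusing: PID $ss_pid is not a process owned by $ss_user" >&2
        return 1
    fi
    printf '%s\n' "$ss_pid"
}

# Demonstration on a constructed layout: the PID file sits in a directory owned
# by whoever runs this script and names this shell's own PID. The stop is
# refused either way: unprivileged, the directory is user-owned; as root, the
# runtime user would be root.
demo() {
    d_tmp=$(mktemp -d) || return 1
    printf '%s\n' "$$" > "$d_tmp/flower.pid"
    if d_pid=$(safe_stop "$d_tmp/flower.pid" "$(id -un)"); then
        echo "would send SIGTERM to $d_pid"
    else
        echo "stop blocked; the PID file cannot be trusted"
    fi
    rm -rf "$d_tmp"
}
demo
```

With the PID file under a root-owned /run, the first check passes and the remaining two are what stop a user-controlled file contents from steering root's kill; together they reduce a compromised or malicious $user to signalling only its own processes.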