michael orlitzky

CVE-2017-14730: app-admin/logstash-bin root privilege escalation via init script

Product
Gentoo Linux app-admin/logstash-bin package
Versions affected
app-admin/logstash-bin-5.4.3-r1 and earlier
Published on
2017-09-25
Author
Michael Orlitzky
Fixed in
versions 5.5.3 and 5.6.1, commits bbd6cb3 and 18f97c8
Bug report
https://bugs.gentoo.org/628558
Pull request
https://github.com/gentoo/gentoo/pull/5665
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14730
Acknowledgements
Tomáš Mózes and Ferenc Erki (the maintainers) for fixing the vulnerability

Summary

The Gentoo app-admin/logstash-bin package before version 5.5.3 allows its local unprivileged user to gain root by creating a hard link in a directory on which >chown is called recursively by the OpenRC service script.

Details

The full details, exploit, and mitigation are discussed in my article, End root chowning now (make /etc/init.d great again).