michael orlitzky

CVE-2017-16659: mail-filter/assp root privilege escalation by user-owned daemon

Product
Gentoo Linux mail-filter/assp package
Versions affected
all versions
Published on
2017-11-07
Author
Michael Orlitzky
Fixed in
none
Bug report
https://bugs.gentoo.org/629442
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16659

Summary

All versions of the Gentoo mail-filter/assp package allow the local unprivileged assp user to gain root by modifying the /usr/share/assp/assp.pl script, which is launched as root by its OpenRC service script.

Details

The init script for ASSP launches the perl script /usr/share/assp/assp.pl as root,

1
2
3
4
5
6
7
8
start() {
  ebegin "Starting ASSP"
  start-stop-daemon -b -m --start --quiet \
                    --startas /usr/share/assp/assp.pl \
                    --pidfile /var/run/assp/asspd.pid \
                    -- /var/lib/assp/ 2<&1 >> /var/log/assp/assp.log
  eend $?
}

However, the ebuilds for mail-filter/assp give ownership of that script to the assp user and group,

1
2
3
4
5
6
src_install() {
  ...
  # Lock down the files/data
  fowners assp:assp -R /usr/share/assp
  fperms 770 /usr/share/assp
  ..

As a result, the assp user can modify /usr/share/assp/assp.pl to perform whatever commands he likes. The next time that ASSP is started using its service script, those commands will be executed as root.