michael orlitzky

CVE-2017-16659: mail-filter/assp root privilege escalation by user-owned daemon

posted 2017-11-07

Product

Gentoo Linux mail-filter/assp package

Versions affected

all versions

Published on

2017-11-07

Fixed in

none

Bug report

https://bugs.gentoo.org/629442

MITRE

CVE-2017-16659

Summary

All versions of the Gentoo mail-filter/assp package allow the local unprivileged assp user to gain root by modifying the /usr/share/assp/assp.pl script, which is launched as root by its OpenRC service script.

Details

The init script for ASSP launches the perl script /usr/share/assp/assp.pl as root,

start() {
  ebegin "Starting ASSP"
  start-stop-daemon -b -m --start --quiet \
                    --startas /usr/share/assp/assp.pl \
                    --pidfile /var/run/assp/asspd.pid \
                    -- /var/lib/assp/ 2<&1 >> /var/log/assp/assp.log
  eend $?
}

However, the ebuilds for mail-filter/assp give ownership of that script to the assp user and group,

src_install() {
  ...
  # Lock down the files/data
  fowners assp:assp -R /usr/share/assp
  fperms 770 /usr/share/assp
  ..

As a result, the assp user can modify /usr/share/assp/assp.pl to perform whatever commands he likes. The next time that ASSP is started using its service script, those commands will be executed as root.