michael orlitzky

CVE-2017-18240: Gentoo app-admin/collectd privilege escalation via PID file manipulation

Note: the app-admin/collectd package has been renamed to app-metrics/collectd.

Product
Gentoo Linux app-admin/collectd package
Versions affected
app-admin/collectd-5.7.2 and earlier
Published on
2018-04-15
Author
Michael Orlitzky
Fixed in
commit 9a70b58, version 5.7.2-r1
Bug report
https://bugs.gentoo.org/628540
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18240
Acknowledgements
Thomas Deutschmann for the fix and Christopher Díaz Riveros who requested the CVE.

Summary

The Gentoo app-admin/collectd package before 5.7.2-r1 gives ownership of its PID file directory to the daemon's runtime user. That can be exploited by the runtime user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the runtime user).

Details

Before the app-admin/collectd OpenRC service starts, a call to checkpath gives ownership of the PID file directory to the runtime $COLLECTD_USER:

1
2
3
4
5
6
7
8
9
10
start_pre() {
  if [ "${RC_CMD}" != "restart" ]; then
    configtest || return 1
  fi

  checkpath --directory \
    --mode 0770 \
    --owner ${COLLECTD_USER}:${COLLECTD_GROUP} \
    "$(dirname "${COLLECTD_PIDFILE}")"
}

That can be exploited by $COLLECTD_USER to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by $COLLECTD_USER).

Resolution

The collectd daemon is able to run in the foreground whence OpenRC can manage its PID file. A new version of the OpenRC service script achieves that with the -f flag:

1
2
3
4
command="/usr/sbin/collectd"
command_args="${COLLECTD_OPTS} -C \"${COLLECTD_CONFIGFILE}\" -f"
command_background=true
command_user="${COLLECTD_USER}"

This results in a root-owned PID file, after which the ownership/permission changes on its directory are obsolete and have been removed.