posted 2018-06-23
The Gentoo app-backup/burp package gives ownership of its PID file directory to the daemon's runtime user. The runtime user can exploit that to kill root processes: when the service is stopped, root sends SIGTERM to whatever PID is recorded in the PID file, and the PID file's contents are controlled by the runtime user.
Before the burp OpenRC or systemd service starts, a tmpfiles.d entry gives ownership of its PID file directory to the runtime burp user in /usr/lib64/tmpfiles.d/burp.conf:
The burp user can exploit that to kill root processes: when the service is stopped, root sends SIGTERM to whatever PID is recorded in the PID file, and that PID file (inside a directory owned by burp) is controlled by the burp user.
The burp daemon creates its PID file as root, so the configuration was updated to store it in /run (which is writable only by root) instead of /run/burp. The systemd service runs in the foreground and no longer uses a PID file at all.
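As an added illustration (not part of the original advisory or the Gentoo package), the following script audits tmpfiles.d entries for the pattern described above: a directory under /run created with a non-root owner or a group-/world-writable mode, which is where a root-written PID file becomes attacker-controllable. The sample entries it checks are constructed for the example and are not the real contents of burp.conf.

```python
#!/usr/bin/env python3
"""Flag tmpfiles.d entries that hand a runtime directory under /run to a
non-root user. A PID file that root later writes into such a directory can
be replaced by that user, so the PID the init script signals on stop is no
longer trustworthy."""
import shlex
from dataclasses import dataclass

# Constructed sample for this example; not the actual burp.conf shipped by Gentoo.
SAMPLE_TMPFILES = """# constructed sample tmpfiles.d content
d /run/burp 0755 burp burp -
d /run/sshd 0755 root root -
d /run/foo 0775 root foo -
"""

DIR_TYPES = {"d", "D", "v", "q", "Q"}  # tmpfiles.d types that create a directory
RUNTIME_DIRS = ("/run", "/var/run")


@dataclass
class Entry:
    type: str
    path: str
    mode: str
    user: str
    group: str


def parse_tmpfiles(text: str) -> "list[Entry]":
    """Parse 'Type Path Mode User Group ...' lines; missing fields become '-'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        fields += ["-"] * (5 - len(fields))
        typ, path, mode, user, group = fields[:5]
        entries.append(Entry(typ.rstrip("!+~^"), path, mode, user, group))
    return entries


def risky_pid_dirs(entries: "list[Entry]") -> "list[Entry]":
    """Return directory entries under a runtime dir that a non-root user could
    write into, i.e. where a root-created PID file can be swapped out."""
    flagged = []
    for e in entries:
        if e.type not in DIR_TYPES:
            continue
        if not any(e.path == d or e.path.startswith(d + "/") for d in RUNTIME_DIRS):
            continue
        mode_str = "0755" if e.mode == "-" else e.mode.lstrip("~:")  # '-' means default
        try:
            bits = int(mode_str, 8)
        except ValueError:
            bits = 0o755
        non_root_owner = e.user not in ("-", "root")
        if non_root_owner or bits & 0o022:  # group- or world-writable
            flagged.append(e)
    return flagged
```

Running `risky_pid_dirs(parse_tmpfiles(SAMPLE_TMPFILES))` flags /run/burp (owned by burp) and /run/foo (group-writable) while /run/sshd, a root-owned 0755 directory, passes.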
The fix is present in app-backup/burp-2.1.32.