michael orlitzky

CVE-2017-18284: Gentoo app-backup/burp privilege escalation via PID file manipulation

Product: Gentoo Linux app-backup/burp package
Versions affected: 2.1.31 and earlier
Published on: 2018-06-23
Author: Michael Orlitzky
Fixed in: commits f9cf5c23, 88b7eff0, and 5cd39164
Bug report: https://bugs.gentoo.org/628770
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18284
Acknowledgements: Marek Szuba for the fix and Christopher Díaz Riveros who requested the CVE.

Summary

The Gentoo app-backup/burp package gives ownership of its PID file directory to the daemon's runtime user. The runtime user can exploit that to kill root processes: when the service is stopped, root sends a SIGTERM to whatever PID is stored in the PID file, and the file's contents are controlled by the runtime user.

Details

Before the burp OpenRC or systemd service starts, a tmpfiles.d entry gives ownership of its PID file directory to the runtime burp user in /usr/lib64/tmpfiles.d/burp.conf:

d /run/burp 0755 burp burp -

Because the burp user owns that directory, it can replace the PID file with one naming any process it likes. When the service is stopped, root sends a SIGTERM to whatever PID the file contains, so the burp user can have root kill arbitrary processes.

Resolution

The burp daemon creates its PID file as root, so the configuration was updated to store it in /run (which is writable only by root) instead of /run/burp. The systemd service runs in the foreground and no longer uses a PID file at all.

The fix is present in app-backup/burp-2.1.32.
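The underlying defect is that the stop path trusted the PID file's contents without checking who could write them. The following added example (not code from the Gentoo package, OpenRC, systemd, or the burp project) shows the check a stop script can perform before signalling: the PID file and its directory must be owned by the caller and writable by nobody else, the content must be a single positive integer, and the process must exist and run as the expected uid. Function names and the sample paths in the comments are hypothetical; the process owner is read from /proc/<pid>/status, which makes that one step Linux-specific.

```shell
#!/bin/sh
# Added example, not from the Gentoo burp package or the burp project.
# A stop script that validates the PID file before sending SIGTERM, so a
# directory like /run/burp owned by the runtime user (the CVE-2017-18284
# configuration) cannot be used to point root at an arbitrary process.
# Function names and paths are hypothetical.

# owner_uid PATH: numeric uid owning PATH (ls -n is POSIX; column 3 is the uid).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# not_group_or_world_writable PATH: succeed only if neither the group nor the
# "other" write bit is set (characters 6 and 9 of the ls mode string).
# A symlink shows as lrwxrwxrwx and is therefore rejected too.
not_group_or_world_writable() {
    mode=$(ls -ldn "$1" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c6)" != "w" ] &&
    [ "$(printf '%s' "$mode" | cut -c9)" != "w" ]
}

# trusted_pid PIDFILE EXPECTED_UID
# Prints the PID stored in PIDFILE and returns 0 only when:
#   1. the directory holding PIDFILE, and PIDFILE itself, are owned by the
#      caller (root when a service is stopped) and writable by nobody else;
#      "d /run/burp 0755 burp burp -" fails this because burp owns the dir;
#   2. the file content is a single positive integer;
#   3. that process exists and runs as EXPECTED_UID.
# Otherwise nothing is printed and the return status is 1.
trusted_pid() {
    pidfile=$1
    expected_uid=$2
    dir=$(dirname "$pidfile")
    me=$(id -u)

    [ -d "$dir" ] && [ -f "$pidfile" ] || return 1
    [ "$(owner_uid "$dir")" = "$me" ] || return 1
    [ "$(owner_uid "$pidfile")" = "$me" ] || return 1
    not_group_or_world_writable "$dir" || return 1
    not_group_or_world_writable "$pidfile" || return 1

    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # empty, negative, or non-numeric content
        0*) return 1 ;;            # "0" would signal the whole process group
    esac

    [ -r "/proc/$pid/status" ] || return 1   # no such process
    actual_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    [ "$actual_uid" = "$expected_uid" ] || return 1

    printf '%s\n' "$pid"
}

# stop_service PIDFILE EXPECTED_UID: send SIGTERM only to a validated PID.
# Example (hypothetical paths): stop_service /run/burp.pid 0
stop_service() {
    pid=$(trusted_pid "$1" "$2") || {
        echo "refusing to signal: untrusted PID file $1" >&2
        return 1
    }
    kill -TERM "$pid"
}
```

The ownership check is the one that matters for this advisory: with the directory owned by burp, every other test would pass on a forged file, which is why the fix moved the file into /run rather than hardening the signalling code. Checking the process uid as well means that even a correctly placed PID file cannot send a TERM to a process of a different identity.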