michael orlitzky

CVE-2017-20147: net-analyzer/smokeping privilege escalation via PID file manipulation

posted 2022-09-21

Product
Gentoo Linux net-analyzer/smokeping package
Versions affected
2.7.0 and earlier
Published on
2022-09-21
Fixed in
version 2.7.1, commits d610d259, ce54bd13, and 2310b0cd
Bug report
https://bugs.gentoo.org/631140
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-20147
Acknowledgements
Jeroen Roovers for merging the fixed OpenRC service script; John Helmert III for following up on the issue and for requesting the CVE.

Summary

The Gentoo net-analyzer/smokeping package gives ownership of its PID file directory to the daemon's runtime user. That can be exploited by the runtime user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the runtime user).

Details

Before the smokeping OpenRC service starts, a call to checkpath gives ownership of its PID file directory to the runtime user smokeping in /etc/init.d/smokeping:

1
2
3
4
5
start() {
  checkconfig || return 1

  checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
  ...

That can be exploited by the smokeping user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by smokeping).

Resolution

An updated OpenRC service script uses,

1
2
3
command_args="--nodaemon"
command_background="true"
pidfile="/run/${RC_SVCNAME}.pid"

causing smokeping to launch in the foreground and OpenRC's start-stop-daemon to background it and create a PID file at the safe location /run/${RC_SVCNAME}.pid.

The fixed service script was installed alongside net-analyzer/smokeping-2.7.1, but the net-analyzer/smokeping package has since been removed from Gentoo entirely.