michael orlitzky

CVE-2017-20148: app-admin/logcheck root privilege escalation via recursive chown

posted 2022-09-21

Product
Gentoo Linux app-admin/logcheck package
Versions affected
all
Published on
2022-09-21
Fixed in
commit c1517666 (removal of the package)
Bug report
https://bugs.gentoo.org/630752
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-20148
Acknowledgements
Manuel Rüger for noticing that the problem exists in the cron job; John Helmert III for following up on the issue, for removing the vulnerable package, and for requesting the CVE.

Summary

The post-install routine for the Gentoo app-admin/logcheck package runs chown -R logcheck:logcheck on /var/lib/logcheck. If the package is ever reinstalled, the logcheck user can place a hardlink in that directory that exploits the chown to take ownership of sensitive files. A similar vulnerability exists in the package's (Gentoo-specific) cron job.

Details

The ebuild for logcheck creates the /var/lib/logcheck directory at install-time, but then uses the post-install phase to “correct” its ownership:

1
2
3
4
5
6
7
8
9
10
src_install() {
  ...
  keepdir /var/lib/logcheck
  ...
}

pkg_postinst() {
  chown -R logcheck:logcheck /etc/logcheck /var/lib/logcheck || die
  readme.gentoo_print_elog
}

This is safe the first time the package is installed, since /var/lib/logcheck will still be owned by root when chown is called. But if the package is ever reinstalled, the recursive chown will affect any files under /var/lib/logcheck that the logcheck user has created in the meantime. In particular, the logcheck user can exploit the situation by creating hardlinks to sensitive files, because the recursive call to chown will affect the target of any such link. This is an instance of the problem described in the article End root chowning now (make pkg_postinst great again).

A similar problem exists in the Gentoo-specific cron job that app-admin/logcheck installs,

1
2
3
4
5
6
7
8
9
10
#!/bin/bash

set -e

if [ ! -d /var/lock/logcheck ]; then
	mkdir -p /var/lock/logcheck
fi
chown -R logcheck:logcheck /var/lock/logcheck

su -s /bin/bash -c /usr/sbin/logcheck logcheck

It was likely intended that the chown be executed only once, after the first successful mkdir. Credit for spotting this goes to Manuel Rüger.

Resolution

The app-admin/logcheck package (and its cron job) have been removed from Gentoo.