michael orlitzky

CVE-2017-18225: Gentoo net-im/jabberd2 root privilege escalation via user-owned executables

Product
Gentoo Linux net-im/jabberd2 package
Versions affected
all versions
Published on
2018-04-15
Author
Michael Orlitzky
Fixed in
commit b50a3068
Bug report
https://bugs.gentoo.org/629412
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18225
Acknowledgements
Thomas Deutschmann for the fix and Christopher Díaz Riveros who requested the CVE.

Summary

All versions of the Gentoo net-im/jabberd2 package allow the local unprivileged jabber user to gain root by modifying the /usr/bin/{jabberd,router,sm,c2s,s2s} executables that are launched, as root, by the OpenRC service script.

Details

The ebuilds for all versions of net-im/jabberd2 in Gentoo give ownership of their executables to the jabber runtime user:

1
2
3
4
src_install() {
  ...
  fowners jabber:jabber /usr/bin/{jabberd,router,sm,c2s,s2s} \
          /var/spool/jabber/{fs,db}

Thus the jabber user is able to modify or replace those executables to do his bidding. That is problematic because the executables are in the system PATH, where anyone (notably, root) can run them. In particular, the OpenRC service script launches one or more of those executables as root after parsing jabberd.cfg.

Resolution

The net-im/jabberd2 package was removed from Gentoo on 2018-03-03.