posted 2018-04-15
All versions of the Gentoo net-im/jabberd2 package allow the local unprivileged jabber user to gain root by modifying the /usr/bin/{jabberd,router,sm,c2s,s2s} executables that are launched, as root, by the OpenRC service script.
The ebuilds for all versions of net-im/jabberd2 in Gentoo give ownership of their executables to the jabber runtime user:
    src_install() {
        ...
        fowners jabber:jabber /usr/bin/{jabberd,router,sm,c2s,s2s} \
            /var/spool/jabber/{fs,db}
Thus the jabber user is able to modify or replace those
executables to do his bidding. That is problematic because the
executables are in the system PATH, where anyone
(notably, root) can run them. In particular, the OpenRC service
script launches one or more of those executables as root after
parsing jabberd.cfg.
The net-im/jabberd2 package was removed from Gentoo on 2018-03-03.
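To check a system for the condition described above, the following added example (not part of the original advisory or of the Gentoo package) flags executables that an account other than a trusted owner could modify. The function names and the trusted-UID parameter are assumptions of this sketch, and it goes slightly beyond the advisory by also flagging group- or world-writable files, which allow the same replacement.

```shell
#!/bin/sh
# Added example: find executables that root may run but that an
# unprivileged account is able to modify or replace.
# Function names and the TRUSTED_UID parameter are hypothetical.

# risky_executable FILE [TRUSTED_UID]
# Status 0: FILE is owned by a UID other than TRUSTED_UID (default 0, root)
#           or is writable by group or other.
# Status 1: FILE looks safe.   Status 2: FILE does not exist.
risky_executable() {
    file=$1
    trusted=${2:-0}
    [ -e "$file" ] || return 2
    # -L follows symlinks so the owner and mode of the real target are
    # tested; -prune keeps find from descending if FILE is a directory.
    hit=$(find -L "$file" -prune \
        \( ! -user "$trusted" -o -perm -020 -o -perm -002 \) -print)
    [ -n "$hit" ]
}

# audit_executables TRUSTED_UID FILE...
# Prints each risky path on its own line; status 1 if any was found.
# Missing files are skipped silently.
audit_executables() {
    trusted_uid=$1
    shift
    found=0
    for f in "$@"; do
        if risky_executable "$f" "$trusted_uid"; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# Usage on a system with the package installed (paths from the advisory):
#   audit_executables 0 /usr/bin/jabberd /usr/bin/router \
#       /usr/bin/sm /usr/bin/c2s /usr/bin/s2s
```

Any path it prints should be returned to root ownership with a mode such as 0755 before the service is started again.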