michael orlitzky

CVE-2017-18226: net-im/jabberd2 privilege escalation via PID file manipulation

posted 2018-04-15

Product

Gentoo Linux net-im/jabberd2 package

Versions affected

all versions

Published on

2018-04-15

Fixed in

commit b50a3068

Bug report

https://bugs.gentoo.org/631068

MITRE

CVE-2017-18226

Acknowledgements

Thomas Deutschmann for the fix and Christopher Díaz Riveros who requested the CVE.

Summary

The Gentoo net-im/jabberd2 package gives ownership of its PID file directory to the daemon's runtime user. That can be exploited by the runtime user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the runtime user).

Details

Before the net-im/jabberd2 OpenRC service starts, a call to checkpath gives ownership of the PID file directory to the runtime jabber user:

start_pre() {
    checkpath -d -o jabber /var/run/jabber
}

That can be exploited by the jabber user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by jabber).

Resolution

The net-im/jabberd2 package was removed from Gentoo on 2018-03-03.