michael orlitzky

CVE-2017-18226: Gentoo net-im/jabberd2 privilege escalation via PID file manipulation

Product
Gentoo Linux net-im/jabberd2 package
Versions affected
all versions
Published on
2018-04-15
Author
Michael Orlitzky
Fixed in
commit b50a3068
Bug report
https://bugs.gentoo.org/631068
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18226
Acknowledgements
Thomas Deutschmann for the fix and Christopher Díaz Riveros who requested the CVE.

Summary

The Gentoo net-im/jabberd2 package gives ownership of its PID file directory to the daemon's runtime user. The runtime user can exploit that to kill root processes: when the service is stopped, root sends SIGTERM to whatever process ID the PID file contains, and the runtime user controls that file.

Details

Before the net-im/jabberd2 OpenRC service starts, a call to checkpath gives ownership of the PID file directory to the runtime jabber user:

start_pre() {
    # Runs as root before the daemon starts: creates /var/run/jabber and
    # hands the directory, and so the PID file in it, to the unprivileged jabber user.
    checkpath -d -o jabber /var/run/jabber
}

The jabber user can exploit that to kill root processes: when the service is stopped, root sends SIGTERM to whatever process ID the PID file contains, and jabber controls that file.
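As an added illustration of the checks a stop routine should make before trusting a PID file (example code written for this page, not the advisory's or Gentoo's), the POSIX shell function below reads the PID file, rejects symlinks and non-numeric contents, and refuses to signal a process unless it runs as the runtime user and carries the expected command name. It assumes Linux /proc for process lookup and takes the PID file path, the runtime user and the command name as parameters.

```shell
# Example stop helper (not from the advisory or the Gentoo ebuild): do not
# blindly signal whatever PID sits in a file the runtime user controls.
# Assumes Linux /proc for process lookup.
# Usage: safe_stop PIDFILE RUNTIME_USER COMMAND_NAME [DRY_RUN]
# Returns 0 when every check passes (and SIGTERM was sent unless DRY_RUN=1);
# each failed check returns its own non-zero code.
safe_stop() {
  pidfile=$1; want_user=$2; want_comm=$3; dry_run=${4:-0}
  # 1. The runtime user owns the directory, so it could swap the file for a
  #    symlink: accept only a plain regular file.
  if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
    echo "refusing: $pidfile is not a regular file" >&2; return 1
  fi
  # 2. Contents must be one positive integer greater than 1.
  pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
  case $pid in
    ''|*[!0-9]*) echo "refusing: PID file is not numeric" >&2; return 2 ;;
  esac
  if [ "$pid" -le 1 ]; then
    echo "refusing: will not signal pid $pid" >&2; return 3
  fi
  # 3. The process must exist.
  if [ ! -r "/proc/$pid/status" ]; then
    echo "refusing: no process with pid $pid" >&2; return 4
  fi
  # 4. It must run as the runtime user: a root PID written into the file is
  #    rejected instead of killed (real UID is the second field of Uid:).
  want_uid=$(id -u "$want_user" 2>/dev/null) || return 5
  have_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
  if [ "$have_uid" != "$want_uid" ]; then
    echo "refusing: pid $pid runs as uid $have_uid, not $want_uid" >&2; return 5
  fi
  # 5. It must be the daemon we expect, not another process of that user
  #    (Name: is the kernel's comm field, at most 15 characters).
  have_comm=$(awk '/^Name:/ { print $2 }' "/proc/$pid/status")
  if [ "$have_comm" != "$want_comm" ]; then
    echo "refusing: pid $pid is '$have_comm', not '$want_comm'" >&2; return 6
  fi
  [ "$dry_run" = 1 ] && return 0
  kill -TERM "$pid"
}
```

Even with these checks a PID can be recycled between the verification and the kill, so they narrow the window rather than close it. Keeping the PID file in a root-owned directory removes the runtime user's control over its contents altogether.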

Resolution

The net-im/jabberd2 package was removed from Gentoo on 2018-03-03.