michael orlitzky

CVE-2020-36657: app-misc/uptimed root privilege escalation via recursive chown

posted 2023-02-10

Product: Gentoo Linux app-misc/uptimed package
Versions affected: 0.4.6 and earlier
Published on: 2023-02-10
Fixed in: commits https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=106d5ab4 and https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5865dc98
Bug report: https://bugs.gentoo.org/630810
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36657
Acknowledgements: John Helmert III (ajak) for the fix and for requesting the CVE.

Summary

Before version 0.4.6-r1 and upon installation, the Gentoo app-misc/uptimed package would recursively chown the /var/spool/uptimed directory to uptimed:uptimed. When the package is reinstalled or upgraded, this allows the uptimed user to gain root privileges through a hardlink attack, as described in the article End root chowning now (make pkg_postinst great again).

Details

Before version 0.4.6-r1, the pkg_postinst phase of the app-misc/uptimed package would run,

pkg_postinst() {
  einfo "Fixing permissions in /var/spool/${PN}"
  chown -R uptimed:uptimed /var/spool/${PN}
  ...

If that code is re-run (say, upon an upgrade), it can call chown on files that the uptimed user controls. And that can be exploited with hardlinks, for example:

  1. Install app-misc/uptimed
  2. Run sudo su -s /bin/sh -c 'ln /etc/passwd /var/spool/uptimed/x' uptimed
  3. Reinstall app-misc/uptimed
  4. The file /etc/passwd is owned by uptimed:uptimed

This is one instance of the general problem described in the article End root chowning now (make pkg_postinst great again).
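
An added audit example, not part of the original advisory or of the Gentoo package: it looks for the two traces the steps above leave behind, namely multiply-linked files inside the spool directory and files owned by the service user outside it. The function names are this example's own, and the directory and user are passed in by the caller.

```shell
#!/bin/sh
# Added example: audit for the hardlink pattern described in this advisory.
# Function names are hypothetical; nothing here comes from the ebuild.

# Print every regular file under DIR whose link count is above 1.
# Such a file has a second name elsewhere on the same filesystem, so a
# recursive chown of DIR run as root also changes the owner of that name.
list_multiply_linked() {
    find "$1" -xdev -type f -links +1 -print
}

# Print regular files owned by USER under ROOT, skipping the SPOOL subtree.
# After a vulnerable reinstall, the hardlinked target (for example a system
# file) shows up here because it now belongs to the service user.
list_owned_outside() {
    user=$1 root=$2 spool=$3
    find "$root" -xdev -path "$spool" -prune -o -type f -user "$user" -print
}

# Succeed only when DIR contains no multiply-linked regular files.
tree_has_no_extra_links() {
    [ -z "$(list_multiply_linked "$1")" ]
}

# Stand-alone use: audit.sh DIR [USER ROOT]
if [ "$#" -ge 1 ]; then
    echo "Multiply-linked files under $1:"
    list_multiply_linked "$1"
    if [ "$#" -eq 3 ]; then
        echo "Files owned by $2 under $3 but outside $1:"
        list_owned_outside "$2" "$3" "$1"
    fi
fi
```

Both checks are after-the-fact audits: a link can be created between the check and a later chown, so they do not make the recursive chown safe.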

Resolution

The dangerous pkg_postinst phase was removed in app-misc/uptimed-0.4.6-r1, and the older vulnerable versions have been removed. There was no ostensible need to “fix” the permissions in the first place.