michael orlitzky

CVE-2017-20147: net-analyzer/smokeping privilege escalation via PID file manipulation

posted 2022-09-21

Product: Gentoo Linux net-analyzer/smokeping package
Versions affected: 2.7.0 and earlier
Published on: 2022-09-21
Fixed in: version 2.7.1, commits d610d259, ce54bd13, and 2310b0cd
Bug report: https://bugs.gentoo.org/631140
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-20147
Acknowledgements: Jeroen Roovers for merging the fixed OpenRC service script; John Helmert III for following up on the issue and for requesting the CVE.

Summary

The Gentoo net-analyzer/smokeping package gives ownership of its PID file directory to the daemon's runtime user. That can be exploited by the runtime user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the runtime user).

Details

Before the smokeping OpenRC service starts, a call to checkpath gives ownership of its PID file directory to the runtime user smokeping in /etc/init.d/smokeping:

start() {
  checkconfig || return 1

  # Hands the PID file directory to the runtime user, so anything later
  # written into it (including the PID file) is under that user's control.
  checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
  ...

That can be exploited by the smokeping user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by smokeping).

Resolution

An updated OpenRC service script uses,

command_args="--nodaemon"
command_background="true"
pidfile="/run/${RC_SVCNAME}.pid"

causing smokeping to launch in the foreground and OpenRC's start-stop-daemon to background it and create the PID file at /run/${RC_SVCNAME}.pid. That location is safe because /run itself is owned by root: the smokeping user can no longer write the PID file, so it cannot choose which process receives root's SIGTERM on stop.
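The weakness in the Details section and the fix above reduce to one question a service-script reviewer can ask mechanically: does the script hand the directory containing its PID file to the daemon's runtime user (or otherwise make it writable by that user)? The following is an added example, not code from the advisory or from Gentoo: a small audit that parses an OpenRC script for `checkpath -d` calls and the `pidfile=` declaration, expands `${RC_SVCNAME}`, and reports when the PID file's directory is created with the runtime user as owner or with group/world write bits that user can use. The two embedded scripts are constructed to model the pre-2.7.1 layout and the 2.7.1 layout described on this page; they are not the package's actual init scripts, and the `/usr/bin/smokeping` path and the vulnerable script's `pidfile=` line are assumptions.

```python
"""Audit an OpenRC service script for a PID file directory that is handed
to the daemon's runtime user (the CVE-2017-20147 pattern).
Added example; the embedded scripts are constructed, not Gentoo's own."""
import os
import re
import shlex
import stat

# Matches a top-level `pidfile="..."` / `pidfile=...` declaration.
PIDFILE_RE = re.compile(r'^\s*pidfile=["\']?([^"\'\s]+)["\']?\s*$', re.M)


def parse_checkpath_dirs(script_text):
    """Return {directory: (owner_user, owner_group, mode)} for every
    `checkpath -d` call in the script. checkpath defaults: root:root, 0755."""
    dirs = {}
    for line in script_text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes on a line we do not care about
            continue
        if not tokens or tokens[0] != "checkpath":
            continue
        owner, group, mode, paths, is_dir = None, None, 0o755, [], False
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-d":
                is_dir = True
            elif tok == "-o" and i + 1 < len(tokens):
                i += 1
                owner, _, group = tokens[i].partition(":")
                group = group or owner
            elif tok == "-m" and i + 1 < len(tokens):
                i += 1
                mode = int(tokens[i], 8)
            elif not tok.startswith("-"):
                paths.append(tok)
            i += 1
        if is_dir:
            for p in paths:
                dirs[p] = (owner or "root", group or "root", mode)
    return dirs


def resolve_pidfile(script_text, svcname):
    """Return the declared pidfile with ${RC_SVCNAME} expanded, or None."""
    m = PIDFILE_RE.search(script_text)
    if not m:
        return None
    return m.group(1).replace("${RC_SVCNAME}", svcname).replace("$RC_SVCNAME", svcname)


def dir_writable_by(mode, owner_user, owner_group, user, user_groups):
    """True if `user` can create or replace entries in a directory with the
    given owner and mode. Ownership alone counts: the owner can chmod it."""
    if owner_user == user:
        return True
    if owner_group in user_groups and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_pidfile_dir(script_text, svcname, runtime_user, runtime_groups=()):
    """Return a list of findings; an empty list means the script does not
    hand the PID file directory to the runtime user via checkpath."""
    pidfile = resolve_pidfile(script_text, svcname)
    if pidfile is None:
        return ["no pidfile= declaration found; cannot audit"]
    pid_dir = os.path.dirname(pidfile)
    groups = set(runtime_groups) | {runtime_user}
    findings = []
    for path, (owner, group, mode) in parse_checkpath_dirs(script_text).items():
        covers = pid_dir == path or pid_dir.startswith(path.rstrip("/") + "/")
        if covers and dir_writable_by(mode, owner, group, runtime_user, groups):
            findings.append(
                f"{pidfile}: directory {path} is created by checkpath as "
                f"{owner}:{group} {mode:04o}; runtime user {runtime_user} "
                f"controls the PID that root will signal on stop")
    return findings


# Constructed: models the pre-2.7.1 layout described in the advisory.
VULNERABLE_SCRIPT = """\
#!/sbin/openrc-run
pidfile="/run/smokeping/smokeping.pid"

start() {
  checkconfig || return 1
  checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
  start-stop-daemon --start --pidfile "${pidfile}" --exec /usr/bin/smokeping
}
"""

# Constructed: models the 2.7.1 layout (OpenRC backgrounds the daemon).
FIXED_SCRIPT = """\
#!/sbin/openrc-run
command="/usr/bin/smokeping"
command_args="--nodaemon"
command_background="true"
pidfile="/run/${RC_SVCNAME}.pid"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_SCRIPT), ("fixed", FIXED_SCRIPT)):
        print(name, audit_pidfile_dir(text, "smokeping", "smokeping") or "clean")
```

The check deliberately treats ownership as sufficient for a finding even when the mode is 0755, because the owner of a directory can change its permissions at will; a mode-only check would miss exactly the `checkpath -o smokeping:smokeping` case this advisory is about.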

The fixed service script was installed alongside net-analyzer/smokeping-2.7.1, but the net-analyzer/smokeping package has since been removed from Gentoo entirely.