Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 15 Feb 2021 12:50:49 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-26720: avahi-daemon: 'avahi' to 'root' user privilege
 escalation through Debian specific if-up script avahi-daemon-check-dns.sh

Hello list,

the avahi-daemon package [1] in Debian Linux contains a Debian specific
script installed in

    /usr/lib/avahi/avahi-daemon-check-dns.sh

This script is run as 'root' via the if-up.d script in

    /etc/network/if-up.d/avahi-daemon

There are security issues in the code of the main shell script in this
context. The $RUNDIR "/run/avahi-daemon" is owned by the unprivileged
avahi:avahi user/group. This fact is also enforced in the script via its
`ensure_rundir()` function.

In line 136

    `touch ${DISABLE_TAG}`

symlinks are followed in "/run/avahi-daemon/disabled-for-unicast-local".
Thus the unprivileged 'avahi' user can trigger an arbitrary file to be
created or an arbitrary file's timestamp updated when this script runs.

Similarly in line 94

    `cat /etc/resolv.conf | grep "nameserver" | sort > ${TMP_CACHE} || return 0`

symlinks are followed in "/run/avahi-daemon/checked_nameservers.<PID>",
which is a predictable path. Content from /etc/resolv.conf will be
written to this location. This would allow for denial of service by
overwriting arbitrary existing files.

SUSE Linux distributions ship an outdated copy of this script in the avahi
package [2] that is also affected by these issues.

To fix these issues I consider it best to run the script as the avahi
user and group by dropping privileges in
"/etc/network/if-up.d/avahi-daemon" via tools like `setpriv` or `su`.

I privately reported this issue to the Debian security team on 2021-01-29. If
I understood correctly then Debian Linux will not ship this script in future
releases any more. A bugfix for Debian Buster will be included in the next
point release [3]. Affected packages in maintained SUSE Linux distributions
will also receive bugfixes [4].

[1]: https://packages.debian.org/buster/avahi-daemon
[2]: https://build.opensuse.org/package/show/openSUSE:Factory/avahi
[3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982796
[4]: https://bugzilla.suse.com/show_bug.cgi?id=1180827

Cheers

Matthiag

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.