Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 4 Aug 2022 12:38:17 +0200
From: Filippo Bonazzi <fbonazzi@...e.de>
To: oss-security@...ts.openwall.com
Subject: gromox: potential local privilege escalation (CVE-2022-37030)

Hello list,

the following report describes a local privilege escalation vulnerability in
Gromox[0] versions 0.5 to 1.27. Any code references in this report are based on
version 1.27 in the upstream Git repository[1], and packaging references are
based on the 1.27 RPM distributed by upstream[2].

# Introduction

Gromox is the central groupware server component of grommunio[3]. It is capable
of serving as a replacement for Microsoft Exchange and compatibles.

Among its many features, Gromox provides a PAM module to authenticate non-Gromox
processes to an authentication backend such as MySQL or LDAP. The PAM module
allows runtime loading of plugins, and its configuration lives in
`/etc/gromox/pam` or `/etc/gromox`.

The interaction between this PAM module, its runtime loading of plugins and
their configuration causes the vulnerability described in this report.

# The Vulnerability

The RPM spec file packages the `/etc/gromox` directory with ownership
`root:gromox` and mode 775, i.e. the directory is writeable by the unprivileged
`gromox` group.

The directory contains, among others, the configuration file for the PAM module.
When the authentication hook of the PAM module is invoked, the module loads the
`/etc/gromox/pam.cfg` configuration file, which can contain a path and a list of
filenames to be used to load plugins. The plugins are regular .so shared objects,
which are then executed by the PAM module.

It is therefore possible for the `gromox` group to effectively have the PAM
stack run arbitrary code upon execution of the `pam_gromox.so` module.

Assuming that the PAM stack is run as root, as it is likely, this results in the
unprivileged `gromox` group being able to execute arbitrary code as root.

# Proof of Concept Exploit

Attached is a proof of concept setup that has been tested on current openSUSE
distributions.
The only precondition for the exploit is that gromox is installed and a target
user is in the `gromox` group.

# Upstream Fix

Upstream released version 1.28 of Gromox[4] which removes configuration
directives for runtime loading of plugins. Plugins are now loaded from a fixed
list, and from root-controlled paths only. This removes the possibility for an
unprivileged user to control what will be executed by the Gromox PAM module.

# Timeline

2022-07-25: I contacted upstream with the vulnerability report and offered
             coordinated disclosure.
	    Upstream released version 1.28 on the same day, fixing the issue,
	    and did not request any embargo.
2022-07-26: I reviewed the new version and verified that the issue has been
             fixed.
2022-08-01: I obtained CVE-2022-37030 from Mitre to track this issue.

# References

[0] https://gromox.com/
[1] https://github.com/grommunio/gromox
[2] https://download.grommunio.com/community/openSUSE_Tumbleweed/
[3] https://grommunio.com/
[4] https://github.com/grommunio/gromox/releases/tag/gromox-1.28

-- 
Filippo Bonazzi
Security Engineer                        suse.com
8257 4398 947A 2DBE F21D 76E6 937A 63F0 5B36 46D9

Download attachment "gromox-poc.zip" of type "application/zip" (2488 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.