oss-sec mailing list archives
Re: pesign: Local privilege escalation on pesign systemd service
From: Matthias Gerstner <mgerstner () suse de>
Date: Wed, 1 Feb 2023 11:05:49 +0100
Hi, On Tue, Jan 31, 2023 at 12:59:19PM -0300, Marco Benatto wrote:
a local privilege escalation vulnerability was found in pesign. This vulnerability has been identified by CVE-2022-3560.
I would like to add some more details about the vulnerability: The project ships a systemd service file that starts a pesign daemon instance but also runs a StartPost script: ``` ExecStart=/usr/bin/pesign --daemonize ExecStartPost=/usr/libexec/pesign/pesign-authorize ``` This pesign-authorize script is run with root privileges and grants a dynamic list of users and groups recursively full access to /etc/pki/pesign*/ and /run/pesign via POSIX access control lists. The list of users is found in the root controlled files /etc/pesign/users and /etc/pesign/groups. By default only pesign:pesign are configured. # The Vulnerability Since the pesign-authorize script is run at every start of the pesign service unit, the directory trees /etc/pki/pesign* and /run/pesign will already be controlled by the unprivileged pesign:pesign user and group. The script does not take precautions to prevent symlink attacks being staged by a compromised unprivileged user account. A simple demonstration of the attack would be this: ``` root# sudo -u pesign -g pesign ln -s /root /etc/pki/pesign/attack root# systemctl restart pesign root# getfactl /root # file: root/ # owner: root # group: root user::rwx user:pesign:rwx group::--- group:pesign:rwx mask::rwx other::--- ``` Therefore in a default configuration of pesign there is a local pesign user or pesign group to root escalation that can be achieved at every pesign.service unit start. I reproduced this on Fedora 35 using pesign version 113 release 18.fc35. # Timeline - 2022-10-11: I reported this to secalert () redhat com offering coordinated disclosure. - 2022-10-18: RedHat security assigned the CVE for the issue - 2022-12-21: RedHat security communicated a coordinated release date for 2023-01-31. - 2023-01-27: RedHat security shared the patch with us and informed the distros mailing list about issue and the upcoming release - 2023-01-31: the issue has been published Cheers Matthias -- Matthias Gerstner <matthias.gerstner () suse de> Security Engineer https://www.suse.com/security GPG Key ID: 0x14C405C971923553 SUSE Software Solutions Germany GmbH HRB 36809, AG Nürnberg Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
Attachment:
signature.asc
Description:
Current thread:
- pesign: Local privilege escalation on pesign systemd service Marco Benatto (Jan 31)
- Re: pesign: Local privilege escalation on pesign systemd service Matthias Gerstner (Feb 01)