oss-sec mailing list archives
CVE-2021-26720: avahi-daemon: 'avahi' to 'root' user privilege escalation through Debian specific if-up script avahi-daemon-check-dns.sh
From: Matthias Gerstner <mgerstner () suse de>
Date: Mon, 15 Feb 2021 12:50:49 +0100
Hello list, the avahi-daemon package [1] in Debian Linux contains a Debian specific script installed in /usr/lib/avahi/avahi-daemon-check-dns.sh This script is run as 'root' via the if-up.d script in /etc/network/if-up.d/avahi-daemon There are security issues in the code of the main shell script in this context. The $RUNDIR "/run/avahi-daemon" is owned by the unprivileged avahi:avahi user/group. This fact is also enforced in the script via its `ensure_rundir()` function. In line 136 `touch ${DISABLE_TAG}` symlinks are followed in "/run/avahi-daemon/disabled-for-unicast-local". Thus the unprivileged 'avahi' user can trigger an arbitrary file to be created or an arbitrary file's timestamp updated when this script runs. Similarly in line 94 `cat /etc/resolv.conf | grep "nameserver" | sort > ${TMP_CACHE} || return 0` symlinks are followed in "/run/avahi-daemon/checked_nameservers.<PID>", which is a predictable path. Content from /etc/resolv.conf will be written to this location. This would allow for denial of service by overwriting arbitrary existing files. SUSE Linux distributions ship an outdated copy of this script in the avahi package [2] that is also affected by these issues. To fix these issues I consider it best to run the script as the avahi user and group by dropping privileges in "/etc/network/if-up.d/avahi-daemon" via tools like `setpriv` or `su`. I privately reported this issue to the Debian security team on 2021-01-29. If I understood correctly then Debian Linux will not ship this script in future releases any more. A bugfix for Debian Buster will be included in the next point release [3]. Affected packages in maintained SUSE Linux distributions will also receive bugfixes [4]. [1]: https://packages.debian.org/buster/avahi-daemon [2]: https://build.opensuse.org/package/show/openSUSE:Factory/avahi [3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982796 [4]: https://bugzilla.suse.com/show_bug.cgi?id=1180827 Cheers Matthiag -- Matthias Gerstner <matthias.gerstner () suse de> Dipl.-Wirtsch.-Inf. (FH), Security Engineer https://www.suse.com/security Phone: +49 911 740 53 290 GPG Key ID: 0x14C405C971923553 SUSE Software Solutions Germany GmbH HRB 36809, AG Nürnberg Geschäftsführer: Felix Imendörffer
Attachment:
signature.asc
Description:
Current thread:
- CVE-2021-26720: avahi-daemon: 'avahi' to 'root' user privilege escalation through Debian specific if-up script avahi-daemon-check-dns.sh Matthias Gerstner (Feb 15)