
Re: Bug#606543: clamav-freshclam: affected by privilege escalation vulnerability in logrotate



Hi,

> On Fri, Dec 10, 2010 at 9:43 AM, Michael Tautschnig <mt@debian.org> wrote:
> >> These lines from this package's maintainer scripts suggest that it likely
> >> is affected by the vulnerability:
> >>
> >> ---------------------------------------------------------------------------
> >> chmod 640 $FRESHCLAMLOGFILE
> >> chown "$dbowner":adm $FRESHCLAMLOGFILE
> >> ---------------------------------------------------------------------------
> >>
> >
> > What is wrong about these two lines? And even from ...
> 
> It suggests the daemon itself creates the file. Copytruncate suggests
> logrotate also creates the file.

As noted in my reply to this mail, in this specific case it actually
doesn't (it's just the file, not the directory)--but generally, that was
the point, yes.

> Logrotate runs as root, so if the attacker (running as daemon user)
> creates the symlink, logrotate might overwrite an arbitrary file (I
> guess).

Essentially, that's it, or at least close to it. As already mentioned,
I don't recall all the details anymore, but my proof of concept somehow
used a hardlink to /etc/shadow that was made daemon-user-writable by
logrotate, thus allowing the daemon user to change the root password.
Or something. Also, almost certainly this vulnerability does not
depend on copytruncate.

Florian
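The thread above is about a root-privileged rotation job touching a file whose name a less privileged daemon user controls. Below is an added pre-rotation sanity check (example code, not from this bug report, clamav-freshclam or logrotate) that refuses to proceed when the parent directory is not owned by the invoking user or is group/other-writable, when the log path is a symlink, or when the file carries more than one hard link. It assumes a find(1) that understands -maxdepth (GNU and BSD do); logrotate's own owner/permission checks are a separate matter and are not reproduced here.

```shell
#!/bin/sh
# Added example: sanity checks a privileged rotation job can run before it
# creates, chowns or truncates a log file whose directory a daemon user
# may be able to write to. Function names are assumptions for this example.

# is_safe_log_target PATH
# Exit status 0 when PATH is safe to operate on as the invoking user:
#   - parent directory owned by the invoking user (root for logrotate)
#     and not writable by group or others (so nobody else can plant links)
#   - PATH is not a symbolic link
#   - if PATH exists, it is a regular file with exactly one hard link
# Any other situation returns 1 with a short reason on stderr.
is_safe_log_target() {
    f=$1
    d=$(dirname "$f")
    me=$(id -un)

    # Parent directory: owned by us, no group/other write bit (octal 020 / 002).
    if [ -z "$(find "$d" -maxdepth 0 -user "$me" ! -perm -020 ! -perm -002 2>/dev/null)" ]; then
        echo "unsafe: $d is not owned by $me or is group/other writable" >&2
        return 1
    fi

    # Never follow a symlink planted at the log path (-L checks the link itself).
    if [ -L "$f" ]; then
        echo "unsafe: $f is a symbolic link" >&2
        return 1
    fi

    # A not-yet-existing file in a directory that passed the check above is fine.
    [ -e "$f" ] || return 0

    # Existing file: must be a regular file with a link count of exactly 1,
    # so a hard link to some other file elsewhere on the filesystem is rejected.
    if [ -z "$(find "$f" -maxdepth 0 -type f -links 1 2>/dev/null)" ]; then
        echo "unsafe: $f is not a regular file or has extra hard links" >&2
        return 1
    fi
    return 0
}

# Usage: is_safe_log_target /var/log/clamav/freshclam.log && rotate_it
```

When run as root, the directory test demands a root-owned, non-group/other-writable directory, which is exactly what keeps a daemon user from planting the link the thread describes; a daemon-owned log directory fails the first check before any file is touched.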
