Re: Bug#606543: clamav-freshclam: affected by privilege escalation vulnerability in logrotate
Hi,
> On Fri, Dec 10, 2010 at 9:43 AM, Michael Tautschnig <mt@debian.org> wrote:
> >> These lines from this package's maintainer scripts suggest that it likely
> >> is affected by the vulnerability:
> >>
> >> ---------------------------------------------------------------------------
> >> chmod 640 $FRESHCLAMLOGFILE
> >> chown "$dbowner":adm $FRESHCLAMLOGFILE
> >> ---------------------------------------------------------------------------
> >>
> >
> > What is wrong about these two lines? And even from ...
>
> It suggests the daemon itself creates the file. Copytruncate suggests
> logrotate also creates the file.
As noted in my reply to this mail, in this specific case it actually
doesn't (it's just the file, not the directory)--but generally, that was
the point, yes.
> Logrotate runs as root, so if the attacker (running as daemon user)
> creates the symlink, logrotate might overwrite an arbitrary file (I
> guess).
Essentially, that's it, or at least close to it. As already mentioned,
I don't recall all the details anymore, but my proof of concept somehow
used a hardlink to /etc/shadow that was made daemon-user-writable by
logrotate, thus allowing the daemon user to change the root password.
Or something. Also, almost certainly this vulnerability does not
depend on copytruncate.
Florian
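A defensive check of the kind this thread points at, as an added example that is not part of the original thread nor of the clamav-freshclam or logrotate code: before a root-run rotation chmods or chowns a daemon-owned log, refuse symlinks, files with extra hard links, and files in directories writable by other users. The `demo()` scenario is constructed in a temporary directory; the `shadow` file there is a stand-in, not /etc/shadow.

```python
import os
import stat
import tempfile


def audit_log_path(path):
    """Return the reasons a root-run rotation should refuse to touch `path`.

    The checks mirror the conditions discussed in the bug: a log that the
    daemon user controls must not be a symlink, must not be a second hard
    link to some other file, and must not sit in a directory that
    non-root users can write to (sticky-bit directories are tolerated).
    An empty list means the file looks safe to rotate.
    """
    problems = []
    st = os.lstat(path)  # lstat: do not follow a symlink, report it instead
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_nlink > 1:
        problems.append("hard link count %d" % st.st_nlink)
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    world_writable = pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if world_writable and not pst.st_mode & stat.S_ISVTX:
        problems.append("parent directory writable by group/other")
    return problems


def demo():
    """Constructed scenario: a benign log, a log that is a hard link to a
    sensitive file (stand-in for the /etc/shadow case), and a symlinked log."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "freshclam.log")
        open(good, "w").close()
        secret = os.path.join(d, "shadow")  # constructed stand-in, not /etc/shadow
        open(secret, "w").close()
        linked = os.path.join(d, "linked.log")
        os.link(secret, linked)
        sym = os.path.join(d, "sym.log")
        os.symlink(secret, sym)
        return {
            "good": audit_log_path(good),
            "hardlink": audit_log_path(linked),
            "symlink": audit_log_path(sym),
        }


if __name__ == "__main__":
    print(demo())
```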