Bug 13481

Summary: chkrootkit new security issue CVE-2014-0476
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/601240/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: chkrootkit-0.49-8.mga4.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 6699    

Description David Walser 2014-06-04 16:02:57 CEST 
A security issue in chkrootkit has been announced today (June 4):
http://openwall.com/lists/oss-security/2014/06/04/9

Details on reproducing the issue are included in that post.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated chkrootkit package fixes security vulnerability:

The chkrootkit script contains a flaw that allows a local attacker to create
an executable in /tmp that will be run by the user running chkrootkit (usually
root), allowing the attacker to escalate privileges (CVE-2014-0476).

The Mageia 3 update also eliminates the false positive identification of a
rootkit in /sbin/init (mga#6699).

References:
http://openwall.com/lists/oss-security/2014/06/04/9
https://bugs.mageia.org/show_bug.cgi?id=6699
https://bugs.mageia.org/show_bug.cgi?id=13481
========================

Updated packages in core/updates_testing:
========================
chkrootkit-0.49-6.1.mga3
chkrootkit-0.49-8.1.mga4

from SRPMS:
chkrootkit-0.49-6.1.mga3.src.rpm
chkrootkit-0.49-8.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-04 16:03:06 CEST

Blocks: (none) => 6699
Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-06-04 17:35:25 CEST 
Testing complete mga3 32 & 64

From openwall..
--------------
Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.
--------------

Created a file /tmp/update as below and made it executable

$ cat /tmp/update
#!/bin/bash
touch /tmp/vulnerable

$ chmod a+x /tmp/update

Before
------
$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun  4 16:16 /tmp/update*
$ ll /tmp/vulnerable
ls: cannot access /tmp/vulnerable: No such file or directory

# chkrootkit
(for mga3 noted the false positive on Suckit)
...
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
...

$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun  4 16:16 /tmp/update*
$ ll /tmp/vulnerable
-rw-r--r-- 1 root root 0 Jun  4 16:20 /tmp/vulnerable

Can see it has run the executable with the privileges of the user running chkrootkit (root) and created /tmp/vulnerable owned by root.


After
-----
Installed the update and removed /tmp/vulnerable

# rm /tmp/vulnerable

$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun  4 16:16 /tmp/update*
$ ll /tmp/vulnerable
ls: cannot access /tmp/vulnerable: No such file or directory

# chkrootkit
(for mga3 checked it fixed the false positive on Suckit.
...
Searching for Suckit rootkit... nothing found
...

$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun  4 16:16 /tmp/update*
$ ll /tmp/vulnerable
ls: cannot access /tmp/vulnerable: No such file or directory

Clean up..
$ rm /tmp/update

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

David Walser 2014-06-04 17:56:38 CEST

URL: (none) => http://lwn.net/Vulnerabilities/601240/

Comment 2 claire robinson 2014-06-04 18:03:46 CEST 
Testing complete mga4 32 & 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 3 claire robinson 2014-06-04 20:02:03 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Pascal Terjan 2014-06-04 22:45:31 CEST 
http://advisories.mageia.org/MGASA-2014-0249.html

Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED