Bug 14207

Summary: Isodumper creates a root owned log in users /home - potential security issue
Product: Mageia Reporter: claire robinson <eeeemail>
Component: RPM PackagesAssignee: papoteur <yvesbrungard>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: geiger.david68210, luigiwalser
Version: 4   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA3TOO
Source RPM: isodumper CVE:
Status comment:
Bug Depends on: 12702    
Bug Blocks:    

Description claire robinson 2014-10-01 17:04:53 CEST 
Isodumper currently creates a root owned log in users home directory
~/.isodumper/isodumper.log

This is a potential security issue which can be used to overwrite system files etc.

# echo "Not the real one" > /tmp/passwd

$ ll /tmp/passwd
-rw-r--r-- 1 root root 17 Oct  1 15:50 /tmp/passwd
$ cat /tmp/passwd
Not the real one


$ ll .isodumper
ls: cannot access .isodumper: No such file or directory
$ mkdir .isodumper
$ ln -s /tmp/passwd .isodumper/isodumper.log
$ ll .isodumper/isodumper.log
lrwxrwxrwx 1 claire claire 11 Oct  1 15:53 .isodumper/isodumper.log -> /tmp/passwd
$ cat .isodumper/isodumper.log
Not the real one

$ isodumper

# ll /tmp/passwd
-rw-r--r-- 1 root root 5880 Oct  1 16:02 /tmp/passwd
# head /tmp/passwd
Backup in: /home/claire/SanDiskCruzerGator.iso
Image: /mnt/Storage/ISOs/Mageia3/Mageia-3-dual-CD/Mageia-3-dual-CD.iso
Target Device: SanDisk Cruzer Gator (/dev/sdc) 1907Mb
Executing copy from /dev/sdc to /home/claire/SanDiskCruzerGator.iso
Wrote: 1% 20447232 bytes
Wrote: 2% 40370176 bytes
Wrote: 3% 60293120 bytes
Wrote: 4% 80216064 bytes
Wrote: 5% 100139008 bytes
Wrote: 6% 120061952 bytes


Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2014-10-01 17:06:21 CEST 
The file is actually overwritten as soon as isodumper is started.
claire robinson 2014-10-01 17:08:02 CEST

CC: (none) => luigiwalser

claire robinson 2014-10-01 17:08:36 CEST

Whiteboard: (none) => MGA3TOO

Comment 2 claire robinson 2014-10-01 17:11:46 CEST 
Sorry Daniel. Assigned incorrectly to you.

Assignee: napcok => yves.brungard_mageia

Comment 3 David Walser 2014-10-01 17:37:06 CEST 
On Mageia 4 and newer, you will see that this only works if the file you're pointing at is also owned by you.  If it's the real /etc/passwd owned by root (or anything else owned by someone else) the kernel has protection against this type of issue.

This issue may be valid in Mageia 3, but we have an update in progress there already.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 4 claire robinson 2014-10-01 17:39:53 CEST 
The test n comment 0 was performed on Mga4.

Status: RESOLVED => REOPENED
Resolution: INVALID => (none)

Comment 5 David Walser 2014-10-01 17:44:28 CEST 
# cat /proc/sys/fs/protected_symlinks
1

Do you get something different?
Comment 6 David Walser 2014-10-01 17:45:11 CEST 
Ahh, your home directory doesn't have the sticky bit set, so this protection fails.
Comment 7 David Walser 2014-10-01 17:45:42 CEST 
Ouch.  I guess this is the next wave of security vulnerabilities.  It was announced today that SDDM has the same issue.
Comment 8 claire robinson 2014-10-01 17:47:57 CEST 
A possible solution would be to store the log elsewhere or save it in /home with the correct attributes or a temporary mitigation may be to timestamp the log file.
Comment 9 David Walser 2014-10-01 17:51:17 CEST 
See:
https://bugzilla.suse.com/show_bug.cgi?id=897788

If you chown it afterward, there's a race condition.

isodumper needs to drop privileges back to the user account before it creates the log or writes to it.
Comment 10 David Walser 2014-10-01 17:59:55 CEST 
It's been a while since I ran it, but don't you have to put in a root password to give isodumper root privleges?  Does it use polkit?  I can't remember how this works.
Comment 11 claire robinson 2014-10-01 18:01:02 CEST 
polkit, yes.
Comment 12 David Walser 2014-10-01 18:03:44 CEST 
OK, so depending on the configuration it might not require a root password, so this is still bad.
Comment 13 papoteur 2014-10-01 22:09:31 CEST 
The log file is not an important feature.
I can write it in /var/log.
Or I can suppress it.
Have you a preferred option?
papoteur 2014-10-01 22:15:44 CEST

CC: (none) => geiger.david68210

Comment 14 claire robinson 2014-10-02 12:56:07 CEST 
/var/log is the simplest solution I think, however you want to handle it though.
Comment 15 papoteur 2014-10-04 20:55:35 CEST 
Hi,
I have a fix, which consists in changing to group and user id before creating the directory and writing the log file.
I'm waiting for David_david to package it.
Papoteur
Comment 16 papoteur 2014-10-04 20:56:29 CEST 
Is the vulnerability also in Mageia 3?
claire robinson 2014-10-06 12:59:58 CEST

Blocks: (none) => 12702

David Walser 2014-10-22 23:07:21 CEST

Blocks: 12702 => (none)

Comment 17 David GEIGER 2014-10-23 10:20:00 CEST 
Hi, 

A new patch for mga3 and mga4 is now ready for testing !!

Was corrected the following issues:

- Fix security issue writing log file.



Updated packages in core/updates_testing:
========================
isodumper-0.23-1.1.mga3.noarch
isodumper-0.23-1.2.mga4.noarch

Source RPMs:
isodumper-0.23-1.1.mga3.src.rpm
isodumper-0.23-1.2.mga4.src.rpm
Comment 18 David Walser 2014-11-14 22:17:06 CET 
Fixed in http://advisories.mageia.org/MGAA-2014-0187.html

Status: REOPENED => RESOLVED
Depends on: (none) => 12702
Resolution: (none) => FIXED