Your message dated Fri, 09 Dec 2022 12:19:45 +0000
with message-id <[email protected]>
and subject line Bug#1023688: fixed in fcgiwrap 1.1.0-13
has caused the Debian Bug report #1023688,
regarding improper permissions on fcgiwrap systemd socket lead to privilege
escalation to www-data under default config
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1023688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023688
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fcgiwrap
Version: 1.1.0-12
Severity: critical
Tags: patch, security
On a default installation of Debian 11 (bullseye) with other releases probably
also affected, systemd socket file /lib/systemd/system/fcgiwrap.socket from
package fcgiwrap contains no Mode= configuration parameter, making systemd pick
the default 0666. The socket is therefore world accessible and any user on the
system may, when package fcgiwrap is installed, elevate privileges and execute
code as www-data user by communicating with the socket via fastcgi protocol.
www-data is specified as User= and Group= in
/lib/systemd/system/fcgiwrap.service, also supplied by package fcgiwrap.
Proof of concept terminal recording: http://upload.sijanec.eu/f.mp4
Solution: add SocketMode=0660, SocketUser=www-data, Group=www-data to
/lib/systemd/system/fcgiwrap.socket --- this would, however, break existing
configurations that rely on /run/fcgiwrap.socket being world connectable.
Is this intended behaviour? Doesn't it break users' expectations, as suddenly
everyone can influence httpd (nginx slaves also run under www-data, for
example)?
----- BEGIN PATCH -----
Author: Anton Luka Šijanec <[email protected]>
Description: Modify default user/group and listening mode of socket
Forwarded: no
--- a/systemd/fcgiwrap.socket
+++ b/systemd/fcgiwrap.socketfixed
@@ -3,6 +3,9 @@ Description=fcgiwrap Socket
[Socket]
ListenStream=/run/fcgiwrap.sock
+Mode=0660
+SocketUser=www-data
+SockerGroup=www-data
[Install]
WantedBy=sockets.target
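Review bot: `+Mode=0660` is not a [Socket] directive (the option is `SocketMode=`) and `+SockerGroup=www-data` misspells `SocketGroup=`, so systemd would log unknown-key warnings and ignore both lines; only `SocketUser=www-data` would take effect, leaving the socket at the 0666 default that the report is about. The three lines wanted are `SocketMode=0660`, `SocketUser=www-data`, `SocketGroup=www-data`, and the prose above ("Group=www-data") should use the same names as the patch. The hunk also will not apply to the shipped unit as attached below: the context line `ListenStream=/run/fcgiwrap.sock` differs from the installed `ListenStream=/run/fcgiwrap.socket`, and the `+++ b/systemd/fcgiwrap.socketfixed` header should name the same path as the `--- a/systemd/fcgiwrap.socket` line.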
----- END PATCH -----
Attachments:
root@host:~# ls -lah /run/fcgiwrap.socket
srw-rw-rw- 1 root root 0 Nov 8 19:42 /run/fcgiwrap.socket
=> /lib/systemd/system/fcgiwrap.socket
[Unit]
Description=fcgiwrap Socket
[Socket]
ListenStream=/run/fcgiwrap.socket
[Install]
WantedBy=sockets.target
=> /lib/systemd/system/fcgiwrap.service
[Unit]
Description=Simple CGI Server
After=nss-user-lookup.target
Requires=fcgiwrap.socket
[Service]
Environment=DAEMON_OPTS=-f
EnvironmentFile=-/etc/default/fcgiwrap
ExecStart=/usr/sbin/fcgiwrap ${DAEMON_OPTS}
User=www-data
Group=www-data
[Install]
Also=fcgiwrap.socket
--
Anton Luka Šijanec <[email protected]>
F4C3E3A4DFB7254397A9F993E76135F49802CD14
http://splet.sijanec.eu/pgp-key.txt
--- End Message ---
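As an added example (not code from the bug report, the reporter, or the fcgiwrap package), the following POSIX sh script shows the check an administrator would run for this class of problem: scan .socket units for filesystem listeners whose SocketMode= is unset (systemd.socket(5) documents the default as 0666) or still carries the others-write bit, and inspect a live socket's mode. The two unit files it scans are constructed samples written to a temporary directory: one copies the bullseye unit quoted in the report, the other adds SocketMode=, SocketUser= and SocketGroup= along the lines of the fix the report proposes. The directory paths and the www-data user are the ones the report uses.

```shell
#!/bin/sh
# Added example, not part of the bug report or the fcgiwrap package.
# Audits systemd .socket units for AF_UNIX (filesystem path) listeners that
# leave SocketMode= unset or permissive. systemd.socket(5) documents the
# SocketMode= default as 0666, which is what made /run/fcgiwrap.socket
# connectable by every local user in #1023688.

# Effective "others" permission digit for a unit's socket: the last digit of
# SocketMode= when set, otherwise 6 (from the 0666 default). An empty
# SocketMode= line resets to the default, so it is treated the same way.
unit_others_digit() {
    mode=$(sed -n 's/^[[:space:]]*SocketMode[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$mode" ] || mode=0666
    printf '%s\n' "$mode" | sed 's/.*\(.\)$/\1/'
}

# True if the unit binds a filesystem path. Abstract sockets (@name) and
# TCP/UDP listeners have no file mode, so SocketMode= is irrelevant to them.
unit_binds_path_socket() {
    grep -Eq '^[[:space:]]*Listen(Stream|Datagram|SequentialPacket)[[:space:]]*=[[:space:]]*/' "$1"
}

# Exit 0 and print a finding when the unit would create a socket that any
# user can connect to (connecting needs write permission: others digit 2/3/6/7).
socket_unit_world_writable() {
    unit="$1"
    unit_binds_path_socket "$unit" || return 1
    digit=$(unit_others_digit "$unit")
    case "$digit" in
        2|3|6|7) printf 'WORLD-WRITABLE %s (others digit %s)\n' "$unit" "$digit"; return 0 ;;
        *) return 1 ;;
    esac
}

# Same question for a live socket file (or any path), answered from ls output
# so it works without GNU stat: character 9 of the mode string is the
# others-write bit, e.g. "srw-rw-rw-" (vulnerable) vs "srw-rw----" (fixed).
path_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on two constructed units (sample input, written to a temp dir):
# "vuln" mirrors the bullseye unit quoted in the report; "fixed" adds the three
# directives that make the socket group-only.
tmpdir=$(mktemp -d)
cat >"$tmpdir/vuln.socket" <<'EOF'
[Unit]
Description=fcgiwrap Socket
[Socket]
ListenStream=/run/fcgiwrap.socket
[Install]
WantedBy=sockets.target
EOF
cat >"$tmpdir/fixed.socket" <<'EOF'
[Unit]
Description=fcgiwrap Socket
[Socket]
ListenStream=/run/fcgiwrap.socket
SocketMode=0660
SocketUser=www-data
SocketGroup=www-data
[Install]
WantedBy=sockets.target
EOF
for u in "$tmpdir"/*.socket; do
    socket_unit_world_writable "$u" || printf 'ok             %s\n' "$u"
done
rm -rf "$tmpdir"

# On a systemd host, also scan the installed units and the live fcgiwrap socket.
for u in /lib/systemd/system/*.socket /etc/systemd/system/*.socket; do
    if [ -e "$u" ]; then socket_unit_world_writable "$u"; fi
done
if [ -S /run/fcgiwrap.socket ] && path_world_writable /run/fcgiwrap.socket; then
    echo 'WORLD-WRITABLE /run/fcgiwrap.socket (live)'
fi
```

It runs as an unprivileged user, since unit files are world-readable. On the bullseye setup in the report both the unit check and the live check flag /run/fcgiwrap.socket (the attachment shows `srw-rw-rw- root root`); after the change to a 0660 www-data:www-data socket neither fires, and nginx's workers can still connect because they run as www-data too, which is the report's own point.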
--- Begin Message ---
Source: fcgiwrap
Source-Version: 1.1.0-13
Done: Jordi Mallach <[email protected]>
We believe that the bug you reported is fixed in the latest version of
fcgiwrap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jordi Mallach <[email protected]> (supplier of updated fcgiwrap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 09 Dec 2022 12:47:07 +0100
Source: fcgiwrap
Architecture: source
Version: 1.1.0-13
Distribution: unstable
Urgency: medium
Maintainer: Debian fcgiwrap Maintainers <[email protected]>
Changed-By: Jordi Mallach <[email protected]>
Closes: 1023688
Changes:
fcgiwrap (1.1.0-13) unstable; urgency=medium
.
[ Jordi Mallach ]
* Tighten permissions and ownership of fcgiwrap socket.
This was previously mode 0666, thus writable by any user,
which could lead to trivial privilege escalation to www-data.
Thanks to Anton Luka Šijanec. (Closes: #1023688)
* Bump debhelper compat to v13 and use debhelper-compat to declare it.
* Set Rules-Requires-Root to no.
* Update copyright years.
* Make systemd the main dependency, with spawn-fcgi as the alternative.
* Add missing ${misc:Pre-Depends} to handle init-system-helpers requirement.
* Update Standards-Version to 4.6.1, with no changes needed.
* Add a NEWS.Debian entry pointing out that the socket permission change
might break existing setups if they relied on a world-writable socket.
* Change all references to /var/run to just /run.
.
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse.
* Trim trailing whitespace.
Checksums-Sha1:
8af9db691e39164e9ad6c4c6f6d2c009e15fcf93 2062 fcgiwrap_1.1.0-13.dsc
872d532db7d3c122b96a1fddfd4d05abd7e583ef 11932 fcgiwrap_1.1.0-13.debian.tar.xz
89bb7dc9847b21160830f5d57e9754c3230a91c7 6747 fcgiwrap_1.1.0-13_amd64.buildinfo
Checksums-Sha256:
b12a802ea117dc6bf9b49149092626a1d3314a99ea683fd4bfeac3f68b401853 2062 fcgiwrap_1.1.0-13.dsc
f1de4b450fcdaae611454948a209fb2c09fbd8cf035cf29f80d4b0ca51292db0 11932 fcgiwrap_1.1.0-13.debian.tar.xz
94e9c1fc5a45a763947942d73dea767f99310c3d6da10fc97755873fde701dec 6747 fcgiwrap_1.1.0-13_amd64.buildinfo
Files:
166814bde4efceabb7ad5d36fed4ca58 2062 web optional fcgiwrap_1.1.0-13.dsc
21b2e836f795e8b2ca43830693e5f855 11932 web optional fcgiwrap_1.1.0-13.debian.tar.xz
c5eadb67b8409b02451e291917703c30 6747 web optional fcgiwrap_1.1.0-13_amd64.buildinfo
--- End Message ---