The ebuild allows the USER variable to be set to any user, which makes it possible to get root privileges.
The insecure recursive chown calls are:
logcheck() { ... if [ "$UID" != "0" ]; then if [ "$EUID" != "0" ]; then ...
Solution
A simple fix would be to set the USER variable in logcheck() to a fixed value, like "root" or "euser", to avoid this problem.
Installing RCE on Docker
File: /usr/local/etc/logcheck.conf
logcheck() {
if [ "$EUID" != "0" ]; then
if [ "$EUID" != "0" ]; then
if [ "$EUID" != "0" ]; then
Security Recommendation:
Recursive chown calls should be avoided to prevent this particular vulnerability from being exploited.
The fix for the issue is simply to avoid recursive chown calls within a log check function, and to be a little more selective with what data you allow the user to modify.
Timeline
Published on: 09/20/2022 18:15:00 UTC
Last modified on: 09/25/2022 16:15:00 UTC