CVE-2022-45473 - How World-Writable Log Permissions in drachtio-server .8.18 Open the Door to Attacks

Security mistakes don’t always involve fancy code bugs—sometimes, it’s as simple as getting file permissions wrong. A perfect example is CVE-2022-45473, found in version .8.18 of drachtio-server, a popular SIP application server used for VoIP solutions.

In this post, I’ll explain what this vulnerability is all about, how it can be exploited, and why world-writable log files and folders are a serious problem. You'll also see code snippets and links to references so you can dig deeper.

What’s the Issue?

By default, when drachtio-server .8.18 gets installed, it sets the permissions for its log directory and file like this:

- /var/log/drachtio (the directory) is set to 0777 (rwxrwxrwx)
- /var/log/drachtio/drachtio.log (the main log) is set to 0666 (rw-rw-rw-)

This means any user on the system can read, write, and (in the case of the directory) even delete or add files.

Let’s check how it looks on a typical install

$ ls -ld /var/log/drachtio
drwxrwxrwx 2 root root 4096 Nov 18 12:00 /var/log/drachtio

$ ls -l /var/log/drachtio/drachtio.log
-rw-rw-rw- 1 root root 21488 Nov 18 12:05 /var/log/drachtio/drachtio.log

Exploit Example

Let’s see how a regular system user could abuse the loose permissions.

Step 1: Tricking the System with a Symlink

Suppose you want to overwrite /etc/passwd (where Linux user accounts are stored). A legitimate user *should never* be able to do this.

But with 0666 and 0777 permissions, you can try

# Remove the existing log file
rm /var/log/drachtio/drachtio.log

# Make a symlink to /etc/passwd
ln -s /etc/passwd /var/log/drachtio/drachtio.log

When drachtio-server writes a log entry, the log function writing to drachtio.log could actually write to /etc/passwd, corrupting or overwriting it. This could lock users out or open bigger attack paths.

Malicious processes could simply

echo "" > /var/log/drachtio/drachtio.log    # Erase all evidence

or even

rm /var/log/drachtio/drachtio.log

Related Code In drachtio-server

If you dive into the drachtio-server source code, you’ll see log file creation is handled in C++, typically like:

log_file.open("/var/log/drachtio/drachtio.log", std::ios::out | std::ios::app);

But no permissions are set safely, depending instead on the system umask. If the install script or init script does not set a strict umask (like 0022 or 0027), you get world-writable files.

How to Fix It

The best practice: Log files and directories should only be writable by the process user (e.g., drachtio or root), not everyone.

You can fix permissions like so

chmod 075 /var/log/drachtio           # Only owner and group can write/read/exec
chmod 064 /var/log/drachtio/drachtio.log   # Only owner can write, group can read
chown drachtio:drachtio /var/log/drachtio/drachtio.log

References

- CVE-2022-45473 NIST Details
- drachtio-server GitHub
- oss-security disclosure (OpenWall)

Summary

CVE-2022-45473 is a reminder that something as simple as careless log file permissions can have big consequences. Even if you don’t use drachtio-server, check your server app log directories and make sure random users can’t write to them. It only takes a minute—and can save you from an easy breach.

Timeline

Published on: 11/18/2022 18:15:00 UTC
Last modified on: 11/28/2022 22:12:00 UTC