The admin-side optional utility daemons svnwcsub.py and irkerbridge.py are vulnerable to a local privilege escalation vulnerability via symlink attack. Summary: ======== svnwcsub.py and irkerbridge.py take a --pidfile option which creates a file containing the process id they are running as. Both of them do not take steps to ensure that the file they have been directed at is not a symlink. If the pid file is in a directory writeable by unprivileged users, the destination could be replaced by a symlink allowing for privilege escalation. Both are optional extra tools that are not installed by default and do not create a pid file by default. Known vulnerable: ================= svnwcsub.py and irkerbridge.py included with Subversion 1.8.0 - 1.8.1, when --pidfile is passed, due to an underlying problem in daemonize.py. svnwcsub.py included with Subversion 1.8.0 - 1.8.2 when run in foreground mode (as opposed to daemon mode) when --pidfile is passed. Known fixed: ============ daemonize.py included with Subversion 1.8.2 or newer. svnwcsub.py included with Subversion 1.8.3. Subversion 1.7.x and earlier do not include these files and are not vulnerable. Details: ======== The pid file is often used by scripts to be able to determine if a specific service is running and to determine which process to kill to stop a service. If the pid file is created in a directory writable by unprivileged directories, they could replace it with a symlink. If that is done while the service is stopped, the service may overwrite the target of the symlink with a one line containing its pid when it starts. This may lead to privilege escalation, depending on the target of the symlink. If that is done while the service is running, the stop script may kill the wrong process. In effect the unprivileged user would be able to kill a process they do not have permissions to kill when a privileged script depends on the pid file. Both svnwcsub.py and irkerbridge.py use the daemonize.py module to help implement the pidfile feature. This module does not properly ensure that the pid file is being created new every time and as such are vulnerable. The daemonize.py script has been fixed to resolve this issue and the fixed version is included in Subversion 1.8.2. svnwcsub.py also supports the --pidfile option when running in the foreground and does not depend upon the daemonize.py module to support that functionality. The foreground implementation of --pidfile is also vulnerable. Severity: ========= CVSSv2 Base Score: 2.4 CVSSv2 Base Vector: AV:L/AC:H/Au:S/C:N/I:P/A:P We consider this to be a low risk vulnerability. The tools are not installed by default so most installations are not likely to be vulnerable. Unless the pid file is created in a directory with permissions for unprivileged users the vulnerability cannot be exploited. The init scripts provided with Subversion places the pid file in /var/run or a subdirectory under /var/run, which is not typically writable by unprivileged users. The svnwcsub and irkerbridge services do not run as root by default and so the potential privilege escalation is limited. In svnwcsub, a file in one of the managed working copies or in their metadata (.svn) areas may be truncated and replaced with single line containing a pid number. The attacker would need to have local access to the machine that the tools were running on in order to exploit the vulnerability. Recommendations: ================ We recommend that users using svnwcsub.py and irkerbridge.py upgrade their installations with the files (including daemonize.py) as included in Subversion 1.8.3 or newer. Administrators can mitigate the vulnerability without upgrading by refraining from pointing the pid file at a directory where unprivileged users have write access (e.g. /tmp). Instead the pidfile should be placed in a directory where only the daemon has access to create, modify, and delete files. Alternatively, the pid file may be disabled altogether by removing the --pidfile option from the invocation. References: =========== CVE-2013-4262 (Subversion) Reported by: ============ Daniel Shahaf, Apache Infrastructure Patches: ======== Patch for Subversion 1.8: [[[ Index: tools/server-side/svnpubsub/daemonize.py =================================================================== --- tools/server-side/svnpubsub/daemonize.py (revision 1516272) +++ tools/server-side/svnpubsub/daemonize.py (working copy) @@ -143,7 +143,14 @@ class Daemon(object): if daemon_accepting.signalled: # the daemon is up and running, so save the pid and return success. if self.pidfile: - open(self.pidfile, 'w').write('%d\n' % pid) + # Be wary of symlink attacks + try: + os.remove(self.pidfile) + except OSError: + pass + fd = os.open(self.pidfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0444) + os.write(fd, '%d\n' % pid) + os.close(fd) return DAEMON_STARTED # some other signal popped us out of the pause. the daemon might not Index: tools/server-side/svnpubsub/svnwcsub.py =================================================================== --- tools/server-side/svnpubsub/svnwcsub.py (revision 1516272) +++ tools/server-side/svnpubsub/svnwcsub.py (working copy) @@ -465,7 +465,15 @@ def handle_options(options): # Otherwise, we should write this (foreground) PID into the file. if options.pidfile and not options.daemon: pid = os.getpid() - open(options.pidfile, 'w').write('%s\n' % pid) + # Be wary of symlink attacks + try: + os.remove(options.pidfile) + except OSError: + pass + fd = os.open(options.pidfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, + 0444) + os.write(fd, '%d\n' % pid) + os.close(fd) logging.info('pid %d written to %s', pid, options.pidfile) if options.gid: ]]]