Vulnerability

Affected software: MySQL Governor below 1.2-50, and any later version when it is not used together with CloudLinux kernel 3.10.0-962.3.2.lve1.5-26.9 or later.

db_governor automatically sets fs.suid_dumpable=1 during installation, which opens security holes. According to the Linux kernel documentation, value 1 of fs.suid_dumpable is a debugging setting and should not be used on production systems:

1 - (debug) - all processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. This is insecure as it allows regular users to examine the memory contents of privileged processes.

Because of this setting, you can attack other applications on the host, e.g. the LiteSpeed lscgid process, which spawns lsphp. Here is what lscgid does (strace output, PID 935216):

935216 11:25:05.616651 setuid(1013) = 0
====> start of attack vector
935216 11:25:05.616701 chdir("/usr/local/bin/") = 0
935216 11:25:05.616755 write(1, "0E\16\0", 4) = 4
====> end of attack vector
935216 11:25:05.616814 execve("/usr/local/bin/lsphp",...

The process is already inside an LVE; it changes its uid to 1013 and then executes lsphp. Normally the kernel clears the dumpable flag when setuid() changes the process credentials, so a ptrace() attach by the new uid fails with EPERM. With fs.suid_dumpable=1 the flag is set to 1 instead, so after setuid() the process remains dumpable and its new owner (uid 1013) can ptrace() it and modify its execution flow in the window before execve() occurs. This is what the intercepted process looks like (lsof output):

COMMAND    PID  USER  FD TYPE             DEVICE SIZE/OFF    NODE NAME
lscgid 1631229 ztest cwd  DIR              9,125  4096        121 /tmp/lshttpd
lscgid 1631229 ztest rtd  DIR              9,127  4096    2500411 /
lscgid 1631229 ztest txt  REG              9,127 56096    1452439 /usr/local/lsws/bin/lscgid.5.3.8
(...)
lscgid 1631229 ztest DEL  REG                0,4     0            /SYSV000015b3
lscgid 1631229 ztest  0u unix 0xffff92628a042200   0t0   36520988 /tmp/lshttpd/APVH_ztest_Suphp.sock
lscgid 1631229 ztest  1u unix 0xffff92628a040cc0   0t0   36519936 /usr/local/lsws/admin/cgid/cgid.sock.454
lscgid 1631229 ztest  2w  REG              9,127     0    1710932 /usr/local/lsws/logs/stderr.log
lscgid 1631229 ztest  3r  CHR              10,58   0t0      21541 /dev/lve

As you can see, the process is still lscgid, but its uid is already ztest, and it is being ptraced by ztest from within CageFS, which fs.suid_dumpable=1 permits. You now control a process whose current directory, /tmp/lshttpd, is potentially outside CageFS, and you have access to its memory, which potentially allows you to extract e.g. the secret key used on the still-open socket /usr/local/lsws/admin/cgid/cgid.sock.454. You can also write directly to stderr.log through its open descriptor. From there you can escalate further.

Exploit

No full exploit was written for this vulnerability, only a simple ptrace() PoC.

Solution

Update the CloudLinux kernel to 3.10.0-962.3.2.lve1.5-26.9 or later and MySQL Governor to 1.2-50 or later. Both updates are needed: the Governor fix depends on the kernel change CLKRN-523 shipped in that kernel.
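As an added check for administrators (this is example code written for this advisory, not code from db_governor, CloudLinux or LiteSpeed), the following Python script audits whether fs.suid_dumpable is still at the debug value 1, both at runtime and in the persisted sysctl files that would re-apply it at the next boot, and prints the corrected setting. The sysctl file locations are the standard ones and are an assumption: the advisory does not say which file db_governor writes its change to. Only value 1 (SUID_DUMP_USER) lets an unprivileged uid ptrace() a process that has just called setuid(); 0 and 2 make the kernel's ptrace access check refuse non-root tracers, so those are treated as safe.

```python
#!/usr/bin/env python3
"""Audit fs.suid_dumpable after a db_governor installation.

Added example for this advisory, not code from db_governor or CloudLinux.
Value 1 is the debug setting that keeps a setuid()-ed process ptrace-able
by its new uid; 0 and 2 do not. The sysctl search paths below are the
standard ones and are an assumption: the advisory does not say where
db_governor persists its change.
"""
import glob
import re

DEBUG_VALUE = 1
# Assumed standard sysctl file locations read by `sysctl --system`.
SYSCTL_GLOBS = [
    "/usr/lib/sysctl.d/*.conf",
    "/run/sysctl.d/*.conf",
    "/etc/sysctl.d/*.conf",
    "/etc/sysctl.conf",
]
# sysctl(8) accepts both "fs.suid_dumpable" and "fs/suid_dumpable".
KEY_RE = re.compile(r"^\s*fs[./]suid_dumpable\s*=\s*(\S+)")

# Constructed samples (not real files): the weak setting and the fix.
WEAK_CONF = "# written at install time\nfs.suid_dumpable = 1\n"
FIXED_CONF = "fs.suid_dumpable = 0\n"


def parse_sysctl_conf(text):
    """Return the last fs.suid_dumpable value assigned in one sysctl file,
    or None if the file does not set it. Later lines override earlier
    ones, as they do when sysctl(8) loads the file."""
    value = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            try:
                value = int(m.group(1))
            except ValueError:
                value = None  # malformed value: sysctl would reject it
    return value


def running_value(path="/proc/sys/fs/suid_dumpable"):
    """Current kernel value; raises OSError on non-Linux hosts."""
    with open(path) as f:
        return int(f.read().strip())


def findings(running, persisted):
    """running: int from /proc; persisted: {path: value or None}.
    Returns one message per problem; an empty list means hardened."""
    out = []
    if running == DEBUG_VALUE:
        out.append("runtime fs.suid_dumpable=1: a process that calls setuid() "
                   "stays ptrace-able by its new uid until execve()")
    for path in sorted(persisted):
        if persisted[path] == DEBUG_VALUE:
            out.append(f"{path} sets fs.suid_dumpable=1: re-applied at boot")
    return out


def audit(globs=SYSCTL_GLOBS, proc_path="/proc/sys/fs/suid_dumpable"):
    """Collect persisted values from every sysctl file and combine them
    with the running value."""
    persisted = {}
    for pattern in globs:
        for path in glob.glob(pattern):
            try:
                with open(path) as f:
                    persisted[path] = parse_sysctl_conf(f.read())
            except OSError:
                continue  # unreadable fragment; nothing to report for it
    return findings(running_value(proc_path), persisted)


if __name__ == "__main__":
    # Show the parser on the constructed samples, then audit this host.
    print("sample weak conf  ->", parse_sysctl_conf(WEAK_CONF))
    print("sample fixed conf ->", parse_sysctl_conf(FIXED_CONF))
    problems = audit()
    for msg in problems:
        print("WEAK:", msg)
    if problems:
        print("fix: sysctl -w fs.suid_dumpable=0, then set "
              "'fs.suid_dumpable = 0' in the file(s) listed above")
    else:
        print("OK: fs.suid_dumpable is not 1 at runtime or in persisted config")
```

Run it as root after updating the kernel and MySQL Governor; an empty finding list confirms the host no longer exposes the setuid()-to-execve() ptrace window described above. Note that correcting the runtime value alone is not enough if a persisted file still carries the debug value, which is why the script reports both.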

Timeline

  • 2019-08-01 - Vulnerability reported to vendor.
  • 2019-08-02 - Response from vendor, task MYSQLG-419 assigned.
  • 2019-12-04 - CloudLinux kernel 3.10.0-962.3.2.lve1.5-26.9 released with CLKRN-523, which the fix requires.
  • 2020-01-14 - MySQL Governor 1.2-50 released with MYSQLG-419 vulnerability fixed.