Affected software: MySQL Governor below 1.2-50 and any later version if not used with CloudLinux kernel 3.10.0-962.3.2.lve1.5-26.9 or later.
db_governor automatically sets fs.suid_dumpable=1 during installation, which opens security holes. According to the Linux kernel documentation, fs.suid_dumpable=1 should not be used on production systems:
1 - (debug) - all processes dump core when possible. The core dump is owned by the current user and no security is applied. This is intended for system debugging situations only. Ptrace is unchecked. This is insecure as it allows regular users to examine the memory contents of privileged processes.
Due to this setting, you can perform an attack against other applications, e.g. the LiteSpeed lscgid process, which spawns lsphp. Here is what lscgid does (strace excerpt):
135 935216 11:25:05.616651 setuid(1013) = 0 ====> start of attack vector
136 935216 11:25:05.616701 chdir("/usr/local/bin/") = 0
137 935216 11:25:05.616755 write(1, "0E\16\0", 4) = 4 ====> end of attack vector
138 935216 11:25:05.616814 execve("/usr/local/bin/lsphp",...
The process is already in LVE, changes its uid to 1013 and executes lsphp. Because of fs.suid_dumpable=1, the process retains its dumpable flag across setuid(), so you are able to ptrace() it and modify its execution flow before execve() occurs. This is how the intercepted process looks (lsof output):
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
lscgid 1631229 ztest cwd DIR 9,125 4096 121 /tmp/lshttpd
lscgid 1631229 ztest rtd DIR 9,127 4096 2500411 /
lscgid 1631229 ztest txt REG 9,127 56096 1452439 /usr/local/lsws/bin/lscgid.5.3.8
(...)
lscgid 1631229 ztest DEL REG 0,4 0 /SYSV000015b3
lscgid 1631229 ztest 0u unix 0xffff92628a042200 0t0 36520988 /tmp/lshttpd/APVH_ztest_Suphp.sock
lscgid 1631229 ztest 1u unix 0xffff92628a040cc0 0t0 36519936 /usr/local/lsws/admin/cgid/cgid.sock.454
lscgid 1631229 ztest 2w REG 9,127 0 1710932 /usr/local/lsws/logs/stderr.log
lscgid 1631229 ztest 3r CHR 10,58 0t0 21541 /dev/lve
As you can see, it is still named lscgid, but its uid is already ztest and it is being ptraced by ztest from within CageFS due to fs.suid_dumpable=1. Now you have control over the directory handle /tmp/lshttpd, which is potentially outside CageFS, but you also have access to the process memory, potentially allowing you to extract e.g. the secret key for use with the open socket /usr/local/lsws/admin/cgid/cgid.sock.454. You can also write directly to stderr.log. In general, you can escalate further.
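The defensive counterpart to the setuid()-to-execve() window described above, as an added example that is not code from this advisory, from MySQL Governor or from LiteSpeed: a spawner that changes uid can clear its own dumpable flag with prctl(PR_SET_DUMPABLE, 0) right after setuid(), so the process is not ptrace-able by the target uid regardless of what fs.suid_dumpable is set to. A second helper reads the live fs.suid_dumpable value from /proc/sys so an administrator can audit a host for the setting this advisory warns about. The function names, the choice to use the caller's own uid in main() and the /proc read are my assumptions for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Audit helper (assumption: the sysctl is read via /proc/sys).
 * Returns the current fs.suid_dumpable value (0, 1 or 2), or -1 if the
 * file cannot be read, e.g. on a non-Linux host. */
int read_suid_dumpable(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    if (!f)
        return -1;
    int value = -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Switch to the target uid and then explicitly clear the dumpable flag.
 * With fs.suid_dumpable=1 the kernel leaves the flag set after setuid(),
 * which is what lets the unprivileged target uid ptrace() the process in
 * the window before execve(). Clearing it here closes that window
 * independently of the sysctl. Returns 0 on success, -1 on failure. */
int drop_uid_and_harden(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    /* Verify the flag really is clear before going on to execve(). */
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

int main(void)
{
    int sysctl = read_suid_dumpable();
    printf("fs.suid_dumpable = %d%s\n", sysctl,
           sysctl == 1 ? "  (debug mode: setuid processes stay ptrace-able)" : "");

    /* The demo uses its own uid so it runs unprivileged; a real spawner
     * would pass the per-user uid (1013 in the advisory's strace). */
    if (drop_uid_and_harden(getuid()) != 0) {
        perror("drop_uid_and_harden");
        return 1;
    }
    printf("dumpable flag after uid change: %d\n",
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0));
    return 0;
}
```

The dumpable flag is reset by execve() of a non-setuid binary, so this protects only the pre-exec window inside the spawner, which is exactly the window the strace above marks as the attack vector; the process that lsphp becomes afterwards is an ordinary process of the target user and is expected to be debuggable by that user. Fixing the sysctl itself (fs.suid_dumpable=0, or 2 with a root-only core_pattern) remains the host-level remediation.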
No exploit was created for that vulnerability, only simple
Update CloudLinux kernel to 3.10.0-962.3.2.lve1.5-26.9 or later and MySQL Governor to 1.2-50 or later.