In chrony, an implementation of the NTP protocol used in various Linux distributions to keep precise time, a vulnerability () has been found that allows any file on the system to be overwritten by someone who has access to the unprivileged local user chrony. The vulnerability can only be exploited through the chrony user, which reduces its severity. However, the issue undermines the privilege separation in chrony and could be exploited in combination with another vulnerability found in code that runs after privileges have been dropped.
The vulnerability is caused by the insecure creation of the pid file, which was written at a stage when chrony had not yet dropped privileges and was still running as root. At the same time, the /run/chrony directory into which the pid file is written was created with permissions 0750 (by systemd-tmpfiles or at chronyd startup) and owned by the "chrony" user and group. Thus, anyone with access to the chrony user can replace the /run/chrony/chronyd.pid file with a symbolic link. The symbolic link can point to any file on the system, which will be overwritten the next time chronyd is started.
root# systemctl stop chronyd.service
root# sudo -u chrony /bin/bash
chrony$ cd /run/chrony
chrony$ ln -s /etc/shadow chronyd.pid
chrony$ exit
root# /usr/sbin/chronyd -n
^C
# instead of the contents of /etc/shadow, the process ID of chronyd will be saved
root# cat /etc/shadow
15287
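As an added illustration of the mitigation (this is example code written for this page, not chrony's own implementation), the following C program shows the two checks that close the hole described above: the pid file is opened with O_NOFOLLOW so a symbolic link planted at the path is refused instead of being followed, and a helper judges whether a pid-file directory is acceptable for a root-written file (owned by root, not writable by group or others, which /run/chrony with mode 0750 and chrony ownership is not). The demo functions create a constructed "protected" file and a symlink inside a fresh temporary directory; all paths and names below are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the pid file without following a symbolic link at the final path
   component. Returns 0 on success, -1 with errno set on failure; on Linux a
   symlink at `path` makes open(2) fail with ELOOP, so the link target is never
   touched. */
int write_pid_file_nofollow(const char *path, pid_t pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (write(fd, buf, (size_t)n) != (ssize_t)n) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* A directory is safe for a root-written pid file only if root owns it and
   neither group nor others can write to it (a writable directory lets an
   unprivileged owner swap the pid file for a symlink). Pure function so the
   policy can be checked against arbitrary stat(2) results. */
int pidfile_dir_is_safe(uid_t owner, mode_t mode) {
    return owner == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Demo (constructed scenario): a symlink named chronyd.pid points at a
   "protected" file. Returns 1 if the writer refused the link and the protected
   file still has its original contents. */
int demo_symlink_rejected(void) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char target[PATH_MAX], link[PATH_MAX];
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(link, sizeof link, "%s/chronyd.pid", dir);

    FILE *f = fopen(target, "w");               /* constructed protected file */
    if (!f) return 0;
    fputs("original contents\n", f);
    fclose(f);
    if (symlink(target, link) != 0) return 0;   /* the planted symlink */

    int rc = write_pid_file_nofollow(link, getpid());
    int refused = (rc == -1 && errno == ELOOP);

    char buf[64] = {0};
    f = fopen(target, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    int intact = strcmp(buf, "original contents\n") == 0;

    unlink(link); unlink(target); rmdir(dir);
    return refused && intact;
}

/* Demo: a regular path still works and the pid can be read back. */
int demo_regular_file_ok(void) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/chronyd.pid", dir);
    int ok = 0;
    if (write_pid_file_nofollow(path, getpid()) == 0) {
        long got = -1;
        FILE *f = fopen(path, "r");
        if (f) { if (fscanf(f, "%ld", &got) != 1) got = -1; fclose(f); }
        ok = (got == (long)getpid());
    }
    unlink(path); rmdir(dir);
    return ok;
}

int main(void) {
    printf("symlink rejected, target intact: %d\n", demo_symlink_rejected());
    printf("regular pid file written:        %d\n", demo_regular_file_ok());
    /* /run/chrony as described above: owned by chrony (non-root), mode 0750 */
    printf("dir owned by uid 1000, 0750 safe: %d\n", pidfile_dir_is_safe(1000, 0750));
    printf("dir owned by root, 0755 safe:     %d\n", pidfile_dir_is_safe(0, 0755));
    return 0;
}
```

The O_NOFOLLOW open is the per-write guard; the directory check is what a packager or auditor would apply to the tmpfiles configuration, since a pid file written by root into a directory owned by the service user is exactly the layout that made the symlink swap possible.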
The vulnerability is fixed in release . Package updates addressing the vulnerability are available for . Updates are being prepared for , and .
SUSE and openSUSE are not affected by the problem, since the symbolic link for chrony is created directly in the /run directory, without the use of additional subdirectories.
Source: opennet.ru
