Vulnerabilities > CVE-2018-12029 - Race Condition vulnerability in multiple products
Attack vector
LOCAL Attack complexity
HIGH Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201807-02.NASL description The remote host is affected by the vulnerability described in GLSA-201807-02 (Passenger: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in Passenger. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could escalate privileges, execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 111225 published 2018-07-23 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111225 title GLSA-201807-02 : Passenger: Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1399.NASL description Two flaws were discovered in ruby-passenger for Ruby Rails and Rack support that allowed attackers to spoof HTTP headers or exploit a race condition which made privilege escalation under certain conditions possible. CVE-2015-7519 Remote attackers could spoof headers passed to applications by using an underscore character instead of a dash character in an HTTP header as demonstrated by an X_User header. CVE-2018-12029 A vulnerability was discovered by the Pulse Security team. It was exploitable only when running a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor. If the symlink target was to a file which would be executed by root such as root last seen 2020-06-01 modified 2020-06-02 plugin id 110725 published 2018-06-28 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110725 title Debian DLA-1399-1 : ruby-passenger security update
References
- https://blog.phusion.nl/passenger-5-3-2
- https://blog.phusion.nl/passenger-5-3-2
- https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html
- https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc
- https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc
- https://security.gentoo.org/glsa/201807-02
- https://security.gentoo.org/glsa/201807-02