Topic: Root compromise
I found a vulnerability in iRedAPD that can be exploited to gain root access.
Problem:
When plugins are loaded by iRedAPD, it automatically compiles the source .py files into .pyc files for faster loading in the future. Unfortunately the compiled files are created world writable (mode 666). Since iRedAPD runs as root (root privilege is far more than iRedAPD needs), an attacker can replace a plugin's .pyc file with a maliciously crafted .pyc file and execute code with root privilege.
An attacker can prepare the malicious .pyc file on his own test box, upload it to the victim box and replace the original .pyc file with his own.
Making the .pyc file is easy: modify the original plugin .py file on the attacker box, then force iRedAPD to load the plugins by sending a mail or talking directly to port 7777. The first 8 bytes of the malicious .pyc file must be exactly the same as those of the original .pyc file on the victim box, because the modification time of the .py file is recorded in the header.
This vulnerability was tested successfully on iRedOS 0.6.0; the result is that a normal user gains root privilege.
Fix:
chmod 600 /opt/iredapd/src/plugins/*.pyc and /opt/iredapd/src/plugins-rr/*.pyc
To make it even more secure, on my production box I made some modifications to iredapd.py and iredapd-rr.py so that they run as a non-root user. Lines marked --THIS IS MY CODE-- are my code to drop root privilege to a normal user.
# Run this program as daemon.
if run_as_daemon == 'yes':
    daemon.daemonize()

# Read the target user from the ini file (default: iredapd) and look up its uid.
run_as_user = cfg.get('general', 'run_as_user', 'iredapd')  # --THIS IS MY CODE--
uid = pwd.getpwnam(run_as_user)[2]                           # --THIS IS MY CODE--

try:
    # Write pid number into pid file (still as root, so /var/run is writable).
    f = open(cfg.get('general', 'pid_file', '/var/run/iredapd.pid'), 'w')
    f.write(str(os.getpid()))
    f.close()
    # Drop root privilege before the daemon starts serving requests.
    os.setuid(uid)  # --THIS IS MY CODE--
    # (the rest of the original try block in iredapd.py follows here)
Add this line:
import pwd
at the top of the file, after the "import os" line.
In the files iredapd.ini and iredapd-rr.ini, add this one line:
run_as_user = iredapd
Don't forget to create the iredapd user.
Restart iredapd and enjoy. Here is the output of "ps aux" on my production box (iredapd no longer runs as root):
iredapd 428 0.0 0.1 10780 3960 ? S 15:16 0:00 python /opt/iredapd/src/iredapd.py /opt/iredapd/etc/iredapd.ini
iredapd 22917 0.0 0.1 10780 3964 ? S Jul19 0:03 python /opt/iredapd/src/iredapd-rr.py /opt/iredapd/etc/iredapd-rr.ini
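Added example, not iRedAPD's own code: a Python script that audits a plugin directory for world-writable .pyc files, applies the chmod 600 fix from above, and drops root to an unprivileged user, including the supplementary-group and primary-group steps the snippet above leaves out (it only calls os.setuid). The plugin paths and the iredapd user name come from the post; the sample directory built by make_sample_plugin_dir() is a constructed fixture for demonstration.

```python
import os
import pwd
import stat
import tempfile

def world_writable_files(directory, suffix=".pyc"):
    """Return regular files under `directory` ending in `suffix` that others can write to."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if name.endswith(suffix) and stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)

def restrict_permissions(paths, mode=0o600):
    """chmod each path to `mode` (the post's fix) and return the resulting permission bits."""
    result = {}
    for path in paths:
        os.chmod(path, mode)
        result[path] = stat.S_IMODE(os.stat(path).st_mode)
    return result

def drop_privileges(run_as_user):
    """Irreversibly switch from root to `run_as_user`; return (uid, gid) afterwards."""
    if os.getuid() != 0:
        return os.getuid(), os.getgid()  # not root: nothing to drop
    pw = pwd.getpwnam(run_as_user)
    os.setgroups([])          # shed root's supplementary groups first
    os.setgid(pw.pw_gid)      # then the primary group, while still root
    os.setuid(pw.pw_uid)      # finally the uid: sets real, effective and saved uid
    try:
        os.setuid(0)          # must now fail; if it succeeds the drop was incomplete
    except OSError:
        return os.getuid(), os.getgid()
    raise RuntimeError("privilege drop failed: process could regain root")

def make_sample_plugin_dir():
    """Constructed fixture: one world-writable and one correctly protected .pyc file."""
    directory = tempfile.mkdtemp(prefix="iredapd-plugins-")
    bad, good = os.path.join(directory, "a.pyc"), os.path.join(directory, "b.pyc")
    for path, mode in ((bad, 0o666), (good, 0o644)):
        with open(path, "wb") as f:
            f.write(b"\x00" * 8)  # 8-byte header placeholder, not real bytecode
        os.chmod(path, mode)
    return directory, bad, good
```

On a real box, run restrict_permissions(world_writable_files("/opt/iredapd/src/plugins")) and the same for plugins-rr as root; drop_privileges("iredapd") belongs where the snippet above calls os.setuid, after the pid file is written.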