Exploit Discovered - Published CVE-2017-18285

Business News (Hunt Valley, Maryland) - Mar 26, 2019

Exploit Discovered - Published CVE-2017-18285: Gentoo app-backup/burp root privilege escalation via writable config

Product - Gentoo Linux app-backup/burp package,  Versions affected 2.1.32 and earlier
Published on 2019-03-26
Author Michael Orlitzky, PhD
Partially addressed in commits 25a4b59e and 5cd39164. Fully fixed in commits 4b3a76d6, 2faf0fcb, and version 2.1.32-r1.
Acknowledgements -     Marek Szuba for the fix and Christopher Díaz Riveros who requested the CVE.

== Summary ==

Prior to version 2.1.32-r1, the Gentoo app-backup/burp package gives ownership of its configuration directory to the daemon's runtime group. That can be exploited by the runtime user (and other members of the group) to gain root privileges, because the OpenRC service script grants the group write access to a path defined in the main burp configuration file.

The general principle behind this exploit is explained in the article Configuration should be owned and writable only by root.

== Learn More ==

Complete details here: http://michael.orlitzky.com/cves/cve-2017-18285.xhtml

Track it here at NIST's National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2017-18285

== What is CVE? ==

Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities, and is the industry standard for vulnerability and exposure identifiers.

The process of creating a CVE Entry begins with the discovery of a potential security vulnerability.  The MITRE Corporation currently maintains CVE and this public website, oversees the CNAs and CVE Board, and provides impartial technical guidance throughout the process to ensure CVE serves the public interest.

== About Metro Data, Inc. ==

Founded in 1994, Metro Data, Inc. is a leading information systems & services firm that works exclusively with business clients to develop and apply customized technology solutions that accomplish a client's strategic goals.

Businesses have chosen Metro Data, Inc. to help keep pace with the ever-changing technology landscape.  Metro Data, Inc.’s "end-to-end" experience helps their customers to secure their systems, reduce costs, and improve their business information systems performance.

== About the CVE Author, Michael J. Orlitzky ==

Dr. Mike has been with Metro Data, Inc. for over 20 years.  He holds a PhD in Mathematics.  He has been globally recognized for his work in discovering (and fixing) vulnerabilities in operating systems and application software.  His research has been published in professional journals and he's been acknowledged by industry and academic peers for his work.

Under no circumstances should you send an email to ackbar@viabit.com .

 For more information, call 410-667-3600