OSSEC - local root privilege escalation via symlink attack


This local privilege escalation bug was found in the few seconds it took to run `grep` against the source. I first discovered it between 2009-2010 if I had to guess. Someone in the public #cPanel channel on EFnet mentioned "OSSEC", which I'd never heard of. Curious, I downloaded it, unpacked the source, and ran `grep -r /tmp .` (not the ideal way to run grep, but that's how it went). About a second or two later, I see this amongst the output:

cat /etc/hosts.deny | grep -v "ALL:${IP}$"> /tmp/hosts.deny.$$
cat /tmp/hosts.deny.$$ > /etc/hosts.deny

I typed out a quick theory in the channel that it looked like there was a possibility of a symlink attack against /tmp/hosts.deny, and by using the "twist" option in hosts.deny, one could trivially get root.

It wasn't until 2014 when I had reason to work with OSSEC that I remembered my finding. This time I would install OSSEC and try to validate my finding. It was little surprise that it worked, or that the flawed code was still there years later. Then I saw the security vendors that used OSSEC. After the patch was issued, one of them called me at work and requested I write an article for them about using OSSEC and its benefits. While they weren't willing to compensate me for my time, they offered to place a link to my boss's business on their website. I didn't write the article.


Local users could escalate privileges to root.