RubySec

Providing security resources for the Ruby community

CVE-2018-12029 (passenger): CHMOD race vulnerability

GEM

passenger

SEVERITY

CVSS v3.x: 7.0 (High)

CVSS v2.0: 4.4 (Medium)

UNAFFECTED VERSIONS

  • < 3.0.0

PATCHED VERSIONS

  • >= 5.3.2

DESCRIPTION

This file system race condition allows local privilege escalation. It affects the Nginx module of Passenger in versions 3.0.0 through 5.3.1 (the chown call entered the code in 2010).

The vulnerability was exploitable only when a non-standard passenger_instance_registry_dir was in use. After a file was created there was a window in which it could be replaced with a symlink before its ownership was changed, and because the chown was applied via the path rather than the file descriptor, it followed the symlink.

If the symlink pointed at a file that would be executed by root, such as root’s crontab file, then privilege escalation was possible.
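The defect described above is a classic time-of-check/time-of-use pattern: ownership is set on a name, but a name can be rebound between creation and the chown. The following C program is an added example, not Passenger's own code, that puts the path-based pattern next to the descriptor-based fix. The function names, the temporary directory under /tmp and the file name instance.sock are assumptions made for illustration; it only simulates the state in which the path already points at a symlink when the chown runs, and shows that the hardened version (O_CREAT|O_EXCL|O_NOFOLLOW plus fchown on the open descriptor) refuses that state while the path-based version goes through to the link target.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not Passenger's code): create the file,
 * close it, then chown it by path. Between the create and the chown the
 * name can be rebound to a symlink, and chown(2) follows symlinks, so the
 * ownership change lands on whatever the link points at. */
int create_and_chown_by_path(const char *path, uid_t uid, gid_t gid) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    /* --- race window: the name at `path` can be swapped here --- */
    return chown(path, uid, gid);   /* resolves `path` again, follows links */
}

/* Hardened pattern: O_EXCL refuses to reuse an existing name (a planted
 * symlink included), O_NOFOLLOW refuses to traverse a symlink at the final
 * component, and fchown(2) acts on the inode we actually opened, so no
 * second lookup of the name takes place. */
int create_and_fchown(const char *path, uid_t uid, gid_t gid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchown(fd, uid, gid) != 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Simulates the lost race: `path` is already a symlink to `target` when
 * each helper runs. Returns 1 when the path-based helper "succeeds" (its
 * chown went to the target and the symlink is still in place) while the
 * descriptor-based helper refuses with EEXIST or ELOOP; 0 otherwise;
 * -1 if the scratch directory could not be set up. Constructed scenario. */
int demo_symlink_at_path(void) {
    char dir[] = "/tmp/chownrace.XXXXXX";          /* assumed writable scratch dir */
    if (mkdtemp(dir) == NULL) return -1;
    char target[PATH_MAX], path[PATH_MAX];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(path, sizeof path, "%s/instance.sock", dir); /* stand-in name */

    int tfd = open(target, O_WRONLY | O_CREAT, 0600);     /* the "victim" file */
    if (tfd < 0) return -1;
    close(tfd);
    if (symlink(target, path) != 0) return -1;            /* planted link */

    uid_t uid = getuid();
    gid_t gid = getgid();  /* chown to our own ids needs no privilege */

    int vuln = create_and_chown_by_path(path, uid, gid);  /* expected 0 */
    int safe = create_and_fchown(path, uid, gid);          /* expected -1 */
    int safe_errno = errno;

    struct stat st;
    int still_link = (lstat(path, &st) == 0) && S_ISLNK(st.st_mode);

    unlink(path);
    unlink(target);
    rmdir(dir);

    return (vuln == 0 && safe == -1 &&
            (safe_errno == EEXIST || safe_errno == ELOOP) && still_link) ? 1 : 0;
}

int main(void) {
    int r = demo_symlink_at_path();
    printf("path-based chown followed the symlink, fchown variant refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The mitigation is independent of the registry directory: as long as the descriptor returned by the creating open(2) is the one passed to fchown(2) (and fchmod(2) for the mode), no second name lookup occurs, so there is no window in which a rebound name can redirect the ownership change. O_EXCL and O_NOFOLLOW additionally make the creation itself fail loudly if the name has already been taken, which is the condition worth alerting on.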