CVE-2017-11746 in Tenshi

Summary

by MITRE

Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tenshi.pid modification before a root script executes a "kill `cat /pathname/tenshi.pid`" command.


Analysis

by VulDB Data Team • 11/02/2019

CVE-2017-11746 affects the Tenshi log-monitoring tool, version 0.15, and lets a local user who can act as Tenshi's unprivileged service account have root kill an arbitrary process. The root cause is the order of operations at start-up: Tenshi drops privileges from root to its non-root account first and writes its tenshi.pid file afterwards, so the pid file ends up owned and writable by the unprivileged account. The flaw is catalogued as a race condition (see the CWE mapping below), but the window is not narrow: the file can be rewritten at any point between daemon start-up and the moment a root-owned stop script reads it.

The pid file holds Tenshi's own process identifier and exists so that management scripts can stop the daemon later. Because it is created after the privilege drop, anyone who can run code as the Tenshi service account can overwrite its contents. The vulnerable consumer is a root-owned script, such as an init or cron script, that runs a command of the form kill `cat /pathname/tenshi.pid`. The shell substitutes whatever the file contains, the script never checks that the number refers to a Tenshi process, and root delivers the signal. An attacker who writes the PID of some other process, for example a security daemon or a database server, has that process terminated with root's authority; because root is the sender, the target's owner and permissions are irrelevant.

The issue is mapped to CWE-367, Time-of-Check to Time-of-Use (TOCTOU) race condition. The more specific failing is that a privileged script trusts data read from a file an unprivileged user controls; whatever the script may have checked earlier, the contents at time of use are attacker-chosen. The operational impact is denial of service: any process on the host, including those running as root, can be killed, which also serves to silence logging, auditing or monitoring agents ahead of a further attack. It is a least-privilege violation in the plain sense that a file which drives a root action must not be writable by a non-root account.

Exploitation requires local access and, specifically, the ability to write the pid file, which in practice means running code as the account Tenshi switches to. No precise timing is needed: the attacker rewrites the file and waits for an administrator, an init script at shutdown, or a scheduled restart to execute the kill. Shared and multi-tenant hosts are therefore the primary concern, and the service account is a natural entry point because a log-processing daemon parses untrusted log lines. The primitive obtained is process termination as root, not code execution; how far it can be pushed beyond denial of service depends on which process the attacker chooses to kill.

The fix is to make the pid file something root can trust. The most direct change is for Tenshi to write the pid file before dropping privileges, so that it is owned by root and not writable by the service account, or to place it in a directory the service account cannot write to. Independently, any root script that reads a pid file should validate the contents before acting on them: the file should be a regular file (not a symlink) owned by root and not writable by others, contain a single positive integer, refer to a live process, and that process should actually be Tenshi (compare /proc/PID/comm, or the output of ps, against the expected daemon name). Atomic writes and file locking do not help here, since the attacker legitimately holds write access to the file; only removing that access or refusing to trust the contents closes the hole. Mandatory access control policies (SELinux, AppArmor) can additionally deny the service account writes to the pid file, and audit rules or file-integrity monitoring on the pid file provide a detection signal for tampering attempts.
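The unsafe stop idiom quoted in the advisory beside a hardened one, as an added example that is not Tenshi's own code or its packaged init script. The function names, the daemon name "tenshi", and the pid file paths are assumptions for illustration; the checks correspond to the mitigation list above, and the self-test at the bottom feeds the routine a constructed pid file pointing at PID 1.

```shell
#!/bin/sh
# Added example (not from Tenshi): contrast the blind "kill `cat pidfile`"
# with a stop routine that validates the pid file before root signals anything.

# Unsafe: whatever the pid file says gets killed, as root. If the file is
# writable by the unprivileged account the daemon runs as, this is an
# arbitrary process-kill primitive (the bug described in this advisory).
unsafe_stop() {
    kill `cat "$1"`
}

# Print the PID from pid file $1 if it names a live process whose command
# name is $2 and the file belongs to the user running this script (root in
# a real stop script). Otherwise print a reason on stderr and return 1
# without touching any process.
validate_pidfile() {
    pidfile=$1
    expected=$2

    # Reject symlinks (a writer could point the name at a root-owned file
    # that happens to contain a number) and anything we do not own. Tenshi
    # 0.15 writes the file after dropping privileges, so the service account
    # can rewrite it; -O is the ownership test supported by sh/dash/bash.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ] || [ ! -O "$pidfile" ]; then
        echo "refusing $pidfile: missing, symlink, or not owned by $(id -un)" >&2
        return 1
    fi

    # Exactly one line of digits. "12 ; reboot", "abc" and empty files fail.
    if [ "$(( $(wc -l < "$pidfile") ))" -gt 1 ]; then
        echo "refusing $pidfile: more than one line" >&2
        return 1
    fi
    read -r pid < "$pidfile" || pid=
    case $pid in
        ''|*[!0-9]*)
            echo "refusing $pidfile: content is not a single positive PID" >&2
            return 1 ;;
    esac
    if [ "$pid" -le 1 ]; then
        echo "refusing $pidfile: PID $pid is not a daemon we started" >&2
        return 1
    fi

    # The process must exist ...
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "refusing $pidfile: no process with PID $pid" >&2
        return 1
    fi

    # ... and must really be the daemon, not a PID the unprivileged user
    # planted (sshd, syslogd, a database server). /proc/PID/comm on Linux,
    # ps as a fallback elsewhere; both give the executable's short name.
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -o comm= -p "$pid")
    fi
    comm=$(basename "$comm")
    if [ "$comm" != "$expected" ]; then
        echo "refusing $pidfile: PID $pid is '$comm', expected '$expected'" >&2
        return 1
    fi

    echo "$pid"
}

# Hardened stop: send SIGTERM only after every check above passes.
safe_stop() {
    pid=$(validate_pidfile "$1" "$2") || return 1
    kill "$pid"
}

# Self-demonstration with a constructed hostile pid file: an attacker who
# writes "1" into it would, with unsafe_stop, have root signal init.
demo_pidfile=$(mktemp)
echo 1 > "$demo_pidfile"
if safe_stop "$demo_pidfile" tenshi; then
    echo "BUG: signal was sent"
else
    echo "blocked: hostile pid file ignored"
fi
rm -f "$demo_pidfile"
```

In a real init script the daemon name would be fixed and validate_pidfile would run as root, so the ownership test requires the pid file to be root-owned; with Tenshi 0.15 as shipped that alone makes the script refuse, which is the correct failure mode until the daemon writes the file before dropping privileges.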

Reservation

07/30/2017

Disclosure

07/30/2017

Moderation

accepted

CPE

ready

EPSS

0.00321

KEV

no

Activities

very low
