| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130301001904.GB23550@turbonegro.localdomain> Date: Thu, 28 Feb 2013 19:19:04 -0500 From: Technion <technion@...ware.net> To: bugtraq@...urityfocus.com Subject: rpi-update tmpfile vulnerability Raspberry Pi Firmware Updater Vulnerability Application: https://github.com/Hexxeh/rpi-update/ Version Tested: Github source as of 10ad1e975a (10th Feb commit) Vulnerability #1: A malicious user can clobber any file due to insecure tmp file handling. Example: Any unprivileged user can create the following symlink, either from a shell account, or by malicious web content such as PHP scripts. pi@...pberrypi ~ $ ln -s /etc/passwd /tmp/updateScript.sh Once in place, the symlink is awaiting the administrator to run an update: pi@...pberrypi ~ $ sudo rpi-update ... pi@...pberrypi ~ $ cat /etc/passwd #!/bin/bash if mv "./testfile.sh.tmp" "./testfile.sh"; then rm -- "$0" exec env UPDATE_SELF=0 /bin/bash "./testfile.sh" "" else echo " !!! Failed!" fi As of this point, the pi is quite unusable due to the corrupted password database. Note that the attacker cannot customise the content, for example, to set a UID0 account. Vulnerability #2: The installation recommends the following command: sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update Although the selfupdate functionality utilises SSL to ensure the integrity of the download, the installation process uses a URL shortening service without SSL to download the bash script, which the user is then encouraged to run as the root user. Fix and Vendor Response A pull request detailing exploit #1 and including a simple patch was submitted February 6th. The patch has not yet been accepted. Workaround By running rpi-update with the self update feature disabled, the affected code is not executed. Example: sudo UPDATE_SELF=0 rpi-update If you would like to update the application manually, or perform an initial installation safely, use the following commands: wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update sudo cp rpi-update /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update Note that applying the patch in my pull request will not be a complete solution, as it will be reverted after the first automatic update. technion@...ware.net
Powered by blists - more mailing lists