Bug 12616 (CVE-2021-33393)

Summary: Authenticated RCE via pakfire.cgi system call
Product: IPFire
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED
QA Contact:
Severity: Security
Priority: Will affect all users
CC: michael.tremer, trregen222
Version: 2
Keywords: Security
Hardware: all
OS: All
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=12619

Description Peter Müller 2021-05-15 18:46:52 UTC
Further information will be provided as soon as this bug has been marked private.
Comment 1 Peter Müller 2021-05-16 18:43:03 UTC
All right, this bug is private by now, so here we go:

Someone published an exploit on May 14th, 2021 for running arbitrary commands as "nobody" on fully patched IPFire machines by manipulating package names provided to Pakfire for installation. The exploit requires valid admin credentials to the web interface.

https://github.com/MucahitSaratar/ipfire-2-25-auth-rce

Apparently, the author of this tried to get in touch with us via Twitter: https://twitter.com/0x00deadbeef/status/1393984652503920641

Stefan provided a workaround for this: https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=d06b0ef16f08c663acaa9725206650893fc1cd74

That makes injecting commands via Pakfire calls impossible; however, a more elegant solution would be to rewrite the Pakfire CGI towards not accepting input not recognised as being a package name.
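
Added example, not part of the bug report and not IPFire's code: a sketch of the approach named in Comment 1 (accept only input recognised as a package name), combined with calling the helper through an argument vector so no shell parses the input. The name pattern, the `|` separator and the `/bin/echo` stand-in for the helper binary are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed shape of a package name: starts with a lowercase letter or digit,
# then lowercase letters, digits, '+', '.', '_' or '-'. \z (not $) also
# rejects a trailing newline.
my $PKG_NAME = qr/\A[a-z0-9][a-z0-9+._-]{0,63}\z/;

# Split the submitted field on '|' (assumed separator). Returns the names,
# or an empty list if any element is not a package name.
sub parse_package_list {
    my ($raw) = @_;
    return unless defined $raw && length $raw;
    my @names = split /\|/, $raw, -1;    # -1 keeps trailing empty fields
    for my $name (@names) {
        return unless $name =~ $PKG_NAME;
    }
    return @names;
}

# Run a program with an argument vector. The "system { $prog } LIST" form
# never goes through /bin/sh, so metacharacters in arguments stay literal.
sub run_no_shell {
    my ($prog, @args) = @_;
    my @argv = ($prog, @args);
    return system { $prog } @argv;
}

# Constructed sample inputs: two well-formed, the rest malformed.
for my $input ('nano', 'squid|nano', 'nano;id', 'nano|', "nano\n", '') {
    my @pkgs = parse_package_list($input);
    (my $shown = $input) =~ s/\n/\\n/g;
    if (@pkgs) {
        print "accept '$shown'\n";
        # /bin/echo stands in for the real helper binary (hypothetical).
        run_no_shell('/bin/echo', 'install', @pkgs) == 0
            or warn "helper failed for '$shown'\n";
    } else {
        print "reject '$shown'\n";
    }
}
```

Only the first two inputs reach the helper; the whole request is rejected if any single element fails the pattern, rather than dropping the bad element and continuing.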
Comment 2 Peter Müller 2021-05-16 18:46:03 UTC
In https://twitter.com/0x00deadbeef/status/1393984652503920641, that person claims: "@ipfire from bobody [sic] to root!!"

At least to me, the meaning of this is unclear. The screenshot attached to this tweet only shows the output of "id", executed as "root".
Comment 3 Peter Müller 2021-05-16 19:54:04 UTC
The root exploit chain has now been reported by the author in #12619.
Comment 4 Peter Müller 2021-05-17 19:53:40 UTC
https://www.exploit-db.com/exploits/49869

Well, there we are. So much for responsible disclosure. :-/
Comment 5 Peter Müller 2021-05-18 17:12:17 UTC
@Michael: Do you plan to merge https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=d06b0ef16f08c663acaa9725206650893fc1cd74 into Core Update 157 as well?
Comment 6 Peter Müller 2021-05-22 11:03:33 UTC
This vulnerability won't be fixed in upcoming Core Update 157, as almost any of our CGI files are vulnerable, and we need a bit more time to fix them all.

Core Update 158 will contain these changes.
Comment 7 Michael Tremer 2021-06-18 10:00:37 UTC
The changes have now been merged into next, scheduled to be released with Core Update 158. Thanks to everyone who helped to work on it.

We will need to double-check all of them so that we can be certain they won't break anything.