|Summary:|Authenticated RCE via pakfire.cgi system call|
|Product:|IPFire|Reporter:|Peter Müller <peter.mueller>|
|Component:|---|Assignee:|Stefan Schantl <stefan.schantl>|
|Status:|CLOSED FIXED|QA Contact:||
|Priority:|Will affect all users|CC:|michael.tremer, trregen222|
Description Peter Müller 2021-05-15 18:46:52 UTC
Further information will be provided as soon as this bug has been marked private.
Comment 1 Peter Müller 2021-05-16 18:43:03 UTC
All right, this bug is private by now, so here we go: Someone published an exploit on May 14th, 2021 for running arbitrary commands as "nobody" on fully patched IPFire machines by manipulating package names provided to Pakfire for installation. The exploit requires valid admin credentials to the web interface.

https://github.com/MucahitSaratar/ipfire-2-25-auth-rce

Apparently, the author of this tried to get in touch with us via Twitter: https://twitter.com/0x00deadbeef/status/1393984652503920641

Stefan provided a workaround for this: https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=d06b0ef16f08c663acaa9725206650893fc1cd74

That makes injecting commands via Pakfire calls impossible; however, a more elegant solution would be to rewrite the Pakfire CGI towards not accepting input not recognised as being a package name.
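As an added illustration of the allowlist approach Comment 1 asks for (this is not IPFire's code and not the linked commit; the package index, the pakfire binary path and the function names are assumptions, and it is written in Python rather than the Perl of pakfire.cgi): every requested name must match a strict pattern and be a known package, and the names are then passed to the process as separate argv entries instead of being interpolated into a shell command line.

```python
from __future__ import annotations

import re
import subprocess
from typing import Iterable

# Constructed stand-in for the package index Pakfire would consult
# (hypothetical; not IPFire's metadata format).
KNOWN_PACKAGES = frozenset({"nano", "tcpdump", "wio", "nut"})

# Assumed location of the pakfire binary; adjust for the real system.
PAKFIRE_BIN = "/opt/pakfire/pakfire"

# Allowlist for package names: lowercase alphanumerics plus '.', '_', '+',
# '-', no longer than 64 characters. Shell metacharacters (';', '|', '&',
# '$', '`', quotes, whitespace) can never match this pattern.
_NAME_RE = re.compile(r"\A[a-z0-9][a-z0-9._+-]{0,63}\Z")


def validate_package_names(requested: Iterable[str],
                           known: frozenset[str] = KNOWN_PACKAGES) -> list[str]:
    """Return the names if every one is well-formed and known; otherwise raise.

    A request is accepted whole or rejected whole, so a single bad entry
    cannot ride along with valid ones.
    """
    accepted: list[str] = []
    for name in requested:
        if not _NAME_RE.match(name):
            raise ValueError(f"malformed package name rejected: {name!r}")
        if name not in known:
            raise ValueError(f"unknown package rejected: {name!r}")
        accepted.append(name)
    return accepted


def is_accepted(requested: Iterable[str]) -> bool:
    """Convenience predicate: True only if the whole request validates."""
    try:
        validate_package_names(requested)
        return True
    except ValueError:
        return False


def build_pakfire_argv(action: str, requested: Iterable[str]) -> list[str]:
    """Build the argv list; names become separate arguments, never a shell string."""
    if action not in ("install", "remove"):
        raise ValueError(f"unsupported action: {action!r}")
    return [PAKFIRE_BIN, action, *validate_package_names(requested)]


def run_pakfire(action: str, requested: Iterable[str]) -> int:
    """Run pakfire without a shell (list argv, shell=False) and return its exit code."""
    return subprocess.run(build_pakfire_argv(action, requested), shell=False).returncode
```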
Comment 2 Peter Müller 2021-05-16 18:46:03 UTC
In https://twitter.com/0x00deadbeef/status/1393984652503920641, that person claims: "@ipfire from bobody [sic] to root!!" At least to me, the meaning of this is unclear. The screenshot attached to this tweet only shows the output of "id", executed as "root".
Comment 3 Peter Müller 2021-05-16 19:54:04 UTC
The root exploit chain has now been reported by the author in #12619.
Comment 4 Peter Müller 2021-05-17 19:53:40 UTC
https://www.exploit-db.com/exploits/49869 Well, there we are. So much for responsible disclosure. :-/
Comment 5 Peter Müller 2021-05-18 17:12:17 UTC
@Michael: Do you plan to merge https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=d06b0ef16f08c663acaa9725206650893fc1cd74 into Core Update 157 as well?
Comment 6 Peter Müller 2021-05-22 11:03:33 UTC
This vulnerability won't be fixed in the upcoming Core Update 157, as almost all of our CGI files are vulnerable, and we need a bit more time to fix them all. Core Update 158 will contain these changes.
Comment 7 Michael Tremer 2021-06-18 10:00:37 UTC
The changes have now been merged into next, scheduled to be released with Core Update 158. Thanks to everyone who helped to work on it. We will need to double-check all of them so that we can be certain they won't break anything.
Comment 8 Peter Müller 2021-07-11 09:55:30 UTC
Comment 9 Peter Müller 2021-07-19 21:37:03 UTC