| Summary: | /usr/local/bin/backupctrl allows privilege escalation due to executing /var/ipfire/backup/bin/backup/backup.pl, which is writeable by "nobody" | | |
|---|---|---|---|
| Product: | IPFire | Reporter: | Mücahit Saratar <trregen222> |
| Component: | --- | Assignee: | Michael Tremer <michael.tremer> |
| Status: | CLOSED FIXED | QA Contact: | |
| Severity: | Security | | |
| Priority: | Will affect all users | CC: | arne.fitzenreiter, michael.tremer, peter.mueller, stefan.schantl |
| Version: | 2 | Keywords: | Security |
| Hardware: | all | | |
| OS: | All | | |
| See Also: | https://bugzilla.ipfire.org/show_bug.cgi?id=12616 | | |
| Attachments: | report of vulnerability; video of poc; video of poc2 | | |
Hi,
thanks for getting in touch. The first part of your exploit chain ("Authenticated RCE via pakfire.cgi system call") is already filed in #12616 and will be discussed there. Thank you for providing the second part, which I am currently skimming through. I will comment on this further as soon as this bug has been marked private.
Thanks, and best regards,
Peter Müller

Hi Mr. Peter,
how much time do you give me to publish the second part? And this is a 0-day, right?
Thanks.
With my respects,
- Mücahit Saratar

Hi,
> how much time do you give me to publish the second part?
Well, you already made the authenticated RCE via pakfire.cgi public. Would you please hold back the second part of your exploit chain until we have released Core Update 157, so we can offer a fixed version to IPFire users first? Unless you oppose, we'd mention those vulnerabilities and your name in the release notes of Core Update 157. After the release, both this and bug #12616 will be made public again, so everything is transparent to our community.
> And this is a 0-day, right?
Given the definition in https://en.wikipedia.org/wiki/Zero-day_(computing):
> A zero-day (also known as 0-day) is a computer-software vulnerability unknown to those who should be interested in its mitigation (including the vendor of the target software).
Since we are now aware of those vulnerabilities, I guess they are not _exactly_ 0-days anymore. :-) However, we will treat them seriously, and indeed, there is no fix available to IPFire users yet.
Thanks again for reporting.
Thanks, and best regards,
Peter Müller

Hi,
sure, you can use my name. I couldn't find a vulnerability and exploit for this version. I defined it as a 0-day until I shared it. I will not share the second part until Core 157 is released.
With my respects,
- Mücahit Saratar

https://patchwork.ipfire.org/project/ipfire/list/?series=2056 cleans up the dump of dangerous file permissions within /var/ipfire/ (and somewhere else, partially), but does not fully solve this vulnerability.
Michael is currently working on the latter.

Hi,
> i will not share second part until released core 157.
Thank you. We will let you know how things go in this bug. :-)
Thanks, and best regards,
Peter Müller
Created attachment 895 [details]
video of poc
Hi,
can I share only this video? Only the fetching of the binary from localhost is visible.
I requested a CVE number only for the RCE (didn't get any response). I didn't report the privilege escalation to them.
This video doesn't play for me.

Created attachment 896 [details]
video of poc2
Hi,
I converted it to mp4 and am trying to upload it again. I can play the first video on https://bugzilla.ipfire.org/attachment.cgi?id=895
With my respects,
- Mücahit Saratar

Thanks. This seems to be a problem with my browser. Both files play with VLC.

Just a quick update on this one: The patchset I mentioned earlier has been merged and is part of Core Update 157 (testing). Unfortunately, I failed to ship the changed backup CGI file properly, so the testing update as it is available today won't fix this issue. To do so, patch https://patchwork.ipfire.org/patch/4352/ is available. It has not been merged yet, but that is only a matter of time. After it has, I will set this bug to MODIFIED, and ON_QA later, as soon as a newly built version of Core Update 157 (testing) is available to our users.

These changes should now be included in the build. Could anybody except me (Mücahit, preferred, as he reported this vulnerability) please confirm that Core Update 157 fixes this?

For everybody's information: This bug has been assigned CVE-2021-33393. A Metasploit module ("exploit/linux/http/ipfire_pakfire_exec") is available at https://github.com/rapid7/metasploit-framework/pull/15239.
@Michael: Since Core Update 157 will be released within the next days, fixing this vulnerability, I guess we can/should make this bug public now.

(In reply to Peter Müller from comment #17)
> @Michael: Since Core Update 157 will be released within the next days,
> fixing this vulnerability, I guess we can/should make this bug public now.
Sorry, I forgot to do this.
Created attachment 894 [details]
report of vulnerability
We edit the packet file to "<packet file>;arbitrary os command". The command will run as nobody, and we can write to /var/ipfire/backup/bin/backup/backup.pl. When /usr/local/bin/backupctrl is run, /var/ipfire/backup/bin/backup/backup.pl will run. The suid bit of backupctrl is enabled. We change backup.pl to a malicious program, e.g. (setuid(0) && system("/bin/sh")), and we get the root shell.
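As an added defensive check (not code from this bug thread or from IPFire), the following POSIX shell audit rebuilds the permission chain described in the report under a constructed temporary directory and flags a helper script that a setuid binary would execute but which is group- or world-writable, or sits in a writable directory. It assumes GNU coreutils `stat -c` and that the audited files are owned by the uid the helper runs as (root on a real system; the current user in the constructed demo).

```sh
#!/bin/sh
# Added example (not IPFire's code): audit a script that a setuid binary
# executes. Assumes GNU coreutils `stat -c`.

# perms_check FILE OWNER_UID
# Returns 0 only if FILE exists, is owned by OWNER_UID and is neither
# group- nor world-writable; otherwise prints the reason to stderr.
perms_check() {
    f="$1"; want_uid="$2"
    [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    uid=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")
    perm=$(printf '%s' "$mode" | tail -c 3)      # owner/group/other digits
    grp=$(printf '%s' "$perm" | cut -c2)
    oth=$(printf '%s' "$perm" | cut -c3)
    if [ "$uid" -ne "$want_uid" ]; then
        echo "bad owner uid $uid, want $want_uid: $f" >&2; return 1
    fi
    if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
        echo "group/world writable (mode $mode): $f" >&2; return 1
    fi
    return 0
}

# audit_helper SCRIPT OWNER_UID
# A writable parent directory lets the script be replaced, so check it too.
audit_helper() {
    perms_check "$1" "$2" && perms_check "$(dirname "$1")" "$2"
}

# demo: rebuild the reported layout under a temp dir (constructed, not the
# real system) with backup.pl first world-writable, then hardened to 0755.
# Prints "<rc before> <rc after>"; expected "1 0".
demo() {
    tmp=$(mktemp -d)
    dir="$tmp/var/ipfire/backup/bin/backup"
    script="$dir/backup.pl"
    me=$(id -u)
    mkdir -p "$dir" && chmod 0755 "$dir"
    printf '#!/usr/bin/perl\n' > "$script"
    chmod 0777 "$script"                      # as reported: writable by nobody
    audit_helper "$script" "$me" && before=0 || before=1
    chmod 0755 "$script"                      # owner-only write, as a fix would leave it
    audit_helper "$script" "$me" && after=0 || after=1
    rm -rf "$tmp"
    echo "$before $after"
}

demo
```

On a real IPFire box the same functions would be run against the actual paths with owner uid 0; the patch series referenced above is what fixes the permissions in the shipped system.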