Bug 12619 - /usr/local/bin/backupctrl allows privilege escalation due to executing /var/ipfire/backup/bin/backup/backup.pl, which is writeable by "nobody"
Summary: /usr/local/bin/backupctrl allows privilege escalation due to executing /var/i...
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: all All
Importance: Will affect all users, Security
Assignee: Michael Tremer
QA Contact:
URL:
Keywords: Security
Depends on:
Blocks:
 
Reported: 2021-05-16 19:40 UTC by Mücahit Saratar
Modified: 2021-06-28 18:01 UTC (History)

See Also:


Attachments
report of vulnerability (2.24 KB, text/markdown)
2021-05-16 19:40 UTC, Mücahit Saratar
video of poc (196.99 KB, video/webm)
2021-05-17 21:18 UTC, Mücahit Saratar
video of poc2 (3.52 MB, video/mp4)
2021-05-18 11:58 UTC, Mücahit Saratar

Description Mücahit Saratar 2021-05-16 19:40:31 UTC
Created attachment 894
report of vulnerability

We edit the packet file to "<packet file>;arbitrary os command". The command will run as nobody, and we can write to /var/ipfire/backup/bin/backup/backup.pl. When /usr/local/bin/backupctrl is run, /var/ipfire/backup/bin/backup/backup.pl will run. The suid bit of backupctrl is enabled. We change backup.pl to a malicious program, e.g. (setuid(0) && system("/bin/sh")), and we drop into a root shell.
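The condition the report describes is a setuid wrapper executing a script that an unprivileged account can modify. The following audit check is an added example (not part of the report or of IPFire's own code) that flags exactly that: it walks the executed script and every directory above it, reporting anything writable by group or others, owned by an untrusted uid, or replaced by a symlink, and only does so when the wrapper actually carries the setuid bit. The `stop_at` parameter and the function names are assumptions of this example.

```python
import os
import stat
from pathlib import Path

# Paths named in the report: the setuid wrapper and the Perl script it executes.
BACKUPCTRL = "/usr/local/bin/backupctrl"
BACKUP_PL = "/var/ipfire/backup/bin/backup/backup.pl"


def unsafe_modes(path, trusted_uids=(0,), stop_at="/"):
    """Check `path` and every directory above it up to `stop_at` (inclusive).

    Returns a list of (path, reason) findings. An empty list means no one
    except a trusted owner can alter what a privileged caller will execute.
    """
    findings = []
    node = Path(os.path.abspath(path))
    stop = Path(os.path.abspath(stop_at))
    chain = [node] + [a for a in node.parents if a == stop or stop in a.parents]
    for n in chain:
        st = n.lstat()  # lstat: a symlink anywhere in the chain is itself a finding
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(n), "is a symlink"))
        if st.st_uid not in trusted_uids:
            findings.append((str(n), "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((str(n), "world-writable"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((str(n), "group-writable"))
    return findings


def setuid_target_findings(binary, target, **kwargs):
    """Return findings for `target` only if `binary` is setuid, i.e. only when
    running it crosses a privilege boundary; otherwise return []."""
    if not os.stat(binary).st_mode & stat.S_ISUID:
        return []
    return unsafe_modes(target, **kwargs)


if __name__ == "__main__":
    # On an IPFire host: audit the script backupctrl runs, stopping at /var/ipfire.
    if os.path.exists(BACKUPCTRL) and os.path.exists(BACKUP_PL):
        for p, why in setuid_target_findings(BACKUPCTRL, BACKUP_PL, stop_at="/var/ipfire"):
            print("%s: %s" % (p, why))
```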
Comment 1 Peter Müller 2021-05-16 19:48:30 UTC
Hi,

thanks for getting in touch.

The first part of your exploit chain ("Authenticated RCE via pakfire.cgi system call") is already filed in #12616 and will be discussed there.

Thank you for providing the second part, which I am currently skimming through.

I will comment on this further as soon as this bug has been marked private.

Thanks, and best regards,
Peter Müller
Comment 2 Mücahit Saratar 2021-05-16 20:04:42 UTC
Hi mr. Peter,

How much time will you give me before publishing the second part?
And this is a 0-day, right?
Thanks.

with my respects,
- Mücahit Saratar
Comment 3 Peter Müller 2021-05-16 20:13:14 UTC
Hi,

> how much time you give me to make publish second part?

well, you already made the authenticated RCE via pakfire.cgi public.

Would you please hold back the second part of your exploit chain until we have released Core Update 157, so we can offer a fixed version to IPFire users first?

Unless you oppose, we'd mention those vulnerabilities and your name on the release notes of Core Update 157. After the release, both this and bug #12616 will be made public again, so everything is transparent to our community.

> and this is 0-day, right?

Given the definition in https://en.wikipedia.org/wiki/Zero-day_(computing):

> A zero-day (also known as 0-day) is a computer-software vulnerability unknown to those who should be interested in its mitigation (including the vendor of the target software).

Since we are now aware of those vulnerabilities, I guess they are not _exactly_ 0-days anymore. :-) However, we will treat them seriously, and indeed, there is no fix available to IPFire users, yet.

Thanks again for reporting.

Thanks, and best regards,
Peter Müller
Comment 4 Mücahit Saratar 2021-05-16 20:24:26 UTC
Hi,

Sure, you can use my name.
I couldn't find a vulnerability and exploit for this version. I defined it as a 0-day until I shared it.
I will not share the second part until Core 157 is released.

with my respects
- Mücahit Saratar
Comment 5 Peter Müller 2021-05-17 19:16:21 UTC
https://patchwork.ipfire.org/project/ipfire/list/?series=2056 cleans up the dump of dangerous file permissions within /var/ipfire/ (and somewhere else, partially), but does not fully solve this vulnerability.

Michael is currently working on the latter.
Comment 6 Peter Müller 2021-05-17 19:17:02 UTC
Hi,

> i will not share second part until released core 157.

Thank you. We will let you know how things go in this bug. :-)

Thanks, and best regards,
Peter Müller
Comment 7 Mücahit Saratar 2021-05-17 21:18:43 UTC
Created attachment 895
video of poc

Hi, 

Can I share only this video? It shows just the fetching of the binary from localhost.
I requested a CVE number only for the RCE (didn't get any response). I didn't report the privilege escalation to them.
Comment 8 Michael Tremer 2021-05-18 08:53:58 UTC
This video doesn't play for me.
Comment 9 Mücahit Saratar 2021-05-18 11:58:15 UTC
Created attachment 896
video of poc2

Hi,

I converted it to mp4 and am trying to upload it again. I can play the first video on https://bugzilla.ipfire.org/attachment.cgi?id=895

with my respects
- Mücahit Saratar
Comment 10 Michael Tremer 2021-05-18 12:00:18 UTC
Thanks. This seems to be a problem with my browser. Both files play with VLC.
Comment 11 Peter Müller 2021-05-22 11:01:58 UTC
Just a quick update on this one: The patchset I mentioned earlier has been merged and is part of Core Update 157 (testing). Unfortunately, I failed to ship the changed backup CGI file properly, so the testing update as it is available today won't fix this issue.

To do so, patch https://patchwork.ipfire.org/patch/4352/ is available. It has not been merged, yet, but that is only a matter of time.

After it has, I will set this bug to MODIFIED, and ON_QA later, as soon as a newly built version of Core Update 157 (testing) is available to our users.
Comment 12 Michael Tremer 2021-05-25 10:28:07 UTC
These changes should now be included in the build.
Comment 15 Peter Müller 2021-05-25 19:59:09 UTC
Could anybody except me (Mücahit, preferred, as he reported this vulnerability) please confirm that Core Update 157 fixes this?
Comment 16 Peter Müller 2021-06-20 11:02:07 UTC
For everybody's information: This bug has been assigned CVE-2021-33393. A Metasploit module ("exploit/linux/http/ipfire_pakfire_exec") is available at https://github.com/rapid7/metasploit-framework/pull/15239.
Comment 17 Peter Müller 2021-06-20 11:02:49 UTC
@Michael: Since Core Update 157 will be released within the next days, fixing this vulnerability, I guess we can/should make this bug public now.
Comment 19 Michael Tremer 2021-06-28 18:01:16 UTC
(In reply to Peter Müller from comment #17)
> @Michael: Since Core Update 157 will be released within the next days,
> fixing this vulnerability, I guess we can/should make this bug public now.

Sorry, I forgot to do this.