Author Topic: TC busybox vulnerable CVE-2014-9645 (Read 4095 times)

ewindisch · « **on:** February 09, 2015, 11:27:45 AM »

Busybox modprobe allows loading arbitrary modules. This may be triggered via syscalls that load modules automatically based on /proc/sys/kernel/modprobe.

See this:
http://www.openwall.com/lists/oss-security/2015/01/26/1

hiro · « **Reply #1 on:** February 09, 2015, 02:01:22 PM »

I would be curious where in tc ifconfig or mount gets run with user-defined content, or are there other ways to exploit this?

hiro · « **Reply #2 on:** February 09, 2015, 02:02:59 PM »

Quote from: ewindisch on February 09, 2015, 11:27:45 AM

syscalls that load modules automatically based on /proc/sys/kernel/modprobe.

Can you elaborate about those syscalls? I fail to understand. Sorry.

ewindisch · « **Reply #3 on:** February 09, 2015, 03:01:33 PM »

A PoC for userland module loading is provided here: https://lkml.org/lkml/2013/3/4/70

The above issue in CryptoAPI has been fixed, but with a vulnerable busybox modprobe will load arbitrary module modules.

hiro · « **Reply #4 on:** February 09, 2015, 03:14:48 PM »

well modprobe doesn't point to a suid busybox here, so it would still relies on cryptoAPI or other helper being "broken", right?

ewindisch · « **Reply #5 on:** February 09, 2015, 04:02:06 PM »

Yes, the kernel or a userland application must in some way facilitate this; However, the fact is that the kernel *does* facilitate this as in the CryptoAPI example. The kernel may under certain circumstances call (as root) the binary pointed to by /proc/sys/kernel/modprobe, which on TC is busybox's modprobe.

hiro · « **Reply #6 on:** February 09, 2015, 04:19:26 PM »

uuuhh, it's true, I wasn't sure if the crypto api is used or not.
trying it out with that POC is straightforward.
we are affected

curaga · « **Reply #7 on:** February 10, 2015, 11:02:33 AM »

Can you test 6.1rc1, as it has updated busybox?

hiro · « **Reply #8 on:** February 10, 2015, 11:14:18 AM »

I've upgraded my boot files, have yet to reboot. But it really is trivial to test. Do rmmod ac; lsmod|grep ac; then run the compiled POC with ac as argument; lsmod|grep ac will show ac got loaded.

curaga · « **Reply #9 on:** February 10, 2015, 11:28:07 AM »

True, but I'm not on TC at the moment.

hiro · « **Reply #10 on:** February 10, 2015, 12:30:17 PM »

yep, rc is still vulnerable with new busybox.

curaga · « **Reply #11 on:** February 10, 2015, 01:35:37 PM »

Oh, so then there is no busybox release with the fix...

ewindisch · « **Reply #12 on:** February 13, 2015, 01:45:47 PM »

I suppose I should note that the Crypto API had its *own* vulnerability recently fixed in the kernel. It's possible TC is vulnerable to that still. The vuln exploited by that PoC exploit was never fixed upstream until around December 2014...

Tiny Core Linux

News:

Author Topic: TC busybox vulnerable CVE-2014-9645 (Read 4095 times)

ewindisch

TC busybox vulnerable CVE-2014-9645

hiro

Re: TC busybox vulnerable CVE-2014-9645

hiro

Re: TC busybox vulnerable CVE-2014-9645

ewindisch

Re: TC busybox vulnerable CVE-2014-9645

hiro

Re: TC busybox vulnerable CVE-2014-9645

ewindisch

Re: TC busybox vulnerable CVE-2014-9645

hiro

Re: TC busybox vulnerable CVE-2014-9645

curaga

Re: TC busybox vulnerable CVE-2014-9645

hiro

Re: TC busybox vulnerable CVE-2014-9645

curaga

Re: TC busybox vulnerable CVE-2014-9645

hiro

Re: TC busybox vulnerable CVE-2014-9645

curaga

Re: TC busybox vulnerable CVE-2014-9645

ewindisch

Re: TC busybox vulnerable CVE-2014-9645