Tiny Core Linux
Tiny Core Base => TCB Bugs => Topic started by: ewindisch on February 09, 2015, 02:27:45 PM
-
Busybox modprobe allows loading arbitrary modules. This may be triggered via syscalls that load modules automatically based on /proc/sys/kernel/modprobe.
See this:
http://www.openwall.com/lists/oss-security/2015/01/26/1
-
I would be curious where in tc ifconfig or mount gets run with user-defined content, or are there other ways to exploit this?
-
syscalls that load modules automatically based on /proc/sys/kernel/modprobe.
Can you elaborate about those syscalls? I fail to understand. Sorry.
-
A PoC for userland module loading is provided here: https://lkml.org/lkml/2013/3/4/70
The above issue in CryptoAPI has been fixed, but with a vulnerable busybox, modprobe will load arbitrary modules.
-
Well, modprobe doesn't point to a suid busybox here, so it would still rely on cryptoAPI or another helper being "broken", right?
-
Yes, the kernel or a userland application must in some way facilitate this; however, the fact is that the kernel *does* facilitate this, as in the CryptoAPI example. The kernel may under certain circumstances call (as root) the binary pointed to by /proc/sys/kernel/modprobe, which on TC is busybox's modprobe.
-
uuuhh, it's true, I wasn't sure if the crypto api is used or not.
trying it out with that POC is straightforward.
we are affected :(
-
Can you test 6.1rc1, as it has updated busybox?
-
I've upgraded my boot files, have yet to reboot. But it really is trivial to test. Do rmmod ac; lsmod|grep ac; then run the compiled POC with ac as argument; lsmod|grep ac will show ac got loaded.
-
True, but I'm not on TC at the moment.
-
yep, rc is still vulnerable with new busybox.
-
Oh, so then there is no busybox release with the fix...
-
I suppose I should note that the Crypto API had its *own* vulnerability recently fixed in the kernel. It's possible TC is vulnerable to that still. The vuln exploited by that PoC exploit was never fixed upstream until around December 2014...
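-
Added example, not part of the thread and not Tiny Core's own tooling: a POSIX shell check for the condition discussed above. It reports whether the helper named in /proc/sys/kernel/modprobe resolves to busybox and whether module loading is locked through /proc/sys/kernel/modules_disabled. The function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the kernel's module autoload helper.
# Every function takes an optional root prefix (an assumption of this example)
# so the check can run against a constructed tree; empty means the live system.

# Print the helper path the kernel executes for automatic module loading.
modprobe_helper() {
    cat "${1:-}/proc/sys/kernel/modprobe" 2>/dev/null || true
}

# Follow symlinks by hand, staying inside the root prefix; print the final path.
resolve_in_root() {
    root=$1 path=$2 hops=0
    while [ -L "$root$path" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;                      # absolute link target
            *)  path=$(dirname "$path")/$target ;;   # relative link target
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$path"
}

# Print one of: disabled | no-helper | busybox | other
audit_modprobe() {
    root=${1:-}
    # modules_disabled=1 blocks all further module loading until reboot.
    if [ "$(cat "$root/proc/sys/kernel/modules_disabled" 2>/dev/null)" = "1" ]; then
        echo disabled; return 0
    fi
    helper=$(modprobe_helper "$root")
    [ -n "$helper" ] || { echo no-helper; return 0; }
    real=$(resolve_in_root "$root" "$helper")
    [ -x "$root$real" ] || { echo no-helper; return 0; }
    case $(basename "$real") in
        busybox*) echo busybox ;;   # helper is a busybox applet: review it
        *)        echo other ;;
    esac
}
```

Source the file and call `audit_modprobe` with no argument to check the running system; a result of `busybox` means the kernel's autoload path ends in the busybox modprobe applet the thread is about.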