Raspberry Pi Firmware Updater File Clobber

04 Mar 2013 00:00:00, reported by Technion
Type: packetstorm
Source: packetstormsecurity.com

Raspberry Pi Firmware Updater Vulnerability, File Clobber, Insecure tmp Handling, SSL Vulnerability

Raspberry Pi Firmware Updater Vulnerability  
  
Application:  
https://github.com/Hexxeh/rpi-update/  
  
Version Tested:  
Github source as of 10ad1e975a (10th Feb commit)  
  
Vulnerability #1:  
A malicious user can clobber any file due to insecure tmp file handling.   
  
Example:  
  
Any unprivileged user can create the following symlink, either from   
a shell account, or by malicious web content such as PHP scripts.  
pi@raspberrypi ~ $ ln -s /etc/passwd /tmp/updateScript.sh  
  
Once in place, the symlink waits for the administrator to run an update:  
pi@raspberrypi ~ $ sudo rpi-update  
...  
pi@raspberrypi ~ $ cat /etc/passwd  
#!/bin/bash  
if mv "./testfile.sh.tmp" "./testfile.sh"; then  
rm -- "$0"  
exec env UPDATE_SELF=0 /bin/bash "./testfile.sh" ""  
else  
echo " !!! Failed!"  
fi  
  
At this point the Pi is quite unusable, because the password database has been overwritten.  
Note that the attacker cannot customise the content, for example to set up  
a UID 0 account.  
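As an added example that is not code from rpi-update or from the advisory, the fixed-path write that Vulnerability #1 describes is shown next to a hardened variant built on mktemp, together with the pre-write check a script author would want; the function names, the sandbox paths and the "updater stub" contents are constructed for illustration.

```shell
#!/bin/bash
# Added example, not code from rpi-update or the advisory. Shows the fixed-path
# write the advisory describes beside a hardened variant; run it in a sandbox.

# Unsafe pattern: writing to a fixed name in a shared directory. The shell's
# `>` follows an existing symlink, so a planted link redirects the write.
unsafe_write_update_script() {
    local fixed_path="$1"            # e.g. /tmp/updateScript.sh in the advisory
    cat > "$fixed_path" <<'EOF'
#!/bin/bash
echo "updater stub"
EOF
}

# Pre-write check for any path in a shared directory: fail if something is
# already there, symlink or not (a symlink to a missing target still matters).
check_no_preexisting() {
    local p="$1"
    if [ -L "$p" ] || [ -e "$p" ]; then
        return 1
    fi
    return 0
}

# Hardened variant: mktemp creates a private 0700 directory and an
# unpredictable 0600 file opened with O_EXCL, so there is no name to pre-plant.
# Prints the script path; the caller removes the directory after use.
safe_write_update_script() {
    local workdir script
    workdir="$(mktemp -d)" || return 1
    script="$(mktemp "$workdir/updateScript.XXXXXX")" || return 1
    cat > "$script" <<'EOF'
#!/bin/bash
echo "updater stub"
EOF
    printf '%s\n' "$script"
}
```

The check alone is not a complete fix, since a link can be planted between the test and the write; the mktemp variant closes that window by never using a predictable name.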
  
Vulnerability #2:  
The installation recommends the following command:  
sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update  
  
Although the self-update functionality uses SSL to protect the integrity of the download, the installation process uses a URL-shortening service without SSL to download the bash script, which the user is then encouraged to run as root.  
  
Fix and Vendor Response  
A pull request detailing exploit #1 and including a simple patch was submitted February 6th. The patch has not yet been accepted.  
  
Workaround  
When rpi-update is run with the self-update feature disabled, the affected code is not executed. Example:  
sudo UPDATE_SELF=0 rpi-update  
  
If you would like to update the application manually, or perform an initial installation safely, use the following commands:  
wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update  
sudo cp rpi-update /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update  
  
Note that applying the patch in my pull request will not be a complete solution, as it will be reverted after the first automatic update.  
  
