Date: Thu, 29 Jun 2017 11:33:54 +0200 From: Michael Scherer <misc@...b.org> To: oss-security@...ts.openwall.com Subject: rkhunter: [CVE-2017-7480] Potential RCE after MiTM due to clear text download without signature Hi, while evaluating various security solutions, I looked at rkhunter, and found that it do download by default various files over http and parse them with bash: For example, it download mirrors.dat over http, using no signature and just a version verification that can be faked: # cat /var/lib/rkhunter/db/mirrors.dat Version:2007060601 mirror=http://rkhunter.sourceforge.net mirror=http://rkhunter.sourceforge.net So I will assume that a attacker can inject a file with MITM without much problem. And it turn out that since rkhunter is in bash, it parse the file as bash. So adding something like: mirror=$(sleep 455) in the file result into "rkhunter --update" doing this: \_ /bin/sh /usr/bin/rkhunter --update \_ /bin/sh /usr/bin/rkhunter --update \_ sleep 455 It also :nd on a few packages (if not all), rkhunter --update is run by cron, as root, so without much limitation. Upstream have been warned 2 months ago, and I also did warned RH product security, who assigned CVE-2017-7480 to it. Unfortunaly, half of the upstream developpers seems to have disappeared and the software is in maintenance mode, so no fix is avaliable yet, except "turn off mirror update". Upstream told me to publish it, but I didn't found time earlier. -- Michael Scherer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.