Message-ID: <20170629093354.GA4211@sisay.ephaone.org>
Date: Thu, 29 Jun 2017 11:33:54 +0200
From: Michael Scherer <misc@...b.org>
To: oss-security@...ts.openwall.com
Subject: rkhunter: [CVE-2017-7480] Potential RCE after MiTM due to clear
 text download without signature

Hi,

while evaluating various security solutions, I looked at
rkhunter, and found that it downloads various files over http
by default and parses them with bash:


For example, it downloads mirrors.dat over http, using no signature and
just a version verification that can be faked:

# cat /var/lib/rkhunter/db/mirrors.dat
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=http://rkhunter.sourceforge.net

So I will assume that an attacker can inject a file with MITM without
much problem.

And it turns out that since rkhunter is in bash, it parses the file as
bash.

So adding something like:

mirror=$(sleep 455)

in the file results in "rkhunter --update" doing this:

\_ /bin/sh /usr/bin/rkhunter --update
\_ /bin/sh /usr/bin/rkhunter --update
\_ sleep 455

Also, on a few packages (if not all), rkhunter --update is run by cron,
as root, so without much limitation.

Upstream was warned 2 months ago, and I also warned
RH product security, who assigned CVE-2017-7480 to it.

Unfortunately, half of the upstream developers seem to have disappeared and the
software is in maintenance mode, so no fix is available yet, except "turn off
mirror update". Upstream told me to publish it, but I didn't find time earlier.


-- 
Michael Scherer
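
Added example, not part of the original message and not rkhunter code: a POSIX sh check that reads a mirrors.dat-style file strictly as data, so a line such as the `mirror=$(sleep 455)` shown above is rejected instead of expanded. The function name `check_mirrors_file` and the allowed character set are assumptions; the check covers only the parsing half of the issue and does not replace a signature on the download.

```shell
#!/bin/sh
# Added example (hypothetical helper, not rkhunter code).
# Treat a mirrors.dat-style file strictly as data: read each line literally,
# match it against an allow-list, and never eval/source/expand its contents.
# Prints accepted mirror URLs on stdout; returns 1 if any line is rejected.
check_mirrors_file() {
    file=$1 rc=0 seen_version=0
    # read -r keeps backslashes literal; "|| [ -n ... ]" handles a missing final newline
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '' | '#'*) ;;                       # blank line or comment
            Version:*)
                case ${line#Version:} in
                    '' | *[!0-9]*) rc=1; printf 'reject: %s\n' "$line" >&2 ;;
                    *) seen_version=1 ;;
                esac ;;
            mirror=*)
                url=${line#mirror=}
                # Any character outside the URL-safe set fails first, which
                # covers shell metacharacters such as $ ( ) ; and spaces.
                case $url in
                    *[!A-Za-z0-9._~:/%-]*) rc=1; printf 'reject: %s\n' "$line" >&2 ;;
                    http://?* | https://?*) printf '%s\n' "$url" ;;
                    *) rc=1; printf 'reject: %s\n' "$line" >&2 ;;
                esac ;;
            *) rc=1; printf 'reject: %s\n' "$line" >&2 ;;
        esac
    done < "$file"
    [ "$seen_version" -eq 1 ] || rc=1           # a Version line is mandatory
    return "$rc"
}

# Constructed sample: two lines as shown in the post plus the injected line it describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=$(sleep 455)
EOF
check_mirrors_file "$sample" || echo "mirrors.dat rejected; keep the previous copy"
rm -f "$sample"
```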
