Allwinner legacy kernel: local privileges escalation to root (sun8i) #282

Closed
ThomasKaiser opened this Issue Apr 30, 2016 · 13 comments

ThomasKaiser commented Apr 30, 2016

Please have a look at http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390;

The file is still present in the newer sun8i BSP variant and I would assume sun7i and others are also affected?

Don't know how to deal with it.

ThomasKaiser commented Apr 30, 2016

Hmm... sun7i doesn't have it but sun8i is affected:

tk@bananapim3:~$ id
uid=1000(tk) gid=1000(tk) groups=1000(tk),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev)
tk@bananapim3:~$ echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug 
tk@bananapim3:~$ id
uid=0(root) gid=0(root) groups=0(root),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev),1000(tk)
zador-blood-stained commented Apr 30, 2016

I saw this on IRC yesterday. Even though this is more Local Privileges Escalation than a backdoor, IMO it should be disabled.

ThomasKaiser commented Apr 30, 2016

I agree that it should be disabled. Based on my understanding this privilege escalation combined with any other small bug might lead to a network enabled exploit (I would assume a php, nginx or apache process redirected to /proc/sunxi_debug/sunxi_debug could also become root this way?)

zador-blood-stained commented Apr 30, 2016

> I would assume a php, nginx or apache process redirected to /proc/sunxi_debug/sunxi_debug could also become root this way?

Yes, most likely.

Removing sunxi_debug.o from this line (and deleting file sunxi_debug.c) may be the simplest solution if it doesn't break compilation.
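
An added audit helper, not code from this issue or from the Armbian repository: it reports whether the running kernel exposes a writable /proc/sunxi_debug/sunxi_debug to the current user, and checks a kernel Makefile (its path is an assumption, passed by the caller) for a leftover sunxi_debug.o object so the removal described above can be verified after a rebuild.

```shell
#!/bin/sh
# Added example, not code from the Armbian issue or repository.
# Defender-side checks for the sunxi_debug proc interface discussed above.

# Return 0 when the debug node exists under the given proc root and is
# writable by the current user. Run as an unprivileged user for a meaningful
# answer; $1 defaults to /proc (another root is only useful for testing).
sunxi_debug_exposed() {
    procroot="${1:-/proc}"
    node="$procroot/sunxi_debug/sunxi_debug"
    [ -e "$node" ] || return 1
    [ -w "$node" ]
}

# Print how many non-comment lines of a kernel Makefile (path assumed, passed
# by the caller) still link sunxi_debug.o. Zero means the object was dropped
# as proposed in the thread. A missing file also yields 0.
sunxi_debug_objects() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -c 'sunxi_debug\.o' || true
}

# Combined audit: print findings and return 0 only when neither the running
# kernel nor the source tree exposes the interface.
sunxi_debug_audit() {
    procroot="$1"
    makefile="$2"
    status=0
    if sunxi_debug_exposed "$procroot"; then
        echo "EXPOSED: $procroot/sunxi_debug/sunxi_debug is writable by uid $(id -u)"
        status=1
    else
        echo "ok: no writable sunxi_debug node under $procroot"
    fi
    n=$(sunxi_debug_objects "$makefile")
    if [ "$n" -gt 0 ]; then
        echo "EXPOSED: $makefile still links sunxi_debug.o ($n line(s))"
        status=1
    else
        echo "ok: $makefile does not link sunxi_debug.o"
    fi
    return $status
}

# Usage on a board (Makefile path is a placeholder for the BSP tree you build):
#   sunxi_debug_audit /proc /path/to/kernel/source/Makefile
```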

ThomasKaiser commented Apr 30, 2016

Can you try it out? At least whether the build fails or not? My main build host is still busy doing other stuff and the 2nd host is also down (for yet unknown reasons -- too far away to look after it)

zador-blood-stained commented Apr 30, 2016

Build succeeds, so this should work

ThomasKaiser commented Apr 30, 2016

Could you also provide debs to be able to test? :-)

@ThomasKaiser ThomasKaiser changed the title from Allwinner legacy backdoor? to Allwinner legacy kernel: local privileges escalation to root (sun8i) Apr 30, 2016

ThomasKaiser commented Apr 30, 2016

Fix confirmed to work by 'original submitter' KotCzarny himself :) http://irclog.whitequark.org/linux-sunxi/2016-04-30#16321288

So please push the fix. And I hope Igor checks the download log and in case no one downloaded BPi M2+ 5.10 images we could simply re-release the M2+ image with fix included (otherwise we would have to increase the version number to 5.11 already if I understand correctly?)

zador-blood-stained commented Apr 30, 2016

It's in my repository already, so it's a matter of merging my branch into this.

kotc commented Apr 30, 2016

@ThomasKaiser : happy to help, thanks for quick response!

ThomasKaiser commented Apr 30, 2016

@kotc: Thx for bringing this to our attention. Since we're rolling out a new major release this weekend this was almost perfectly timed. I also thought about fixing the issue for all of the many loboris images out there (already cloned his kernel repo since he didn't maintain it for maybe half a year) but thought again about it. Users better switch to Armbian instead :)

igorpecovnik commented Apr 30, 2016

Bugs and problems usually arise when I travel :) No downloads, so we can stay on 5.10, but I guess we will have an update to 5.11 in any case very soon since it's almost impossible to bring such an update without any more or less serious problem.

Merged, so closing.
