Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170629093354.GA4211@sisay.ephaone.org>
Date: Thu, 29 Jun 2017 11:33:54 +0200
From: Michael Scherer <misc@...b.org>
To: oss-security@...ts.openwall.com
Subject: rkhunter: [CVE-2017-7480] Potential RCE after MiTM due to clear
 text download without signature

Hi,

while evaluating various security solutions, I looked at
rkhunter, and found that it do download by default various
files over http and parse them with bash:


For example, it download mirrors.dat over http, using no signature and
just a version verification that can be faked:

# cat /var/lib/rkhunter/db/mirrors.dat
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=http://rkhunter.sourceforge.net

So I will assume that a attacker can inject a file with MITM without
much problem.

And it turn out that since rkhunter is in bash, it parse the file as
bash.

So adding something like:

mirror=$(sleep 455)

in the file result into "rkhunter --update" doing this:

\_ /bin/sh /usr/bin/rkhunter --update
\_ /bin/sh /usr/bin/rkhunter --update
\_ sleep 455

It also :nd on a few packages (if not all), rkhunter --update is run by cron,
as root, so without much limitation.

Upstream have been warned 2 months ago, and I also did warned
RH product security, who assigned CVE-2017-7480  to it.

Unfortunaly, half of the upstream developpers seems to have disappeared and the
software is in maintenance mode, so no fix is avaliable yet, except "turn off
mirror update". Upstream told me to publish it, but I didn't found time earlier.


-- 
Michael Scherer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.