CVE-2024-25817
- Author
- Name: CuB3y0nd
- GitHub: @CuB3y0nd
0x01 Summary
eza[1] has a heap-overflow vulnerability on the Ubuntu for Raspberry Pi series of systems (the ubuntu-raspi kernel is required) that is triggered by a particular .git directory.
0x02 Details
The vulnerability appears to be triggered by the .git directory of some projects. The issue seems tied to specific files, and the directory structure also plays a role in triggering it. Files and folders likely involved include .git/HEAD, .git/refs, and .git/objects.
0x03 PoC I - If you have a bare-metal Raspberry Pi 4B
Install any of the Ubuntu for Raspberry Pi series systems on the bare-metal machine.
1x01 Tested platform info
Configuration of the Raspberry Pi 4B bare-metal machine:
eza version: v0.17.3 [+git]
Linux lux 5.15.0-1045-raspi #48-Ubuntu SMP PREEMPT Tue Jan 16 13:24:44 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Important
So far I have only tested Ubuntu 22.04.3 LTS Server and confirmed that this vulnerability exists. I haven't tested other systems or Raspberry Pi models yet.
1x02 .git directory that can trigger this vulnerability
Refer to the .git directory from umami.
1x03 Steps
Install eza on the Raspberry Pi; the process is described in the official wiki.
Clone the repository that contains the specific .git folder that triggers this vulnerability.
git clone https://github.com/umami-software/umami.git
You can move the .git directory somewhere else for easier testing.
mkdir suspicious && mv umami/.git suspicious && rm -rf umami
Then running the following command triggers the vulnerability (if you moved the .git directory into suspicious as above, the umami directory no longer exists, so point eza at suspicious instead):
eza -l --git umami
Note
The picture shows my test environment. In actual testing, the vulnerability can be triggered just by running the above command.
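As an added example (not the advisory's own script), the PoC I steps as one script that also records how eza terminated. A heap overflow normally ends with the process being killed by a signal (SIGSEGV, or SIGABRT from the allocator), which the shell reports as exit status 128 + signal number; a normal exit with status 0 means the trigger did not fire on this build. The script runs eza on the fresh clone directly, skipping the optional move step, and assumes git, eza and network access are available.

```shell
#!/bin/sh
# Added example, not from the advisory: reproduce PoC I and classify eza's exit.

# Run a command with its output discarded and print "signal:<n>" if it was killed
# by a signal (shell exit status 128 + n) or "exit:<code>" if it exited normally.
# The && / || form keeps a failing command from aborting a script run under set -e.
classify_exit() {
    "$@" >/dev/null 2>&1 && rc=0 || rc=$?
    if [ "$rc" -gt 128 ]; then
        echo "signal:$((rc - 128))"
    else
        echo "exit:$rc"
    fi
}

# The PoC I steps: clone umami (whose .git directory is the trigger) and run
# eza -l --git against the clone. Prints the classification of eza's exit.
reproduce_poc1() {
    workdir=$(mktemp -d) || return 2
    git clone --quiet https://github.com/umami-software/umami.git "$workdir/umami" || return 2
    classify_exit eza -l --git "$workdir/umami"
    rm -rf "$workdir"
}

# Usage: sh reproduce.sh --run   (hypothetical file name)
if [ "${1:-}" = "--run" ]; then
    reproduce_poc1
fi
```

A result of signal:11 (SIGSEGV) or signal:6 (SIGABRT) is the crash the advisory describes; exit:0 means the installed eza build did not trip on this .git directory.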
0x04 PoC II - Emulate Raspberry Pi via Qemu
1x01 Prerequisites
- QEMU 5.1+
- Ubuntu for Raspberry Pi image file[2]
- Relevant kernel boot files
- Relevant Device Tree Blob files
1x02 Step-by-step guide to extract the kernel boot files from the image file
Mount the image file.
sudo mkdir /mnt/rpi
sudo losetup -f --show -P <path-to-ubuntu-raspi-image-file>
sudo mount /dev/loop<no>p1 /mnt/rpi
Copy the kernel boot file and all dtb files to a local directory.
mkdir kernel
cp /mnt/rpi/vmlinuz kernel
cp /mnt/rpi/*.dtb kernel
Unmount the image file.
sudo umount /mnt/rpi
sudo losetup -d /dev/loop<no>
1x03 Resize the SD card image
qemu-img resize <path-to-ubuntu-raspi-image-file> 8G
1x04 Command to emulate
You can save this command in a start.sh shell script.
qemu-system-aarch64 \
-M raspi3b \
-append "rw earlyprintk root=/dev/mmcblk0p2 rootdelay=1 dwc_otg.lpm_enable=0 rootfstype=ext4 loglevel=8 console=ttyAMA0,115200" \
-dtb ./kernel/bcm2710-rpi-3-b.dtb \
-kernel ./kernel/vmlinuz \
-sd "<path-to-ubuntu-raspi-image-file>" \
-smp 4 \
-m 1G \
-device usb-mouse \
-device usb-kbd \
-net "user,hostfwd=tcp::5022-:22" \
-no-reboot \
-serial stdio
Tip
Change the Raspberry Pi model to emulate by adjusting the -dtb parameter; the -dtb file must match the -M parameter. Available -M values can be listed with qemu-system-aarch64 -machine help | grep raspi. At the time of writing QEMU did not officially support emulating the Raspberry Pi 4/5; check that listing on your own QEMU version rather than assuming a board is or is not available, since support changes between releases.
Continue the reproduction by following the steps in PoC I.
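As an added example (not part of the advisory), the PoC II preparation as one script: it attaches the image to a loop device, mounts the boot partition read-only, copies the kernel and DTB files, detaches the loop device even if a step fails, resizes the image and launches QEMU with the command above. It assumes the image path is passed as the first argument and that sudo is available; the file name and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory: prepare and launch the QEMU raspi3b guest.
set -eu

# Build the partition node name for a block device. Devices whose name ends in a
# digit (loop0, mmcblk0, nvme0n1) take a "p" separator: /dev/loop0 -> /dev/loop0p1,
# while /dev/sda -> /dev/sda1. This is the rule behind root=/dev/mmcblk0p2 above.
part_dev() {
    dev=$1; num=$2
    case "$dev" in
        *[0-9]) printf '%sp%s\n' "$dev" "$num" ;;
        *)      printf '%s%s\n' "$dev" "$num" ;;
    esac
}

# Copy vmlinuz and all *.dtb files from the image's boot partition into $out.
extract_boot_files() {
    img=$1; out=${2:-kernel}
    loop=$(sudo losetup -f --show -P "$img")
    mnt=$(mktemp -d)
    # Always unmount and detach, even if a later step fails under set -e.
    trap 'sudo umount "$mnt" 2>/dev/null || true; sudo losetup -d "$loop"; rmdir "$mnt"' EXIT
    sudo mount -o ro "$(part_dev "$loop" 1)" "$mnt"
    mkdir -p "$out"
    cp "$mnt/vmlinuz" "$mnt"/*.dtb "$out/"
    sudo umount "$mnt"
    sudo losetup -d "$loop"
    rmdir "$mnt"
    trap - EXIT
}

# Grow the SD card image so the guest has room to install eza and clone umami.
resize_image() {
    qemu-img resize "$1" 8G
}

# The launch command from the advisory; -dtb must match -M.
run_qemu() {
    img=$1; kdir=${2:-kernel}
    qemu-system-aarch64 \
      -M raspi3b \
      -append "rw earlyprintk root=/dev/mmcblk0p2 rootdelay=1 dwc_otg.lpm_enable=0 rootfstype=ext4 loglevel=8 console=ttyAMA0,115200" \
      -dtb "$kdir/bcm2710-rpi-3-b.dtb" \
      -kernel "$kdir/vmlinuz" \
      -sd "$img" \
      -smp 4 -m 1G \
      -device usb-mouse -device usb-kbd \
      -net "user,hostfwd=tcp::5022-:22" \
      -no-reboot -serial stdio
}

# Usage: sh start.sh <path-to-ubuntu-raspi-image-file>
if [ "${1:-}" ]; then
    extract_boot_files "$1"
    resize_image "$1"
    run_qemu "$1"
fi
```

Once the guest is up, ssh to port 5022 on the host and carry out the PoC I steps inside it.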
0x05 Impact
Arbitrary code execution.
0x06 Severity using CVSS
Severity: High 8.4
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0x07 Weaknesses
- Heap-based Buffer Overflow (CWE-122)
- Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
- Missing Release of Memory after Effective Lifetime (CWE-401)
- Improper Resource Shutdown or Release (CWE-404)
- Improper Initialization (CWE-665)
0x08 GitHub Advisories
- GitHub Advisories[3]
0x09 NVD
- National Vulnerability Database[4]