Published on

CVE-2024-25817

Author

0x01 Summary

eza 1 has a heap overflow vulnerability on the Ubuntu for Raspberry Pi series of systems (it must be the ubuntu-raspi kernel) when handling a special .git directory.

0x02 Details

The vulnerability seems to be triggered by the .git directory of some projects. The issue may depend on specific files, and the directory structure also plays a role in triggering it. Files and folders that may be involved include .git/HEAD, .git/refs, and .git/objects.

0x03 PoC I - If you have a Raspberry Pi 4B bare-metal machine

You just need to install any of the Ubuntu for Raspberry Pi series systems on your bare-metal machine.

1x01 Tested platform info

Configuration of the Raspberry Pi 4B bare-metal machine:

eza version: v0.17.3 [+git]

Linux lux 5.15.0-1045-raspi #48-Ubuntu SMP PREEMPT Tue Jan 16 13:24:44 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux

PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Important

So far I have only tested the Ubuntu 22.04.3 LTS Server and confirmed that this vulnerability exists. I haven’t tested other System/Raspberry Pi yet.

1x02 The .git directory that can trigger this vulnerability

Refer to the .git directory from umami.

1x03 Steps

Install eza on the Raspberry Pi; the process is described in the official wiki.

Clone the repository that contains the specific .git folder that can trigger this vulnerability.

git clone https://github.com/umami-software/umami.git

You can move the .git directory to a new place for easier testing.

mkdir suspicious && mv umami/.git suspicious && rm -rf umami

Then, executing the following command against the directory that holds the .git folder (umami, or suspicious if you moved it) will trigger the vulnerability.

eza -l --git umami
(screenshot: overflow)

Note

The picture shows my test environment. In actual testing, the vulnerability can be triggered by just using the above command.
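To make the trigger step above repeatable (for example as a regression check after updating eza), the following small triage harness, added here and not part of the original advisory, runs the same `eza -l --git` command and classifies how the process terminated. It assumes eza is on PATH and that the directory passed in contains the cloned .git folder.

```shell
#!/bin/sh
# Added example, not from the advisory or the eza project: run the PoC I
# trigger and classify the exit so a memory-safety crash is distinguished from
# an ordinary failure. Assumes eza is on PATH; $1 is the directory under test.

# Map an exit status to a verdict. A POSIX shell reports a process killed by
# signal N as 128+N, so 134 = SIGABRT and 139 = SIGSEGV. eza is written in
# Rust, and a plain Rust panic exits with 101: a bug, but not memory corruption.
classify_status() {
  case "$1" in
    0)   echo "ok: clean exit" ;;
    101) echo "panic: Rust panic (exit 101), not a memory-safety crash" ;;
    134) echo "crash: SIGABRT (allocator detected heap corruption or abort())" ;;
    139) echo "crash: SIGSEGV (invalid memory access)" ;;
    129|1[3-9][0-9]|2[0-5][0-9]) echo "crash: killed by signal $(( $1 - 128 ))" ;;
    *)   echo "error: exit status $1" ;;
  esac
}

# Succeed (return 0) only when the status denotes a signal death.
is_memory_crash() {
  case "$(classify_status "$1")" in
    crash:*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Run a command with its output discarded and return its raw exit status,
# keeping the 128+N encoding for signal deaths.
run_probe() {
  "$@" >/dev/null 2>&1
  return $?
}

# Run the advisory's trigger against DIR, print the verdict, and return 1 on a
# memory-safety crash so the script can double as a post-fix regression test.
probe_eza_git() {
  dir=$1
  [ -d "$dir/.git" ] || { echo "error: $dir/.git not found"; return 2; }
  status=0
  run_probe eza -l --git "$dir" || status=$?
  classify_status "$status"
  if is_memory_crash "$status"; then return 1; fi
  return 0
}

# Usage: sh check_eza_git.sh suspicious
if [ $# -ge 1 ]; then probe_eza_git "$1"; fi
```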

0x04 PoC II - Emulate Raspberry Pi via Qemu

1x01 Prerequisites

  • Qemu 5.1+
  • Ubuntu for Raspberry Pi image file 2
  • Relevant kernel boot files
  • Relevant Device Tree Blob files

1x02 Step by step guide to extract kernel boot files from img file

Mount the image file.

sudo mkdir /mnt/rpi
sudo losetup -f --show -P <path-to-ubuntu-raspi-image-file>
sudo mount /dev/loop<no>p1 /mnt/rpi

Copy kernel boot and all dtb files to a local directory.

mkdir kernel
cp /mnt/rpi/vmlinuz kernel
cp /mnt/rpi/*.dtb kernel

Unmount the image file.

sudo umount /mnt/rpi
sudo losetup -d /dev/loop<no>

1x03 Resize the SD card image

qemu-img resize <path-to-ubuntu-raspi-image-file> 8G

1x04 Command to emulate

You can save this command in a start.sh shell script.

qemu-system-aarch64 \
  -M raspi3b \
  -append "rw earlyprintk root=/dev/mmcblk0p2 rootdelay=1 dwc_otg.lpm_enable=0 rootfstype=ext4 loglevel=8 console=ttyAMA0,115200" \
  -dtb ./kernel/bcm2710-rpi-3-b.dtb \
  -kernel ./kernel/vmlinuz \
  -sd "<path-to-ubuntu-raspi-image-file>" \
  -smp 4 \
  -m 1G \
  -device usb-mouse \
  -device usb-kbd \
  -net "user,hostfwd=tcp::5022-:22" \
  -no-reboot \
  -serial stdio

Tip

Change the type of Raspberry Pi hardware to simulate by adjusting the -dtb parameter.

The -dtb file must match the -M parameter.

The available -M values can be listed with the qemu-system-aarch64 -machine help | grep raspi command.

Upstream Qemu currently does not support emulating the Raspberry Pi 4/5.

Then complete the reproduction by following the steps of PoC I.

0x05 Impact

Arbitrary code execution.

0x06 Severity using CVSS

Severity: High 8.4
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0x07 Weaknesses

  • Heap-based Buffer Overflow (CWE-122)
  • Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
  • Missing Release of Memory after Effective Lifetime (CWE-401)
  • Improper Resource Shutdown or Release (CWE-404)
  • Improper Initialization (CWE-665)

0x08 GitHub Advisories

  • GitHub Advisories 3

0x09 NVD

  • National Vulnerability Database 4

Footnotes

  1. eza: A modern, maintained replacement for ls.

  2. Download Ubuntu for Raspberry Pi image file from this site.

  3. GitHub Advisories

  4. CVE-2024-25817