CVE-2017-16544: A Busybox autocompletion vulnerability (opens in new tab)

(twistlock.com)

49 pointszelivans8y ago14 comments

14 comments

11 comments · 2 top-level

zaarn8y ago· 6 in thread

This is quite ungood considering how many devices (read: routers, IoT) have busybox (or some zombie-like corpse of it) installed on them.

zelivansOP8y ago

Hi, I'm the author of the article. To stress your point, there really are so many embedded devices using Busybox, and most of them were never designed to be updated (or nobody cares enough to update them).

Also I never got to fuzzing networking applets (wget is the most obvious) but this is definitely something I plan to look into, if no one did that before, there are definitely vulnerabilities there too.

ericfrederich8y ago

When you ssh to your device are you not running Busybox shell on the device? I don't understand why this is less of a problem?

1 more reply

jlgaddis8y ago

It could be good for me. We ($work) have some embedded devices running BusyBox that we only have limited (i.e. non-root) access to. I'm looking forward for a way to escalate privileges on these devices as a result of this!

helper8y ago

How do you get privilege escalation from shell escape sequences?

2 more replies

helper8y ago

The vulnerability is that you can play tricks on interactive users' output. In general people (besides nerds) aren't shelling into these devices so it really doesn't seem like that big of a deal.

zaarn8y ago

I quite often shell into such devices. I think just playing tricks is a start and can easily escalate into something more serious.

Alpine also uses Busybox by default (IIRC) and people will use that definitely so it's definitely a problem.

Busybox is not only used in embedded devices.

flipp3r8y ago· 3 in thread

I find these type of vulnerabilities very interesting.

I've also seen a sysop once using curl or wget in such a way that it would print out the response, while checking for an image file; it outputted all kinds of special characters. Then, afer some magic character was printed, their terminal would start interpreting the rest of the output as commands. The commands were gibberish, nothing happened, but very dangerous nonetheless.

TheDong8y ago

> Then, afer some magic character was printed, their terminal would start interpreting the rest of the output as commands. The commands were gibberish, nothing happened, but very dangerous nonetheless.

By commands, you probably mean "escape sequences", which are not the same as running executables and isn't very dangerous.

If a terminal actually executed commands based on data printed to stdout, that would be a very significant vulnerability. It seems far more likely that the gibberish you're talking about is the usual mess of escape sequences.

wolfgang428y ago

> "escape sequences", which are not the same as running executables and isn't very dangerous.

Unless your terminal has support for something like setting the answerback string, in which case the escape sequence could set it and then send an ENQ immediately before ending, causing the answerback to be typed into a shell prompt and executed. (Escape sequences aren't always as innocent as you might expect.) I don't know if any modern terminal emulators support this, but I believe it's been a vector in the past.

Edit: The article mentions some alternative vectors, specifically the screen dumping escape sequence (potentially allowing overwriting arbitrary files) and window title reporting (which behaves similarly to the answerback exploit I mention above), and links to [1] which gives more details on such exploits.

[1]: https://www.proteansec.com/linux/blast-past-executing-code-t...

flipp3r8y ago

> If a terminal actually executed commands based on data printed to stdout, that would be a very significant vulnerability. It seems far more likely that the gibberish you're talking about is the usual mess of escape sequences.

Well, this is what happened. It was a few years ago on some IBM copy of Linux, don't know the exact system or shell. It was like Linux except most of the things you'd expect to exist on a Linux box were missing.

j / k navigate · click thread line to collapse

14 comments

11 comments · 2 top-level

zaarn8y ago· 6 in thread

This is quite ungood considering how many devices (read: routers, IoT) have busybox (or some zombie-like corpse of it) installed on them.

zelivansOP8y ago

ericfrederich8y ago

When you ssh to your device are you not running Busybox shell on the device? I don't understand why this is less of a problem?

1 more reply

jlgaddis8y ago

helper8y ago

How do you get privilege escalation from shell escape sequences?

2 more replies

helper8y ago

The vulnerability is that you can play tricks on interactive users' output. In general people (besides nerds) aren't shelling into these devices so it really doesn't seem like that big of a deal.

zaarn8y ago

I quite often shell into such devices. I think just playing tricks is a start and can easily escalate into something more serious.

Alpine also uses Busybox by default (IIRC) and people will use that definitely so it's definitely a problem.

Busybox is not only used in embedded devices.

flipp3r8y ago· 3 in thread

I find these type of vulnerabilities very interesting.

TheDong8y ago

By commands, you probably mean "escape sequences", which are not the same as running executables and isn't very dangerous.

wolfgang428y ago

> "escape sequences", which are not the same as running executables and isn't very dangerous.

[1]: https://www.proteansec.com/linux/blast-past-executing-code-t...

flipp3r8y ago

j / k navigate · click thread line to collapse