Unboxing Busybox: Claroty and JFrog discover 14 vulnerabilities

GUEST RESEARCH: Embedded devices with limited memory and storage are natural users of a tool like BusyBox, which is marketed as the Swiss Army Knife of Embedded Linux. BusyBox is a software suite of Unix utilities, called applets, bundled together into a single executable file.

In BusyBox you can find a full-fledged shell, a DHCP client and server, and small utilities like cp, ls, grep and others. You are also likely to find BusyBox on many OT and IoT devices, including Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs) and Remote Terminal Units (RTUs), many of which now run Linux.

As part of our commitment to improving the security of open source software, Claroty’s Team82 and JFrog collaborated on a vulnerability research project examining BusyBox. Using static and dynamic techniques, Claroty’s Team82 and JFrog discovered 14 vulnerabilities affecting the latest BusyBox release at the time of the research (1.33.1).

In most cases, the expected impact of these issues is a denial of service (DoS). However, in rarer cases, these issues can also lead to information leaks and possibly remote code execution.

We’ll provide details about the vulnerabilities, explain who is affected, discuss our research methodology, and suggest fixes and workarounds for these issues.

In addition to disclosing the vulnerabilities, Team82 is also releasing its custom AFL fuzzing harnesses, which were responsible for triggering many of the mentioned vulnerabilities. Hopefully this will help other researchers find and disclose even more issues.

Research methodology
To research BusyBox, we used both static and dynamic analysis approaches. First, a manual review of the BusyBox source code was carried out using a top-down approach (following user input from the command line into each applet's handling of it). We also looked for obvious logic and memory-corruption bugs.

The next approach was fuzzing. We compiled BusyBox with ASan and implemented an AFL harness for each BusyBox applet. Each harness was then optimized by removing unnecessary parts of the code, running multiple fuzzing iterations in the same process (persistent mode), and running multiple fuzzing instances in parallel.

We started by fuzzing all the daemon applets, including HTTP, Telnet, DNS, DHCP, NTP, etc. Numerous code changes were required in order to fuzz network-based inputs effectively. The main change was to replace all recv calls with reads from STDIN so that the fuzzer could feed its inputs directly to the applet. Similar changes were made when we moved on to the non-daemon applets.

We prepared a few seed inputs for each applet and ran hundreds of BusyBox fuzzing instances for a few days. This gave us tens of thousands of crashes to assess. To reduce the number of crashes in our sample we grouped crashes with the same root cause into classes, and later minimized each group's representative input in order to work with a small set of unique crash inputs.
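The two harness changes described above (routing a daemon's recv() calls to the fuzzer's input on stdin, and wrapping the request handler in an AFL persistent-mode loop) look like this in practice. This is an added example, not Team82's released harness and not BusyBox code: handle_client() is a constructed stand-in for an applet's per-connection handler, and fuzz_recv(), fuzz_set_input_fd() and replay_input() are names chosen here.

```c
/*
 * Added example: an AFL harness skeleton for a recv()-based daemon.
 * Not Team82's harness and not BusyBox code; handle_client() is a
 * constructed stand-in for an applet's per-connection handler.
 *
 * Build:  afl-clang-fast -fsanitize=address -o harness harness.c
 * Fuzz:   afl-fuzz -i seeds -o out -- ./harness
 * A plain `cc harness.c` build runs one input from stdin.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Descriptor the shim reads from: 0 (stdin) under afl-fuzz; replay_input()
 * points it at a pipe. read(2) is used instead of stdio on purpose: afl-fuzz
 * rewinds the shared stdin offset between persistent-mode iterations, and a
 * buffered FILE* would keep returning stale data. */
static int fuzz_fd = 0;
void fuzz_set_input_fd(int fd) { fuzz_fd = fd; }

/* Drop-in replacement for recv(2). Returns 0 at end of input, which the
 * target code treats exactly like the peer closing the socket. */
ssize_t fuzz_recv(int sockfd, void *buf, size_t len, int flags) {
    (void)sockfd; (void)flags;
    ssize_t n;
    do {
        n = read(fuzz_fd, buf, len);
    } while (n < 0 && errno == EINTR);
    return n;
}
/* With this macro in scope the daemon's own source needs no edits. */
#define recv(fd, buf, len, flags) fuzz_recv((fd), (buf), (len), (flags))

#define LINE_MAX_LEN 64

/* Constructed stand-in for a line-oriented applet handler (think telnetd or
 * httpd): reads one LF- or CRLF-terminated request line through recv() and
 * returns its length, or -1 if the line is overlong or input ends early. */
int handle_client(int fd) {
    char line[LINE_MAX_LEN];
    size_t used = 0;
    for (;;) {
        char c;
        ssize_t n = recv(fd, &c, 1, 0);
        if (n <= 0) return -1;                  /* peer closed / read error */
        if (c == '\n') {
            if (used > 0 && line[used - 1] == '\r') used--;
            return (int)used;
        }
        if (used == sizeof line) return -1;     /* overlong: reject, never overflow */
        line[used++] = c;
    }
}

/* Replays one constructed input (for example the bytes of a crash file)
 * through the shim without afl-fuzz: writes it into a pipe and runs the
 * handler on it. Returns -2 if the pipe could not be set up. */
int replay_input(const char *data, size_t len) {
    int p[2];
    if (pipe(p) != 0) return -2;
    if (write(p[1], data, len) != (ssize_t)len) {
        close(p[0]); close(p[1]);
        return -2;
    }
    close(p[1]);                /* EOF after the data, like a closed socket */
    fuzz_set_input_fd(p[0]);
    int r = handle_client(p[0]);
    fuzz_set_input_fd(0);
    close(p[0]);
    return r;
}

int main(void) {
#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();               /* deferred forkserver: fork after setup work */
#endif
#ifdef __AFL_LOOP
    /* Persistent mode: afl-fuzz feeds up to 1000 inputs to this one process
     * before restarting it, rewinding fd 0 to each new input. */
    while (__AFL_LOOP(1000)) {
        handle_client(0);
    }
#else
    /* Plain build (no afl-clang-fast): handle a single input from stdin. */
    printf("request line length: %d\n", handle_client(0));
#endif
    return 0;
}
```

The listen/accept/fork setup of the real daemon is deliberately absent: the harness calls the per-connection handler directly, which is the "removing unnecessary parts of the code" step, and it is also why the handler must treat a zero-length recv() as a closed connection rather than spinning. replay_input() is the piece you reuse during triage, to rerun a minimized crash file under ASan without the fuzzer.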

To accomplish this, we developed an automated tool that digested all crash data and categorized it based on the crash analysis report, which mainly includes the crash stack trace, the registers and the disassembly of the relevant code area. For example, we merged cases with similar crash stack traces because they generally shared the same root cause.

Finally, we researched each unique crash and minimized its input in order to understand the root cause, which allowed us to create a proof of concept (PoC) that triggers the vulnerability responsible for the crash. We also tested our PoCs on several versions of BusyBox to understand when each bug was introduced into the source code.

Threat analysis and mitigation advice
To assess the threat level posed by these vulnerabilities, we inspected JFrog’s database of over 10,000 embedded firmware images (consisting only of publicly available firmware, not images uploaded to JFrog’s Artifactory). We found that 40% of them contained a BusyBox executable built with one of the affected applets, making these issues prevalent among Linux-based embedded firmware.

All 14 vulnerabilities were fixed in BusyBox 1.34.0, and users are urged to upgrade immediately.

If upgrading BusyBox is not possible (due to specific version compatibility needs), BusyBox 1.33.1 and earlier versions can be compiled without the vulnerable functionality (the affected applets) as a workaround. To see which applets a given BusyBox binary was built with, run it as busybox --list; running it with no arguments prints its version.

Vulnerability details
Because none of the affected applets is a daemon, each vulnerability can only be exploited if the vulnerable applet is fed untrusted data (usually via a command line argument). Specifically, here are the conditions that must hold for each vulnerability to be triggered:

CVE-2021-42373:
Applies if the attacker can control all parameters passed to man.
man is built by the default BusyBox configuration, but does not ship with the default BusyBox binary from Ubuntu.

CVE-2021-42374:
Applies if the attacker can provide a crafted LZMA-compressed file that will be decompressed using unlzma.

Note that even if the unlzma applet itself is not built in, when CONFIG_FEATURE_SEAMLESS_LZMA (enabled by default) is enabled, other applets such as tar, unzip, rpm, dpkg, lzma and man can also reach the vulnerable code while handling a file with the .lzma filename suffix.

unlzma is built by the default BusyBox configuration and ships with the default BusyBox binary from Ubuntu.

CVE-2021-42375:
Applies if the attacker can provide a command line to ash that contains the special characters $, {, } or #. ash is built by the default BusyBox configuration and ships with the default BusyBox binary from Ubuntu.

CVE-2021-42376:
Applies if the attacker can supply a command line to hush containing the special character \x03 (delimiter). hush is built by the default BusyBox configuration, but does not ship with Ubuntu’s default BusyBox binary.

CVE-2021-42377:
Applies if the attacker can supply a command line to hush containing the special character &.

CVE-2021-42378, CVE-2021-42386:
Applies if the attacker can supply an arbitrary pattern to awk (the pattern is the first positional argument this applet takes). awk is built by the default BusyBox configuration and ships with the default BusyBox binary from Ubuntu.
