oss-sec mailing list archives

rkhunter: [CVE-2017-7480] Potential RCE after MiTM due to clear text download without signature


From: Michael Scherer <misc () zarb org>
Date: Thu, 29 Jun 2017 11:33:54 +0200

Hi,

while evaluating various security solutions, I looked at
rkhunter and found that by default it downloads various
files over HTTP and parses them with bash:


For example, it downloads mirrors.dat over HTTP, using no signature and
just a version check that can be faked:

# cat /var/lib/rkhunter/db/mirrors.dat
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=http://rkhunter.sourceforge.net

So I will assume that an attacker can inject a file via MITM without
much problem.

And it turns out that since rkhunter is written in bash, it parses the file as
bash.

So adding something like:

mirror=$(sleep 455)

in the file results in "rkhunter --update" doing this:

\_ /bin/sh /usr/bin/rkhunter --update
\_ /bin/sh /usr/bin/rkhunter --update
\_ sleep 455

Also, on a few packages (if not all), rkhunter --update is run by cron
as root, so without much limitation.

Upstream was warned 2 months ago, and I also warned
RH product security, who assigned CVE-2017-7480 to it.

Unfortunately, half of the upstream developers seem to have disappeared and the
software is in maintenance mode, so no fix is available yet, except "turn off
mirror update". Upstream told me to publish it, but I didn't find time earlier.


-- 
Michael Scherer
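The injection described in the post, as an added example that is not part of the original message and not rkhunter's own code. The post says the mirror list is parsed as bash but does not show the parsing code, so the "unsafe" function below is an assumed simplification (each mirror= line handed to eval) that reproduces the behaviour reported; the sample mirrors.dat is constructed, and the injected line uses a harmless echo as a marker instead of the post's sleep so the run terminates. Beside it is a parser that treats the file strictly as data and rejects the whole file when any line does not match the expected format.

```shell
#!/bin/sh
# Added example (not from rkhunter). Constructed mirrors.dat with a benign
# mirror line followed by an injected line of the kind a MITM attacker could
# insert into the cleartext download.
SAMPLE="${TMPDIR:-/tmp}/mirrors.dat.example.$$"

write_sample() {
    cat > "$SAMPLE" <<'EOF'
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=$(echo INJECTED-COMMAND-RAN)
EOF
}

# Vulnerable pattern (assumed stand-in for the rkhunter behaviour described in
# the post): each mirror= line is evaluated as shell, so a $(...) in the value
# runs as whatever user executes the updater (root, under cron).
unsafe_parse() {
    while IFS= read -r line; do
        case "$line" in
            mirror=*) eval "$line"; printf '%s\n' "$mirror" ;;
        esac
    done < "$1"
}

# Hardened parser: never evaluates a line. It strips the fixed prefix and
# accepts only a ten-digit version stamp and plain http(s) URLs made of
# hostname, optional port and path characters; shell metacharacters such as
# $ ( ) ` ; | & never match. Any rejected line makes the whole file fail, so
# a tampered list is not partially trusted. Accepted URLs go to stdout.
safe_parse() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            Version:*)
                ver=${line#Version:}
                printf '%s' "$ver" | grep -Eq '^[0-9]{10}$' \
                    || { printf 'rejected version line: %s\n' "$line" >&2; bad=1; }
                ;;
            mirror=*)
                url=${line#mirror=}
                if printf '%s' "$url" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._~/-]*)?$'; then
                    printf '%s\n' "$url"
                else
                    printf 'rejected mirror line: %s\n' "$line" >&2
                    bad=1
                fi
                ;;
            *)
                printf 'rejected unknown line: %s\n' "$line" >&2
                bad=1
                ;;
        esac
    done < "$1"
    return "$bad"
}

cleanup() { rm -f "$SAMPLE"; }

# Stand-alone run: the unsafe parser prints the marker, proving the injected
# command executed; the safe parser prints only the real mirror and fails.
write_sample
printf 'unsafe parser output:\n'; unsafe_parse "$SAMPLE"
printf 'safe parser output:\n'; safe_parse "$SAMPLE" || printf 'file rejected (exit %d)\n' "$?"
```

Strict parsing only removes the code-execution step; it does not make the downloaded list trustworthy, since a MITM can still hand back any well-formed mirror URLs. Closing the issue the post actually raises needs an authenticated download (HTTPS plus a detached signature checked before the file is used) or, as the author notes is the only option available at the time, turning mirror updates off.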

