mark :: blog
And not because she's set the alarm for the wrong time, or used a
'crazy frog' sound theme, but because it had a remote root exploit.
It's fixed now.
It all started when I bought her a Chumby for Christmas. A Chumby
is a little bedside device that can act as an alarm clock as well as
running flash-lite applets. What made it especially appealing is that
you can write your own applets if you want, and the whole thing is
Linux-based and designed to be hackable: they correctly abide by the
GPL and have their sources available, you can build and install your
own software, you can even enable ssh and have a remote shell if you
want to. And with NTP the clock is always at the right time, since
I really don't like having out-of-sync clocks around the house.
So it was time to connect another device to my wireless network: a
device designed to be left on and permanently connected to the
network, and having a connected microphone, in the bedroom. A quick
look around the OS and I found that it had a web server accessible by
default, and a pair of CGI scripts, written in shell script, running
as root, that didn't correctly escape their input. (Hint: writing
secure CGI scripts in shell is non-trivial).
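An added illustration of the point about input handling in shell CGI scripts (this is not the Chumby code, which the post does not show): a POSIX sh handler that reads one query parameter and accepts it only if it matches a strict allow-list, refusing percent-encoded input rather than decoding it. The `theme` parameter and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical CGI helper, not the vendor's scripts.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges below byte-exact

# get_param NAME QUERY -> prints the raw (still percent-encoded) value of NAME.
# Uses only parameter expansion: no eval, no word splitting, no subshell tools.
get_param() {
    name=$1
    rest=$2
    while [ -n "$rest" ]; do
        pair=${rest%%"&"*}
        case $rest in
            *"&"*) rest=${rest#*"&"} ;;
            *)     rest= ;;
        esac
        case $pair in
            "$name"=*) printf '%s' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# is_safe_token VALUE -> succeeds only for 1..32 characters from [A-Za-z0-9_-].
# '%' is not in the set, so encoded metacharacters are rejected, not decoded.
is_safe_token() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# handle_request QUERY -> prints a CGI response; fails closed with a 400.
handle_request() {
    if value=$(get_param theme "$1") && is_safe_token "$value"; then
        printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n'
        # The value is only ever used as one double-quoted argument.
        printf 'theme=%s\n' "$value"
    else
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n'
        printf 'bad parameter\n'
        return 1
    fi
}

# Run as a handler only when a web server invoked us as CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request "${QUERY_STRING:-}"
fi
```

Validation alone does not address the other half of the problem in the post: a handler like this should also run as an unprivileged user rather than root.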
With a bit of careful manipulation (to get around some character
handling in the code) I had a remote root shell on a default Chumby and
could stream audio from the microphone remotely. Oops. Not too big a
deal though as it's unlikely you're going to have it directly
connected to the internet, although with some social engineering, if
you know someone with a Chumby, you could do a cunning cross-site
scripting attack and get a reverse shell that way.
I contacted the Chumby folks and they dealt with this like an ideal
vendor: acknowledging the issue, keeping in contact, and doing a security update.
Good for them. I like this device and vendor so much I'm going to buy
another Chumby, and a few colleagues from work are too.
But how many other devices do we connect to our networks without
thinking about them, and how many folks outside of the security
paranoid have properly secured and segmented wireless networks? I've
got an IP wireless network CCTV camera and a VOIP phone system, both
of which seem to be running Linux (and both of which seem to have
vulnerabilities), to worry about next, although that is harder since
both are closed systems which haven't released their source.
So for the CVE database: CVE-2010-0418 is "Chumby One before 1.0.4 and
Chumby Classic before 1.7.2 allows remote attackers to execute
arbitrary commands via shell metacharacters in a carefully crafted
request to the web interface". Reported 29 Dec 2009, vendor responded
29 Dec 2009, tested fix 3 Feb 2010, public and updates 4 Mar 2010.
Created: 05 Mar 2010
Tagged as: devices, security
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.