Mark J Cox, mark@awe.com  
   
mark :: blog


And not because she's set the alarm for the wrong time, or used a 'crazy frog' sound theme, but because it had a remote root exploit. It's fixed now.

It all started when I bought her a Chumby for Christmas. A Chumby is a little bedside device that can act as an alarm clock as well as running flash-lite applets. What made it especially appealing is that you can write your own applets if you want, and the whole thing is Linux-based and designed to be hackable: they correctly abide by the GPL and have their sources available, you can build and install your own software, you can even enable ssh and have a remote shell if you want to. And with NTP the clock is always at the right time, since I really don't like having out-of-sync clocks around the house.

So it was time to connect another device to my wireless network: a device designed to be left on and permanently connected to the network, with a connected microphone, in the bedroom. A quick look around the OS found that it had a web server accessible by default, and a pair of CGI scripts, written in shell script, running as root, that didn't correctly escape their input. (Hint: writing secure CGI scripts in shell is non-trivial.)

With a bit of careful manipulation (to get around some character handling in the code) I had a remote root shell on a default Chumby and could stream audio from the microphone remotely. Oops. Not too big a deal though as it's unlikely you're going to have it directly connected to the internet, although with some social engineering, if you know someone with a Chumby, you could do a cunning cross-site scripting attack and get a reverse shell that way.
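As an added illustration of the bug class described above (this is not the Chumby scripts, which the post does not show), here is a small POSIX sh CGI handler: the unsafe idiom appears only as a comment, and the working code parses the query string without `eval`, percent-decodes with `printf` only, and allow-lists the value before it reaches any command. The field name `time`, the HH:MM format and the `setalarm` command are hypothetical.

```shell
#!/bin/sh
# Added example, not Chumby's code: handling CGI input in POSIX sh without
# ever letting request data be parsed by the shell.
#
# The bug class on the page: a shell CGI that hands request data to the shell.
# A typical unsafe idiom (shown as a comment only, never executed here):
#   eval "$(printf '%s' "$QUERY_STRING" | tr '&' ';')"
#   /usr/bin/setalarm $time
# Any shell metacharacter in the request then runs as the CGI's user (root,
# in the case described in the post).

# Percent-decode one query value using printf only. Hex is converted through
# shell arithmetic to an octal escape, which POSIX printf understands.
urldecode() {
  _s=$(printf '%s' "$1" | sed 's/+/ /g')
  _out=""
  while [ -n "$_s" ]; do
    case "$_s" in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        _hex=${_s#%}
        _hex=$(printf '%.2s' "$_hex")
        _oct=$(printf '%03o' "$((0x$_hex))")
        _out="$_out$(printf "\\$_oct")"
        _s=${_s#???}
        ;;
      *)
        _out="$_out$(printf '%.1s' "$_s")"
        _s=${_s#?}
        ;;
    esac
  done
  printf '%s' "$_out"
}

# Look up one key in a raw query string ($2) and print its decoded value.
# Uses parameter expansion only; nothing from the request is evaluated.
query_param() {
  _qs=$2
  while [ -n "$_qs" ]; do
    _pair=${_qs%%&*}
    _qs=${_qs#"$_pair"}
    _qs=${_qs#&}
    if [ "${_pair%%=*}" = "$1" ]; then
      urldecode "${_pair#*=}"
      return 0
    fi
  done
  return 1
}

# Allow-list check: succeeds only for HH:MM with a valid hour (hypothetical format).
valid_alarm_time() {
  case "$1" in
    [0-2][0-9]:[0-5][0-9]) [ "${1%%:*}" -le 23 ] ;;
    *) return 1 ;;
  esac
}

# Hardened handler: returns 0 and prints the accepted time, or 1 on any input
# that is missing or fails the allow-list. Metacharacters never match HH:MM.
set_alarm_request() {
  _t=$(query_param time "$1") || return 1
  valid_alarm_time "$_t" || return 1
  # Hypothetical downstream command: one quoted argument, never via eval or sh -c.
  # /usr/bin/setalarm "$_t"
  printf '%s' "$_t"
}

# Usage as a CGI, where the web server supplies QUERY_STRING:
#   if _t=$(set_alarm_request "${QUERY_STRING:-}"); then
#     printf 'Content-type: text/plain\n\nalarm set for %s\n' "$_t"
#   else
#     printf 'Status: 400 Bad Request\nContent-type: text/plain\n\nrejected\n'
#   fi
```

The point of the allow-list is that the handler does not try to enumerate dangerous characters; it describes the only shape of input it accepts, so a value such as `07:30;id` (constructed here as a test input) is rejected before any command sees it.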

I contacted the Chumby folks and they dealt with this like an ideal vendor; acknowledging the issue, keeping in contact, and doing a security update. Good for them. I like this device and vendor so much I'm going to buy another Chumby, and a few colleagues from work are too.

But how many other devices do we connect to our networks without thinking about them, and how many folks outside of the security paranoid have properly secured and segmented wireless networks? I've got an IP wireless network CCTV camera and a VoIP phone system, both of which seem to be running Linux (and both of which seem to have vulnerabilities), to worry about next, although that will be harder since both are closed systems whose source hasn't been released.

So for the CVE database: CVE-2010-0418 is "Chumby One before 1.0.4 and Chumby Classic before 1.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a carefully crafted request to the web interface". Reported 29 Dec 2009, vendor responded 29 Dec 2009, tested fix 3 Feb 2010, public and updates 4 Mar 2010.

Created: 05 Mar 2010

3 comments (new comments disabled)

Title: Re: My wifes alarm clock kept me awake at night
Posted by: Adam Williamson
Time: Fri, 05 Mar 2010 20:19

"My alarm clock has a root vulnerability" sounds like a fairly good answer to the question "How do you know when you're over-engineering?", to me. =) (Joking aside, though, the Chumby does look neat, and I'm not surprised at the response you got, given how clued-in the guy who runs the company is: http://www.bunniestudios.com/blog/?p=918 )

Title: Re: My wifes alarm clock kept me awake at night
Posted by: Máirín Duffy
Time: Fri, 05 Mar 2010 21:22

Oh wow... that is scary. It reminded me of this story I heard recently: http://abclocal.go.com/wpvi/story?section=news/local&id=7284767 "A suburban Philadelphia school district used the webcams in school-issued laptops to spy on students at home, potentially catching them and their families in compromising situations, a family claims in a federal lawsuit." More and more devices have built-in mics and cameras... :(

Title: Re: My wifes alarm clock kept me awake at night
Posted by: Warinda
Time: Sun, 28 Mar 2010 07:09

Hello there Mark! :>

Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.