Hi,

While doing an analysis of the busybox source code, I identified some fault injection vulnerabilities in login.c that can be used by an attacker with physical access to the device. The device would need to present a login shell via UART or some other interface, but the attacker does not need to know the password.

This set of vulnerabilities has been verified both by simulating the faults using binary patching and by actual fault injection testing. I was able to bypass a root login on a device running the login applet of busybox 1.35.0. The main vulnerability here is that there are no fault injection countermeasures in the busybox source code. I understand that this might be out of your threat model (local physical attacker) but still wanted to give you a heads up.

An attacker can glitch line 513 in login.c to bypass the login. Additionally, there are various points in correct_password.c that can also be attacked by using fault injection. Attacking this in a completely unmodified system is still something I'm exploring now (I manually added trigger points for an easier fault injection campaign). I believe this can also be used to escalate privileges by glitching sulogin.c. This vulnerability might also be present in the Linux login utils, which is something I'm also in the process of verifying.

Regards,
Yashin Mehaboobe
_______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
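The report's central point is the absence of fault-injection countermeasures around the password verdict. As an added example (not BusyBox code, and not the reporter's), this C fragment shows the kind of hardening a login path can apply: non-trivial verdict constants instead of a 0/1 flag, a redundant second comparison, and a consistency check, so that a single skipped instruction does not turn a failed check into success. The byte comparison stands in for the real hash verification.

```c
#include <stdint.h>
#include <stddef.h>

/* Verdict constants with large Hamming distance: a single-bit or
 * single-instruction glitch on a 0/1 flag flips "deny" to "allow";
 * these values cannot be reached from each other by one bit flip. */
#define AUTH_OK   0x5A3C96C3u
#define AUTH_FAIL 0xA5C3693Cu

/* Constant-time comparison; returns 0 only when all bytes match. */
static int ct_memcmp(const void *a, const void *b, size_t n) {
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff;
}

/* Stand-in for hash verification: compare stored and candidate digests.
 * Returns AUTH_OK only if two independent comparisons both succeed. */
uint32_t check_credential(const unsigned char *stored,
                          const unsigned char *candidate, size_t n) {
    volatile uint32_t verdict = AUTH_FAIL;           /* default is deny */
    volatile int r1 = ct_memcmp(stored, candidate, n);
    if (r1 == 0) verdict = AUTH_OK;
    /* Redundant evaluation: glitching past one branch leaves the other. */
    volatile int r2 = ct_memcmp(stored, candidate, n);
    if (r2 != 0) verdict = AUTH_FAIL;
    /* The two evaluations must agree; disagreement indicates a fault. */
    if ((r1 == 0) != (r2 == 0)) return AUTH_FAIL;
    return verdict;
}

/* Caller side: only the exact AUTH_OK pattern grants. Anything else,
 * including a verdict corrupted to 0, 1 or 0xFFFFFFFF, denies. The test
 * is repeated in a second form so one skipped compare is not decisive. */
int grant_login(uint32_t verdict) {
    volatile uint32_t v = verdict;
    if (v != AUTH_OK) return 0;
    if ((v ^ AUTH_OK) != 0) return 0;                /* second, independent check */
    return 1;
}
```

The volatile qualifiers discourage the compiler from folding the redundant checks, but the only reliable confirmation is inspecting the generated assembly for the target, since optimizers may still merge them.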
