On 19.07.21 at 16:10, Richard Braun wrote:
> On Mon, Jul 19, 2021 at 01:28:54PM +0000, Tommy Murphy wrote:
>>> From: Richard Braun <[email protected]>
>>> Sent: Monday 19 July 2021 12:26
>>> To: Tommy Murphy <[email protected]>
>>> Cc: OpenOCD <[email protected]>; Ooi, Cinly <[email protected]>
>>> Subject: Re: Potential NULL byte injection
>>>
>>> Without the issue, the impact of a malicious/faulty input is restricted
>>> to what openocd can do. With it, it's restricted to what the operating
>>> system allows the hacked program to do, and without sandboxing, it can
>>> basically rm -rf or whatever.
>>
>> Perhaps you can illustrate how NULL byte injection can be used to make
>> openocd execute rm -rf?
>
> No, I can't. I was a bit too quick and assumed the kind of dangerous
> commands mentioned by Cinly could be somehow added and then used,
> as he says, but that doesn't seem true, so my bad.
>
> But even if that was true, the issue reduces down to the fact that there
> can be dangerous commands or not, and the injection becomes irrelevant.
>
> And there already are dangerous commands. See the Jim-TCL command index
> [1], and in particular exec. So OpenOCD is already an exploit vector and
> users must trust/check any script they use, making the scripts more a
> part of OpenOCD than user input.
>
> So, while the injection is a non-issue, that discovery (at least to me)
> is a bit scary.
>

Hm, if I understand it correctly, OpenOCD can set your HW on fire without
exploiting any security holes in it. Just execute legal commands on the
target and misconfigure some SoC internals. And OOCD was able to execute
external commands, so we are probably still able to execute sudo from it,
in a direct way, without exploiting it.

I would agree, this can be a nasty bug and potentially could be fixed.
Patches are welcome.

--
Regards,
Oleksij
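The practical consequence of the thread above is that an OpenOCD script is trusted code: Jim-Tcl's `exec` runs an arbitrary program with openocd's privileges, and `source` pulls in further scripts that are trusted just as much. The helper below is an added example written for this page (it is not part of OpenOCD or Jim Tcl) that triages `.cfg` files for those two commands before they are handed to openocd, and flags scripts that build command names at runtime, where a textual scan cannot see what will be executed. The sample scripts, file paths and function names are constructed for the example; `exec`, `source`, `find`, `eval` and `uplevel` are real Jim-Tcl/OpenOCD command names.

```python
"""
Triage OpenOCD / Jim-Tcl scripts for commands that reach outside the
debugger. Hypothetical audit helper written for this example; the sample
scripts below are constructed, not real vendor files.
"""
import re
from typing import Dict, List, Tuple

# Commands worth a human look. `exec` runs an external program with
# openocd's privileges; `source` extends the trust boundary to another file
# (in OpenOCD scripts usually `source [find ...]`).
FLAGGED = {
    "exec": "runs an external program with openocd's privileges",
    "source": "loads another script, which is trusted just as much",
}

# A flagged command either in command position (start of line or after ';')
# or inside a command substitution, e.g. `puts [exec id -u]`.
_CMD_RE = re.compile(r"(?:^|[;\[])\s*(exec|source)\b")

# Command position occupied by eval/uplevel, a variable, a substitution or
# {*} expansion: the command actually run is decided at runtime.
_DYNAMIC_RE = re.compile(r"(?:^|;)\s*(?:eval\b|uplevel\b|\$\w+|\[|\{\*\})")


def strip_tcl_comment(line: str) -> str:
    """Drop a '#' comment that starts a Tcl command (start of line or after
    ';'). A '#' anywhere else is an ordinary character in Tcl and is kept.
    Heuristic: a ';' inside a quoted string is not recognised."""
    if line.lstrip().startswith("#"):
        return ""
    m = re.search(r";\s*#", line)
    return line[: m.start()] if m else line


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, command, source_line) for every literal use of a
    flagged command, ignoring comments."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        for m in _CMD_RE.finditer(strip_tcl_comment(raw)):
            hits.append((lineno, m.group(1), raw.strip()))
    return hits


def uses_dynamic_dispatch(text: str) -> bool:
    """True if any command's name is computed at runtime; such a script can
    reach exec without the literal word appearing and needs a manual read."""
    return any(_DYNAMIC_RE.search(strip_tcl_comment(l)) for l in text.splitlines())


def audit(text: str) -> Dict[str, object]:
    """Summarise a script: literal hits plus whether a grep is even enough."""
    hits = scan_script(text)
    dynamic = uses_dynamic_dispatch(text)
    return {
        "hits": hits,
        "needs_manual_review": dynamic,
        "verdict": "review" if hits or dynamic else "no exec/source found",
    }


# Constructed sample: a board config of the kind shipped with a vendor SDK.
SAMPLE_CFG = """\
# constructed example of a board config shipped with a vendor SDK
source [find interface/stlink.cfg]
adapter speed 1000
set CHIPNAME stm32f4x ;# no exec here, just a comment mentioning exec
proc post_flash {} {
    exec /usr/bin/notify-send "flash done"
}
puts [exec id -u]
"""

# Constructed sample: the command name is assembled at runtime, so the
# literal scan finds nothing although the script still runs a program.
DYNAMIC_CFG = """\
set c ex
append c ec
$c rm -rf /tmp/scratch
"""

if __name__ == "__main__":
    for name, cfg in (("sample.cfg", SAMPLE_CFG), ("dynamic.cfg", DYNAMIC_CFG)):
        result = audit(cfg)
        print(f"{name}: {result['verdict']}")
        for lineno, cmd, line in result["hits"]:
            print(f"  line {lineno}: {cmd} ({FLAGGED[cmd]}): {line}")
        if result["needs_manual_review"]:
            print("  command names are built at runtime; read the script by hand")
```

The scan is a triage step, not a security boundary: it tells you which files to read first, and the dynamic-dispatch flag exists precisely because Tcl lets a script reach `exec` without ever spelling it out. The thread's actual conclusion stands, namely that a script given to openocd must be trusted the way the openocd binary itself is.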
