
Monday, 29 November 2021 10:13

Unboxing BusyBox: Claroty and JFrog uncover 14 vulnerabilities

By Claroty

GUEST RESEARCH: Embedded devices with limited memory and storage commonly rely on a tool such as BusyBox, which is marketed as the Swiss Army Knife of embedded Linux. BusyBox is a suite of Unix utilities, known as applets, packaged as a single executable file.

Within BusyBox you can find a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep, and others. You’re also likely to find many OT and IoT devices running BusyBox, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs)—many of which now run on Linux.

As part of our commitment to improving open-source software security, Claroty's Team82 and JFrog collaborated on a vulnerability research project examining BusyBox. Using static and dynamic techniques, Team82 and JFrog discovered 14 vulnerabilities affecting the latest BusyBox release at the time of the research, 1.33.1.

In most cases, the expected impact of these issues is denial of service (DoS). However, in rarer cases, these issues can also lead to information leaks and possibly remote code execution.

We will provide details about the vulnerabilities, elaborate on who is affected, discuss our research methodology and suggest fixes and workarounds for these issues.

In addition to disclosing the vulnerabilities, Team82 is also open-sourcing its custom AFL fuzzing harnesses, which were responsible for triggering many of the mentioned vulnerabilities. Hopefully this will help fellow researchers find and disclose even more issues.

Research methodology
To research BusyBox, we used both static and dynamic analysis. First, we conducted a manual, top-down review of the BusyBox source code, following user input from the entry point to the handling code of each applet, and looked for obvious logic and memory-corruption bugs.

The next approach was fuzzing. We compiled BusyBox with AddressSanitizer (ASan) and implemented an AFL harness for each BusyBox applet. Each harness was then optimised by removing unnecessary code, running multiple fuzzing iterations in the same process (persistent mode), and running many fuzzer instances in parallel.

We started by fuzzing all the daemon applets, including the HTTP, Telnet, DNS, DHCP and NTP servers. Many code changes were required to fuzz network-based input effectively; the main modification was to replace the recv() calls with reads from stdin so that the fuzzer's input reaches the applet. Similar changes were made when we fuzzed the non-server applets.

We prepared a few seed inputs for each applet and ran hundreds of fuzzed BusyBox instances for several days. This gave us tens of thousands of crashes to evaluate. To reduce the volume, we grouped crashes that shared the same root cause into classes, then minimised one representative input per class so we could work with a small set of unique crash inputs.

To do this, we developed tooling that digested all crash data and classified it based on the crash report, which mainly comprises the stack trace, the register state and the disassembly around the faulting address. For example, we merged cases with similar crash stack traces, because they usually share the same root cause.

Finally, we analysed each unique crash and minimised its input to understand the root cause, which allowed us to create a proof-of-concept (PoC) that reliably triggers the vulnerability responsible for the crash. We also ran our PoCs against several BusyBox versions to determine when each bug was introduced into the source code.
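The classification step described above, as an added example rather than Team82's own tooling: a small Python bucketer that parses ASan reports, drops sanitizer and libc frames, and keys each crash on its error kind plus the top three application frames, so reports that differ only in addresses or PIDs land in the same group. The report texts, function names and file names below are constructed for illustration.

```python
"""Bucket ASan crash reports by error kind and top application frames.

Added example, not Team82's tooling. The sample reports are constructed.
"""
import re
from collections import defaultdict

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)")
# Frames that belong to the sanitizer runtime or libc, not to the target.
NOISE_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_", "__libc_", "__GI_")


def parse_report(text):
    """Return (error_kind, [frames of the first stack trace, innermost first])."""
    m = ERROR_RE.search(text)
    kind = m.group(1) if m else "unknown"
    frames = []
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if not fm:
            continue
        # A second "#0" starts another trace (allocation/free site); stop there.
        if fm.group(1) == "0" and frames:
            break
        frames.append(fm.group(2))
    return kind, frames


def crash_key(text, depth=3):
    """Dedup key: error kind + first `depth` frames that are not runtime noise."""
    kind, frames = parse_report(text)
    app_frames = [f for f in frames if not f.startswith(NOISE_PREFIXES)]
    return (kind,) + tuple(app_frames[:depth])


def bucket(reports, depth=3):
    """Group (name, report_text) pairs into {crash_key: [names]}."""
    groups = defaultdict(list)
    for name, text in reports:
        groups[crash_key(text, depth)].append(name)
    return dict(groups)


# Constructed reports: A and B are the same bug from two runs, C is a different one.
REPORT_A = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x5555555a1b2c bp 0x7fffffffe0c0 sp 0x7fffffffe0b8
READ of size 1 at 0x602000000011 thread T0
    #0 0x5555555a1b2b in __interceptor_strlen.part.0 asan_interceptors.cpp:370
    #1 0x5555555c0d4e in parse_input applet.c:88
    #2 0x5555555c1a20 in applet_main applet.c:140
    #3 0x55555558e2b1 in run_applet_no_and_exit appletlib.c:950
    #4 0x55555558e6c7 in main appletlib.c:1070
0x602000000011 is located 1 bytes to the right of 16-byte region [0x602000000000,0x602000000010)
allocated by thread T0 here:
    #0 0x5555555a5e4d in malloc asan_malloc_linux.cpp:145
    #1 0x5555555c0c10 in parse_input applet.c:80
"""
REPORT_B = REPORT_A.replace("==1234==", "==1299==").replace("0x5555555c0d4e", "0x5555555c0d52")
REPORT_C = """\
==1300==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555d1100 bp 0x7fffffffe0a0 sp 0x7fffffffe090 T0)
==1300==The signal is caused by a READ memory access.
    #0 0x5555555d1100 in expand_vars shell.c:210
    #1 0x5555555d2200 in eval_line shell.c:400
    #2 0x5555555d3300 in shell_main shell.c:900
    #3 0x55555558e2b1 in run_applet_no_and_exit appletlib.c:950
"""
SAMPLE_REPORTS = [("id:000001", REPORT_A), ("id:000002", REPORT_B), ("id:000003", REPORT_C)]

if __name__ == "__main__":
    for key, names in bucket(SAMPLE_REPORTS).items():
        print(f"{len(names)} crash(es) -> {' <- '.join(key)}: {', '.join(names)}")
```

Keying on the first few application frames rather than the whole trace is deliberate: the innermost frames identify the faulting code path, while deeper frames vary with how the fuzzer reached it and would split one bug into many buckets. The depth is a knob; too shallow merges distinct bugs that crash in a shared helper, too deep over-splits.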

Threat analysis and mitigation advice
To assess the threat level posed by these vulnerabilities, we inspected JFrog's database of more than 10,000 embedded firmware images (consisting only of publicly available firmware, not images uploaded to JFrog Artifactory). We found that 40% of them contained a BusyBox executable built with at least one of the affected applets, making these issues widespread among Linux-based embedded firmware.

All 14 vulnerabilities have been fixed in BusyBox 1.34.0, and users are urged to upgrade immediately.

If upgrading BusyBox is not possible (for example, because of version compatibility requirements), BusyBox 1.33.1 and earlier can be compiled without the affected applets as a workaround.

Details of the vulnerabilities
Since the affected applets are not daemons, each vulnerability can only be exploited if the vulnerable applet is fed untrusted data (usually through a command-line argument). Specifically, these are the conditions that must hold for each vulnerability to be triggered:

CVE-2021-42373:
Applies if the attacker can control all parameters passed to man.
man is built by the default BusyBox configuration, but not shipped with Ubuntu’s default BusyBox binary.

CVE-2021-42374:
Applies if the attacker can supply a crafted LZMA-compressed file that will be decompressed with unlzma.

Note that even if the unlzma applet is not built, when CONFIG_FEATURE_SEAMLESS_LZMA (enabled by default) is set, other applets such as tar, unzip, rpm, dpkg, lzma and man can also reach the vulnerable code when handling a file with the .lzma filename suffix.

unlzma is built by the default BusyBox configuration and shipped with Ubuntu’s default BusyBox binary.

CVE-2021-42375:
Applies if the attacker can supply a command line to ash that contains the special characters $, {, } or #. ash is built by the default BusyBox configuration and shipped with Ubuntu's default BusyBox binary.

CVE-2021-42376:
Applies if the attacker can supply a command line to hush that contains the special character \x03 (used internally as a delimiter). hush is built by the default BusyBox configuration, but not shipped with Ubuntu's default BusyBox binary.

CVE-2021-42377:
Applies if the attacker can supply a command line to hush that contains the special character &.

CVE-2021-42378, CVE-2021-42386:
Applies if the attacker can supply an arbitrary pattern to awk (the pattern is the first positional argument this applet takes). awk is built by the default BusyBox configuration and shipped with Ubuntu’s default BusyBox binary.
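A way to turn the mitigation advice and the per-CVE conditions above into a check, as an added example rather than Claroty's or JFrog's tooling: given the banner line that `busybox` prints when run with no arguments, the output of `busybox --list`, or the text of the build's `.config`, it reports which of the applets named above are present, which of the CVEs detailed above they expose, and whether the seamless-.lzma path through tar, unzip, rpm, dpkg, lzma or man still reaches the unlzma decoder. It covers only the seven CVEs detailed above. The `.config` symbol names other than CONFIG_FEATURE_SEAMLESS_LZMA are assumed to follow BusyBox's CONFIG_<APPLET> convention, and the sample banner, applet list and config fragment are constructed.

```python
"""Check a BusyBox binary or build config against the applets named above.

Added example, not Claroty's or JFrog's tooling. CONFIG_<APPLET> symbol
names (other than CONFIG_FEATURE_SEAMLESS_LZMA) are assumed from BusyBox's
Kconfig convention; all sample inputs are constructed.
"""
import re

FIXED_VERSION = (1, 34, 0)

# Applet -> CVEs detailed above that are reached through it.
AFFECTED_APPLETS = {
    "man": ["CVE-2021-42373"],
    "unlzma": ["CVE-2021-42374"],
    "ash": ["CVE-2021-42375"],
    "hush": ["CVE-2021-42376", "CVE-2021-42377"],
    "awk": ["CVE-2021-42378", "CVE-2021-42386"],
}
# Applets that reach the LZMA decoder for a .lzma file when
# CONFIG_FEATURE_SEAMLESS_LZMA is built in, even without the unlzma applet.
SEAMLESS_LZMA_USERS = {"tar", "unzip", "rpm", "dpkg", "lzma", "man"}


def parse_version(banner):
    """'BusyBox v1.33.1 (...) multi-call binary.' -> (1, 33, 1)."""
    m = re.search(r"BusyBox v(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no BusyBox version banner found")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True once the binary is at least 1.34.0, where all 14 issues are fixed."""
    return tuple(version) >= FIXED_VERSION


def parse_config(text):
    """Enabled symbols of a .config: 'CONFIG_X=y' lines; '# ... is not set' is ignored."""
    return {m.group(1) for m in re.finditer(r"^(CONFIG_\w+)=y$", text, re.M)}


def _findings(present, seamless_lzma):
    """Map present affected applets (and the seamless .lzma path) to CVEs."""
    found = {a: cves for a, cves in AFFECTED_APPLETS.items() if a in present}
    if seamless_lzma and "unlzma" not in found:
        users = sorted(SEAMLESS_LZMA_USERS & present)
        if users:
            found["unlzma decoder via " + "/".join(users)] = AFFECTED_APPLETS["unlzma"]
    return found


def exposure_from_applets(applets, assume_seamless_lzma=True):
    """From `busybox --list` output. The list cannot show whether the seamless
    .lzma feature was built in; it is on by default, so assume it unless told."""
    return _findings(set(applets), assume_seamless_lzma)


def exposure_from_config(config_text):
    """From the build's .config, which does state the seamless .lzma feature."""
    enabled = parse_config(config_text)
    present = {sym[len("CONFIG_"):].lower() for sym in enabled}
    return _findings(present, "CONFIG_FEATURE_SEAMLESS_LZMA" in enabled)


def verdict(banner, applets):
    """Overall answer for one binary: (needs_action, findings)."""
    if is_fixed(parse_version(banner)):
        return False, {}
    found = exposure_from_applets(applets)
    return bool(found), found


# Constructed inputs.
SAMPLE_BANNER = "BusyBox v1.33.1 (2021-06-15 10:00:00 UTC) multi-call binary."
SAMPLE_LIST = ["ash", "awk", "cp", "grep", "ls", "tar", "udhcpc"]
SAMPLE_CONFIG = """\
CONFIG_ASH=y
CONFIG_HUSH=y
# CONFIG_AWK is not set
# CONFIG_MAN is not set
# CONFIG_UNLZMA is not set
CONFIG_TAR=y
CONFIG_FEATURE_SEAMLESS_LZMA=y
"""

if __name__ == "__main__":
    needs_action, found = verdict(SAMPLE_BANNER, SAMPLE_LIST)
    print("binary:", "upgrade or rebuild" if needs_action else "ok")
    for what, cves in found.items():
        print(f"  {what}: {', '.join(cves)}")
    print("config:", exposure_from_config(SAMPLE_CONFIG))
```

The config check is the more reliable of the two: `busybox --list` shows which applets were linked in but not whether the seamless .lzma feature is on, so a binary that lacks unlzma but ships tar can still reach the CVE-2021-42374 code path, which is why the applet-list path assumes that feature unless the caller knows the build disabled it.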
