View: 1587|Reply: 0

Orange Pi 5 Ubuntu Jammy Server vulnerability

[Copy link]

1

threads

1

posts

18

credits

Novice

Rank: 1

credits
18
Published in 2023-5-22 22:57:39 | Show all floors |Read mode
This post was finally edited by bulgaru at 2023-5-22 22:59

Hello, everyone!

I wanted to let you know of a serious vulnerability when it comes to Ubuntu Jammy Server on OPi 5 (don't know if it applies to other models / OSes / builds).

The attack vector is currently unknown, but the penetration of the system is immediate with root access to the attacker.

Symptoms:
  • presence of "tamkjll" file/folder in root directory
  • presence of "data" folder directory in root directory, containing UFO.apk within
  • folders named "arm", "x86", etc in the root directory
  • loss of ssh access
  • overheating CPU

Troubleshooting steps:
  • changed the default root password - NO EFFECT
  • disabled password ssh access - NO EFFECT
  • exposed ssh with a different port - NO EFFECT
  • closed all ports except 22, 80, 443, and a couple technical ones - SUCCESS

Preliminary conclusions:
It seems that the attacker expoits a zero-day vulnerability by attacking one of the exposed ports. After gaining root access, the attacker downloads malicious code that hijacks the device. Seems to be related to Mirai Botnet, according to my research. The Ububtu distro needs to be audited for exposed ports that allow the attacker gain root access. It seems to happen regardless of the root password currently used, which begs the question of how on earth the attacker is capable of running the code with sudo priviledges.

Steps to reproduce:
  • install Ubuntu Server from OPi website
  • change root password, disable ssh password access
  • expose the device to the web

My main concern is that the distro provided via the OPi website is vulnerable out-of-the box. Given that it's a Server distro, it can create a sense of false security when it comes to using it with the devices exposed to the web. Moreover, there may be plenty of infected devices out there already, that are present in the attacker's database and they will be hijacked regardless if they reset and reinstall their system.

Any help would be very much welcome!
You can buy me a beer at https://www.paypal.me/bsensus
You need to log in before you can reply login | Register

Points Rule

Quick reply Top Return list