Summary
While drafting this issue #5944, I was proof-reading when I noticed that private_key.pem is 0644:

```
root@meshtastic:/# ls -lah *.pem
-rw-r--r-- 1 root root 1.1K Jan 18 19:02 certificate.pem
-rw-r--r-- 1 root root 1.7K Jan 18 19:02 private_key.pem
```
TLS Key material should never be world readable!
Details
The offending code is here (firmware/src/mesh/raspihttp/PiWebServer.cpp, lines 419 to 433 in 4747e73):

```cpp
// fopen() creates the file as 0666 & ~umask, so with the process's broad
// umask (022) the private key ends up 0644, i.e. world readable
FILE *pkey_file = fopen("private_key.pem", "wb");
if (!pkey_file) {
    LOG_ERROR("Error opening private key file");
    return 3;
}
// write private key file
PEM_write_PrivateKey(pkey_file, pkey, NULL, NULL, 0, NULL, NULL);
fclose(pkey_file);

// open Certificate file
FILE *x509_file = fopen("certificate.pem", "wb");
if (!x509_file) {
    LOG_ERROR("Error opening cert");
    return 4;
}
```
I'm not a strong C/C++ programmer .... especially for a codebase that targets *nix and micros but I think you can do something like this:

```cpp
#include <sys/stat.h> // umask() and mode_t

mode_t old_umask = umask(0077); // Should result in 0600 but double check!
// Do the key gen/write out here
umask(old_umask); // Back to 0644 that we had before
```
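As an added example (not the project's code, and not part of the original report), a hardened alternative to the umask trick: create the key file with open(2) and an explicit 0600 mode so the outcome does not depend on the process-wide umask, then verify the mode bits with stat(2). The function names fopen_private, is_owner_only and write_demo, the placeholder file name and the placeholder PEM text are all assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create the key file with an explicit 0600 mode instead of relying on umask:
 * umask is process-wide (other threads see it) and can only clear bits, and
 * O_EXCL refuses to reuse a pre-existing file such as an old 0644 copy. */
FILE *fopen_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, S_IRUSR | S_IWUSR);
    if (fd < 0) return NULL;
    FILE *f = fdopen(fd, "wb");
    if (!f) close(fd);
    return f;
}

/* Post-write check: a regular file with no group/other permission bits. */
int is_owner_only(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Write constructed placeholder PEM text (not a real key) under umask `um`,
 * either with the original fopen("wb") pattern or with fopen_private().
 * Returns 1 if the file ends up owner-only, 0 if it leaks, -1 on error. */
int write_demo(const char *path, mode_t um, int hardened)
{
    mode_t old = umask(um);
    unlink(path); /* start clean so O_EXCL does not trip over a leftover */
    FILE *f = hardened ? fopen_private(path) : fopen(path, "wb");
    umask(old);
    if (!f) return -1;
    fputs("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n", f);
    fclose(f);
    return is_owner_only(path);
}

int main(void)
{
    const char *p = "demo_private_key.pem"; /* placeholder file name */
    printf("umask 022 + fopen(\"wb\")  -> owner-only=%d\n", write_demo(p, 022, 0));
    printf("umask 022 + fopen_private -> owner-only=%d\n", write_demo(p, 022, 1));
    unlink(p);
    return 0;
}
```

With the 022 umask the plain fopen("wb") path reproduces the 0644 file from the report, while fopen_private yields 0600 under any umask; the same is_owner_only check can run after key generation as a regression guard.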
PoC
This is a super low priority security issue.
I debated whether or not it was even worth going through this channel vs just tacking on a "PS: key should be 600 or 640 not 644!" at the end of issue #5944 but I figured that it's probably better to call that out discreetly just in case.
There is no PoC as this appears to be a side-effect of how the webserver is written / that it runs with a umask that's pretty broad by default (likely needed for gpio?)
Impact
I will freely admit that this is a low severity thing; somebody looking to abuse this will:
- need to have presence elsewhere on your device/network (and if they do, you already have much bigger problems :) )
- either have presence on the meshtastic host or find some arbitrary file-read vuln that allows them to exfil the key material