Security News > 2020 > March > Remote Code Execution Vulnerability Patched in OpenWrt
A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code.
"Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged.ipk packages with malicious payload," OpenWrt notes in an advisory.
"To test if opkg would indeed download packages from a custom network connection, I set up a local web server and created a file consisting of random bytes. When I ran opkg to install a package, it retrieved the file as I had intended, and then threw a segmentation fault," ForAllSecure security researcher Guido Vranken, who discovered the bug, explains.
Opkg, the researcher says, would attempt to unpack and install any package it downloads, as OpenWrt's SHA256 verification did not work as intended - otherwise, the package would be discarded and not processed.
The fixed opkg package carries version 2020-01-25, OpenWrt says.