OpenMPTCProuter Insecure Temporary File Vulnerability in RUTX Image Build Process Allowing Arbitrary Command Execution

Vulnerability

A vulnerability exists in OpenMPTCProuter versions through 0.64, specifically within the RUTX image build process. The issue arises from the 'create_xor_ipad_opad' function in 'sysupgrade.c', where temporary files are created in an insecure manner. This flaw can lead to command injection by allowing attackers to manipulate the temporary file's contents or location. Consequently, an attacker could execute arbitrary commands during the image verification process, but this vulnerability does not affect the runtime firmware.

Impact

Exploitation of this vulnerability could result in arbitrary command execution on the machine building the RUTX firmware image.

Reproduction

To reproduce this vulnerability, build a custom OpenMPTCProuter RUTX image using a version prior to 0.64 that includes the vulnerable 'sysupgrade-helper' package. The insecure temporary file handling in the 'create_xor_ipad_opad' function will allow for command injection by manipulating the temporary file before it is opened, leading to arbitrary command execution during the image verification routine.
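The class of flaw described above, a temporary file created at a predictable path without exclusive creation and later reopened by name, next to the hardened form a build helper should use, as an added C example. This is a constructed illustration and not code from OpenMPTCProuter or its sysupgrade.c; the function names, the scratch-file name and the sample bytes are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed illustration of the weak pattern the advisory describes in
 * general terms (NOT the code from OpenMPTCProuter's sysupgrade.c): a
 * predictable name in a shared directory, opened with O_CREAT but without
 * O_EXCL, so whatever already sits at that path is reused and truncated
 * instead of a fresh private file being created. */
int open_scratch_insecure(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/sysupgrade-verify.tmp", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Defensive check usable on any open descriptor: a single-link regular file
 * that we own and that no other user can read or write. */
int fd_is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_uid == geteuid()
        && st.st_nlink == 1
        && (st.st_mode & 077) == 0;
}

/* Hardened replacement: mkstemp() picks an unpredictable name and opens it
 * with O_CREAT|O_EXCL|O_RDWR, mode 0600, in one step, so a pre-existing file
 * at the path can never be returned. The descriptor is then validated with
 * fstat(), and all later access goes through the descriptor rather than the
 * path, which removes the create-then-reopen window. Returns the fd or -1. */
int create_private_scratch(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/sysupgrade-verify-XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (!fd_is_private_regular_file(fd)) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Round-trip constructed bytes through a private scratch file using only the
 * descriptor. Returns the number of bytes read back, or -1. */
ssize_t scratch_roundtrip(const char *dir, const void *data, size_t len,
                          void *out, size_t cap)
{
    char path[4096];
    int fd = create_private_scratch(dir, path, sizeof path);
    if (fd < 0)
        return -1;
    ssize_t got = -1;
    if (write(fd, data, len) == (ssize_t)len && lseek(fd, 0, SEEK_SET) == 0)
        got = read(fd, out, cap);
    close(fd);
    unlink(path); /* the name is needed only to remove the file afterwards */
    return got;
}

/* Self-check on constructed input: 1 when the hardened path behaves as
 * expected, 0 otherwise. */
int demo_private_scratch(void)
{
    const char *dir = getenv("TMPDIR");
    if (!dir)
        dir = "/tmp";
    const char msg[] = "constructed ipad/opad scratch bytes";
    char back[64] = {0};
    ssize_t got = scratch_roundtrip(dir, msg, sizeof msg, back, sizeof back);
    return got == (ssize_t)sizeof msg && memcmp(back, msg, sizeof msg) == 0;
}

int main(void)
{
    int ok = demo_private_scratch();
    printf("hardened scratch file OK: %d\n", ok);
    return ok ? 0 : 1;
}
```

The point of the hardened form is not only `mkstemp()`: the helper must keep using the descriptor it got back. If code writes a key-derivation scratch file and then hands its path to a shell or reopens it by name, the exclusive creation bought nothing, because the path can be swapped between those two steps. Checking the descriptor with `fstat()` and unlinking by name only at the end keeps the verification step independent of anything else in the build directory.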

Remediation

Users should update to a version of OpenMPTCProuter that includes the commit '09393d1c41a227bea7d5b85c0a06221b1302b25f', which removes the vulnerable package from the repository.

Added: Dec 9, 2025, 10:12 PM
Updated: Dec 9, 2025, 10:12 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 8.4
remediation: 8.3
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.