Added required password for update system

Giulio 2020-09-13 23:59:49 +02:00
parent 76728e78e4
commit c01cd28458
3 changed files with 29 additions and 17 deletions


@ -1,4 +1,5 @@
Defaults env_reset Defaults env_reset
Defaults env_keep = "clearpassword"
Defaults mail_badpass Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults logfile="/var/log/sudo.log" Defaults logfile="/var/log/sudo.log"
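Review bot: `Defaults env_keep = "clearpassword"` assigns with `=` rather than `+=`, so it replaces sudo's built-in keep list instead of appending to it, and as a global default it applies to every command run through sudo, not only the updater. If the variable has to cross sudo at all, scope it to the one command, e.g. `Defaults!/update.sh env_keep += "clearpassword"`. A secret carried in the environment also stays readable from the process environment of sudo and the script while they run, so passing it on stdin would expose less.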


@ -1,29 +1,39 @@
#!/bin/sh #!/bin/sh
/bin/echo "Usage: clearpassword=<password> sudo -E update.sh"
password=`/bin/cat /etc/txtpwd`
auth=`/bin/echo -n $clearpassword | /bin/sha512sum | /bin/cut -d' ' -f 1`
if [ "$auth" != "$password" ]; then
/bin/echo "Wrong password"
exit 1
fi
pubkey="/pub.pem" pubkey="/pub.pem"
file="/tmp/update.tgz.cc" file="/tmp/update.tgz.cc"
echo "### ccOS Update Script ###" /bin/echo "### ccOS Update Script ###"
echo "[+] Starting" /bin/echo "[+] Starting"
sleep 1 /usr/bin/sleep 1
echo "[+] Extracting Signature" /bin/echo "[+] Extracting Signature"
skip=$(expr $(stat -c '%s' $file) - 256) skip=$(expr $(stat -c '%s' $file) - 256)
if [[ -L $file ]] if [[ -L $file ]]
then then
exit 0 exit 0
fi fi
dd if=/tmp/update.tgz.cc of=sig bs=1 count=256 skip=$skip > /dev/null 2>&1 /usr/bin/dd if=/tmp/update.tgz.cc of=sig bs=1 count=256 skip=$skip > /dev/null 2>&1
truncate -s $skip update.tgz.cc /usr/bin/truncate -s $skip update.tgz.cc
check=`openssl dgst -sha256 -verify $pubkey -signature /tmp/sig /tmp/update.tgz.cc` check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature /tmp/sig /tmp/update.tgz.cc`
if [ "$check" == "Verified OK" ] if [ "$check" == "Verified OK" ]
then then
echo "[+] Signature is valid!" /bin/echo "[+] Signature is valid!"
echo "[+] Upgrading..." /bin/echo "[+] Upgrading..."
tar -xvzf /tmp/update.tgz.cc -C / /usr/bin/tar -xvzf /tmp/update.tgz.cc -C /
rm /tmp/update.tgz.cc /tmp/sig /bin/rm /tmp/update.tgz.cc /tmp/sig
echo "[+] Done" /bin/echo "[+] Done"
exit 0 exit 0
else else
echo "[-] Signature error, exiting..." /bin/echo "[-] Signature error, exiting..."
rm /tmp/update.tgz.cc /tmp/sig /bin/rm /tmp/update.tgz.cc /tmp/sig
exit 1 exit 1
fi fi
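Review bot: `$clearpassword` is expanded unquoted in the new `auth=` line, so a password containing whitespace or glob characters is split or expanded before hashing, and `/bin/echo -n` may treat a value such as `-e` as an option. Hash the exact bytes instead: `auth=$(printf '%s' "$clearpassword" | /bin/sha512sum | /bin/cut -d' ' -f 1)`. The usage line is printed on every run and would fit better inside the "Wrong password" branch. Separately, the re-prefixed `dd` and `truncate` lines still use the relative paths `of=sig` and `update.tgz.cc` while openssl verifies `/tmp/sig` and `/tmp/update.tgz.cc`, so the check only lines up when the caller's working directory is /tmp. Using `$file` and an absolute signature path inside a private `mktemp -d` directory would remove that dependency and keep the work files out of the shared /tmp.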


@ -4,9 +4,9 @@ require_once("includes/config.php");
require_once("includes/header.php"); require_once("includes/header.php");
require_once("includes/nav.php"); require_once("includes/nav.php");
if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000) { if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000 && isset($_POST['password']) && !empty($_POST['password'])) {
move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tgz.cc'); move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tgz.cc');
exec("/usr/bin/sudo /update.sh", $result); exec("clearpassword='.escapeshellarg($_POST['password']).' /usr/bin/sudo /update.sh", $result);
} }
?> ?>
@ -14,7 +14,8 @@ if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['
<h2>System Update</h2> <h2>System Update</h2>
<form id="update" enctype="multipart/form-data" method="post" action=""> <form id="update" enctype="multipart/form-data" method="post" action="">
<fieldset> <fieldset>
<input type="file" name="update"> <input type="file" name="update" required>
<input type="password" name="password" placeholder="Update password" required>
<input type="submit" class="btn btn-b btn-sm smooth" value="Upload"> <input type="submit" class="btn btn-b btn-sm smooth" value="Upload">
<p> <p>
<ul> <ul>
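Review bot: In the first hunk the new `exec()` argument is one double-quoted string, so `escapeshellarg(` is literal text and is never called; PHP also rejects the quoted key in `$_POST['password']` inside double quotes as a parse error. If that were patched by wrapping the variable in braces, the password would reach the shell unescaped. Build the command by concatenation instead: `exec('clearpassword=' . escapeshellarg($_POST['password']) . ' /usr/bin/sudo /update.sh', $result);`. On the same condition line, `POST` is a bare constant rather than the string `'POST'`, and the code reads `$_FILES['update']`, `$_FILES['upfile']` and `$_FILES['file']` while the form only submits `update`, so the size test and `move_uploaded_file()` do not refer to the uploaded file. The return value of `move_uploaded_file()` should also be checked before the updater is run.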