Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#2739 - Arbitrary File Creation #7543

Open
openwrt-bot opened this issue Jan 15, 2020 · 0 comments
Open

FS#2739 - Arbitrary File Creation #7543

openwrt-bot opened this issue Jan 15, 2020 · 0 comments
Labels

Comments

@openwrt-bot
Copy link

delikely:

There is no restriction on the path of the system log file(logread),which lead to overwritten important file,such as /etc/passwd. if /etc/passwd was overwritened,it will cause a denial of service. when a router was infected, The only way to fix is flash firmware.

In the background, function [[https://github.com/openwrt/openwrt/blob/fd28ef59db92da245debf207892fad8e1a0d9e45/package/system/ubox/files/log.init#L44|External Linkstart_service_file ]]will deal the system logging request and use logread` to save log in specified file.

PROG=/sbin/logread

start_service_file()                                                              
{                                                                                 
        PIDCOUNT="$(( ${PIDCOUNT} + 1))"                                          
        local pid_file="/var/run/logread.${PIDCOUNT}.pid"                         
                                                                                  
        [ "$2" = 0 ] || {                                                         
                echo "validation failed"                                          
                return 1                                                          
        }                                                                         
        [ -z "${log_file}" ] && return                                            
                                                                                  
        mkdir -p "$(dirname "${log_file}")"                                       
                                                                                  
        procd_open_instance                                                       
        procd_set_param command "$PROG" -f -F "$log_file" -p "$pid_file"          
        [ -n "${log_size}" ] && procd_append_param command -S "$log_size"         
        procd_close_instance                                                      
}   
**POC**
  1. set the path of sustem log and buffer size

In System -> logging page,System log buffer sizeset to 1KiB ,Write system log to file set to /etc/passwd. At the end , clicking "Save & Apply" button.
{{https://github.com/delikely/Arbitrary-File-Creation-in-OpenWrt/raw/master/images/set%20logging%20parameter.png}}

  1. reboot or wait a moment

In order to produce some log to overwriten /etc/passwd , it need to reboot OpenWrt (the fasest way ) or wait a monent.

  1. result

Denial of service: the LuCi web page display "Dad Gateway". the same time , the internet was offline.
{{http://github.com/delikely/Arbitrary-File-Creation-in-OpenWrt/blob/master/images/result%20DOS.png}}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant