from SecurityFocus Vulnerabilities http://ift.tt/1UKXfyo
Sometimes trying silly things produces interesting results. I thought
this was a silly thing to try, but I tried it and got a result that is
troubling. This is on a device with a heavily modified setup and kernel,
but the kernel is still ultimately based off of OpenWRT's kernel patches.
$ id -a
uid=1000(user) gid=100(users) groups=100(users),0(root)
$ ifconfig eth0 1.2.3.4
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
$ ls -l `which swconfig`
-rwxr-xr-x 1 root root 10048 Nov 20 2015 /sbin/swconfig
$ swconfig dev eth0 set reset
$ swconfig dev eth0 set enable_vlan 0
$ swconfig dev eth0 set apply
$
OpenWRT is targeted at embedded devices that generally aren't too likely
to have many users (or any non-admin users), but `swconfig` still
shouldn't be able to change a switch chip's settings without
CAP_NET_ADMIN permission. Notably this means unprivileged portions of
daemons will retain the ability to play with switch chip settings, so
this is more likely to be an issue for multi-function devices.
Examination of the code suggests all switch chips using OpenWRT's
`swconfig` infrastructure are vulnerable to this issue. Systems with
switch chips which do not utilize this infrastructure are not affected by
this vulnerability.
Assuming I've got my brains together and press the right key, I've
attached a patch (also assuming it didn't get broken by newer code) which
fixed the issue. After adding the patch and building a new kernel:
$ swconfig dev eth0 set reset
failed
$ swconfig dev eth0 set enable_vlan 0
failed
$ swconfig dev eth0 set apply
failed
$
"Permission denied" would be better (hinting you're at the wrong prompt),
but the security issue is fixed. Meanwhile, at a root shell:
# swconfig dev eth0 set reset
# swconfig dev eth0 set enable_vlan 0
# swconfig dev eth0 set apply
#
So it looks like the patch works.
Good news is the damage potential of this bug is pretty mild. The
ability to execute code on the device is needed before one can take
advantage of this. One can have a switch chip merge all VLANs together,
completely disabling all firewall functionality. Some or all VLANs could
be disconnected from one or more ports causing a DoS on selected ports.
Unfortunately, my efforts to contact people behind various router
distributions have met with only modest success. Imre Kaloz of OpenWRT
seemed interested in security issues, but others at OpenWRT apparently
aren't and messages to the contact address went unanswered. Robert Call
of LibreCMC was the only fully successful contact. No one from any other
Linux router distribution responded; this is rather disappointing and a
Bad Sign(tm) for security of Linux routers.
The initial attempt at contacting OpenWRT was on December 14th, 2015. I
still do not see any attempt at a fix in OpenWRT's repository.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\BS ( | EHeM+sigmsg (at) m5p (dot) com PGP 87145445 | ) /
\_CS\ | _____ -O #include O- _____ | / _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
Check for capability CAP_NET_ADMIN before allowing changing switch device configuration
Signed-off-by: Elliott Mitchell
--- a/target/linux/generic/files/drivers/net/phy/swconfig.c
+++ b/target/linux/generic/files/drivers/net/phy/swconfig.c
@@ -635,6 +635,10 @@ swconfig_set_attr(struct sk_buff *skb, struct genl_info *info)
struct switch_val val;
int err = -EINVAL;
+ /* check for appropriate permission before allowing setting changes */
+ if(!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
dev = swconfig_get_dev(info);
if (!dev)
return -EINVAL;
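Review bot: an open-coded capable(CAP_NET_ADMIN) at the top of swconfig_set_attr() tests the capabilities of whichever process is making the call at that moment; for a generic netlink handler the usual idiom is to set GENL_ADMIN_PERM in the operation's struct genl_ops flags, so the genetlink core rejects unprivileged senders with -EPERM before the handler runs and bases the decision on the sending socket's capabilities rather than on whoever currently holds the descriptor. If the open-coded check is kept, `if(!capable(CAP_NET_ADMIN))` should read `if (!capable(CAP_NET_ADMIN))` per kernel coding style, and it is worth confirming that every state-changing path reachable from userspace goes through this one function (the transcript above shows reset, enable_vlan and apply now fail, which is consistent with that, but the hunk itself only shows set_attr).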
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2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=pBR9
-----END PGP MESSAGE-----
[ reply ]
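The patched kernel decides with capable(CAP_NET_ADMIN), i.e. on the caller's effective capability set. As an added check that is not part of the advisory or of OpenWRT, the following script decodes the CapEff/CapPrm/CapBnd masks from /proc/<pid>/status (constructed samples for the unprivileged and root shells above are embedded) so a defender can confirm which service processes on a device would, and would not, pass that check; CAP_NET_ADMIN = 12 comes from <linux/capability.h>.

```python
"""Decode a process's capability masks and test for CAP_NET_ADMIN.

The kernel's capable(CAP_NET_ADMIN) consults the *effective* set (CapEff),
so that is the field that decides whether swconfig setting changes succeed
once the patch is applied. Constants are from <linux/capability.h>.
"""
import re

CAP_NET_ADMIN = 12  # bit index of CAP_NET_ADMIN in the capability bitmask

# Constructed sample: the unprivileged 'user' shell (uid 1000) from the advisory.
SAMPLE_UNPRIV = """\
Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
"""

# Constructed sample: a root shell holding the full capability set.
SAMPLE_ROOT = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

def cap_masks(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into integer masks."""
    masks = {}
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    for m in re.finditer(pattern, status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    if "CapEff" not in masks:
        raise ValueError("no CapEff line in status text")
    return masks

def has_cap(mask, cap):
    """True if capability number `cap` is set in the bitmask `mask`."""
    return bool((mask >> cap) & 1)

def net_admin_report(status_text):
    """Map each capability set name to whether it contains CAP_NET_ADMIN."""
    return {name: has_cap(mask, CAP_NET_ADMIN)
            for name, mask in cap_masks(status_text).items()}

def current_process_can_configure_switch():
    """True if this process would pass the patched kernel's capable(CAP_NET_ADMIN)."""
    with open("/proc/self/status") as f:
        return net_admin_report(f.read())["CapEff"]
```

Run it against /proc/<pid>/status of each long-running daemon on the device to see which of them keep CAP_NET_ADMIN in CapEff; a bounding set (CapBnd) that still contains it, as in the unprivileged sample, does not by itself grant the check.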