[FS#3804] rpcd file Plugin ACLs can be bypassed when used via uhttpd JSON/RPC

Wed May 12 03:41:33 PDT 2021

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Steffen Pfendtner (spfendtner) 

Attached to Project - OpenWrt/LEDE Project
Summary - rpcd file Plugin ACLs can be bypassed when used via uhttpd JSON/RPC
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - Hi,

I've configured the rcpd file plugin together with the uhttpd ubus plugin to put the ubus on the network and to me there seems to be a security problem when used in this combination.
I think it is some quite exotic experiment by myself and I hope nobody had done this on a live field system on the internet.

Let me elaborate the situation little bit.

The uhttpd will first check the ACLs of the call. In this case whether the user is allowed to call the ubus file object and the read/write/... methods. Lets assume it is allowed.
Further down the call hierarchy the rpcd file plugin will then check its file ACLs if the given session contains the permissions to execute, read, write or list the specified file or directory path.

To accomplish this task the rpcd file plugin needs a session id and as the primary session id was not passed down by uhttpd together with the call it is now not there any more. That's why there is a secondary session id within the ubus file methods payload parameters. The content can be either the same sid or another one, that doesn't mater in this example.

Now if we call a file.exec() via JSON/RPC (uhttpd/ubus) we have to specify the SID two times.
The Problem: **If I leave out the inner secondary sid completely I get passed all file ACLs**! 
The function rpc_file_access() in rpcd will return true at file.c:180 if the sid is NULL!

There is no enforcement of the ubus file methods policy field "ubus_rpc_session". On none of the methods! Only the "path" parameter is enforced.

Either the "return true" should be removed or the methods should enforce a sid. Otherwise one can not use this rpcd file plugin securely as a authenticated users can bypass all file rpcd file ACLs easily by simply dropping the parameter field.

Regards,
Steffen

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=3804

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.