[OpenWrt-Devel] Dangerous RPATH in uhttpd, uci, rpcd, ubus

Etienne Champetier champetier.etienne at gmail.com
Sun Feb 8 16:01:40 EST 2015


Hi,

I was checking my "hardened" build of OpenWrt to see if any package
overrides any compile flags and found that some binaries/libraries have an
RPATH pointing to the buildroot path.
I'm building in /tmp on my computer, which is world-writable on the router,
so these "bad" RPATHs can be used for privilege escalation.
All problematic binaries/libraries are built with cmake.
I haven't tried to fix the build yet.

# cd ./staging_dir/target-mips_34kc_uClibc-0.9.33.2/root-ar71xx/

# readelf -a ./usr/sbin/uhttpd | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/tmp/openwrt-cc/staging_dir/toolchain-mips_34kc_gcc-4.9-linaro_uClibc-0.9.33.2/lib:]
# readelf -a ./sbin/uci | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/uci-2014-04-11.1:]
# readelf -a ./sbin/rpcd | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/tmp/openwrt-cc/staging_dir/toolchain-mips_34kc_gcc-4.9-linaro_uClibc-0.9.33.2/lib:]
# readelf -a ./usr/lib/lua/ubus.so | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/ubus-2015-01-22/lua/..:/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/ubus-2015-01-22:]
# readelf -a ./usr/lib/lua/uci.so | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/uci-2014-04-11.1/lua/..:/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/uci-2014-04-11.1:]


3 other binaries have a useless RPATH:
# readelf -a ./usr/bin/openssl | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/usr/lib]
# readelf -a ./usr/lib/libhistory.so | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/usr/lib]
# readelf -a ./usr/lib/libreadline.so.6.3 | grep RPATH
 0x0000000f (RPATH)                      Librairie rpath: [/usr/lib]


I've used checksec.sh
http://www.trapkit.de/tools/checksec.html
after reading
http://blog.oldcomputerjunk.net/2014/evaluating-the-security-of-openwrt-part-1/

cd ./staging_dir/target-mips_34kc_uClibc-0.9.33.2/root-ar71xx/
wget http://www.trapkit.de/tools/checksec.sh
find . -type f -exec file {} \; | grep -i elf | awk -F':' '{print $1}' |
xargs -n1 ./checksec.sh --file | grep -v 'CANARY' | grep -v 'No RPATH'


My "hardened" compile options are:
CONFIG_DEVEL=y
CONFIG_TOOLCHAINOPTS=y
CONFIG_GCC_USE_VERSION_4_8_LINARO=n
CONFIG_GCC_USE_VERSION_4_9_LINARO=y
CONFIG_PKG_CHECK_FORMAT_SECURITY=y
CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y
CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y
CONFIG_PKG_FORTIFY_SOURCE_2=y
CONFIG_PKG_RELRO_FULL=y

Regards
Etienne
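
The audit described in the message above, as an added example that is not part of the original post: it flags every RPATH or RUNPATH entry outside an assumed allowlist (`/lib`, `/usr/lib`) and matches on the tag name, so a localized `readelf` like the one quoted above still parses. The function names, the allowlist and the sample lines are constructed for illustration; empty, relative and `..` entries are flagged conservatively.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: only these
# directories are acceptable library search paths on the target.
TRUSTED_DIRS="/lib /usr/lib"
# Constructed `readelf -d` lines modelled on the output quoted above.
SAMPLE=' 0x0000000f (RPATH)    Librairie rpath: [/tmp/build/staging_dir/lib:]
 0x0000000f (RPATH)    Library rpath: [/usr/lib]
 0x0000001d (RUNPATH)  Library runpath: [$ORIGIN/../lib:/usr/lib/lua]
 0x00000001 (NEEDED)   Shared library: [libc.so.0]'

# Succeeds only for an absolute path at or below a trusted directory.
is_trusted() {
    case "$1" in ''|*/..|*/../*) return 1 ;; esac   # empty or parent hop
    for d in $TRUSTED_DIRS; do
        case "$1" in "$d"|"$d"/*) return 0 ;; esac
    done
    return 1
}

# untrusted_entries PATHLIST [LABEL]: print each untrusted entry, one per line.
untrusted_entries() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        is_trusted "$entry" || printf '%s%s\n' "${2:+$2 }" "${entry:-(empty)}"
    done
}

# Read `readelf -d` output on stdin; tag and brackets are locale-independent.
audit_readelf() {
    while IFS= read -r line; do
        case "$line" in
            *"(RPATH)"*"["*"]"*)   tag=RPATH ;;
            *"(RUNPATH)"*"["*"]"*) tag=RUNPATH ;;
            *) continue ;;
        esac
        value=${line#*\[}; value=${value%\]*}
        untrusted_entries "$value" "$tag"
    done
}

audit_rootfs() {   # walk a rootfs tree; non-ELF files yield no output
    find "$1" -type f | while IFS= read -r f; do
        out=$(readelf -d "$f" 2>/dev/null | audit_readelf)
        if [ -n "$out" ]; then printf '%s:\n%s\n' "$f" "$out"; fi
    done
}

if [ "$#" -gt 0 ]; then audit_rootfs "$1"; else printf '%s\n' "$SAMPLE" | audit_readelf; fi
```

Run with the root filesystem directory as the only argument to audit a build; with no argument it processes the embedded sample.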