Rpcd vulnerability reported on VulDB

Does anyone know about the below vulnerability reported on VulDB about rpcd?

Is there any action planned for fixes for this report?

The manipulation with an unknown input leads to a privilege escalation vulnerability (Code Execution). CWE is classifying the issue as CWE-269.

https://vuldb.com/?id.119691

OpenWrt mishandles access control in /etc/config/rpcd and the /usr/share/rpcd/acl.d files, which allows remote authenticated users to call arbitrary methods (i.e., achieve ubus access over HTTP) that were only supposed to be accessible to a specific user, as demonstrated by the file, log, and service namespaces, potentially leading to remote Information Disclosure or Code Execution.

Specifics in blog at
http://blog.hac425.top/2018/05/16/openwrt_rpcd_acl_fail.html

The reported issue is completely bogus. The name of the ACL group `"hac425": {` has nothing to do with the associated user. The `list read '*'` and `list write '*'` options in his `/etc/config/rpcd` configuration are what's granting the hac425 ACL to the account.

The reporter planted an "allow anything" ACL on his system, then configured his various logins to use the "allow anything" ACL which means that rpcd allows access to anything specified... which is by design.

I suppose the reporter meant to do something like this:

```
root@OpenWrt:~# cat /etc/config/rpcd
config login
    option username 'hac425'
    option password '$p$hac425'
    list read 'hac425'  # only allow read access to what's specified in `"hac425": { ... }`
    list write 'hac425'  # only allow write access to what's specified in `"hac425": { ... }`

config login
    option username 'test'
    option password '$p$test'
    list read '' # do not grant read access to all ACLs (`*`)
    list write '' # do not grant write access to all ACLs (`*`)
```
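To check a device for the misconfiguration described in the reply above, the following added example (not part of the thread and not OpenWrt project code) lists every `config login` section whose `list read` or `list write` contains the `*` wildcard. The function names and the embedded sample config are constructed for illustration; quoted values containing spaces are assumed not to occur.

```shell
#!/bin/sh
# Added example: list rpcd logins whose read/write list holds the '*' wildcard.
# Function names and the sample config are constructed for illustration.

# Reads /etc/config/rpcd-style UCI text on stdin.
# Prints "<username> <read|write>" for every wildcard grant.
audit_rpcd_wildcards() {
    awk -v q="'" '
    # Drop the quotes UCI puts around a value (values with spaces not handled).
    function strip(s) { gsub("[" q "\"]", "", s); return s }
    # Report the section just finished, then reset per-section state.
    function report() {
        if (in_login && r) print user, "read"
        if (in_login && w) print user, "write"
        r = 0; w = 0; user = "(unnamed)"
    }
    $1 == "config" { report(); in_login = (strip($2) == "login"); next }
    in_login && $1 == "option" && $2 == "username" { user = strip($3); next }
    in_login && $1 == "list" && strip($3) == "*" {
        if ($2 == "read")  r = 1
        if ($2 == "write") w = 1
    }
    END { report() }
    '
}

# Constructed sample: one scoped login, two logins with wildcard grants.
sample_rpcd_config() {
    cat <<'EOF'
config login
    option username 'hac425'
    option password '$p$hac425'
    list read 'hac425'
    list write 'hac425'

config login
    option username 'test'
    option password '$p$test'
    list read '*'   # every ACL group is readable by this login
    list write '*'

config login
    option username 'guest'
    option password '$p$guest'
    list read '*'
    list write ''
EOF
}

# Audit the file given as $1, or the constructed sample when no file is given.
if [ -n "${1:-}" ]; then audit_rpcd_wildcards < "$1"; else sample_rpcd_config | audit_rpcd_wildcards; fi
```

Run it with `/etc/config/rpcd` as the argument; any line of output names a login that is not restricted to specific ACL groups for that access type.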