CTF导航 CTF导航

Openwrt进程间通信-Ubus

渗透技巧 2年前 (2022) admin
859 0 0
01
 介 绍 
Ubus是Openwrt中的进程间通信机制,它让进程间通信的实现变得非常简单。ubus实现的基础就是UNIX Socket,即本地Socket,相对于传统的网络通信Socket变得更加的高效、可靠。

 

1.1   模型架构

UNIX Socket采用C/S模型架构,分为服务端和客户端:
1. server端建立socket,绑定到一个本地socket文件,负责监听客户端的连接
2. client端建立一个或多个socket连接到服务端
3. client端和server端互相发送消息
4. client端和server端收到对方消息后,对收到消息进行对应处理
Ubus同样遵循上述流程,Ubusd实现server端,其它进程(procdnetifdubus)实现client端,client之间通信需要通过服务端进行相应转发。
 
02
 交 互 方 式 

2.1   Ubus Cli

命令行Ubus工具与Ubusd交互(与所有当前注册),对于使用参数调用过程返回响应,使用较为友好的JSON格式。
查看当前运行服务(如图1-1 当前运行服务)
$ ubus
Openwrt进程间通信-Ubus
1-1 当前运行服务
查找特定服务参数及方法(如图1-2 查找特定服务)
$ ubus -v list system
Openwrt进程间通信-Ubus
1-2 查找特定服务
查看特定服务特定参数(如图1-3 查看特定参数)
$ ubus call network.interface.lan status
Openwrt进程间通信-Ubus
1-3 查看服务特定参数
服务参数传递(1-4 服务参数传递)
$ ubus call network.interface.lan status ‘{“name”:”eth0”}’
Openwrt进程间通信-Ubus
1-4 服务参数传递
 

2.2   HTTP访问

Openwrt uhttpd内置了一个uhttpd-mod-ubus插件运行http协议调用ubus功能,uhttpd中访问/ubus,首先会判断访问者是否有权限。OpenwrtACl的实现主要通过rpcd,需要在/usr/share/rpcd/acl中配置acl文件。
 
以下是ACL定义示例,该示例仅允许访问某些特定的ubus模块,而不是无限制访问所有内容
luci-mod-system.json

{

        “luci-mod-system-config”: {

                “description”: “Grant access to system configuration”,

                “read”: {

                        “ubus”: {

                                “luci”: [ “getInitList”, “getLEDs”, “getTimezones”, “getUSBDevices” ],

                                “system”: [ “info” ]

                        },

                        “uci”: [ “luci”, “system” ]

                },

                “write”: {

                        “ubus”: {

                                “luci”: [ “setInitAction”, “setLocaltime”, “setPassword” ]

                        },

                        “uci”: [ “luci”, “system” ]

                }

        },

        “luci-mod-system-ssh”: {

                “description”: “Grant access to SSH configuration”,

                “read”: {

                        “file”: {

                                “/etc/dropbear/authorized_keys”: [ “read” ]

                        },

                        “ubus”: {

                                “file”: [ “read” ]

                        },

                        “uci”: [ “dropbear” ]

                },

                “write”: {

                        “file”: {

                                “/etc/dropbear/authorized_keys”: [ “write” ]

                        },

                        “ubus”: {

                                “file”: [ “write” ],

                                “luci”: [ “setInitAction”, “setLocaltime” ]

                        },

                        “uci”: [ “dropbear” ]

                }

        },

………….

        “luci-mod-system-reboot”: {

                “description”: “Allow rebooting the device”,

                “write”: {

                        “file”: {

                                “/sbin/reboot”: [ “exec” ]

                        },

                        “ubus”: {

                                “file”: [ “exec” ],

                                “system”: [ “reboot” ]

                        }

                }

        }

}
注意:
rpcd处理接口请求同时也需要预验证,配置登录文件为/etc/config/rpcd

config rpcd

        option socket /var/run/ubus/ubus.sock

        option timeout 30

config login

        option username ‘root’

        option password ‘$p$root’

        list read ‘*’

        list write ‘
登录请求(获取rpc_session)

$ curl -d ‘{“jsonrpc”: “2.0”, “id”: 1, “method”: “call”, “params”: [ “00000000000000000000000000000000”, “session”, “login”, {“username”: “root”, “password”: “secret”  }]}’  http://your.server.ip/ubus

{

“jsonrpc”:”2.0″,

“id”:1,”result”:

[0,

{

“ubus_rpc_session”:”c1ed6c7b025d0caca723a816fa61b668″,

“timeout”:300,

“expires”:299,

“acls”:

{

“access-group”:

{

“superuser”:[“read”,”write”],

“unauthenticated”:[“read”]

},

“ubus”:

{

“*”:[“*”],

“session”:[“access”,”login”]},

“uci”:{“*”:[“read”,”write”]}

},

“data”:{“username”:”root”}}]}

03
 会 话 管 理 

获取ubus_rpc_session就可以调用函数(2-1 获取rpc session)
Openwrt进程间通信-Ubus
2-1 获取rpc session
请求头包格式
{ “jsonrpc”: “2.0”,
  “id”: <unique-id-to-identify-request>, 
  “method”: “call”,
  “params”: [
             <ubus_rpc_session>, 
              <ubus_object>,//system
             <ubus_method>, //board
             { <ubus_arguments> }
            ]
}
数据包响应错误码
enum ubus_msg_status {
    UBUS_STATUS_OK,/* 0 */
    UBUS_STATUS_INVALID_COMMAND,/* 1 */
    UBUS_STATUS_INVALID_ARGUMENT,/* 2 */
    UBUS_STATUS_METHOD_NOT_FOUND,/* 3 */
    UBUS_STATUS_NOT_FOUND,/* 4 */
    UBUS_STATUS_NO_DATA,/* 5 */
    UBUS_STATUS_PERMISSION_DENIED,/* 6 */
    UBUS_STATUS_TIMEOUT,/* 7 */
    UBUS_STATUS_NOT_SUPPORTED,/* 8 */
    UBUS_STATUS_UNKNOWN_ERROR,/* 9 */
    UBUS_STATUS_CONNECTION_FAILED,/* 10 */
    __UBUS_STATUS_LAST
};
{“jsonrpc”:“2.0”,”id“:1,”result“:[6]}`
That is a valid jsonrpc response, 6 is the ubus code for UBUS_STATUS_PERMISSION_DENIED
04
 挖 掘 潜 在 漏 洞 
请求方式
File

  1. 1.     read

  2. 2.     list

  3. 3.     write

UCI

  1. 1.     set

  2. 2.     get

  3. 3.     show

  4. 4.1   文件目录泄露

Openwrt进程间通信-Ubus

4.2   任意文件读取

Openwrt进程间通信-Ubus
设置权限的原因导致任意文件读取失败。
05
 参 考 

https://openwrt.org/zh/docs/techref/ubus

原文始发于微信公众号(山石网科安全技术研究院):Openwrt进程间通信-Ubus

版权声明:admin 发表于 2022年7月21日 上午11:04。
转载请注明:Openwrt进程间通信-Ubus | CTF导航

相关文章

JDBC MySQL任意文件读取分析
admin
444
Exploring SCCM by Unobfuscating Network Access Accounts
admin
37
攻防技术创新探究
admin
529
对 Confluence CVE-2023-22515 的一点分析
admin
677
针对漏洞研究者与红队人员的定向水坑攻击
admin
321
红队技巧 | 持久化攻击(绕过AMSI)
admin
1,117

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64
0
Open-Source Intelligence Summit 2024议题慢递
0
NTLM Relaying – Making the Old New Again
0
每日安全动态推送(24/11/4)
0
wuzhicms<=4.1.0后台RCE(0day)
0
每周蓝军技术推送(2024.10.26-11.1)
0
Apache Solr漏洞CVE-2024-45216分析
0
某小型cms漏洞复现审计
0
Distributed RPC Framework RemoteModule has Deserialization RCE in pytorch/pytorch(CVE-2024-48063)
0
JWT(JSON Web Token) 攻击面小结
0