**** BEGIN LOGGING AT Fri Sep 11 02:59:57 2020
Sep 11 06:36:56 jow: does any LuCI part list init.d files using an uhttpd request?
Sep 11 06:37:14 /cgi-bin/luci/admin/system/startup seems to call luci getInitList
Sep 11 08:29:52 rmilecki: can you please rephrase the question?
Sep 11 08:30:52 jow: uhttpd supports "method": "list" AFAIR
Sep 11 08:30:56 JSON RPC
Sep 11 08:31:03 does LuCI use that anywhere?
Sep 11 08:31:33 wait
Sep 11 08:31:41 nevermind.... brain fart
Sep 11 08:32:02 what a silly question, ignore that, I totally mixed up two different things
Sep 11 08:32:07 don't even bother explaining ;)
Sep 11 08:32:27 okay. But yes, no ubus rpc list calls are used to enumerate init scripts
Sep 11 08:32:42 just method calls returning a list
Sep 11 08:32:46 right
Sep 11 09:18:41 jow: I was hoping to rewrite LuCI to the new uhttpd API but that's just too complex for me
Sep 11 09:21:03 jow: "request" property or Class or object (I hate JS) Request has too much magic in it
Sep 11 09:21:52 I guess requestQueue would have to be dropped due to no support for batch requests with the new API
Sep 11 09:22:01 still a lot of magic there
Sep 11 09:58:52 Hello, I have a problem with ubus, I don't know if it's a bug, is there someone here that knows about ubus?
Sep 11 09:59:23 try and describe the problem
Sep 11 09:59:58 I know a little bit about ubus
Sep 11 10:00:32 When I have many objects in the bus it enters an infinite loop throwing EAGAIN every time. It happens in the recv_retry function in libubus.c
Sep 11 10:00:59 how many is many?
Sep 11 10:02:49 To put you in context I'm using owsd to replicate the objects of some slave devices into a master's bus. So it varies. But right now I can have around 180
Sep 11 10:02:58 I'm gonna count them
Sep 11 10:04:56 around 204
Sep 11 10:06:07 is this happening in the client or the server process?
Sep 11 10:06:29 client
Sep 11 10:06:39 It's when doing
Sep 11 10:06:40 ubus list
Sep 11 10:10:04 let me whip up a test in qemu
Sep 11 10:10:37 Okay thanks
Sep 11 10:17:06 hm, cannot reproduce it with a simple test
Sep 11 10:17:41 anything unusual about your setup? Like objects frequently appearing and disappearing?
Sep 11 10:18:00 Any chance that objects are deregistered while the list call iterates?
Sep 11 10:19:21 Nope, I don't think so because everything works fine when there are fewer objects. In fact if I disconnect one of the slaves, no matter which one, everything works fine
Sep 11 10:20:54 I'm thinking more about a timeout or something like that
Sep 11 10:20:57 maybe a buffer
Sep 11 10:21:13 but I can't find anything
Sep 11 10:22:04 if I follow the code correctly, an infinite loop condition can only occur
Sep 11 10:22:24 if a message header was received successfully, but then no payload data anymore
Sep 11 10:22:40 how large are the function signatures of your objects?
Sep 11 10:22:49 e.g. ubus -v list someobj
Sep 11 10:30:43 the object 6W0919250023/network.interface.radio0sta
Sep 11 10:31:02 is the largest
Sep 11 10:31:27 and it's shown correctly
Sep 11 11:04:31 any idea if/how it is possible to exclude specific sections of luci from sysauth?
Sep 11 11:05:07 I try to reproduce this > https://github.com/iv-wrt/iv-wrt/blob/master/documentation.txt
Sep 11 11:05:46 but just adding "page.sysauth = false" to the corresponding page results in an rpc error instead of disabling auth.
Sep 11 11:06:35 > "RPC call to uci/get failed with error -32002: Access denied"
Sep 11 13:16:59 hbug__: recent LuCI functions somewhat differently
Sep 11 13:17:22 since a lot of actions happen on the client side, a proper session token is required to e.g. query the uci api
Sep 11 13:17:42 so besides disabling sysauth for a view, you'd also need to place ACLs that allow unauthenticated access to uci
Sep 11 13:18:07 (I assume this is for academic purposes, doing so would introduce a security risk)
Sep 11 13:29:41 jow: why does LuCI provide its own ubus gateway?
Sep 11 13:30:06 it doesn't use /ubus
Sep 11 13:30:14 but L.url('admin/ubus')
Sep 11 14:05:59 jow: thanks for the info. could you point me where to look for that. all documentation I found seems outdated or not very complete :|
Sep 11 14:09:18 yes it's for academic purposes and I try to introduce this as an intentional vuln. but only the diagnostic page should be affected and I plan to remove the sanitization of the address/ip in the ping field to allow command injection.
Sep 11 14:21:22 to be clear I'm working on openwrt-19.07, so the openwrt-19.07 branch of the luci git is the right one?
Sep 11 14:21:55 it seems a lot of things changed from 19.07.
Sep 11 14:24:50 I probably have to edit '/usr/share/rpcd/acl.d/luci-base.json' and somehow move the 'ping' part from luci-access to unauthenticated?
Sep 11 14:25:37 I'm not completely sure how the json is interpreted
Sep 11 14:52:12 rmilecki: LuCI falls back to its own gateway if /ubus is not accessible
Sep 11 14:52:24 rmilecki: it tries once at the beginning of the session and caches the result
Sep 11 14:52:51 rmilecki: this was meant for backwards compat so that we do not need to introduce a new dependency on uhttpd-mod-ubus
Sep 11 14:53:14 rmilecki: for 20.x we can consider to hard-depend on uhttpd-mod-ubus and drop the fallback code
Sep 11 14:53:27 rmilecki: however, that would also mean dropping support for other webservers
Sep 11 14:54:03 hbug__: you would need to add an ACL that allows executing arbitrary commands
Sep 11 14:56:55 hbug__: basically modify /usr/share/rpcd/acl.d/luci-mod-network.json and add something like: "/bin/sh": [ "exec" ] or "*": [ "exec" ]
Sep 11 14:57:51 then modify /www/luci-static/resources/view/network/diagnostics.js and change the logic to invoke your injected command instead of whatever is hardcoded there (ping, ping6)
Sep 11 14:58:23 or find an actual vulnerability in ping or ping6 :>
Sep 11 14:58:50 hm... I see. so there is no easy shell escape by just removing sanitizer code, as execve is directly called with "/bin/ping".
Sep 11 14:58:56 yes
Sep 11 15:01:30 thanks. what's the difference between the 'read' and 'write' sections in the json? both include 'exec' parts.
Sep 11 15:02:56 what is the reason I'm not seeing the diagnostics page at all? I get the rpc error even before I try to execute ping or something.
Sep 11 15:12:43 so some rpc calls seem to be made to load the page content? how to debug that properly :?
Sep 11 15:12:51 jow: thanks for the info, somehow LuCI falls back to its own gateway for me even though /ubus/ works
Sep 11 15:13:01 I'll see if I can debug that
Sep 11 15:45:10 hbug__: the difference between read and write is conceptual, the write scope contains actions that have side effects
Sep 11 15:45:29 the read scope contains actions without side effects
Sep 11 15:46:01 this has no effect on permission enforcement but it provides grouping of acl rules to eventually be able to set up things like readonly user accounts
Sep 11 15:46:21 which can be achieved by only applying acls from the read, and not the write scopes
Sep 11 15:47:00 as for view rendering: yes, a bunch of rpc calls are executed. check your browser debug console / network tab for failing requests
Sep 11 15:47:21 rmilecki: the state is cached in the sessionStorage. close/reopen the browser tab or try a new incognito window
Sep 11 15:47:56 I tried incognito
Sep 11 15:48:02 but it still may be me doing sth stupid ;)
Sep 11 15:48:07 ah I see, so conceptually the "/bin/sh" should be in write.
Sep 11 15:48:08 I'll double check before bothering you
Sep 11 15:48:17 will have a look at the console :)
Sep 11 15:48:45 didn't think about that, being bad at web stuff actually.
Sep 11 16:26:55 hm.. there are multiple errors and one uncaught. this is the uncaught one > https://paste.debian.net/1163445/
Sep 11 16:29:43 does this mean it tries to access some uci value? " call to uci/get failed"
Sep 11 16:33:06 hi, I just try to move Build/relocate-kernel to image-commands.mk
Sep 11 16:33:20 can anybody tell me what "print pack("V", @s[7])" does?
Sep 11 16:33:42 because the first argument is sometimes "V" and sometimes "N"
Sep 11 16:34:03 ah I think I found it. it tries to access some uci values. namely 'uci','diag',*
Sep 11 16:43:17 can I somehow restrict rpc uci access to read only for specific values?
Sep 11 16:45:20 in the other sections there is an example with uci ["*"] wildcard. I assume that's for everything. can I somehow restrict that?
Sep 11 16:52:34 I added uci ["*"] to the read section and also to the ubus section, but it still fails the same way. do I have to reload the acl somehow?
Sep 11 17:02:05 a restart resolved the problem. any way to reload manually?
Sep 11 17:27:07 and thanks for the help already jow. figuring this out on my own would have taken ages.
Sep 11 19:06:58 adrianschmutzler: it converts array value 8 into a little endian unsigned 32bit integer
Sep 11 19:07:24 adrianschmutzler: N would result in a big endian unsigned 32bit integer
Sep 11 19:09:16 adrianschmutzler: so it's somewhat equivalent to int n = ...something...; uint32_t v = htobe(n); fwrite(&v, 1, sizeof(f), stdout);
Sep 11 19:09:28 *sizeof(v)
Sep 11 19:09:46 and **htobe32(n) :P
Sep 11 19:15:19 jow: do you have a first usage of utpl planned?
Sep 11 19:16:08 aparcar[m]: yes, I plan to reimplement firewall3 in it and if the functionality is sufficient, will turn it into firewall4 that emits nftables instead of iptables
Sep 11 19:16:32 so users will be able to fully edit the rule templates while retaining uci config compatibility
Sep 11 19:16:51 very cool
Sep 11 19:16:52 thanks
Sep 11 19:22:47 nftables hype
Sep 11 19:23:16 jow: ah, thanks.
Sep 11 19:27:48 are there cases where a target has different package archs per subtarget?
Sep 11 19:28:48 yes, x86
Sep 11 19:28:54 malta
Sep 11 19:29:22 adm5120 (but this is gone since a while iirc)
Sep 11 19:29:25 aparcar[m]: multiple targets with arm + aarch64
Sep 11 19:30:31 oh yeah obviously x86 thanks
Sep 11 19:33:46 jow: with the risk of provoking a veto on my membership vote; could we add more JSON files covering available versions and targets?
Sep 11 19:37:01 neither blogic nor jow voted, that feels a bit incomplete
Sep 11 19:39:56 am0rphis: :l:
Sep 11 19:39:58 sorry
Sep 11 19:40:00 aparcar[m]: lol.
Sep 11 19:40:34 Borromini: what's up?
Sep 11 19:40:59 nothing, your JSON/vote observation was funny is all :D
Sep 11 19:41:21 well I caused enough trouble with my initial proposal didn't I?
Sep 11 19:41:29 quite the stir.
Sep 11 19:44:05 :)
Sep 11 20:03:16 adrianschmutzler: your spelling of NAKed as "naked" confused me at first :P
Sep 11 20:03:55 lol
Sep 11 20:04:02 context for others https://github.com/openwrt/openwrt/pull/3396#discussion_r487260092
Sep 11 20:05:37 svanheule[m]: that's why I changed it ...
Sep 11 20:05:51 "NAK'ed"
Sep 11 20:43:53 adrianschmutzler: ping?
Sep 11 20:57:41 jow: really appreciate your help earlier. managed to make the diagnostics page unauthenticated and arbitrary command execution in the ping field possible. harder than I thought it would be. the design with direct execve calls instead of sanitizing the input domain seems really robust.
Sep 11 20:57:57 it's even hard to make it wrong/bad this way :D
Sep 11 21:00:11 hbug__: great to hear that you made it work
Sep 11 21:00:43 yeah, this design defers the security requirements to the invoked programs
Sep 11 21:01:12 if e.g. ping6 would have a buffer overflow parsing its arguments it would be a possible vector
Sep 11 21:01:23 way harder than adding "; other command" though
Sep 11 21:06:57 that's fair. but that vector is also there with the old design. so one less. and none of the functions is normally available without being authenticated. so at the moment it's probably overkill. but probably very necessary when it's planned to make some features available without authentication.
Sep 11 21:08:34 would it be possible to restrict execution to "/bin/ping -c 3" and then also sanitize the argument that's provided as domain/ip ?
Sep 11 21:10:19 ah found the answer. some commands are restricted this way.
Sep 11 21:19:34 what does the wildcard "*" and the "^" actually mean in the acl config btw?
Sep 11 21:20:45 because restricting the access to "/bin/sh -c ping -c 3 *" works as expected with 'openwrt.org' as next parameter. but using "/bin/sh -c ping -c 3 openwrt.org *" doesn't ?
Sep 11 21:23:27 nevermind it was the single space character at the end "[..].org *" , which messed it up.
Sep 11 21:31:04 aparcar[m]: as always at this time: be quick
Sep 11 21:32:37 adrianschmutzler: I'd like to follow up on the versions.json file at some point. But if you're about to leave let's talk some other day
Sep 11 21:34:33 yes, please. I had some unexpected personal stuff to take care of last/this week and didn't even have time yet to look into the CI stuff.
Sep 11 21:44:23 take your time, it's just a hobby :)
Sep 11 21:46:59 can I run ath79 images via qemu?
Sep 11 22:36:36 hbug__: see this commit message for explanation: https://git.openwrt.org/?p=project/rpcd.git;a=commit;h=aaa08366e6384d9933a405d1218b03c1b167f9e5
Sep 11 22:37:21 hbug__: once I find the time I will extend this to support posix regexp instead of fnmatch() globs, such patterns will start with a ^ then to denote a regex instead of a glob pattern
Sep 12 02:20:16 mangix: ping
**** ENDING LOGGING AT Sat Sep 12 02:59:57 2020