Opened 2 months ago

Closed 8 weeks ago

Last modified 8 weeks ago

#5776 closed (invalid)

nas daemon leaks WPA secrets on R7000

Reported by: jpap00 Owned by:
Keywords: Cc:

Description

On R7000 there is a closed-source nas daemon that leaks the WPA passwords associated with each wireless interface, by having them exposed on its command line:

nas -P /tmp/nas.wl1lan.pid -H 34954 -l br0 -i eth2 -A -m 128 -k [WPASECRET] -s home2N -w 2 -g 3600 
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1 -A -m 128 -k [WPASECRET] -s home2 -w 2 -g 3600 

This is undesirable because all processes have read access to the /proc tree and a vulnerability in a network daemon may result in the command line of the nas daemon being exposed, via /proc/$PID/cmdline, where the attacker can guess $PID until it is found. The daemon does not have to be running as root, nor does it require shell access or equivalent. The vulnerability only requires that any process on the system be able to read a world-readable file on the filesystem.

If the attacker is in close proximity to the wireless network, they could then associate and have full unrestricted access to the private LAN.

It is desirable to hide the command-line arguments from all processes, by:

  • Modifying the nas binary to accept arguments via stdin, or a configuration file. Unfortunately the nas binary is closed source, so this can only be done by BrainSlayer.
  • Interposing the nas binary so that arguments can be passed via stdin without the need to modify the binary itself.

Attached is a patch that takes the second approach, utilizing a new shared object /usr/lib/interpose.so that leverages the loader to insert itself into the nas binary before it executes, to retrieve the command line arguments via a stdin pipe, passing these to the regular nas main() function as it starts up. Modifications are accordingly made to the /lib/services.so library so that the above code-path is taken when launching the nas executable.

The resulting command line arguments appear to other processes as follows:

nas <redacted>
nas <redacted>

Attachments (1)

0001-Hide-WPA-key-from-the-nas-process-command-line.patch (10.4 KB) - added by jpap00 2 months ago.
Patch to hide command-line arguments of the nas daemon that otherwise leaks WPA secret keys.


Change History (6)

comment:1 Changed 2 months ago by jpap00

The patch applies cleanly to r31500, corresponding to the latest Kong build for R7000.

comment:2 Changed 2 months ago by Kong

  • Resolution set to invalid
  • Status changed from new to closed

If an attacker has access to the output of ps, then he can manipulate the config, run commands etc. He does not even have to be near the router anymore and use the wireless password. Thus completely useless code.

comment:3 Changed 2 months ago by jpap00

  • Resolution invalid deleted
  • Status changed from closed to reopened

Given the discussion on the dd-wrt forums, it appears that Kong has closed this ticket without fully understanding the security implications here.

This issue is still valid, as processes that do not have root privilege can gain access to the WPA secret. These non-root processes should not have access to any secrets on the system.

Changed 2 months ago by jpap00

Patch to hide command-line arguments of the nas daemon that otherwise leaks WPA secret keys.

comment:4 Changed 8 weeks ago by BrainSlayer

  • Resolution set to invalid
  • Status changed from reopened to closed

If the attacker has access to ps, he has access to nvram too and is able to read the password in any way. But there are easier ways than your patch to handle that issue. I have the source code for the nas utility, so I can read the data from nvram instead of the command line. But I like the idea of your patch.

comment:5 Changed 8 weeks ago by BrainSlayer

In addition, this patch will not work with the musl libc library, as it seems. The symbols are different.
