Openwrt漏洞挖掘之不要用小米路由偷偷下小电影哦

1 提取固件内容

首先肯定是将固件中文件系统的内容提取出来，然后对其进行分析，也可以是分析其固件中应用程序是否存在漏洞，如Uhttpd等服务，也可以分析其web程序是否存在漏洞 如openwrt，由于本人对二进制并不熟悉，所以此次的内容就是针对openwrt luci的。

root@kali:~/miwifi# binwalk brcm4709_r2d_all_79e11_2.8.19.bin  DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 672 0x2A0LZMA compressed data,properties: 0x5D,dictionary size: 65536bytes,uncompressed size: 90046464bytes 30048716 0x1CA81CCTRX firmware header,little endian,image size: 3047424bytes,CRC32: 0xA85FDFF0,flags: 0x0,version: 1,header size: 28bytes,loader offset: 0x1C,linux kernel offset: 0x0,rootfs offset: 0x0 30048744 0x1CA81E8LZMA compressed data,properties: 0x5D,dictionary size: 65536bytes,uncompressed size: 5902752bytes 

root@kali:~/miwifi# cd _brcm4709_r2d_all_79e11_2.8.19.bin.extracted/ root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted# ls 1CA81E8 1CA81E8.7z 2A0 2A0.7z root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted# file 2A0 2A0:UBI image,version1 root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted# file 1CA81E8 1CA81E8:data root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted# 

与其他不同的是，miwifi使用的是UBI的文件系统，这个文件系统挂载起来比较麻烦，在尝试了无数次之后发现一个自动化就能挂载的脚本

https://github.com/jrspruitt/ubi_reader 安装方式:

$ sudo apt-getinstall liblzo2-dev $ sudo apt-getinstall python-lzo $ git clone https://github.com/jd-boyd/python-lzo.git $ cd python-lzo $ python setup.py install 

ubireader_extract_images2A0 

root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted# ubireader_extract_images 2A0 root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted# ls 1CA81E8 1CA81E8.7z 2A0 2A0.7z *ubifs-root* root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted# root@kali:~/miwifi/_brcm4709_r2d_all_79e11_2.8.19.bin.extracted/ubifs-root/2A0# ubireader_extract_files img-1883837156_vol-system.ubifs Extractingfiles to:ubifs-root 

2 Openwrt的简单介绍

/usr/lib/lua/ /usb/lib/lua/luci#这里存放的就是luci也就是openwrt web访问所需的内容。 

3 寻找漏洞

寻找漏洞的第一步自然是寻找一些高风险的漏洞，首先需要的就是查找出不需要登录就可以调用的模块，首先我们来看一个Contraller是怎么写的文件位置:/usb/lib/lua/luci/controller/diagnosis/index.lua

module("luci.controller.diagnosis.index", package.seeall) functionindex()  localroot=node()  if notroot.targetthen root.target= alias("diagnosis") root.index= true  end  localpage=node("diagnosis") page.target=firstchild() page.title=_("") page.order= 110 page.sysauth= "admin" page.mediaurlbase= "/xiaoqiang/diagnosis" page.sysauth_authenticator= "htmlauth" page.index= true entry({"diagnosis"}, template("diagnosis/home"),_("首页"), 1, 0x09)  entry({"diagnosis", "wanerr"},call("action_wanerr"),_(""), 2, 0x09) entry({"diagnosis", "errindex"},call("action_errindex"),_(""), 3, 0x09) end  functionaction_wanerr()  localresult= {} result["code"] = 0 result["data"] = {  ["a"] =_("对不起，小米路由器出现网络连接问题无法打开网页"),  ["b"] =_("1、请检查网线是否正确连接路由器WAN口上"),  ["c"] =_("2、请检查网线是否损坏"),  ["d"] =_("3、请检查路由器WAN口是否损坏"),  ["e"] =_("小米路由器技术支持")  } luci.http.write_json(result) end  functionaction_errindex()  localresult= {} result["code"] = 0 result["data"] = {  ["a"] =_("对不起，小米路由器出现网络连接问题无法打开网页"),  ["b"] =_("立即进行网络诊断"),  ["c"] =_("小米路由器技术支持")  } luci.http.write_json(result) end 

其中最为关键的一个内容便是

entry({"diagnosis", "wanerr"},call("action_wanerr"),_(""), 2, 0x09) 

这一段的意思就是，我通过访问

http://127.0.0.1/cgi-bin/luci/diagnosis/index/wanerr 

就可以调用action_wanerr 函数,然后0x09就是一个权限标志位，经过多次摸索发现0x9,0x01,0x0d的标志位是不需要登录就可以访问的。那我们就先查找出所有0x09,0x08,0x0d标志位的文件,如下

api/misystem.lua:33:entry({"api", "misystem", "topo_graph"},call("getTopoGraph"), (""), 114, 0x0d) api/xqsystem.lua:61:entry({"api", "xqsystem", "upgrade_status"},call("upgradeStatus"), (""), 148, 0x0d) api/xqsystem.lua:73:entry({"api", "xqsystem", "cancel"},call("cancelUpgrade"), (""), 160, 0x0d) api/xqsystem.lua:123:entry({"api", "xqsystem", "flash_permission"},call("flashPermission"), (""), 200, 0x0d) web/index.lua:74:entry({"web", "upgrading"}, template("web/syslock"),_("路由升级"), 101, 0x0d) web/index.lua:81:entry({"web", "topo"}, template("web/topograph"),_(""), 130, 0x0d) api/xqnetwork.lua:90:entry({"api", "xqnetwork", "wan_link"},call("getWanLinkStatus"), (""), 265, 0x09) api/xqnetwork.lua:104:entry({"api", "xqnetwork", "pppoe_catch"},call("pppoeCatch"), (""), 264, 0x09) api/misystem.lua:91:entry({"api", "misystem", "lsusb"},call("lsusb"), (""), 150, 0x09) api/misystem.lua:97:entry({"api", "misystem", "r_ip_conflict"},call("rIpConflict"), (""), 155, 0x09) api/misystem.lua:99:entry({"api", "misystem", "tb_info"},call("toolbarInfo"), (""), 156, 0x09) api/xqsystem.lua:13:entry({"api", "xqsystem", "init_info"},call("getInitInfo"), (""), 101, 0x09) api/xqsystem.lua:14:entry({"api", "xqsystem", "fac_info"},call("getFacInfo"), (""), 101, 0x09) api/xqsystem.lua:133:entry({"api", "xqsystem", "set_payment_info"},call("setPaymentInfo"), (""), 207, 0x09) api/xqsystem.lua:134:entry({"api", "xqsystem", "sign_order"},call("signOrder"), (""), 208, 0x09) diagnosis/index.lua:16:entry({"diagnosis"}, template("diagnosis/home"),_("首页"), 1, 0x09) diagnosis/index.lua:18:entry({"diagnosis", "wanerr"},call("action_wanerr"),_(""), 2, 0x09) diagnosis/index.lua:19:entry({"diagnosis", "errindex"},call("action_errindex"),_(""), 3, 0x09) dispatch/index.lua:17:entry({"dispatch"}, template("index"),_("跳转"), 1, 0x09) web/index.lua:26:entry({"web", "logout"},call("action_logout"), 11, 0x09) web/index.lua:41:entry({"web", "init", "hello"},call("action_hello"),_("欢迎界面"), 14, 0x09) --不需要登录 web/index.lua:42:entry({"web", "init", "agreement"}, template("web/init/agreement"),_("用户协议"), 14, 0x09) --不需要登录 web/index.lua:43:entry({"web", "init", "privacy"}, template("web/init/privacy"),_("用户体验改进计划"), 14, 0x09) --不需要登录 web/index.lua:76:entry({"web", "webinitrdr"},call("action_webinitrdr"),_(""), 110, 0x09) web/index.lua:79:entry({"web", "ieblock"}, template("web/ieblock"),_(""), 120, 0x09) api/xqpassport.lua:12:entry({"api", "xqpassport", "login"},call("passportLogin"), (""), 401, 0x01) api/xqpassport.lua:14:entry({"api", "xqpassport", "rigister"},call("routerRegister"), (""), 405, 0x01) api/xqpassport.lua:15:entry({"api", "xqpassport", "binded"},call("getBindInfo"), (""), 406, 0x01) api/xqnetdetect.lua:12: --entry({"api", "xqnetdetect", "wan_status"},call("getWanStatus"),_(""), 351, 0x01) api/xqnetdetect.lua:13:entry({"api", "xqnetdetect", "sys_info"},call("getSysInfo"), (""), 352, 0x01) api/xqnetdetect.lua:14:entry({"api", "xqnetdetect", "ping_test"},call("pingTest"), (""), 353, 0x01) api/xqnetdetect.lua:15:entry({"api", "xqnetdetect", "detect"},call("systemDiagnostics"), (""), 354, 0x01) api/xqnetdetect.lua:16:entry({"api", "xqnetdetect", "sys_status"},call("systemStatus"), (""), 355, 0x01) api/xqnetdetect.lua:19:entry({"api", "xqnetdetect", "nettb"},call("nettb"), (""), 359, 0x01) api/misns.lua:12:entry({"api", "misns", "prepare"},call("prepare"), (""), 201, 0x01) api/misns.lua:17:entry({"api", "misns", "sns_init"},call("snsInit"), (""), 206, 0x01) api/misns.lua:21:entry({"api", "misns", "authorization_status"},call("authorizationStatus"), (""), 210, 0x01) api/xqsystem.lua:17:entry({"api", "xqsystem", "system_info"},call("getSysInfo"), (""), 104, 0x01) api/xqsystem.lua:32:entry({"api", "xqsystem", "get_languages"},call("getLangList"), (""), 118, 0x01) api/xqsystem.lua:33:entry({"api", "xqsystem", "get_main_language"},call("getMainLang"), (""), 119, 0x01) api/xqsystem.lua:45:entry({"api", "xqsystem", "passport_bind_info"},call("getPassportBindInfo"), (""), 132, 0x01) api/xqsystem.lua:60:entry({"api", "xqsystem", "flash_status"},call("flashStatus"), (""), 147, 0x01) api/xqsystem.lua:86:entry({"api", "xqsystem", "device_mac"},call("getDeviceMacaddr"), (""), 173, 0x01) service/cachecenter.lua:11:entry({"service", "cachecenter", "report_key"},call("reportKey"),_(""), nil, 0x01) service/datacenter.lua:34:entry({"service", "datacenter", "media_delta"},call("mediaDelta"),_(""), nil, 0x01) service/datacenter.lua:35:entry({"service", "datacenter", "media_metadata"},call("mediaMetadata"),_(""), nil, 0x01) service/datacenter.lua:36:entry({"service", "datacenter", "share_miui_dir"},call("shareMiuiBackupDir"),_(""), nil, 0x01) service/datacenter.lua:37:entry({"service", "datacenter", "get_file_list"},call("getFileList"),_(""), nil, 0x01) service/datacenter.lua:38:entry({"service", "datacenter", "get_storage_info"},call("getStorageInfo"),_(""), nil, 0x01) service/datacenter.lua:39:entry({"service", "datacenter", "get_youku_status"},call("getYoukuStatus"),_(""), nil, 0x01) service/datacenter.lua:40:entry({"service", "datacenter", "bind_youku_appid"},call("bindYoukuAppid"),_(""), nil, 0x01)  

先选择几个重点的模块看一下，如：xqsystem，datacenter, misystem先选择第一个来查看一下：通过如下内容:

api/misystem.lua:33:entry({"api", "misystem", "topo_graph"},call("getTopoGraph"), (""), 114, 0x0d) 

得知，可以通过访问 http:///cgi-bin/luci/api/misystem/topo_graph 来调用getTopoGraph，可以去看一下getTopoGraph函数的内容，

functiongetTopoGraph()  local XQTopology = require("xiaoqiang.module.XQTopology")  localresult= {  ["code"] = 0  }  localsimplified=tonumber(LuciHttp.formvalue("simplified")) == 1 and true or false  localgraph=simplifiedand XQTopology.simpleTopoGraph() or XQTopology.topologicalGraph() result["graph"] =graph result["show"] =graph.leafsand 1 or 0  LuciHttp.write_json(result) end 

发现函数中也没有做任何验证，进行访问即可得到如下信息

其中比较严重的漏洞是下面这个，可以获取这个用户使用离线下载的文件列表，函数如下：

functiongetFileList()  localpayload= {} payload["api"] = 3 payload["path"] = LuciHttp.formvalue("path") payload["sharedOnly"] = true tunnelRequestDatacenter(payload) end 

看内容应该是获取path下目录，但是也做了校验，并不能跳出其设置的用户目录，但是比如我们获取了下面这位用户，看到他下了一些小电影，什么黑丝豹纹，都是什么意思哦

来自为知笔记(Wiz)

转载请注明：安全工具箱 » Openwrt漏洞挖掘之不要用小米路由偷偷下小电影哦