Hi, I was checking my "hardened" build of OpenWrt to see if any package overrides any compile flags and found that some binaries/libraries have an RPATH pointing to the buildroot path. I'm building in /tmp on my computer, which is world writable on the router, so these "bad" RPATHs can be used for privilege escalation. All problematic bins/libs are built with cmake. I haven't tried to fix the build yet.

# cd ./staging_dir/target-mips_34kc_uClibc-0.9.33.2/root-ar71xx/
# readelf -a ./usr/sbin/uhttpd | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/tmp/openwrt-cc/staging_dir/toolchain-mips_34kc_gcc-4.9-linaro_uClibc-0.9.33.2/lib:]
# readelf -a ./sbin/uci | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/uci-2014-04-11.1:]
# readelf -a ./sbin/rpcd | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/tmp/openwrt-cc/staging_dir/toolchain-mips_34kc_gcc-4.9-linaro_uClibc-0.9.33.2/lib:]
# readelf -a ./usr/lib/lua/ubus.so | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/ubus-2015-01-22/lua/..:/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/ubus-2015-01-22:]
# readelf -a ./usr/lib/lua/uci.so | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/uci-2014-04-11.1/lua/..:/tmp/openwrt-cc/build_dir/target-mips_34kc_uClibc-0.9.33.2/uci-2014-04-11.1:]

3 other binaries have a useless rpath

# readelf -a ./usr/bin/openssl | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/usr/lib]
# readelf -a ./usr/lib/libhistory.so | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/usr/lib]
# readelf -a ./usr/lib/libreadline.so.6.3 | grep RPATH
 0x0000000f (RPATH) Librairie rpath: [/usr/lib]

I've used checksec.sh
http://www.trapkit.de/tools/checksec.html
after reading
http://blog.oldcomputerjunk.net/2014/evaluating-the-security-of-openwrt-part-1/

cd ./staging_dir/target-mips_34kc_uClibc-0.9.33.2/root-ar71xx/
wget http://www.trapkit.de/tools/checksec.sh
find . -type f -exec file {} \; | grep -i elf | awk -F':' '{print $1}' | xargs -n1 ./checksec.sh --file | grepNARY' | grep -v 'No RPATH'

My "hardened" compile options are

CONFIG_DEVEL=y
CONFIG_TOOLCHAINOPTS=y
CONFIG_GCC_USE_VERSION_4_8_LINARO=n
CONFIG_GCC_USE_VERSION_4_9_LINARO=y
CONFIG_PKG_CHECK_FORMAT_SECURITY=y
CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y
CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y
CONFIG_PKG_FORTIFY_SOURCE_2=y
CONFIG_PKG_RELRO_FULL=y

Regards
Etienne
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
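
Added example, not part of the original message or of OpenWrt's build system: a POSIX shell audit that repeats the RPATH check above over a whole staged root filesystem and flags every RPATH/RUNPATH entry that is not a trusted target directory, including the empty entry left by a trailing ':'. The function names and the TRUSTED_DIRS list are assumptions made for illustration; readelf from binutils is assumed to be on the build host.

```shell
#!/bin/sh
# Added example: audit a staged root filesystem for RPATH/RUNPATH entries.
# TRUSTED_DIRS is an assumption: directories that exist on the target and are
# writable only by root. Adjust it for the image being checked.
TRUSTED_DIRS="/lib /usr/lib"

# extract_rpaths: read `readelf -d` output on stdin, print each search path string.
# It matches the tag name, so it also works on localized output
# ("Librairie rpath:" in the session above).
extract_rpaths() {
    grep -E '\((RPATH|RUNPATH)\)' | sed 's/.*\[\(.*\)\].*/\1/'
}

# rpath_verdict "<path string>": print one verdict line per entry and
# return 1 if any entry is outside TRUSTED_DIRS.
rpath_verdict() {
    rc=0
    rest="$1:"   # sentinel ':' so a trailing empty entry ("[/tmp/...:]") is kept
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        verdict=UNSAFE
        for d in $TRUSTED_DIRS; do
            if [ "$entry" = "$d" ]; then verdict=ok; fi
        done
        printf '%s\t[%s]\n' "$verdict" "$entry"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# scan_root <dir>: print "file<TAB>UNSAFE<TAB>[entry]" for every offending entry.
scan_root() {
    find "$1" -type f | while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null | extract_rpaths | while IFS= read -r rp; do
            rpath_verdict "$rp" | while IFS= read -r line; do
                case "$line" in UNSAFE*) printf '%s\t%s\n' "$f" "$line" ;; esac
            done
        done
    done
}

# Run as a script with the staged root as the only argument.
if [ "$#" -gt 0 ]; then scan_root "$1"; fi
```

Any output line from scan_root names a binary whose loader search path includes a directory outside the trusted list, so an image build can be failed when the output is non-empty.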
