OpenWRT Network Vulnerabilities: A Deep Dive

Hey guys, today we're diving deep into some pretty significant findings within the OpenWRT network layer. We've been doing a thorough code analysis, and let me tell you, we've uncovered several potential vulnerabilities that you'll want to pay close attention to. These aren't just minor glitches; some of these could have serious implications for your network's security. We'll break down each one, explaining the technical details and what it means for you. So grab your coffee, and let's get into it!

Critical Network Layer Exploits in OpenWRT

First up, let's talk about the vulnerabilities that have us raising the biggest red flags. These are the ones with the highest potential impact and the most straightforward attack vectors. Getting these patched should be a top priority for anyone running OpenWRT.

1. Buffer Overflow in mapcalc.c: An Integer Overflow Nightmare

We've found a critical buffer overflow vulnerability lurking in package/network/ipv6/map/src/mapcalc.c. This one is particularly nasty because it stems from an integer overflow when calculating byte lengths for bit-level copying operations. The functions bmemcpy and bmemcpys64 are the culprits here. Essentially, they perform bit-level copying but use bits / 8 to figure out how many bytes to copy. The problem? There's absolutely no validation to ensure the source buffer is large enough before these memcpy operations kick in. Imagine passing a ridiculously large bits value; this could cause the bytes calculation to wrap around due to an integer overflow. In bmemcpys64, the calculation tobyte - frombyte + 1 could also overflow if frombits + nbits is too large. The attack vector here involves crafting a malicious MAP configuration with specific ealen and prefix6len values. By controlling the bits parameter, an attacker could force a read or write operation that goes way beyond the intended buffer boundaries. If this corruption happens in a critical memory area, like the stack or heap, it could potentially lead to Remote Code Execution (RCE). We've assigned this a CVSS Score of 8.1, making it a High priority find. Seriously, guys, this is the kind of bug that keeps security researchers up at night.

2. Command Injection in 464xlatcfg.c: Writing to the Kernel's Control Interface

Next up, we've got a command injection vulnerability in package/network/ipv6/464xlat/src/464xlatcfg.c. This one occurs when the system writes user-controlled data directly to the kernel's NAT46 control interface, specifically /proc/net/nat46/control. The fprintf function is used to write data here, and alarm bells should be ringing because argv[1], argv[2], and argv[4] – which are essentially user inputs – are written without any sanitization. This opens the door for newline injection. Imagine an attacker providing an interface name like eth0\nmalicious_command\n. This could trick the kernel into executing arbitrary commands or injecting additional NAT46 control instructions. It's a direct path to command injection within the kernel interface itself. This vulnerability has a CVSS Score of 7.5, also classified as High. This is a serious breach of trust, allowing external input to directly influence kernel operations.

3. Unsafe String Operations in ead.c: The Dangers of strncpy

In package/network/services/ead/src/ead.c, we've identified several unsafe string operations, primarily involving strncpy. First, on line 207, strncpy is used to copy str into pw_saltbuf, but the code then manually null-terminates it with pw_saltbuf[s2 - str] = 0;. The problem is, if the length s2 - str is greater than or equal to MAXSALTLEN, this manual null termination will write outside the allocated buffer, causing a buffer overflow before the intended null termination even happens. Then, on line 218, a similar issue occurs when copying a password. strncpy((char )password, str, MAXPARAMLEN); is used. Again, there's no guarantee of null termination if the source string (str) is MAXPARAMLEN characters or longer. This lack of null termination can lead to information disclosure or even authentication bypasses if subsequent code reads past the intended buffer. Lastly, on line 186, while fgets is used with sizeof(lbuf) - 1, which seems okay, there's still a potential off-by-one error, and more critically, a risk of buffer over-read if a line in the file is longer than 1023 characters. The attack vector here involves malicious entries in files like /etc/passwd, where carefully crafted usernames or passwords could trigger these buffer overflows during password hash calculations. This could allow an attacker to bypass authentication entirely. We've rated this with a CVSS Score of 7.2, putting it in the High category.

4. Format String Vulnerability Risk in ubus.c

Over in package/network/services/hostapd/src/src/ap/ubus.c, we've spotted a potential format string vulnerability. This risk arises from multiple uses of sprintf and asprintf where the format string could potentially incorporate untrusted input. For instance, on line 272, sprintf(mac_buf, MACSTR, MAC2STR(sta->addr)); is used. While the MAC2STR macro is likely safe and should sanitize the MAC address, if the format string MACSTR were ever unexpectedly malformed or if the input sta->addr wasn't what was expected, it could lead to issues. A more direct concern is on line 112: if (asprintf(&event_type, "bss.%s", event) < 0). Here, the event parameter is directly used in the format string. If an attacker can control the event string and inject format specifiers like %n%x%s, they could potentially corrupt memory. This type of vulnerability is notoriously dangerous and can often lead to full system compromise, including RCE. We've given this a CVSS Score of 6.5, making it a Medium priority, but don't let that fool you – format string bugs are serious business.

High Priority Findings: Input Validation and More

Moving on, we have several high-priority findings that, while not quite reaching the critical level of the first four, still pose significant risks. These often involve missing input validation, which, as we've seen, can be a gateway to many other problems.

5. Missing Input Validation in resolveip.c: The DNS Rebinding Threat

In package/network/utils/resolveip/src/resolveip.c, specifically on line 80, we've identified a lack of input validation before calling getaddrinfo. The argv[optind] variable, which is supposed to be a hostname, isn't properly checked. This might not seem like a big deal, but it can lead to a classic DNS rebinding attack. Here's how it works: an attacker controls a DNS server. Initially, a hostname like yourbank.com resolves to a private IP address within your local network (e.g., 192.168.1.1). Your OpenWRT device resolves this, and your browser might think it's allowed to access it. However, the attacker can then change the DNS record so that the same hostname yourbank.com now resolves to an IP address controlled by the attacker on the internet. Your browser, still thinking it's talking to yourbank.com, now communicates with the attacker's server. While a timeout is set, it doesn't prevent all attack scenarios. This could be used for internal network enumeration or to bypass firewall rules through clever DNS resolution. We've assigned this a CVSS Score of 5.3, placing it in the Medium category.

6. Integer Overflow in mapcalc.c Bit Calculations: A Repeat Offender

Remember mapcalc.c? Well, it seems to have more than one trick up its sleeve. We've found another integer overflow issue, this time related to bit shift operations on lines 328-329 and 339. These operations lack proper overflow checking. Specifically, the calculation prefix6len + ealen - psidlen could overflow if the input parameters are maliciously crafted. Even worse, ealen - psidlen could underflow if psidlen is greater than ealen. This means the resulting value could become negative or wrap around unexpectedly. In the vulnerable code snippet bmemcpys64(&psid16, &pd, prefix6len + ealen - psidlen, psidlen);, these faulty calculations directly feed into buffer manipulation functions. The attack vector involves crafting a MAP rule where psidlen is larger than ealen, causing an underflow, or where prefix6len + ealen is so large it overflows. This could lead to buffer underflows or overflows during bit manipulation, potentially corrupting critical data. This has a CVSS Score of 6.1, also Medium priority.

7. Race Condition in Socket Operations: The TOCTOU Trap

In package/network/services/unetmsg/files/usr/share/ucode/unetmsg/unetmsgd-remote.uc, we've identified a potential race condition in how socket file descriptors (FDs) are handled during connection establishment. The issue lies in the asynchronous callbacks and the lack of proper locking mechanisms. This creates a classic Time-of-Check to Time-of-Use (TOCTOU) vulnerability. Imagine this: a socket FD is created and checked. Before the system can properly bind the channel to it, another process or even a signal handler could potentially close or reuse that same FD. This could happen rapidly with frequent socket creation and destruction. Signal handling during network I/O can also corrupt the state. The attack vector here involves triggering these race conditions to cause FD reuse, leading to state corruption. This could result in a Denial of Service (DoS) or, in some scenarios, potentially even code execution if the corrupted state can be exploited. We've rated this with a CVSS Score of 5.5, which is Medium priority.

8. Missing ARP/ND Validation: The Man-in-the-Middle Risk

Over in package/network/base-files/files/lib/functions/network.sh, we've found a weakness in how network interface information is handled. The functions rely on ubus call network.interface dump to get network configuration, but there's no validation of the returned data. Crucially, ARP (Address Resolution Protocol) and NDP (Neighbor Discovery Protocol for IPv6) table entries aren't verified for authenticity. This means that if an attacker can poison the ARP cache with spoofed replies, the network_get_gateway() function (and others relying on this information) might return incorrect or malicious gateway information. This opens the door for Man-in-the-Middle (MitM) attacks, where an attacker can redirect traffic intended for legitimate destinations through their own machine. This vulnerability has a CVSS Score of 6.8, classifying it as Medium. Ensuring the integrity of ARP/ND information is fundamental for network security.

Medium Priority Findings: Configuration and Processing

Finally, let's look at some medium-priority issues. These might be less immediately exploitable or have a narrower impact, but they still represent areas where OpenWRT could be strengthened.

9. Firewall Rule Validation Weakness: Bypassing Restrictions

In package/network/config/firewall/files/firewall.init, we've identified a weakness in firewall rule validation. While the system uses uci_validate_section for validation, it allows CIDR ranges without sufficient checks. More importantly, there's no validation to ensure that user-defined firewall rules don't conflict with critical system rules or create unintended loopholes. Although port ranges are validated, there's no mechanism to detect overlapping or conflicting rules that could be exploited. The attack vector involves crafting firewall rules that might bypass intended restrictions or manipulate rule precedence to gain unauthorized access. This could allow an attacker to effectively bypass the firewall by exploiting rule conflicts. We've assigned this a CVSS Score of 4.3, which is considered Low priority, but it's still an area ripe for improvement in rule logic.

10. DNS Cache Management: The Threat of Poisoning

Focusing on package/network/services/dnsmasq/, we've noted potential issues with DNS cache management. If the transaction ID used in DNS requests is predictable, an attacker might be able to poison the DNS cache. This means an attacker could trick your OpenWRT device into caching a malicious IP address for a legitimate domain name. We didn't find obvious source port randomization in the analyzed patch files, which is a key defense against cache poisoning. Furthermore, the DNS rebinding protection might be incomplete. The attack vectors here include classic DNS cache poisoning attacks, DNS rebinding to bypass same-origin policies in web browsers, and potentially internal network enumeration by resolving internal hostnames to attacker-controlled IPs. This has a CVSS Score of 5.0, making it Medium priority.

11. Switch Configuration Injection: Manipulating Network Traffic

In package/network/config/swconfig/src/cli.c, specifically around line 358 with the swlib_set_attr_string function, we've found a potential for switch configuration injection. Switch attribute values are passed directly to the netlink interface without proper sanitization. This is particularly concerning because interface names taken from the UCI configuration aren't validated. If the switch driver happens to interpret these values in a special way, it could lead to command injection. The attack vector involves providing malicious switch configurations via UCI. This could lead to VLAN or port manipulation attacks, or even switch forwarding table poisoning, allowing an attacker to control how network traffic is handled by the switch hardware. This vulnerability has a CVSS Score of 4.7, also Medium priority.

12. IPv6 Extension Header Processing: Resource Exhaustion Risks

Finally, looking at IPv6 processing within the kernel and netifd, we've identified potential issues with how IPv6 extension headers are handled. These headers are processed without sufficient validation. Specifically, the fragment reassembly process could potentially exhaust system memory if crafted malicious fragments are sent. Additionally, hop-by-hop options are not rate-limited, which could also be exploited for resource exhaustion attacks. The attack vectors include Denial of Service (DoS) attacks leveraging IPv6 extension headers, buffer exhaustion through malicious fragment reassembly, and general resource exhaustion. This has a CVSS Score of 5.2, considered Medium priority. With the increasing adoption of IPv6, securing its processing is vital.

Recommendations: What to Do Now?

Okay, so we've identified a bunch of potential issues. What's the game plan? Here are our recommendations, broken down into immediate actions, code review priorities, and testing requirements:

Immediate Actions

These are the fixes we believe are most critical and should be addressed as soon as possible:

1. Bounds Checking: Implement robust bounds checking for all memcpy, strncpy, and bit manipulation functions. This is fundamental to preventing buffer overflows.
2. Input Validation: Aggressively validate all user-supplied input before writing it to kernel interfaces, configuration files, or passing it to network functions.
3. ARP/ND Integrity: Implement rate limiting and proper validation for ARP and NDP messages to prevent cache poisoning and MitM attacks.
4. Sanitization: Add input sanitization for all network interface names, IP addresses, and other critical network parameters.
5. Integer Overflow Fixes: Address the integer overflow issues identified in bit calculation functions, particularly in mapcalc.c.

Code Review Priorities

When you're digging into the codebase, focus your review efforts on these areas first:

1. Packet Parsing: All functions involved in parsing network packets (Step 1 in the original analysis) are high-risk areas.
2. Configuration Parsing: Pay close attention to how network configuration files are parsed (Step 11).
3. Socket & I/O Handling: Review code related to socket operations and general I/O handling, especially where race conditions might occur (Step 6).
4. DNS/DHCP Processing: Code responsible for DNS and DHCP handling needs thorough scrutiny (Step 7, Step 8).

Testing Requirements

To confirm these findings and ensure fixes are effective, we need comprehensive testing:

1. Fuzzing: Fuzz all packet parsing code with a wide variety of malformed and unexpected inputs.
2. Spoofing Resistance: Test the system's resistance to ARP and NDP spoofing attacks.
3. Firewall Bypass: Actively try to bypass firewall rules using crafted configurations and rule conflicts.
4. Resource Exhaustion: Test the system's resilience against resource exhaustion attacks, especially involving IPv6 extension headers and fragment reassembly.
5. DNS Protection: Validate the effectiveness of DNS rebinding protection mechanisms.

It's important to remember that this analysis was primarily based on static code review. Dynamic testing and fuzzing are crucial next steps to confirm the exploitability of these vulnerabilities and verify the efficacy of any proposed fixes. Stay safe out there, guys!