Open prankster009 opened 3 days ago
Sure, you can take the firmware's luci folder path after unpacking as LuaTaint's input. For example, the test command is as follows:

```shell
python LuaTaint xxx/__openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci
```
The results are as follows:

```text
4 vulnerabilities found (plus 7 sanitised):
Vulnerability 1:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > User input at line 41, source "Framework function URL parameter":
    table
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
     > Line 49: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > reaches line 49, sink "process.exec(":
    ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
This vulnerability is unknown due to: Label: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
Vulnerability 2:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > User input at line 41, source "Framework function URL parameter":
    family
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
     > Line 42: prefix = family == '6' and 'ip6' or 'ip'
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
     > Line 49: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > reaches line 49, sink "process.exec(":
    ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
This vulnerability is unknown due to: Label: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
Vulnerability 3:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > User input at line 43, source "luci.http.formvalue":
    ~call_2 = ret_luci.http.formvalue('package')
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 43: pkg = ~call_2
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 56: cmd.#cmd + 1 = pkg
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 60: ~call_5 = ret_sys.process.exec(cmd, true, true)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > reaches line 60, sink "process.exec(":
    ~call_5 = ret_sys.process.exec(cmd, true, true)
This vulnerability is unknown due to: Label: ~call_5 = ret_sys.process.exec(cmd, true, true)
Vulnerability 4:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > User input at line 40, source "Framework function URL parameter":
    command
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 53: cmd.#cmd + 1 = command
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 60: ~call_5 = ret_sys.process.exec(cmd, true, true)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > reaches line 60, sink "process.exec(":
    ~call_5 = ret_sys.process.exec(cmd, true, true)
This vulnerability is unknown due to: Label: ~call_5 = ret_sys.process.exec(cmd, true, true)
```
I have updated a simple firmware for testing. Thanks.
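As an added example (my own code, not LuaTaint's and not posted by anyone in this thread), the script below parses a LuaTaint text report of the shape quoted above into structured findings and orders them for triage. It assumes, from the sink statements visible in the reports themselves, that a `process.exec(` sink receives an argv table (no shell is interpreted, so only argument injection is possible) while `os.execute(` receives a single shell command string; the sample report embedded in the script is a constructed copy of two findings from this thread with the paths shortened, and the extra sink names `io.popen`, `sys.call` and `sys.exec` are my assumptions, not names that appear in any report here.

```python
# Added example: parse a LuaTaint report and rank findings for triage.
import re
from dataclasses import dataclass, field

# Constructed sample, same shape as the reports quoted in the thread (paths shortened).
SAMPLE_REPORT = """\
2 vulnerabilities found (plus 7 sanitised):
Vulnerability 1:
File: squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > User input at line 41, source "Framework function URL parameter":
    table
Reassigned in:
    File: squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
     > Line 49: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
File: squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > reaches line 49, sink "process.exec(":
    ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
This vulnerability is unknown due to: Label: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
Vulnerability 2:
File: manufactured-vulnerability/CI/CI_1.lua
 > User input at line 5, source "luci.http.formvalue":
    ~call_2 = ret_luci.http.formvalue('test')
Reassigned in:
    File: manufactured-vulnerability/CI/CI_1.lua
     > Line 5: input2 = ~call_2
    File: manufactured-vulnerability/CI/CI_1.lua
     > Line 6: ~call_3 = ret_os.execute('ls -l '..input2)
File: manufactured-vulnerability/CI/CI_1.lua
 > reaches line 6, sink "os.execute(":
    ~call_3 = ret_os.execute('ls -l '..input2)
This vulnerability is unknown due to: Label: ~call_3 = ret_os.execute('ls -l '..input2)
"""

# Sinks that take one shell command string. os.execute is the one seen in the thread;
# io.popen / sys.call / sys.exec are assumed names added for the heuristic.
SHELL_STRING_SINKS = ("os.execute(", "io.popen(", "sys.call(", "sys.exec(")
# Sink that takes an argv table (both process.exec findings in the thread pass a table).
ARGV_SINKS = ("process.exec(",)


@dataclass
class Finding:
    index: int
    file: str = ""
    source_line: int = 0
    source_kind: str = ""
    source_expr: str = ""
    steps: list = field(default_factory=list)  # (line, statement) reassignment chain
    sink_line: int = 0
    sink_name: str = ""
    sink_stmt: str = ""
    status: str = ""


def report_summary(text):
    """Return (vulnerabilities found, sanitised count) from the report header."""
    m = re.search(r"(\d+) vulnerabilit(?:y|ies) found(?: \(plus (\d+) sanitised\))?", text)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else (0, 0)


def parse_report(text):
    """Turn the report into Finding objects, one per 'Vulnerability N:' block."""
    findings, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if m := re.match(r"Vulnerability (\d+):", ln):
            cur = Finding(index=int(m.group(1)))
            findings.append(cur)
        elif cur is not None:
            if ln.startswith("File:") and not cur.file:
                cur.file = ln[len("File:"):].strip()
            elif m := re.match(r'> User input at line (\d+), source "([^"]+)":', ln):
                cur.source_line, cur.source_kind = int(m.group(1)), m.group(2)
                i += 1  # the tainted expression is on the following line
                cur.source_expr = lines[i]
            elif m := re.match(r"> Line (\d+): (.*)", ln):
                cur.steps.append((int(m.group(1)), m.group(2)))
            elif m := re.match(r'> reaches line (\d+), sink "([^"]+)":', ln):
                cur.sink_line, cur.sink_name = int(m.group(1)), m.group(2)
                i += 1  # the sink statement is on the following line
                cur.sink_stmt = lines[i]
            elif m := re.match(r"This vulnerability is (\w+) due to", ln):
                cur.status = m.group(1)
        i += 1
    return findings


LABELS = {
    3: "shell string built by concatenation: command injection",
    2: "shell-string sink: inspect how the command string is built",
    1: "argv table, no shell: check the tainted argument against an allowlist",
    0: "unrecognised sink: review manually",
}


def severity(f):
    """Heuristic rank: '..' in a shell-string sink means user data is concatenated in."""
    if f.sink_name.startswith(ARGV_SINKS):
        return 1
    if f.sink_name.startswith(SHELL_STRING_SINKS):
        return 3 if ".." in f.sink_stmt else 2
    return 0


def triage(findings):
    """Highest severity first; ties keep report order."""
    return sorted(findings, key=lambda f: (-severity(f), f.index))


if __name__ == "__main__":
    found, sanitised = report_summary(SAMPLE_REPORT)
    print(f"{found} findings reported, {sanitised} sanitised")
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"#{f.index} sev={severity(f)} {f.file}:{f.source_line}->{f.sink_line}"
              f" [{f.source_kind} -> {f.sink_name}] {LABELS[severity(f)]}")
```

Every finding in the reports above carries the status `unknown`, so the ranking is only a starting point for a manual pass: for the `process.exec` findings the question is which values `table`, `family`, `command` and `pkg` can actually take before they become an argv entry, while the `os.execute('ls -l '..input2)` finding concatenates request data straight into a shell command and needs no further argument.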
Thanks a lot for your help.
And I have another question.
I found a lot of vulnerability examples in the manufactured-vulnerability directory. I used LuaTaint to test manufactured-vulnerability/CI/CI_1.lua, but it had no findings.
So I added some code as below:
```lua
-- Example 1: Direct Parameter Injection into os.execute
function vulnerableRoute1(queryParams)
    -- taint enters through a function parameter
    local user_input = queryParams.cmd
    os.execute("ls -l " .. user_input)
    -- taint enters through luci.http.formvalue
    local input2 = luci.http.formvalue("test")
    os.execute("ls -l " .. input2)
end
```
I get the following output:

```text
ubuntu2204:~$ python LuaTaint ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
1 vulnerability found:
Vulnerability 1:
File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
 > User input at line 5, source "luci.http.formvalue":
    ~call_2 = ret_luci.http.formvalue('test')
Reassigned in:
    File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
     > Line 5: input2 = ~call_2
    File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
     > Line 6: ~call_3 = ret_os.execute('ls -l '..input2)
File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
 > reaches line 6, sink "os.execute(":
    ~call_3 = ret_os.execute('ls -l '..input2)
This vulnerability is unknown due to: Label: ~call_3 = ret_os.execute('ls -l '..input2)
```
As the output shows, LuaTaint finds the vulnerability from `luci.http.formvalue` to `os.execute`, but does not find the vulnerability from the function parameter to `os.execute`.
I read the code and found that LuaTaint taints all the function parameter nodes and taints the CFG nodes according to all_trigger_words.pyt, as follows. So LuaTaint should have recognized the vulnerability from the function parameter to `os.execute`, but it did not.
```python
assignment_nodes = filter_cfg_nodes(cfg, AssignmentNode)
tainted_nodes = filter_cfg_nodes(cfg, TaintedNode)  # tainted in function get_func_cfg_with_tainted_args
tainted_trigger_nodes = [
    TriggerNode(
        Source('Framework function URL parameter'),
        cfg_node=node
    ) for node in tainted_nodes
]
sources_in_file = find_triggers(assignment_nodes, sources, nosec_lines)  # nodes tainted according to all_trigger_words.pyt
sources_in_file.extend(tainted_trigger_nodes)
```
Can you explain it to me? Thanks a lot.
I use the following commands to run LuaTaint, but get no more information. Can you give some usage examples?