
Dsm 7.0 - package Root bypass

Open BeatSkip opened this issue 4 years ago • 10 comments

In getting my RTL8156 driver working on DSM 7.0, I discovered that you can pretty easily bypass the new 'privilege security feature' by just rewriting the privilege file in your postinst script. I verified that after rewriting the privilege file with literally 1 line of code, the entire package actually runs as root.

Tried posting on the Synology beta forum but to no avail, so it might be good/handy to point out here as a useful tip for porting your package temporarily, and ultimately to get it fixed in the final version of DSM 7.0. Full details are available here: https://github.com/bb-qq/r8152/issues/88

BeatSkip avatar Jan 26 '21 11:01 BeatSkip

It seems that the conf/privilege is owned by the package user so that packages can change the content on their own.

jason1122g avatar Jan 27 '21 09:01 jason1122g

@jason1122g yes indeed. But the funny thing is that you can run as root by editing a file that's owned by the package. Seems like that doesn't follow proper security procedures.

BeatSkip avatar Jan 27 '21 11:01 BeatSkip

Simply fixed by changing the owner, but still, the underlying procedure of just reading "root" from a file provided by the package and subsequently running as root doesn't seem correct to me and is fully exploitable. But I'm just a mechanical engineer, and far from an expert.

BeatSkip avatar Jan 27 '21 11:01 BeatSkip
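An added audit check, not code from the thread or from Synology, that a package maintainer or reviewer can run against a package's conf/privilege file. It assumes the DSM 7 layout is a JSON object with a "defaults" -> "run-as" key ("package" or "root"); the file path and package uid are the caller's inputs.

```python
import json
import os
import stat
import tempfile


def assess(privilege_json: dict, owner_uid: int, mode: int, pkg_uid: int) -> list:
    """Return findings for one conf/privilege file.

    Assumption (not confirmed by the thread): the file is JSON and the
    requested identity lives under privilege_json["defaults"]["run-as"].
    """
    findings = []
    run_as = privilege_json.get("defaults", {}).get("run-as", "package")
    # If the package user owns the file, or anyone can write it, the package
    # decides its own privilege level: the trust boundary the file is meant
    # to enforce is controlled by the thing it is supposed to constrain.
    package_writable = owner_uid == pkg_uid or bool(mode & stat.S_IWOTH)
    if package_writable:
        findings.append("privilege file writable by package user (uid %d)" % pkg_uid)
    if run_as == "root":
        findings.append("package requests run-as root")
    if package_writable and run_as == "root":
        findings.append("root request is self-granted: ownership must be root, not the package")
    return findings


def audit_file(path: str, pkg_uid: int) -> list:
    """Stat and parse a real privilege file, then hand the facts to assess()."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return assess(data, st.st_uid, stat.S_IMODE(st.st_mode), pkg_uid)


def demo() -> list:
    """Constructed sample: a package-owned privilege file asking for root."""
    with tempfile.NamedTemporaryFile("w", suffix=".privilege", delete=False) as fh:
        json.dump({"defaults": {"run-as": "root"}}, fh)
        path = fh.name
    try:
        # The temp file is owned by us, so treating our uid as the package
        # uid reproduces the ownership problem described in the thread.
        return audit_file(path, os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for line in demo():
        print("FINDING:", line)
```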

@BeatSkip Good find! I would email [email protected] about it; yes, I would class that as a vulnerability. Not sure if their program applies to pre-release software though. And bearing in mind that DSM6 allowed all packages that asked for root to execute as root, I don't think it's a huge issue at present, but it's hilarious nonetheless and should be fixed (as it's clearly their intent to not allow root access anymore).

Let me know if you emailed them otherwise I'll happily notify them and point Synology to this very GitHub issue.

publicarray avatar Feb 01 '21 10:02 publicarray

I'll email them today 👍

BeatSkip avatar Feb 01 '21 11:02 BeatSkip

@publicarray you are right, it's not a big issue as this is pre-release. But it's a really funny oversight in the design of this privilege system, as it's undermined in the exact way it's supposed to protect the rights. I e-mailed them about it and will await the response. A bounty reward would be awesome though, haha. But as I disclosed it publicly before contacting the bounty program I'm not sure; then again, as it's a preview I didn't see it as 'irresponsible' to publicly disclose, and I just wanted to get attention towards it to get it fixed.

BeatSkip avatar Feb 01 '21 12:02 BeatSkip

Thanks @BeatSkip, I agree. Yeah, I doubt you get a reward. Feel free to update us on their response though. Who knows, it might be a feature.

publicarray avatar Feb 04 '21 03:02 publicarray

@BeatSkip Do you have any news?

publicarray avatar Mar 22 '21 13:03 publicarray

@SynologyOpenSource @BeatSkip What does it take to get an update around here? This is way past any 60 day disclosure policy. And is a publicly known bug.

publicarray avatar Apr 11 '21 09:04 publicarray

@SynologyOpenSource @BeatSkip What does it take to get an update around here? This is way past any 60 day disclosure policy. And is a publicly known bug.

Well, there is no update. They are fixing it. Done

BeatSkip avatar Apr 11 '21 10:04 BeatSkip