FINDING ID: iSEC-COMMO13-10

TARGETS: The Serval route signing key.

DESCRIPTION: The Serval route signing key is static across all Commotion instances. This provides no security, as anyone with the key can publish signed routes that all other routers will accept. The key can either be extracted from the firmware or downloaded on GitHub to be later leveraged by attackers.

Additionally, iSEC is unaware of a method within the web interface to change or rotate these keys.

EXPLOIT SCENARIO: An attacker joins the backhaul wireless mesh network by brute forcing WEP. The attacker generates malicious OLSR route advertisements and signs them with the known secret key. The routers will identify the signature as valid and update their routing tables accordingly, allowing the malicious user to redirect traffic as he sees fit.

SHORT TERM SOLUTION: Several options:

• Allow a device administrator to change the key
• Use a key derivation function (KDF) 7 based on the network key

LONG TERM SOLUTION: Handling secure key generation and distribution is a difficult problem with both technical and UI/UX challenges. Consider policies related to the security level of the router as described in commotion-openwrt issue 23

The po2lmo utility is causing fatal build errors again.

svn co http://svn.luci.subsignal.org/luci/branches/luci-0.11/modules/base/ /mnt/build_tree_2/commotion-router/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-i18n-commotion-master/po2lmo/.
svn: URL 'http://svn.luci.subsignal.org/luci/branches/luci-0.11/modules/base' doesn't exist

See 5e9012c and 2260c95 for previous fixes.

Serval-DNA's stable commotion-wireless branch is missing a lot of improvements and bugfixes. Work with Serval to merge appropriate changes from development branch.

Currently, due to input validation in olsrd's init script, there is no way to add IP/hostname pairs to the nameservice plugin. The format olsrd expects in its config file for IP/hostname entries is:

PlParam "1.2.3.4" "nodename"

Olsrd's init script turns /etc/config/olsrd UCI entries into the olsrd config file. So for IP/hostname pairs, the option name (the IP address) would contain periods, which is disallowed in UCI.

To solve this issue, we would need to add logic to the olsrd init script to convert some new option, like hostname for instance, into the right format for the olsrd config file. So as an example, the following line in /etc/config/olsrd:

option hostname "1.2.3.4/nodename"

would be converted into:

PlParam "1.2.3.4" "nodename"

in the generated olsrd config file, /var/run/olsrd.conf.

The serval-dna and serval-crypto Makefiles need to be updated to build against the commotion-wireless git branch of upstream Serval, rather than the 0.9 or 0.91 batphone release tarballs, and tested to make sure that they build correctly. This is the implementation of the fix for #19

per: opentechinstitute/luci-commotion#97

It is currently pinned to the commotion-0.2 tag, but we've since made updates to the olsrd repo.

Since the repo merge, luci-commotion-apps fails to install images, stylesheets, and javascript properly. The package assets are available in buildroot's staging directory and are actually available in /www/luci-commotion/apps/, but are not listed by opkg files luci-commotion-apps. The files should be installed in /www/luci-static/commotion/.

This is the list of files installed on the router:
/usr/lib/lua/luci/controller/commotion/apps_controller.lua
/usr/lib/lua/luci/view/commotion/apps_view.htm
/usr/lib/lua/luci/model/cbi/commotion/app_settings.lua
/usr/lib/lua/luci/view/themes/commotion/apps_apps.htm
/usr/lib/lua/luci/view/commotion/apps_settings.htm
/usr/lib/lua/luci/view/commotion/apps_display.htm
/usr/lib/lua/luci/view/themes/commotion/apps_categories.htm
/usr/lib/lua/luci/view/commotion/apps_form.htm
/usr/lib/lua/luci/view/commotion/apps_admin_display.htm

This is the full list of files that should be installed:
/www/luci-static/commotion/code.png
/www/luci-static/commotion/equals.png
/www/luci-static/commotion/radio.png
/www/luci-static/commotion/apps_form.js
/www/luci-static/commotion/chat.png
/www/luci-static/commotion/audio.png
/www/luci-static/commotion/apps.js
/usr/lib/lua/luci/controller/commotion/apps_controller.lua
/usr/lib/lua/luci/view/commotion/apps_view.htm
/www/luci-static/commotion/x.png
/usr/lib/lua/luci/model/cbi/commotion/app_settings.lua
/usr/lib/lua/luci/view/themes/commotion/apps_apps.htm
/usr/lib/lua/luci/view/commotion/apps_settings.htm
/www/luci-static/commotion/write.png
/www/luci-static/commotion/email.png
/www/luci-static/commotion/commotion-faded2.png
/www/luci-static/commotion/calendar.png
/www/luci-static/commotion/internet.png
/usr/lib/lua/luci/view/commotion/apps_display.htm
/usr/lib/lua/luci/view/themes/commotion/apps_categories.htm
/www/luci-static/commotion/check.png
/www/luci-static/commotion/commotion-faded.png
/www/luci-static/commotion/downloads.png
/usr/lib/lua/luci/view/commotion/apps_form.htm
/www/luci-static/commotion/apps.css
/www/luci-static/commotion/bann.png
/www/luci-static/commotion/admin_apps.js
/www/luci-static/commotion/photo.png
/www/luci-static/commotion/patternizer.min.js
/usr/lib/lua/luci/view/commotion/apps_admin_display.htm

The logic responsible for establishing the thisnode alias, which resides in openwrt/files/etc/hotplug.d/iface/90-thisnode, only sets up the alias if an ap interface is active. As a result, the current logic does not create the thisnode alias before quickstart has been run, which makes the node setup process considerably more complicated for a non-technical user. Additionally, there are several hard-coded references to 192.168.1.20 in various places in the build tree, which become invalid when the 192.168.1.20 alias is removed:

openwrt/files/etc/nodogsplash/nodogsplash.conf:FirewallRule allow to 192.168.1.20
openwrt/feeds/packages/net/haproxy/files/haproxy.cfg: server server02 192.168.1.20:80 source 192.168.1.1
openwrt/feeds/packages/net/haproxy/files/haproxy.cfg: server server02 192.168.1.20:123 source 192.168.1.1:25
openwrt/feeds/packages/net/ucarp/files/ucarp.conf:MYIP=192.168.1.20
openwrt/staging_dir/target-mips_r2_uClibc-0.9.33.2/root-ar71xx/etc/uci-defaults/commotiond:echo '192.168.1.20 thisnode' >> /etc/hosts
openwrt/staging_dir/target-mips_r2_uClibc-0.9.33.2/root-ar71xx/usr/lib/lua/luci/controller/commotion-splash/splash.lua: FirewallRule allow to 192.168.1.20

The HTTP URL-Parameters are not sanitized in the when /rhizome/manifestbyprefix/ rhizome_http.c are requested.

Since SQLite is used as a DBMS, no grave security impact could be found in the context of this service. A cause for concern would arise if another DBMS was to be used, as it could lead to a potential command execution with the INTO OUTFILE statements. For this reason, the SQL parameters should be sanitized regardless of which DBMS is chosen, as a change may result in injections leading to information leakages.

Originally reported as WRT-01-005

This bug affects users who download a commotion-openwrt tar archive instead of cloning the commotion-openwrt git repo. Submit upstream patch if necessary.

(Was Bug 624 on code.commotionwireless.net)

This issue is in follow-up to #622 that was marked resolved yesterday.

The problem is that Commotion-OpenWRT build will fail with the following error if no level in serval-dna-batphone's path inside the build tree is a git repo:

make[4]: Entering directory /blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91' LINK servald fatal: Not a git repository (or any of the parent directories): .git make[4]: *** [servald] Error 128 make[4]: Leaving directory/blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91'
make[3]: *** [/blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91/.built] Error 2
make[3]: Leaving directory /blah/blah/commotion-openwrt/openwrt/feeds/commotion/packages/serval-dna' make[2]: *** [package/feeds/commotion/serval-dna/compile] Error 2 make[2]: Leaving directory/blah/blah/commotion-openwrt/openwrt'
make[1]: *** [/blah/blah/commotion-openwrt/openwrt/staging_dir/target-mips_uClibc-0.9.33.2/stamp/.package_compile] Error 2
make[1]: Leaving directory `/blah/blah/commotion-openwrt/openwrt'
make: *** [world] Error 2

This error occurs because /blah/blah/commotion-openwrt/openwrt/build_dir/target-mips_uClibc-0.9.33.2/serval-dna-batphone-release-0.91/Makefile runs the script version_string.sh in the same directory to generate a string representing the current revision.

This works for instances where the Commoption-OpenWRT codebase is itself cloned from github, as version_string.sh will then return "DR2", but really this approach is only working by coincidence. version_string.sh is likely expecting to retrieve the current git revision for serval-dna, and not for an unrelated repo in a higher up directory.

A possible resolution is to add a patch commotion/packages/serval-dna/patches to alter version_string.sh so that it doesn't expect a git repo in its current directory.

luci-i18n-commotion was split into separate packages for each language in 3ea7112. The commotion-gui package still depends on the old name, luci-i18n-commotion, and gets excluded by make menuconfig for the missing dependency.

tmp/.config-package.in:46271:warning: 'select' used by config symbol 'PACKAGE_commotion-gui' refer to undefined symbol 'PACKAGE_luci-i18n-commotion'

This causes various other packages to not build properly (namely commotion-splash) without some manual intervention.

I am not an expert in the openwrt build system, but to fix it for my own purposes I just removed the dependency from commotion-gui and everything was fine again.

I am using the 1.1 branch, but I believe this problem still exists in master.

luci is no longer available from svn.luci.subsignal.org, so the package does not properly build anymore.

This was already fixed on master in #63.

Could this patch be merged into the 1.1 branch?

We can save some space by using wpad-mini (as is the default usually in OpenWRT) rather than wpad. The only reason we don't is because wpad-mini is not compiled with support for IBSS-RSN. However if it works to just add a compile-time option, we could save a good 500K or so, as we don't need all of the WPA-Enterprise stuff that is included in wpad.