Member
Posts: 152
Registered: ‎03-03-2010
Kudos: 17

GPL archive missing components

Hi,

Recently I've noticed a few GPL licensed components missing from the 5.5.2 GPL archive:

  • openwrt/target/linux/generic-2.6/files-2.6.32
  • openwrt/target/linux/generic-2.6/patches-2.6.32
  • openwrt/target/linux/ubnt
  • openwrt/dl/bridge-utils-1.4.tar.gz
  • openwrt/dl/comgt.0.32.tgz
  • openwrt/dl/dhcp-forwarder-0.7.tar.bz2
  • openwrt/dl/lighttpd-1.4.28.tar.bz2
  • openwrt/dl/memtester-4.1.3.tar.gz
  • openwrt/dl/opkg-4564.tar.gz
  • openwrt/dl/radvd-1.2.tar.gz
  • openwrt/dl/usb-modeswitch-1.1.4.tar.bz2
  • openwrt/dl/usb-modeswitch-data-20100826.tar.bz2
  • openwrt/package/openssl (various patches/changes)

Are Ubiquiti aware of this? Why the omissions?
New Member
Posts: 12
Registered: ‎05-18-2011
Kudos: 6

Re: GPL archive missing components

Add to this that the modified source to U-Boot (boot loader) is missing. Ubiquiti made some modifications and added functionality to U-Boot that we consider to be a security risk, after Ubiquiti gave one of our competitors information on how to exploit one of those additional features in the boot loader. So we're pretty keen to strip that particular functionality out of U-Boot on all of our CPEs.
I made several requests to Ubiquiti staff last year to release the U-Boot source so we could correct this security issue ourselves, but the only response we've gotten is that the competitor they gave the relevant information to probably doesn't have enough technical knowledge to use simple Linux utilities like dd and hexdump, but that doesn't give us a lot of comfort. We even offered to sign an NDA for the modified U-Boot source (even though we're entitled to it already under the GPL), but no dice.
U-Boot is under the GPLv2+ license, so Ubiquiti really should be publishing the modified source to be in compliance with the GPL. However, publishing the source would also make the security issue we're concerned about obvious and be roughly equivalent to everyone receiving the same info one of our competitors did. So it's a bit of a double-edged sword.
en.wikipedia.org/wiki/Das_U-Boot
EDIT - Later postings that referred to exactly what the security issue is (but not how to exploit it) have been nuked so as not to piss off Ubiquiti. Nothing to see here, move along..
-Ryan
New Member
Posts: 20
Registered: ‎02-17-2013
Kudos: 14

Re: GPL archive missing components

I'm somewhat curious about the security flaw you mention.
BUT, there is another fatal flaw in the Ubiquiti variant of U-Boot on the unifi devices we have. The boot loader seems to assume the flash is in a fresh-from-power-up state when the device starts, and it's not prepared to deal with a flash chip in some unknown state. This is easily reproducible. Write a script that logs into the unit and calls reboot. Do this with a serial console set up, and log the serial console data as it runs. You will see that occasionally, uboot prints the RAM size but hangs before it prints the flash size. At that point, the unit is essentially dead, and the only recovery is a power cycle. I set up another test case where we plugged it into a web power switch and power cycled every couple of minutes for a few hours; uboot never got stuck after a power cycle, only when we do a soft reboot.
For us, this is pretty much a fatal flaw, which we have seen in a significant number of the unifi access points we got for trial.
This would be an almost trivial fix, if we had the sources for u-boot with any mods required for the Ubiquiti devices. But alas, no sources, and I don't have the energy to reverse engineer a jtag setup, so that I can safely play with vanilla u-boot code on the devices. I'm not keen on taking a stab at building / flashing from vanilla u-boot sources, without a jtag setup or some other way to ensure I can rescue a device onto which a flawed boot loader has been flashed.
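An added example, not part of the original post: one way to tally the hang described above from a captured serial log, by flagging every boot where the RAM size line appears but the flash size line never does. The `DRAM:` and `Flash:` line formats follow stock U-Boot output and are an assumption about this vendor build; the sample capture is constructed.

```python
import re

# Constructed serial-console capture (not real device output). The banner,
# "DRAM:" and "Flash:" formats are assumed from stock U-Boot.
SAMPLE_LOG = """\
U-Boot (constructed sample banner)
DRAM:  64 MB
Flash:  8 MB
Starting kernel ...
U-Boot (constructed sample banner)
DRAM:  64 MB
U-Boot (constructed sample banner)
DRAM:  64 MB
Flash:  8 MB
Starting kernel ...
"""

BANNER = re.compile(r"^U-Boot\b")
RAM = re.compile(r"^DRAM:\s")
FLASH = re.compile(r"^Flash:\s")

def split_boots(log_text):
    """Split a capture into per-boot line lists, one per U-Boot banner."""
    boots = []
    for line in log_text.splitlines():
        line = line.strip()          # serial captures often carry stray \r
        if BANNER.match(line):
            boots.append([])
        if boots and line:           # ignore anything before the first banner
            boots[-1].append(line)
    return boots

def classify(boot):
    """Label one boot: RAM size printed but no flash size means a hang."""
    saw_ram = any(RAM.match(l) for l in boot)
    saw_flash = any(FLASH.match(l) for l in boot)
    if saw_ram and not saw_flash:
        return "hung_before_flash"
    if saw_ram and saw_flash:
        return "ok"
    return "incomplete"              # banner only: capture cut off too early

def summarize(log_text):
    """Return boot count, 1-based indexes of hung boots, and per-boot labels."""
    results = [classify(b) for b in split_boots(log_text)]
    hung = [i for i, r in enumerate(results, 1) if r == "hung_before_flash"]
    return {"boots": len(results), "hung": hung, "results": results}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running the same tally over a soft-reboot capture and a power-cycle capture gives the comparison the post describes.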
Member
Posts: 152
Registered: ‎03-03-2010
Kudos: 17

Re: GPL archive missing components

Ubiquiti added flash dump functionality to U-Boot. Anyone with physical access to the Ethernet cable going to a Ubiquiti device can dump the complete flash contents, including the config mtd partition.

Is there really a practical fix for this considering one can just netboot the device if they have that level of physical access?
New Member
Posts: 20
Registered: ‎02-17-2013
Kudos: 14

Re: GPL archive missing components

Maybe I'm missing something here, but doesn't getting to the u-boot console require a terminal hookup as well? Is there a way to get to the u-boot console over the Ethernet?
Ubiquiti Employee
Posts: 5,548
Registered: ‎05-13-2009
Kudos: 1679
Solutions: 150

Re: GPL archive missing components

Hi,

Recently I've noticed a few GPL licensed components missing from the 5.5.2 GPL archive:

  • openwrt/target/linux/generic-2.6/files-2.6.32
  • openwrt/target/linux/generic-2.6/patches-2.6.32
  • openwrt/target/linux/ubnt
  • openwrt/dl/bridge-utils-1.4.tar.gz
  • openwrt/dl/comgt.0.32.tgz
  • openwrt/dl/dhcp-forwarder-0.7.tar.bz2
  • openwrt/dl/lighttpd-1.4.28.tar.bz2
  • openwrt/dl/memtester-4.1.3.tar.gz
  • openwrt/dl/opkg-4564.tar.gz
  • openwrt/dl/radvd-1.2.tar.gz
  • openwrt/dl/usb-modeswitch-1.1.4.tar.bz2
  • openwrt/dl/usb-modeswitch-data-20100826.tar.bz2
  • openwrt/package/openssl (various patches/changes)

Are Ubiquiti aware of this? Why the omissions?


These packages are not modified or not used by Ubiquiti, and in such cases they are not included in the GPL archive.

-Edmundas
Member
Posts: 152
Registered: ‎03-03-2010
Kudos: 17

Re: GPL archive missing components

These packages are not modified or not used by Ubiquiti, and in such cases they are not included in the GPL archive.

I think the FSF would disagree - executable GPL code does not have to be modified to make distribution of the original source a requirement.

I also think you're mistaken about GPL code not being modified. At a glance I see lighttpd is modified with AirOS specific changes.

And openwrt/target/linux/ubnt includes patches against the GPL licensed Linux kernel, which as far as I can tell do get applied to the kernel build - how can this be excluded?

The only wiggle room I see is with:

  • openwrt/target/linux/generic-2.6/files-2.6.32 (not used)
  • openwrt/target/linux/generic-2.6/patches-2.6.32 (not used)
  • openwrt/dl/bridge-utils-1.4.tar.gz (not used)
  • openwrt/dl/memtester-4.1.3.tar.gz (not used)
  • openwrt/dl/opkg-4564.tar.gz (not used)
  • openwrt/package/openssl (Apache licensed)
Ubiquiti Employee
Posts: 5,548
Registered: ‎05-13-2009
Kudos: 1679
Solutions: 150

Re: GPL archive missing components

I think the FSF would disagree - executable GPL code does not have to be modified to make distribution of the original source a requirement.


I may be wrong, but as far as I know, the requirement is to provide GPL source modifications (patches). Complete and original packages can be downloaded from the OpenWRT website (as airOS is based on this platform), or the package author's website.


I also think you're mistaken about GPL code not being modified. At a glance I see lighttpd is modified with AirOS specific changes.


Actually it's distributed under BSD license (en.wikipedia.org/wiki/Lighttpd)


And openwrt/target/linux/ubnt includes patches against the GPL licensed Linux kernel, which as far as I can tell do get applied to the kernel build - how can this be excluded?


Sorry, but I don't know what exactly is placed there and why it isn't included in the GPL archive. Please send an e-mail to gpl@ubnt.com to get the right answer.

-Edmundas
Member
Posts: 152
Registered: ‎03-03-2010
Kudos: 17

Re: GPL archive missing components

Actually it's distributed under BSD license (en.wikipedia.org/wiki/Lighttpd)

You're right. Apologies!


Sorry, but I don't know what exactly is placed there and why it isn't included in the GPL archive. Please send an e-mail to gpl@ubnt.com to get the right answer.

Have done so - thanks.
Member
Posts: 152
Registered: ‎03-03-2010
Kudos: 17

Re: GPL archive missing components

Sorry, but I don't know what exactly is placed there and why it isn't included in the GPL archive. Please send an e-mail to gpl@ubnt.com to get the right answer.

I received the following response:


Date: Thu, 7 Mar 2013 03:20:09 -0800
From: "Ubiquiti Networks"
Message-ID:
Subject: Delivery Status Notification (Failure) Re: GPL archive missing components

Your e-mail has been rejected because the e-mail address you were
sending to does not exist.

Please check your spelling to make sure you are sending to the correct
e-mail address.

This is an automatically generated Delivery Status Notification. Do
not reply to this e-mail.


Product Support:
support@ubnt.com

Sales Inquiries:
sales@ubnt.com

Website Related Support:
admin@ubnt.com
Ubiquiti Employee
Posts: 5,548
Registered: ‎05-13-2009
Kudos: 1679
Solutions: 150

Re: GPL archive missing components

I received the following response:


Sorry. I wasn't aware of the gpl->support address changes. Please forward your e-mail to support@ubnt.com.

Thanks,
Edmundas
Member
Posts: 152
Registered: ‎03-03-2010
Kudos: 17

Re: GPL archive missing components

Sorry. I wasn't aware of the gpl->support address changes. Please forward your e-mail to support@ubnt.com.

Done :)
Regular Member
Posts: 451
Registered: ‎01-29-2009
Kudos: 59

Re: GPL archive missing components

Is there really a practical fix for this considering one can just netboot the device if they have that level of physical access?


If it's only Ethernet cable access (no serial console which would require opening the case, that could at least be detected after the fact with warranty stickers etc.), then it's a serious security issue that really needs to be fixed soon. Perhaps disallow the flash dump or netboot features without clearing the config partition first? The config may contain things like WPA2 key (for the whole network, not just that customer), and there is still no easy way to change that periodically (as recent firmware changes broke it in AirControl 1, and there is no feature such as station trying to connect using two different keys before/after change - so it's still an "all or nothing" operation with high risk of a truck roll).
Ubiquiti Employee
Posts: 435
Registered: ‎08-28-2007
Kudos: 49
Solutions: 6

Re: GPL archive missing components

If the user password is unknown then there is almost no possibility to get plain text system.cfg from it. If the user password is known then there is nothing to talk about.

BTW: Topic is about GPL archive missing components. Please use other thread.

Ubiquiti Networks, Inc.
System programmer
New Member
Posts: 12
Registered: ‎05-18-2011
Kudos: 6

Re: GPL archive missing components


UBNT-keba wrote:

If the user password is unknown then there is almost no possibility to get plain text system.cfg from it. If the user password is known then there is nothing to talk about.

BTW: Topic is about GPL archive missing components. Please use other thread.


Keba:

The issue of the GPL status of u-boot wasn't ever addressed.  I was recently made aware that other parties have been bringing this to your attention recently, including one of the u-boot developers themselves.

However, on the point that the ability to dump the configuration in versions of u-boot used prior to airOS v5.5.4 by merely having physical access to the Ethernet cable is off-topic, I have posted over in the other thread you referred to at the link below.  I still consider this a GPL issue, as our own ability to fix the hole ourselves prior to the fix you implemented in v5.5.4 was thwarted because Ubiquiti was unwilling to provide the modified u-boot source code as per the GPL.

Other relevant thread for off-topic discussion:

http://community.ubnt.com/t5/Installation-Troubleshooting/AirOS-and-Security-DUMP-of-configuration-f...
