shrmn

Posts posted by shrmn

  1. On 1/28/2021 at 8:52 PM, ich777 said:

    A workaround for this would be to do it on your own for now until a fix is released, since Unraid is based on Slackware this is pretty straightforward...

    Open up an Unraid terminal and enter the following:

     

    
    cd /tmp
    wget http://slackware.cs.utah.edu/pub/slackware/slackware64-14.2/patches/packages/sudo-1.9.5p2-x86_64-1_slack14.2.txz
    installpkg sudo-1.9.5p2-x86_64-1_slack14.2.txz
    rm -rf /tmp/sudo-1.9.5p2-x86_64-1_slack14.2.txz

     

    You can also append this to your 'go' file to install it on every reboot.

     

    I know this is only a temporary solution but it's a solution that works.

    After that you can issue 'sudo -V' in the terminal and you will see that you now have sudo 1.9.5p2 installed.

     

    (Btw the package is from the official Slackware repo)

     

     

     

    EDIT: Wrote a quick Plugin if this is what you are after, it will do basically the same and you don't have to edit anything (works only from Unraid version 6.8.2 to 6.9.0rc2):

    
    https://raw.githubusercontent.com/ich777/unraid-sudo-patch/master/CVE-2021-3156.plg

     

     

    Got an error running the plugin:

     

    -----------------Downloading sudo 1.9.5p2, please wait...!---------------------
    -----------This could take some time, please don't close this window!----------
    
    -----ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR------
    ------------------------Can't download sudo 1.9.5p2-----------------------------
    plugin: run failed: /bin/bash retval: 1

     

  2. Had a local business need to expose their CRM server to the public net today and the owner did not want to open any ports. Cloudflare's Argo Tunnel came to mind. 

     

    They had an existing Unraid server handling file shares and backups, so started looking at ways to leverage this (actually underutilised) server. Thought I'd share the steps I took to get the tunnel working here.

     

    The steps below assume understanding/experience with reverse proxy setups and User Scripts.

     

    The setup consists of two broad steps:

    A. Install any reverse proxy as a Docker image (I used Nginx Proxy Manager) and take note of the exposed port / IP.

    • In this example, I will be setting only the HTTP proxy on port 1880.
    • This reverse proxy is the entry point of the tunnel. Configure this proxy to connect to whichever other services you have.

     

    B. Install cloudflared and run it on startup

     

    1. SSH into your server and download the cloudflared binary
      wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz
    2. Unzip the tgz
      tar -xvzf cloudflared-stable-linux-amd64.tgz
    3. Log in to Cloudflare (this will produce a URL. Open that URL in your browser)
      ./cloudflared tunnel login
    4. Once authenticated, verify that the tunnel works (change your.hostname.com to your hostname)
      ./cloudflared tunnel --hostname your.hostname.com --url http://localhost:1880

      Then visit your.hostname.com, you should see a Cloudflare welcome page. If DNS hasn't propagated, try setting your DNS resolver to 1.1.1.1

    5. Save your configuration as a YAML-formatted file in ~/.cloudflared/config.yml. The contents should look like this:

      hostname: your.hostname.com
      url: http://localhost:1880
      

       

    6. Copy the contents of ~/.cloudflared into /etc/cloudflared

      mkdir -p /etc/cloudflared
      cp ~/.cloudflared/config.yml /etc/cloudflared/
      cp ~/.cloudflared/cert.pem /etc/cloudflared/
    7. Install the User Scripts plugin if you haven't already, and create a new script. I named mine cloudflared
    8. Remove the default description file and copy the contents of the script below:
      #!/bin/bash
      #description=Launches cloudflared with config and cert loaded in /etc/cloudflared
      #backgroundOnly=true
      #arrayStarted=true
      
      # The lines above set the script info; see: https://forums.unraid.net/topic/48286-plugin-ca-user-scripts/page/7/?tab=comments#comment-512697

      # Directory holding the cloudflared config and cert
      configpath=/etc/cloudflared

      echo "Starting Cloudflared Binary with config and cert in $configpath"

      /root/cloudflared --config "$configpath/config.yml" --origincert "$configpath/cert.pem"
      
      echo "Exiting Cloudflared Binary"
      
      exit
    9. Refresh the User Scripts page and set the script to run on startup of array
    10. View the logs to ensure that your routes are secured and established. You should see something like this:
      Starting Cloudflared Binary with config and cert in /etc/cloudflared
      time="2019-07-24T01:36:27+08:00" level=info msg="Version 2019.7.0"
      time="2019-07-24T01:36:27+08:00" level=info msg="GOOS: linux, GOVersion: go1.11.5, GoArch: amd64"
      time="2019-07-24T01:36:27+08:00" level=info msg=Flags config=/etc/cloudflared/config.yml hostname=your.hostname.com logfile=/var/log/cloudflared.log origincert=/etc/cloudflared/cert.pem proxy-dns-upstream="https://1.1.1.1/dns-query, https://1.0.0.1/dns-query" url="http://localhost:1880"
      time="2019-07-24T01:36:27+08:00" level=info msg="Starting metrics server" addr="127.0.0.1:38457"
      time="2019-07-24T01:36:27+08:00" level=info msg="Autoupdate frequency is set to 24h0m0s"
      time="2019-07-24T01:36:27+08:00" level=info msg="Proxying tunnel requests to http://localhost:1880"
      time="2019-07-24T01:36:30+08:00" level=info msg="Connected to HKG"
      time="2019-07-24T01:36:30+08:00" level=info msg="Each HA connection's tunnel IDs: map[<REDACTED>]"
      time="2019-07-24T01:36:30+08:00" level=info msg="Route propagating, it may take up to 1 minute for your new route to become functional"
      time="2019-07-24T01:36:32+08:00" level=info msg="Connected to SIN"
      time="2019-07-24T01:36:32+08:00" level=info msg="Each HA connection's tunnel IDs: map[<REDACTED>]"
      time="2019-07-24T01:36:32+08:00" level=info msg="Route propagating, it may take up to 1 minute for your new route to become functional"
      time="2019-07-24T01:36:33+08:00" level=info msg="Connected to HKG"
      time="2019-07-24T01:36:33+08:00" level=info msg="Each HA connection's tunnel IDs: map[<REDACTED>]"
      time="2019-07-24T01:36:33+08:00" level=info msg="Route propagating, it may take up to 1 minute for your new route to become functional"
      time="2019-07-24T01:36:34+08:00" level=info msg="Connected to SIN"
      time="2019-07-24T01:36:34+08:00" level=info msg="Each HA connection's tunnel IDs: map[<REDACTED>]"
      time="2019-07-24T01:36:34+08:00" level=info msg="Route propagating, it may take up to 1 minute for your new route to become functional"

       

    11. Voila!

     

    • Like 1
    • Thanks 2
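
An added check for the layout built in steps 5 and 6, not part of the original post: cert.pem is the credential produced by `cloudflared tunnel login`, and config.yml decides which origin the tunnel exposes, so both are worth auditing before the script runs at array start. `audit_cloudflared_dir` is a hypothetical helper name, and the loopback-only rule is a policy assumed for this setup, where the tunnel should reach only the local reverse proxy.

```bash
#!/bin/bash
# Added example. audit_cloudflared_dir is a hypothetical helper, not part of
# cloudflared. Prints one finding per line; returns 1 if anything was found.
audit_cloudflared_dir() {
  local dir=$1 rc=0 url host
  local cert="$dir/cert.pem" cfg="$dir/config.yml"

  if [ ! -f "$cert" ]; then
    echo "MISSING cert.pem"; rc=1
  # cert.pem is the credential obtained by "tunnel login": owner-only access.
  # Columns 5-10 of ls -l are the group and other permission bits.
  elif [ "$(ls -ld "$cert" | cut -c5-10)" != "------" ]; then
    echo "PERMS cert.pem is accessible to group/other"; rc=1
  fi

  if [ ! -f "$cfg" ]; then
    echo "MISSING config.yml"; rc=1
  else
    # A config others can write lets them repoint the tunnel's origin.
    case "$(ls -ld "$cfg" | cut -c5-10)" in
      *w*) echo "PERMS config.yml is writable by group/other"; rc=1 ;;
    esac
    # Read the flat "key: value" form shown in step 5.
    url=$(sed -n 's/^url:[[:space:]]*//p' "$cfg" | head -n 1)
    # Strip scheme, path and port to get the bare host (IPv6 not handled).
    host=${url#*://}; host=${host%%/*}; host=${host%%:*}
    case "$host" in
      localhost|127.0.0.1) ;;
      *) echo "ORIGIN url '$url' does not point at loopback"; rc=1 ;;
    esac
  fi
  return "$rc"
}

# Constructed demo input: a throwaway directory with a world-readable
# placeholder cert and an origin on the LAN instead of the local proxy.
demo=$(mktemp -d)
printf 'hostname: your.hostname.com\nurl: http://192.168.1.10:1880\n' > "$demo/config.yml"
echo "constructed placeholder, not a real certificate" > "$demo/cert.pem"
chmod 644 "$demo/cert.pem" "$demo/config.yml"
audit_cloudflared_dir "$demo" || echo "audit reported findings"
rm -rf "$demo"
```

Calling `audit_cloudflared_dir /etc/cloudflared` at the top of the User Script and exiting on a non-zero return keeps the tunnel from starting with a loose cert or an unexpected origin.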