New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Weak protection for a root shell - Disable Root Shell in Admin-UI #119

Open
krippendorf opened this Issue Oct 12, 2017 · 6 comments

Comments

Projects
None yet
3 participants
@krippendorf
Contributor

krippendorf commented Oct 12, 2017

The idea to have access to the system console in the /admin area, protected by just a password sets the entire networkt at serious risk.

Is there a way to disable the root shell in the Admin GUI or to prevent access to /admin at all? In a well protected network envirnoment, there is no way to expose a device to the public, that allows to root access a shell, protected by just a password.

@laemmy

This comment has been minimized.

Show comment
Hide comment
@laemmy

laemmy Oct 12, 2017

I have the same Problem. I could setup a Reverse Proxy, but that is more overhead.

laemmy commented Oct 12, 2017

I have the same Problem. I could setup a Reverse Proxy, but that is more overhead.

@krippendorf

This comment has been minimized.

Show comment
Hide comment
@krippendorf

krippendorf Oct 12, 2017

Contributor

maybe the most ugly, but working solution would be a persistent iptables rule like:
iptables -I INPUT 1 -m string --algo bm --string "/admin" -j DROP on the beagle - remember to apply the same for IPv6....

Contributor

krippendorf commented Oct 12, 2017

maybe the most ugly, but working solution would be a persistent iptables rule like:
iptables -I INPUT 1 -m string --algo bm --string "/admin" -j DROP on the beagle - remember to apply the same for IPv6....

@jks-prv

This comment has been minimized.

Show comment
Hide comment
@jks-prv

jks-prv Oct 12, 2017

Owner

Just set the admin password blank. A message in the entry field then says "No password set: no admin access from Internet allowed"

You'll still be able to connect to /admin from the local network ("local" meaning from the same subnet). The "admin auto-login" switch only applies when a password is set. It is meant to require a password be used if the connection is local. Like if you're in some sort of shared computer-use environment.

Now if what you want is admin access from the Internet, but just the console disabled, that's more complicated. That means a new option is required that is only settable from a local admin connection. And there is no concept of that the way the code is currently written.

The admin log tab and then console tab were added after increasing support problems. It was becoming impossible to talk certain non-*nix savvy customers through the process of using shell commands and forwarding log files to find problems. Problems that were often not related to the Kiwi server software itself.

Owner

jks-prv commented Oct 12, 2017

Just set the admin password blank. A message in the entry field then says "No password set: no admin access from Internet allowed"

You'll still be able to connect to /admin from the local network ("local" meaning from the same subnet). The "admin auto-login" switch only applies when a password is set. It is meant to require a password be used if the connection is local. Like if you're in some sort of shared computer-use environment.

Now if what you want is admin access from the Internet, but just the console disabled, that's more complicated. That means a new option is required that is only settable from a local admin connection. And there is no concept of that the way the code is currently written.

The admin log tab and then console tab were added after increasing support problems. It was becoming impossible to talk certain non-*nix savvy customers through the process of using shell commands and forwarding log files to find problems. Problems that were often not related to the Kiwi server software itself.

@krippendorf

This comment has been minimized.

Show comment
Hide comment
@krippendorf

krippendorf Oct 12, 2017

Contributor

I've gone through the code and understood your idea of protecting the admin WS conn. I have not put it under heavy tests yet, but I fear a possible privilege escalation over HTTP/WS - maybe caused by a leak / overflow in that embedded webserver it is built upon. Without the console there wouldn't be so much damage possible.... easily, but with that root console via WS commands it is a bit scary. For now I'll go with the IPTables way and disable IPv6 until I've tested myself. Maybe I'll simply not put it online.

What I have to criticise that these devices usually run without TLS and the password ist not even hashed! Cleartext + then stored in the session cookie. So many anti-patterns at once make it an InternetOfTarget device of first class. Terminal access is supposed to be put behind SSH, even better with enforced key auth. A DumpLogsCallHome() function would maybe solve that debugging thing also!?

The argument with that non-*nix savvy customers is very weak. I guess these kind of arguments transforms all that IoT stuff into botnets and open doors to more heavy network infrastructure.

Contributor

krippendorf commented Oct 12, 2017

I've gone through the code and understood your idea of protecting the admin WS conn. I have not put it under heavy tests yet, but I fear a possible privilege escalation over HTTP/WS - maybe caused by a leak / overflow in that embedded webserver it is built upon. Without the console there wouldn't be so much damage possible.... easily, but with that root console via WS commands it is a bit scary. For now I'll go with the IPTables way and disable IPv6 until I've tested myself. Maybe I'll simply not put it online.

What I have to criticise that these devices usually run without TLS and the password ist not even hashed! Cleartext + then stored in the session cookie. So many anti-patterns at once make it an InternetOfTarget device of first class. Terminal access is supposed to be put behind SSH, even better with enforced key auth. A DumpLogsCallHome() function would maybe solve that debugging thing also!?

The argument with that non-*nix savvy customers is very weak. I guess these kind of arguments transforms all that IoT stuff into botnets and open doors to more heavy network infrastructure.

@jks-prv jks-prv added the discussion label Oct 13, 2017

@krippendorf

This comment has been minimized.

Show comment
Hide comment
@krippendorf

krippendorf Oct 22, 2017

Contributor

Thx, @jks-prv for takting these points into account. I see cdf3623 looks like a good step towards a better security. ThumbsUp!

Contributor

krippendorf commented Oct 22, 2017

Thx, @jks-prv for takting these points into account. I see cdf3623 looks like a good step towards a better security. ThumbsUp!

@krippendorf

This comment has been minimized.

Show comment
Hide comment
@krippendorf

krippendorf Oct 28, 2017

Contributor

Thx @jks-prv for the update, the rx is now online @http://kiwisdr.hamspirit.de:8073/
Consider the issue as resolved :-) https://twitter.com/HB9FXQ/status/924376781309796353

2017-10-28 22_31_23-sec

Contributor

krippendorf commented Oct 28, 2017

Thx @jks-prv for the update, the rx is now online @http://kiwisdr.hamspirit.de:8073/
Consider the issue as resolved :-) https://twitter.com/HB9FXQ/status/924376781309796353

2017-10-28 22_31_23-sec

@jks-prv jks-prv added the security label Nov 22, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment