Vulnerability and compromised profiles (Zeroshell<3.0.0)

aseques



Joined: 16 Jun 2009
Posts: 59

Posted: Tue Jan 28, 2014 5:01 pm    Post subject: Vulnerability and compromised profiles (Zeroshell<3.0.0)

Hello, can we get any details on this? I'd like to know if there is any way to apply the profile fixes without upgrading.
Also, does closing the web access block the issue?
fulvio
Site Admin


Joined: 01 Nov 2006
Posts: 1077

Posted: Tue Jan 28, 2014 7:15 pm

On YouTube you can find a video that illustrates how to gain access to Zeroshell without knowing the admin's password. Surely, if you restrict the http access you mitigate the issue.
Regards
Fulvio
Yhoni



Joined: 19 May 2013
Posts: 31

Posted: Tue Jan 28, 2014 8:13 pm    Post subject: Re: Vulnerability and compromised profiles (Zeroshell<3.0

fulvio wrote:
Hello,

all versions of Zeroshell older than release 2.0.RC3 are vulnerable because of the possibility to execute code remotely via the web interface in a non-authenticated mode. This well-documented vulnerability has been exploited to introduce an executable within the profiles that makes connections to some DNS servers with the aim of producing a DDoS, resulting in bandwidth consumption.
Even release 2.0.RC3 may be subject to the attack if the configuration profile comes from a previous version that was already compromised. Release 3.0.0 is able to detect a compromised profile and clean it. It is recommended, in view of the gravity of the problem, to migrate as soon as possible to release 3.0.0 to be sure that Zeroshell is not running a compromised profile.

Regards
Fulvio


Thank you for the information.
aseques



Joined: 16 Jun 2009
Posts: 59

Posted: Wed Jan 29, 2014 11:37 am

I can confirm that the details outlined in the video on YouTube allow full access to the Zeroshell; the only protection against this attack, other than updating, is closing the web access except for your whitelisted IPs.
Other than that, could someone explain how to identify the traces of the exploits installed?
meloun



Joined: 31 Mar 2013
Posts: 10

Posted: Wed Jan 29, 2014 12:28 pm

aseques wrote:

Other than that, could someone explain how to identify the traces of the exploits installed?

Check manually. Connect via SFTP and look at the files in the subfolders of /DB.
Run the command ps -ax over SSH and see whether anything is running from /DB or its subfolders.

PS: SFTP access may require changing the shell. Connect via SSH, run chsh, and enter /bin/bash.

PS2: To return the shell, run chsh and enter /root/kerbynet.cgi/scripts/localman, or simply reboot the Zeroshell router.
aseques



Joined: 16 Jun 2009
Posts: 59

Posted: Wed Feb 12, 2014 11:29 am

We observed that there is a hidden process (it only shows up when running top) called .DB.001.
This process is launched by the Database-Cron (Startup Cron -> Cron Database).
You can see whether you are affected by running:

    cat ./DB/_DB.001/var/register/system/startup/scripts/Database-Cron/File
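The manual checks from the two posts above (meloun's "look under /DB and in ps -ax", aseques' Database-Cron startup entry) combined into one read-only triage script. This is an added example, not code from the thread's authors or from the Zeroshell project. It assumes the profile layout reported in the thread (/DB/<profile>/var/register/system/startup/scripts/<name>/File), uses Linux /proc plus readlink in place of ps -ax, and treats as suspect any startup entry that launches something from /DB and any dot-named (hidden) file under /DB, which is where the reported .DB.001 lived; those heuristics are assumptions, not a Zeroshell indicator list. Run it as root on the router after switching the shell as meloun describes, or point it at a copied profile tree.

```shell
#!/bin/sh
# Added example (not from the thread's authors or the Zeroshell project):
# read-only triage for the checks described in the thread.
# Assumptions: the /DB/<profile>/var/register/system/startup/scripts/<name>/File
# layout reported by aseques; Linux /proc and readlink as a stand-in for
# "ps -ax"; and the heuristic that startup entries launching anything from /DB,
# or dot-named files under /DB (the thread's .DB.001), are suspect.

# 1. Startup scripts that launch something from /DB or a hidden dot-named
#    file. Comment lines are skipped. Prints "profile|script|lineno:line".
scan_startup_scripts() {
    root="${1:-/}"
    for f in "$root"/DB/*/var/register/system/startup/scripts/*/File; do
        [ -f "$f" ] || continue
        rest=${f#"$root"/DB/}            # "<profile>/var/register/..."
        profile=${rest%%/*}
        script=$(basename "$(dirname "$f")")
        grep -nE '/DB/|(^|[[:space:]/])\.[^./[:space:]]' "$f" 2>/dev/null \
          | grep -vE '^[0-9]+:[[:space:]]*#' \
          | while IFS= read -r line; do
                printf '%s|%s|%s\n' "$profile" "$script" "$line"
            done
    done
}

# 2. Hidden (dot-named) regular files anywhere under the profile store.
scan_hidden_files() {
    root="${1:-/}"
    [ -d "$root/DB" ] || return 0
    find "$root/DB" -type f -name '.*' 2>/dev/null
}

# 3. Running processes whose executable resolves to a path under /DB (what
#    ps -ax shows as a /DB path). Needs /proc; unreadable entries are skipped.
scan_processes() {
    [ -d /proc ] || { echo "no /proc: skipping process check" >&2; return 0; }
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /DB/*) printf '%s|%s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

main() {
    root="${1:-/}"
    echo "== suspicious startup entries under $root/DB"
    scan_startup_scripts "$root"
    echo "== hidden files under $root/DB"
    scan_hidden_files "$root"
    echo "== processes executing from /DB"
    scan_processes
}

# Set ZS_SCAN_LIB=1 to source the functions without running the scan.
[ -n "${ZS_SCAN_LIB:-}" ] || main "$@"
```

An empty report is not proof of a clean profile: the payload name and the Database-Cron hook are the ones observed in this thread, and a compromised profile carried over from an older release can differ. Fulvio's advice to move to 3.0.0, which detects and cleans compromised profiles, still stands.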