Vulnerability and compromised profiles (Zeroshell<3.0.0)

Forums Network Management ZeroShell Vulnerability and compromised profiles (Zeroshell<3.0.0)

  • This topic is empty.
Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • January 28, 2014 at 5:01 pm #43834
    aseques
    Member

    Hello, can we get any details on this? I’d like to know if there is any way to apply the profile fixes without upgrading.
    Also, does closing the web access block the issue?

    January 28, 2014 at 7:15 pm #53145
    imported_fulvio
    Participant

    On YouTube you can find a video that illustrates how to gain access to Zeroshell without knowing the admin’s password. Surely, if you restrict the http access you mitigate the issue.
    Regards
    Fulvio

    January 28, 2014 at 8:13 pm #53146
    Yhoni
    Member

    @fulvio wrote:

    Hello,

    all versions of Zeroshell older than release 2.0.RC3 are vulnerable because of the possibility to execute code remotely via the web interface
    in a non-authenticated mode. This well-documented vulnerability has been exploited to introduce an executable within the profiles that make connections to some DNS with the aim of producing a DDoS resulting bandwidth consumption.
    Even the release 2.0.RC3 may be subject to the attack if the configuration profile comes from a previous version already compromised. The release 3.0.0 is able to detect a compromised profile and clean it. It is recommended, in view of the gravity of the problem, to migrate as soon as possible to release 3.0.0 to be sure that Zeroshell is not running a compromised profile.

    Regards
    Fulvio

    Thank you for the information.

    January 29, 2014 at 11:37 am #53147
    aseques
    Member

    I can confirm that the details outline in th video on youtube allows full access to the zeroshell, the only protection for this attacks other than updating is closing the web access except for your whitelisted ips.
    Other than that, could someone explain how to identify the traces of the exploits intalled?

    January 29, 2014 at 12:28 pm #53148
    meloun
    Member

    @aseques wrote:

    Other than that, could someone explain how to identify the traces of the exploits intalled?

    Check manually. Connect to SFTP and watch the files in subfolders in /DB
    Run through the SSH command ps -ax and see if there is anything running from /DB whether subfolders.

    PS Access SFTP can include changing the shell. Connect to SSH and run chsh, enter /bin/bash

    PS2 Return shell back chsh and enter /root/kerbynet.cgi/scripts/localman or simply reboot zeroshell router.

    February 12, 2014 at 11:29 am #53149
    aseques
    Member

    We observed that there is a hidden process (only shows upw when doing top) that’s called .DB.001
    This process is launched by the Database-Cron (Startup Cron -> Cron Database)
    You can see if you are affected by doing:

    cat ./DB/_DB.001/var/register/system/startup/scripts/Database-Cron/File

  • Author
    Posts
Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.