Home of the Squeezebox™ & Transporter® network music players.
  1. #1 mherger (Babelfish's Best Boy; Switzerland; joined Apr 2005; 19,779 posts)

    Shellshock vulnerability exposed by SSOxS?

    Hi,

    We've been informed about a vulnerability in LMS - which turns out to be
    a vulnerability in SSOTS on QNAP devices:

    https://www.nettitude.co.uk/qnap-nas...-shell-part-1/

    Anybody willing and able to tackle this?

    --

    Michael

  2. #2 Senior Member (Staffordshire, UK; joined Jan 2011; 1,990 posts)

    Quote Originally Posted by mherger:
    Hi,

    We've been informed about a vulnerability in LMS - which turns out to be
    a vulnerability in SSOTS on QNAP devices:

    https://www.nettitude.co.uk/qnap-nas...-shell-part-1/

    Anybody willing and able to tackle this?

    --

    Michael

    Michael, I have a QNAP NAS TS-121 running LMS 7.9 nightly.

    I am willing to do my best to help as long as it is a case of just following instructions, as I am the real numpty.

    There was a firmware update by QNAP yesterday (but I did not read the change log).

    If one has changed the default login password, is one's QNAP still vulnerable?


    atb

    Ronnie

  3. #3 pippin (Senior Member; Berlin; joined Oct 2007; 14,182 posts)
    Let's put it this way: if you have not changed the default password you will not have to care about the vulnerability.....
    ---
    learn more about iPeng, the iPhone and iPad remote for the Squeezebox and
    Logitech UE Smart Radio as well as iPeng Party, the free Party-App,
    at penguinlovesmusic.com
    New: iPeng 9, the Universal App for iPhone, iPad and Apple Watch

  4. #4 flipflip (Senior Member; Swissaland; joined Apr 2006; 1,408 posts)

    Quote Originally Posted by mherger:
    We've been informed about a vulnerability in LMS - which turns out to be
    a vulnerability in SSOTS on QNAP devices:

    Anybody willing and able to tackle this?

    Yeah, looks like it's the bash shell shipped with it, and that's used for the admin interface CGI scripts.

    I've always said: never expose SSODS (or the DS/TS/et al.) to the internets..

    I'm not in the position anymore to update the SSODS stuff.

    One can always disable the SSODS web interface once everything is setup (I think there's a /opt/ssods4/etc/init.d/thttpd-ssods script or so that one can remove).

    Happy hacking,
    flipflip

    edit:

    The editor of https://www.nettitude.co.uk/qnap-nas...-shell-part-1/ claims "SSOTS/SSODS author contacted 12/02/2015. No response to date". I assume he means me. However, the few emails I have around that date are not related.

    I'll add a note on the SSODS homepage regarding the vulnerability.

    edit again:

    So the "official" word is: uninstall SSODS and don't use it anymore. Or at least disable the affected thttpd-ssods service. Or find/build a bash binary that is good (and replace the bad one in /opt/ssods4/bin/ with it).
    Last edited by flipflip; 2015-05-03 at 08:58.

  5. #5 Senior Member (joined Nov 2014; 203 posts)

    Quote Originally Posted by flipflip:
    One can always disable the SSODS web interface once everything is setup (I think there's a /opt/ssods4/etc/init.d/thttpd-ssods script or so that one can remove).
    I'm wondering if anybody could formulate somewhat more detailed instructions. I'm not sure I know the right thing here.

    So I guess I remove the script with rm? Are there any other commands I need to run afterwards? Or is there something in Synology DSM akin to the update-rc.d thingy in Ubuntu???

    EDIT: flipflip, Thank you very much for updating the instructions on your website!!
    Last edited by poing; 2015-05-03 at 12:38.

  6. #6 flipflip (Senior Member; Swissaland; joined Apr 2006; 1,408 posts)
    Thanks, poing. I should have added the link to the instructions: http://oinkzwurgl.org/ssods_installation

    Can you confirm that it works?

    Also note that this is not going to be the only vulnerability. All the libraries and binaries in the SSODS are years old! And again: this is not built for security or anything.

    Regards,
    flipflip

  7. #7 KeBul (Member; London; joined Sep 2009; 85 posts)

    Quote Originally Posted by flipflip:

    One can always disable the SSODS web interface once everything is setup (I think there's a /opt/ssods4/etc/init.d/thttpd-ssods script or so that one can remove).


    So the "official" word is: uninstall SSODS and don't use it anymore. Or at least disable the affected thttpd-ssods service. Or find/build a bash binary that is good (and replace the bad one in /opt/ssods4/bin/ with it).
    First of all thanks for re-surfacing and responding flipflip, much appreciated that you took the time.

    So I've had a real amateur play around on the above 2 ideas;

    On the first I removed both /opt/ssods4/etc/thttpd-ssods.conf and /opt/ssods4/etc/init.d/thttpd-ssods script, re-enabled LMS in QTS App Centre.

    LMS started fine and was accessible via its web interface. I was unable to access SSOTS via its web interface. So objective seemingly achieved; problem is, I am not sure how to test for bash vulnerabilities from here, but I'll keep reading up to see if I can work that side out.

    As for replacing the bash binary, I've no idea how to build a new good binary, so just for fun I tried using the updated QNAP QTS bash binary and dropping that into SSOTS (told you it was an amateur play!).

    Re-enabled LMS in QTS App Centre and LMS started, SSOTS web interface was accessible but showed some errors in routines.sh namely invalid timeout specification and /proc//status: no such file or directory.

    LMS seemed to be working though, although impossible to fully test in such a short period of playing around, and as above I could not test to check for bash vulnerabilities.

    Still kept me occupied for a while!

    Kev
    Last edited by KeBul; 2015-05-03 at 14:33. Reason: Corrected error

  8. #8 KeBul (Member; London; joined Sep 2009; 85 posts)

    Thanks

    Quote Originally Posted by flipflip:
    Thanks, poing. I should have added the link to the instructions: http://oinkzwurgl.org/ssods_installation

    Can you confirm that it works?

    Also note that this is not going to be the only vulnerability. All the libraries and binaries in the SSODS are years old! And again: this is not built for security or anything.

    Regards,
    flipflip
    Good update to the install instructions, as per my previous post, I can confirm that removing the thttpd-ssods script does disable the web interface.

    It's a fair point to say that there may be other vulnerabilities and to advise stopping using it altogether; a pity, as it's provided great service over the years for me.

    Once again thanks for your input.

    Kev

  9. #9 flipflip (Senior Member; Swissaland; joined Apr 2006; 1,408 posts)

    Quote Originally Posted by KeBul:
    problem is, I am not sure how to test for bash vulnerabilities from here, but I'll keep reading up to see if I can work that side out.
    There's nothing more to do, I think. I.e. you're safe from said vulnerability (that works when anonymous can run the bash, which he can in the case of the SSOTS web interface).

    Quote Originally Posted by KeBul:
    I tried using the updated QNAP QTS bash binary and dropping that into SSOTS (told you it was an amateur play!).
    That should do the trick! As long as the binary works and is "good" SSOTS shouldn't really care. But....

    Quote Originally Posted by KeBul:
    Re-enabled LMS in QTS App Centre and LMS started, SSOTS web interface was accessible but showed some errors in routines.sh namely invalid timeout specification and /proc//status: no such file or directory.
    Hmm. Not sure what happens. I'd thought that any bash will do and as far as I remember there's not many compile time options that could change its behaviour significantly. But that seems to be the case. Can you check that it really is a bash by running the command

    /opt/ssods4/bin/bash --version

    from a shell. It should say "GNU bash, version ... " etc. Maybe it's not really a proper bash.

    Again, any bash should work. So maybe you can find a good one in another package? Maybe there's even a bash package?

    Quote Originally Posted by KeBul:
    LMS seemed to be working though
    Yes, it won't be affected. The SSOTS admin web interface and the LMS itself are two separate things.

    Quote Originally Posted by KeBul:
    It's a fair point to say that there maybe other vulnerabilities and to advise stop using it altogether, pity as it's provided great service over the years for me.
    Yes, but that hasn't been any different since day 1.

    I wouldn't bother too much about all this as long as the server runs in your home network and is not exposed to the internet (and you have no ambitious junior hackers around :-).
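An added example, not code from this thread or from the SSODS project, for the question KeBul raised and flipflip answered above: how to tell whether a given bash binary is the "bad" one. It goes one step past `bash --version` and probes the binary the same way the SSOTS thttpd CGI scripts would expose it, by handing it an environment variable whose value starts with `() {`. The two probes are the well-known ones for the original Shellshock bugs (CVE-2014-6271 and the follow-up parser bug CVE-2014-7169). Assumptions: you run it on the NAS itself (e.g. over SSH, which the thread does not mention), and the path `/opt/ssods4/bin/bash` is the one flipflip named; the function and script names are mine.

```shell
#!/bin/sh
# shellshock-check.sh (added example; not part of SSODS/SSOTS)
#
# Probe one bash binary for the two original Shellshock bugs the way a CGI
# front end (like the SSOTS thttpd admin interface) would hit them: by
# importing an environment variable whose value begins with "() {".
#
# Exit status of check_shellshock PATH:
#   0  vulnerable to at least one of CVE-2014-6271 / CVE-2014-7169
#   1  identifies as GNU bash and passed both probes
#   2  not executable, or "--version" does not say "GNU bash"

check_shellshock() {
    target="$1"
    [ -x "$target" ] || return 2

    # flipflip's sanity check: is this really a GNU bash at all?
    "$target" --version 2>/dev/null | head -n 1 | grep -q '^GNU bash' || return 2

    # CVE-2014-6271: an unpatched bash keeps parsing past the function body
    # while importing X and runs the trailing "echo VULNERABLE" before the
    # -c command even starts. A fixed bash just prints "probe".
    out=$(env X='() { :;}; echo VULNERABLE' "$target" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *VULNERABLE*) return 0 ;;
    esac

    # CVE-2014-7169: after the first fix a parser bug remained; the dangling
    # redirection ">\" in X is applied to the next command, so a file named
    # "echo" appears in the working directory. Probe inside a scratch dir.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$target" -c 'echo probe' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Human-readable wrapper; returns the same status as check_shellshock.
report_shellshock() {
    rc=0
    check_shellshock "$1" || rc=$?
    case "$rc" in
        0) echo "$1: VULNERABLE (Shellshock)" ;;
        1) echo "$1: not vulnerable to CVE-2014-6271 / CVE-2014-7169" ;;
        *) echo "$1: not found or not a GNU bash" ;;
    esac
    return "$rc"
}

# Usage on the NAS:  sh shellshock-check.sh /opt/ssods4/bin/bash
# (the SSODS path is the one named in this thread; any other bash works too)
if [ $# -gt 0 ]; then
    report_shellshock "$1"
else
    echo "usage: $0 /path/to/bash   (e.g. /opt/ssods4/bin/bash)" >&2
fi
```

Two things to keep in mind: the probe must run the binary you are worried about, so point it at the bash under `/opt/ssods4/bin/`, not at the QTS or DSM system shell, which is what an unqualified `bash` on the NAS will usually resolve to; and a "not vulnerable" result only covers these two bugs, not the other stale libraries flipflip warns about, so disabling the thttpd-ssods service remains the better fix.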

  10. #10 Senior Member (joined Nov 2014; 203 posts)

    Quote Originally Posted by flipflip:
    I should have added the link to the instructions: http://oinkzwurgl.org/ssods_installation

    Can you confirm that it works?
    Works as expected.


    Quote Originally Posted by KeBul:
    First of all thanks for re-surfacing and responding flipflip, much appreciated that you took the time.
    +1
    Last edited by poing; 2015-05-04 at 00:25.
