Home of the Squeezebox™ & Transporter® network music players.
  1. #11  Senior Member (Join Date: Feb 2007, Posts: 144)

    > Quote Originally Posted by rick_k:
    > Port 9000 lets you do some things that should only be done by an authenticated administrator. Two examples are setting passwords and turning CSRF protection on/off.
    Another example is installing plugins. If you can install plugins, you can run arbitrary code as the user that LMS runs as.

  2. #12  Senior Member (Join Date: Mar 2008, Posts: 603)

    > Quote Originally Posted by mavit:
    > Another example is installing plugins. If you can install plugins, you can run arbitrary code as the user that LMS runs as.
    Wouldn't installing malicious plugins involve either putting malicious code into a repository (which seems like a good way to get caught though not a certainty) or having write access to the appropriate directories on the target computer? And if someone with bad intentions has write access to the directories, wouldn't involving HTTP be extra work for no extra reward?

    I'm curious how many malware authors are targeting HTTP on internal home networks. Is it safe to say that relatively few people are running any kind of server at all on their home networks? And, if the numbers are indeed low, why would HTTP be a tempting target compared to something using a more direct approach?

    I can't decide if this is a near-complete non-issue or if I'm somehow missing something painfully obvious that I'll eventually regret. Are there currently Bad Things out there in the wild that are taking advantage of insecure home HTTP? I realize that just because there may not be now doesn't mean there never will be; I'm just trying to understand what the current real world risk is. The claim that interfacing with LMS via HTTP may be a serious enough security risk to require mitigation caught me completely by surprise.

    I'm probably an outlier in that I have several things running internally using HTTP. It's interesting to me that NONE of them, including some pretty hefty stuff like TrueNAS, are using HTTPS for their interfaces. Are the people behind TrueNAS, piHole, LMS and whatever else I can't remember at the moment simply *lazy* or are they reasonably certain that they aren't creating a security risk?

    I assume there's browser-accessed software out there that uses HTTPS over the home network because someone thought it was worth it, but I have yet to see *any*. (Again, I'm not claiming that's a scientific survey, I just find it interesting.)

  3. #13  Senior Member (Join Date: Feb 2007, Posts: 144)

    > Quote Originally Posted by atrocity:
    > Wouldn't installing malicious plugins involve either putting malicious code into a repository (which seems like a good way to get caught though not a certainty)
    I don't think it would be easy to get caught. Put the malicious plugin in a private repository, add the repository to LMS, install the plugin, remove the repository.

  4. #14  mherger, Babelfish's Best Boy (Join Date: Apr 2005, Location: Switzerland, Posts: 20,622)

    https for internal network?

    > Wouldn't installing malicious plugins involve either putting malicious
    > code into a repository (which seems like a good way to get caught though
    > not a certainty) or having write access to the appropriate directories
    > on the target computer?


    You can set up a repository on any web server of your liking, then add
    it to the repo section, done. And it has been done. It's actually what
    caught my attention to LMS installations being "hacked": the attacker
    installed a modified version of my Picture Gallery plugin and configured
    it to scan _all_ drives, _all_ folders. This caused crashes on some systems.

    > I'm curious how many malware authors are targeting HTTP on internal home
    > networks. Is it safe to say that relatively few people are running any
    > kind of server at all on their home networks?


    People don't run servers. They run appliances. And many of them come
    with web and other servers built in: modems & routers, printers, TV
    sets, webcams...

    > I can't decide if this is a near-complete non-issue or if I'm somehow
    > missing something painfully obvious that I'll eventually regret. Are
    > there currently Bad Things out there in the wild that are taking
    > advantage of insecure home HTTP?


    I think more often the bad things take advantage of broken servers.
    Vulnerabilities causing unexpected behaviour given specific parameters.
    But these would work whether the traffic was encrypted or not. The risk
    that comes with unencrypted traffic is that somebody could spy on it -
    if he already had access to your network. If that data transported
    sensitive data, then the biggest risk would be to expose sensitive data.

  5. #15  Senior Member (Join Date: Mar 2008, Posts: 603)

    > Quote Originally Posted by mherger:
    > You can set up a repository on any web server of your liking, then add
    > it to the repo section, done. And it has been done. It's actually what
    > caught my attention to LMS installations being "hacked": the attacker
    > installed a modified version of my Picture Gallery plugin and configured
    > it to scan _all_ drives, _all_ folders. This caused crashes on some systems.
    Painful! I'm just not thinking like a criminal, I guess. In my head, having the repository at a static IP seems like a good way to get caught, but of course whoever is hosting that IP has to be cooperative as well. And certainly there's malware out there that phones home all the time, so in hindsight my point makes no sense.

  6. #16  Senior Member (Join Date: Dec 2020, Posts: 186)

    > Quote Originally Posted by atrocity:
    > I'm probably an outlier in that I have several things running internally using HTTP. It's interesting to me that NONE of them, including some pretty hefty stuff like TrueNAS, are using HTTPS for their interfaces. Are the people behind TrueNAS, piHole, LMS and whatever else I can't remember at the moment simply *lazy* or are they reasonably certain that they aren't creating a security risk?
    The problem with HTTPS is that it requires a certificate that your browser needs to trust and therefore must contain a public key from whomever authorized/signed the certificate in use. Of course if the customer of a home appliance is willing to pay extra for that certificate that would be easy enough to achieve, but the tricky part is that certificates as a rule have an expiration date (which is how certificate authorizers make money and likely need to pay part of that to OS vendors for having them included as trusted CAs) and your browser may deny you access to your own appliance.

    As Michael stated, the security hazard isn't that big though in a home network because there will be nothing pointing from the outside to that specific device unless you specifically changed your firewall configuration to do so, in which case you are assumed to know what you are doing. Also, for a hacker to be able to sniff any traffic between your browser and the device he must first have control over some machine inside your network, and even then your switch will prevent him (or her! let's not forget that ladies can be crooks too) from seeing anything on the wired network.

    As a side note: malware typically does not phone home. If your machine has a direct connection to the internet the hacker's software will phone in for instructions (e.g. send spam, participate in a DDOS attack on server X, etc) but this phone in is in fact a cascaded method as well and you will never be able to tell whether your machine was the first to receive it and thus that the originating IP is in fact that of the hacker (or the free Wifi from Pizza Hut).
