busybox telnetd security/misconfiguration

Rich Felker dalias at aerifal.cx
Wed Nov 14 14:54:09 UTC 2012


On Wed, Nov 14, 2012 at 03:06:08PM +0100, Vutral wrote:
> I noticed for some other projects like openembedded and forks of it, and
> probably for some routers using the busybox telnet daemon, there should
> be a check for an empty root password, so if the root password is empty
> and the source ip of a request is not in private space (ex. 192.168/16,
> 10/8, etcetera) the default action is not to allow a login... to reduce
> the risk of unintentional farm creation for botnets...
> 
> so I suggest by default only allowing access to telnet from "lan/private ips"
> when no root password is set;
> there could be an extra option to allow turning that sanity check off
> if required
> 
> alternatively I guess the hostaccess style filter would be sufficient
> too... but since that would require a configuration pattern change from
> the users I don't know what you'd prefer
> 
> somehow I don't see any use in allowing the whole world to access a
> passwordless root account..

Making it ip-based is naive and gives a false sense of security. If
passwordless root login is disallowed, it should be disallowed from
ALL addresses, not just some. You don't want folks thinking "it's safe
because only local clients can access it" and not realizing that means
that anybody who can run (even mostly-sandboxed) code on a local
machine can get root on the device.

Rich
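Added example, not from this thread or from the BusyBox project: a POSIX sh audit (runs under BusyBox ash) that classifies the password field of a shadow-style file, so an operator can find the passwordless root account the thread is about before telnetd ever exposes it. The check is deliberately independent of any client address, in line with the reply above; the sample file is constructed.

```sh
#!/bin/sh
# Added example (not from the mailing list thread): audit a passwd/shadow-style
# file for accounts that would let telnetd hand out a shell with no password.
# Uses only shell builtins plus mktemp/cat/tr, all present in BusyBox.

# classify_pw FIELD -> prints empty | shadowed | locked | set
classify_pw() {
    case "$1" in
        "")      echo empty ;;      # no password at all: login without a prompt
        x)       echo shadowed ;;   # /etc/passwd entry deferring to /etc/shadow
        \!*|\**) echo locked ;;     # disabled account, cannot log in by password
        *)       echo set ;;
    esac
}

# passwordless_accounts FILE -> one login name per line for every entry
# whose second field is empty
passwordless_accounts() {
    while IFS=: read -r name pw _rest; do
        [ -n "$name" ] || continue
        if [ "$(classify_pw "$pw")" = empty ]; then echo "$name"; fi
    done < "$1"
}

# root_pw_state FILE -> password state of the root entry, or "missing"
root_pw_state() {
    while IFS=: read -r name pw _rest; do
        if [ "$name" = root ]; then classify_pw "$pw"; return 0; fi
    done < "$1"
    echo missing
}

# Constructed sample shadow file (not taken from any real device)
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
admin:$1$saltsalt$abcdefghijklmnopqrstu:15000:0:99999:7:::
guest::15000:0:99999:7:::
EOF

if [ "$(root_pw_state "$SAMPLE_SHADOW")" = empty ]; then
    echo "WARNING: root has no password; telnetd would grant a shell to any client"
fi
echo "passwordless accounts: $(passwordless_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

Point the functions at the device's real /etc/shadow (or /etc/passwd on systems without shadow) to audit a running box; a non-empty result is the condition both posters want refused.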

