busybox telnetd security/misconfiguration

Tito farmatito at tiscali.it
Thu Nov 15 07:10:32 UTC 2012


On Thursday 15 November 2012 00:26:02 you wrote:
> Still I suggest at least disallowing root login without a password...
> 
> Also I don't suggest hardcoding limitations, I just thought about
> reasonable safe defaults
> ((possibly allow the old behaviour with an unsafe option, or for access
> limits allow using a hosts.access or hosts.deny type file or some
> other pattern))
> 
> Anyway I might send some ugly patch, or maybe a more beautified one when I
> get the time for it, for the rootpw check...
> 
> If I run busybox in an init system or sandbox sure I can use options to
> modify its behaviour, but as Rick said before, in a sandbox you don't need
> root login at all for access to the system

Maybe then locking the root account is a solution?
 
> 
> The source I read of telnetd doesn't even care about the source of a
> connection without utmp enabled
> 
> I talked with the openembedded people earlier, they suggested adding it
> to the busybox upstream directly
> 
> There is in fact, with busybox built without PAM, even in the login
> program no check on the user and whether it has a password, and well, I don't
> think it passes the connection src host/ip anywhere else than into the
> utmp

If the user has no password, what else could a login program do besides grant access?
User accounts should be set up correctly at their creation time.

> As far as I can see the telnetd anyway has no possibility to validate
> which user is logging in with /bin/login enabled..
> 
> /bin/login also ignores /etc/nologin if the user root is logging in

This is a sane default: how could you reset /etc/nologin if root
logins were not allowed?

> An empty password is just ignored in /bin/login if it is built with
> NO_PAM, without caring which user logs in with an empty password;
> that behaviour is "hardcoded" too, I would say

		/* Don't check the password if password entry is empty (!) */
		if (!pw->pw_passwd[0])
			break;

You can change this "hardcoded" behaviour easily:
1) lock the account or
2) setup a passwd or
3) delete the user

Ciao,
Tito 
> 
> MirOS Project
> Armored Secure Operating System
> http://www.mirbsd.org/
> 
> 
> 2012/11/14 Tito <farmatito at tiscali.it>:
> > On Wednesday 14 November 2012 15:06:08 Vutral wrote:
> >> I noticed for some other projects like openembedded and forks of it, and
> >> probably for some routers using the busybox telnet daemon, there should
> >> be a check for an empty root password, so if the root password is empty
> >> and the source IP of a request is not in private space (ex. 192.168/16,
> >> 10/8 etc.) the default action is not to allow a login... to reduce the
> >> risk of unintentional farm creation for botnets...
> >>
> >> So I suggest by default only allowing access to telnet from "lan/private IPs"
> >> when no root password is set;
> >> there could be an extra option to allow turning that sanity check off
> >> if required
> >>
> >> Alternatively I guess the hostaccess style filter would be sufficient
> >> too... but since that would require a configuration pattern change from
> >> the users I don't know what you'd prefer
> >>
> >> Somehow I don't see any use in allowing the whole world to access a
> >> passwordless root account..
> >>
> >>
> >> MirOS Project
> >> Armored Secure Operating System
> >> http://www.mirbsd.org/
> >
> > Hi,
> > I think that hardcoding this behaviour in busybox telnetd
> > may not be desirable for all users and uses of busybox.
> >
> > An alternative solution to be implemented by the openembedded folks could be:
> > 1) create a randomly generated root passwd at first boot
> > 2) ask the user to add an account + passwd at first connection to the web config
> > 3) add the user to sudoers
> > 4) use sudo for config tasks or to change the unknown random root passwd to a known one.
> >
> > or
> >
> > 1) ask the user to add a root passwd at first connection to the web config
> > 2) ask the user to add an account + passwd at first connection to the web config
> >
> > just my 0.2 cents.
> >
> > Ciao,
> > Tito
> >
> > _______________________________________________
> > busybox mailing list
> > busybox at busybox.net
> > http://lists.busybox.net/mailman/listinfo/busybox
> 
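
The decision the thread argues about, as an added example written for this page (it is not busybox code, not a patch from anyone in the thread, and not an upstream proposal): busybox_style_decision() mirrors the quoted login.c logic, where an empty pw_passwd field skips the password check, and hardened_decision() is one possible alternative in the direction Vutral sketches. The private-range check, the LOGIN_* names, the treatment of a NULL peer as the console, and the allow_empty_remote "unsafe option" are all assumptions of this example. The sample accounts in main() are constructed.

```c
/*
 * Added example, not busybox code.  Models the login-time password
 * decision: the quoted busybox behaviour beside one hardened policy.
 * All names and the policy itself are assumptions of this example.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

enum login_decision {
    LOGIN_DENY = 0,          /* refuse without prompting */
    LOGIN_NO_PASSWORD = 1,   /* grant access, no password asked */
    LOGIN_ASK_PASSWORD = 2   /* continue with the normal crypt() comparison */
};

/* 1 if ip is a dotted quad in 10/8, 172.16/12, 192.168/16 or 127/8. */
int is_private_ipv4(const char *ip)
{
    struct in_addr a;
    uint32_t h;

    if (ip == NULL || inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    h = ntohl(a.s_addr);
    return (h >> 24) == 10          /* 10.0.0.0/8      */
        || (h >> 20) == 0xAC1       /* 172.16.0.0/12   */
        || (h >> 16) == 0xC0A8      /* 192.168.0.0/16  */
        || (h >> 24) == 127;        /* 127.0.0.0/8     */
}

/* passwd/shadow convention: a field starting with "!" or "*" is locked. */
int is_locked_password(const char *pw_passwd)
{
    return pw_passwd[0] == '!' || pw_passwd[0] == '*';
}

/* The behaviour quoted from login.c: an empty field means "don't check". */
enum login_decision busybox_style_decision(const char *pw_passwd)
{
    if (!pw_passwd[0])
        return LOGIN_NO_PASSWORD;
    return LOGIN_ASK_PASSWORD;
}

/*
 * Hardened policy (assumption of this example).  peer_ip is NULL for a
 * console login, otherwise the client's dotted quad; allow_empty_remote is
 * the hypothetical "unsafe option" that restores the old behaviour.
 */
enum login_decision hardened_decision(const char *pw_passwd,
                                      const char *peer_ip,
                                      int allow_empty_remote)
{
    if (is_locked_password(pw_passwd))
        return LOGIN_DENY;              /* locked account: never, from anywhere */
    if (pw_passwd[0])
        return LOGIN_ASK_PASSWORD;      /* a hash is set: normal path */
    if (peer_ip == NULL || is_private_ipv4(peer_ip))
        return LOGIN_NO_PASSWORD;       /* console or LAN: keep old behaviour */
    if (allow_empty_remote)
        return LOGIN_NO_PASSWORD;       /* operator explicitly opted in */
    return LOGIN_DENY;                  /* empty password, public peer */
}

int main(void)
{
    /* Constructed sample password fields, not taken from any real system. */
    const char *pw[] = { "", "!", "$1$ab$xyz" };
    const char *pw_label[] = { "empty", "locked", "hashed" };
    const char *peer[] = { NULL, "192.168.1.20", "203.0.113.7" };
    const char *names[] = { "DENY", "NO_PASSWORD", "ASK_PASSWORD" };
    int i, j;

    for (i = 0; i < 3; i++) {
        for (j = 0; j < 3; j++) {
            printf("%-7s from %-13s busybox=%-12s hardened=%s\n",
                   pw_label[i], peer[j] ? peer[j] : "console",
                   names[busybox_style_decision(pw[i])],
                   names[hardened_decision(pw[i], peer[j], 0)]);
        }
    }
    return 0;
}
```

The table main() prints makes Tito's point visible: for a locked or hashed root entry the two policies agree, and the only row where they differ is an empty password presented from a non-private peer, which is exactly the case an operator fixes with a lock, a password, or deletion. Note that an IPv6 peer is treated as non-private here; a real implementation would need the corresponding check for ::1 and ULA ranges.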

