
Security Flaw Discovered in 2.0.0 by ihuntpineapples


ZaraByte


Uhhh dang, this is why you gotta not rush releases, guys. A security flaw has been found in the latest firmware released by Hak5 at DEF CON 22.

On the new firmware, /?logout=true unauthenticated to force log out and sniff creds coming back in, or just tight loop it to make it useless

Credits: @ihuntpineapples on Twitter

Check out ihuntpineapples on Twitter for more security holes in the Pineapple firmware.

This is why I told you guys not to rush releasing the firmware: it's stuff like this, it needs to be fully tested.

Edited by ZaraByte

Infusion vulnerabilities have gotten a lot harder to exploit in 2.0. Foxtrot, Tesla, Wh1p and I have spent all day trying to break stuff. I am going to be doing a write up about what was wrong and what has been done to fix it now


Hey guys,

2.0.0 fixed a bunch of things, but mainly one derp of me having shifted code around and put it into the wrong place (footer instead of header file) - that was a major fuck up but shit happens.

The security bugs everyone is reporting with the infusions are fixed now, as long as the root password is not known. If you know the root password, you can inject into POST or even some GET requests. You could also just use the functions.php in the configuration tile that will execute commands for you - a built-in function of the tile. We'll have to lock that - and other things - down now.

We figured, as long as everything requires a password, the injection shouldn't matter - as you could just send an "rm -rf /" over ssh just as easily.

We'll be undergoing a hardening cycle to make sure these issues get resolved. Until then, we will have 2.0.1 (uploading now), which fixes the bug allowing another user to log you out.

We cannot really fix the fact that passwords can be sniffed over the open wireless - use a cable to manage it without the password leaking into the air. The only thing we could do in that regard is put self-signed SSL certs on every Pineapple, but that would be a hassle for everyone. Nginx DOES support SSL, so feel free to set that up.

TLDR: Download 2.0.1 once it's out, it has the logout bug fixed.

Best Regards,

Sebkinne


What's this guy's deal? Just to try to embarrass Darren and Seb?

Not at all. Expose flaws so they get fixed. The flaws that we discovered have already been fixed in 2.0 we just want to show what it was and how it was fixed


It seems that a couple of folks wrote a nice little wiki page on changing the UI interface to HTTPS. I think that by now, the pineapple should probably use SSL out of the box. Any thoughts from others?

That would cost money yearly to have an SSL cert, unless there is a way everyone can have that cert for their Pineapple.


Certificates are free. Getting your cert signed by a trusted company is what costs money.

Using the openssl tools it's trivial to create a self-signed cert. If you add that cert to your local keystore, things are fine, you have your encrypted connection and it will have cost you the grand total sum of 0 in whatever currency is local to you.

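The self-signed-cert route the last two posts describe, as an added example (not code from the thread or from Hak5): one function generates the cert/key pair with the openssl CLI, the other writes an nginx server block that terminates TLS for the management UI and redirects plain HTTP to it. The file paths, the hostname passed as common name, and the upstream port the UI listens on are assumptions you pass in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a self-signed certificate with
# the openssl CLI and emits an nginx config that serves the management UI over
# HTTPS and redirects plain HTTP to it. Paths, hostname and the upstream UI port
# are assumptions supplied as arguments.
set -eu

# Create a self-signed cert/key pair valid for the given number of days.
# Usage: make_self_signed_cert <outdir> <common-name> [days]
make_self_signed_cert() {
    outdir=$1; cn=$2; days=${3:-825}
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/mgmt.key" -out "$outdir/mgmt.crt" \
        -days "$days" -subj "/CN=$cn" >/dev/null 2>&1
    chmod 600 "$outdir/mgmt.key"   # private key must not be world-readable
    printf '%s\n' "$outdir/mgmt.crt"
}

# Write an nginx config: the HTTP port only redirects to HTTPS; TLS terminates
# here and is proxied to the existing plain-HTTP UI listener on localhost.
# Usage: write_nginx_ssl_conf <certdir> <conf-path> <http-port> <https-port> <upstream-port>
write_nginx_ssl_conf() {
    certdir=$1; conf=$2; http=$3; https=$4; up=$5
    cat > "$conf" <<EOF
server {
    listen ${http};
    return 301 https://\$host:${https}\$request_uri;
}
server {
    listen ${https} ssl;
    ssl_certificate     ${certdir}/mgmt.crt;
    ssl_certificate_key ${certdir}/mgmt.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://127.0.0.1:${up};
        proxy_set_header Host \$host;
    }
}
EOF
    printf '%s\n' "$conf"
}
```

Import mgmt.crt into your browser or OS trust store afterwards, as the post above says, so the self-signed cert does not train you to click through warnings.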
