Hak5 Forums

This topic is now archived and is closed to further replies.

ZaraByte

Security Flaw Discovered in 2.0.0 by ihuntpineapples

Uhhh dang, this is why you gotta not rush releases, guys. A security flaw has been found in the latest firmware released by Hak5 at DEF CON 22.

On the new firmware, /?logout=true works unauthenticated to force a logout and sniff creds coming back in, or just tight-loop it to make it useless.

Credits: @ihuntpineapples on Twitter

Check out ihuntpineapples on Twitter for more security holes in the Pineapple firmware.

This is why I told you guys not to rush releasing the firmware: it's stuff like this, it needs to be fully tested.


You should see the security flaws in 1.4.1 that don't exist in 2.0... it's crazy.


To newbi3's point: many vulnerabilities have been fixed, and must continue to be fixed, even by the infusion authors.

It is not just the responsibility of the core web interface to be secure; the infusions must also be, as they could be exploited themselves.


Infusion vulnerabilities have gotten a lot harder to exploit in 2.0. Foxtrot, Tesla, Wh1p and I have spent all day trying to break stuff. I am going to be doing a write-up about what was wrong and what has been done to fix it now.


Hey guys,

2.0.0 fixed a bunch of things, but mainly one derp of mine: having shifted code around and put it into the wrong place (footer instead of header file). That was a major fuck up, but shit happens.

The security bugs everyone is reporting with the infusions are fixed now, as long as the root password is not known. If you know the root password, you can inject into POST or even some GET requests. You could also just use the functions.php in the configuration tile that will execute commands for you, a built-in function of the tile. We'll have to lock that, and other things, down now.

We figured, as long as everything requires a password, the injection shouldn't matter - as you could just send an "rm -rf /" over ssh just as easy.

We'll be undergoing a hardening cycle to make sure these issues get resolved. Until then, we will have 2.0.1 (uploading now), which fixes the bug allowing another user to log you out.

We cannot really fix the fact that passwords can be sniffed over the open wireless; use a cable to manage it without the password leaking into the air. The only thing we could do in that regard is put self-signed SSL certs on every Pineapple, but that would be a hassle for everyone. Nginx DOES support SSL, so feel free to set that up.

TLDR: Download 2.0.1 once it's out, it has the logout bug fixed.

Best Regards,

Sebkinne

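Sebkinne's post above mentions that POST and some GET parameters can be used to inject commands, and that the configuration tile's functions.php executes commands by design. The block below is an added example in Python, written for this page and not taken from the firmware or any infusion, showing what that pattern looks like and the two layers that close it: passing an argv list instead of a shell string, and an allowlist on the argument itself. `echo` stands in for whatever utility the tile wraps (an assumption made so the demo runs offline and the injected command only prints a marker); the regex and function names are likewise assumptions.

```python
"""Command injection through a request parameter handed to a shell, and the fix.

Added example in Python; it is not the Pineapple's functions.php or any infusion.
`echo` stands in for whatever utility the tile wraps (assumption), so the demo
runs offline and the "injection" only prints a marker instead of doing damage.
"""
import re
import subprocess

# Allowlist for the single argument the wrapper accepts (hostnames, IPs, interface
# names). The first character may not be '-', so data cannot turn into an option.
SAFE_ARG = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_run(arg: str) -> str:
    """Builds the command line by string concatenation and gives it to /bin/sh.
    Anything the shell treats specially in `arg` (; | $() backticks) is executed,
    with the privileges of the web server, which on this device is root."""
    cmd = "echo " + arg
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_run(arg: str) -> str:
    """Passing an argv list without a shell makes `arg` one literal argument:
    the shell never sees it, so shell metacharacters cannot inject a command."""
    return subprocess.run(["echo", arg], capture_output=True, text=True).stdout


def validate_arg(arg: str) -> bool:
    """Allowlist check on top of argv passing. It protects against arguments the
    wrapped program itself would interpret, e.g. a leading '-' read as an option."""
    return SAFE_ARG.fullmatch(arg) is not None


def hardened_run(arg: str) -> str:
    """Reject anything outside the allowlist, then run without a shell."""
    if not validate_arg(arg):
        raise ValueError(f"rejected argument: {arg!r}")
    return argv_only_run(arg)


def demo() -> dict:
    """Constructed attacker input: a benign value followed by an injected command."""
    payload = "ok; echo INJECTED"
    return {
        "vulnerable": vulnerable_run(payload),        # "ok\nINJECTED\n"
        "argv_only": argv_only_run(payload),          # "ok; echo INJECTED\n"
        "payload_allowed": validate_arg(payload),     # False
        "option_allowed": validate_arg("-n"),         # False
        "hardened_benign": hardened_run("pineapple"), # "pineapple\n"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The argv form alone already stops shell injection; the allowlist is the second layer for the case where the wrapped program, not the shell, does the interpreting. Either way the wrapper should map a fixed set of actions to fixed command vectors rather than accept a free-form command, which is the part of functions.php the post says still has to be locked down.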

What's this guy's deal? Just trying to embarrass Darren and Seb?

Not at all. Expose flaws so they get fixed. The flaws that we discovered have already been fixed in 2.0; we just want to show what it was and how it was fixed.


Not at all. Expose flaws so they get fixed. The flaws that we discovered have already been fixed in 2.0; we just want to show what it was and how it was fixed.

No, I get that. It just seems like the way he's going about it is totally ego driven.


Actually interested to see if Hak5 has any thoughts on the situation (good, bad, or indifferent)? Seems like the entire deal was a bit bizarre.


It seems that a couple of folks wrote a nice little wiki page on changing the UI interface to HTTPS. I think that by now, the pineapple should probably use SSL out of the box. Any thoughts from others?


It seems that a couple of folks wrote a nice little wiki page on changing the UI interface to HTTPS. I think that by now, the pineapple should probably use SSL out of the box. Any thoughts from others?

That would cost money yearly to have an SSL cert, unless there is a way for everyone to have that cert for their Pineapple.


Certificates are free. Getting your cert signed by a trusted company is what costs money.

Using the openssl tools, it's trivial to create a self-signed cert. If you add that cert to your local keystore, things are fine: you have your encrypted connection, and it will have cost you the grand total sum of 0 in whatever currency is local to you.
