ZaraByte Posted August 9, 2014 Posted August 9, 2014 (edited) Uhhh dang this is why you gotta not rush releases guys a security flaw has been found in the latest firmware released by hak5 at defcon 22. On the new firmware, /?logout=true unauthenticated to force log out and sniff creds coming back in, or just tight loop it to make it useless Credits:@ihuntpineapples on twitter check out ihuntpineapples on twitter for more security holes in the pineapple firmware. This is why i told you guys not to make the rush releasing the firmware is stuff like this it needs to be fully tested. Edited August 9, 2014 by ZaraByte Quote
newbi3 Posted August 9, 2014 Posted August 9, 2014 You should see the security flaws in 1.4.1 that don't exists in 2.0.... its crazy Quote
dustbyter Posted August 9, 2014 Posted August 9, 2014 To newbi3's point. Many vulnerabilities have been fixed, and must continue to be fixed even by the infusion authors. It is not just the responsiblity of the core web interface to be secure, the infusions must also be as they could be exploited themselves. Quote
newbi3 Posted August 9, 2014 Posted August 9, 2014 Infusion vulnerabilities have gotten a lot harder to exploit in 2.0. Foxtrot, Tesla, Wh1p and I have spent all day trying to break stuff. I am going to be doing a write up about what was wrong and what has been done to fix it now Quote
rottingsun Posted August 9, 2014 Posted August 9, 2014 What's this guy's deal? Just to try to embarrass Darren and Seb? Quote
Sebkinne Posted August 9, 2014 Posted August 9, 2014 Hey guys, 2.0.0 fixed a bunch of things, but mainly one derp of me having shifted code around and put it into the wrong place (footer instead of header file) - that was a major fuck up but shit happens. The security bugs everyone is reporting with the infusions are fixed now, as long as the root password is not know. If you know the root password, you can inject into POST or even some GET requests. You could also just use the functions.php in the configuration tile that will execute commands for you - a built-in function of the tile. We'll have to lock that - and other things down now. We figured, as long as everything requires a password, the injection shouldn't matter - as you could just send an "rm -rf /" over ssh just as easy. We'll be undergoing a hardening cycle to make sure these issues get resolved. Until then, we will have 2.0.1 (uploading now), which fixes the bug allowing another user to log you out. We cannot really fix the fact that passwords can be sniffed over the open wireless - use a cable to manage it without the password leaking into the air. Only thing we could do in that regard is put self-signed SSL certs on every Pineaple.. but that would be a hassle for everyone. Nginx DOES support SSL, so feel free to set that up. TLDR: Download 2.0.1 once it's out, it has the logout bug fixed. Best Regards, Sebkinne Quote
newbi3 Posted August 9, 2014 Posted August 9, 2014 What's this guy's deal? Just to try to embarrass Darren and Seb? Not at all. Expose flaws so they get fixed. The flaws that we discovered have already been fixed in 2.0 we just want to show what it was and how it was fixed Quote
rottingsun Posted August 9, 2014 Posted August 9, 2014 Not at all. Expose flaws so they get fixed. The flaws that we discovered have already been fixed in 2.0 we just want to show what it was and how it was fixed Not I get that - it just seems like the way he's going about it is totally ego driven. Quote
rottingsun Posted August 11, 2014 Posted August 11, 2014 Actually interested to see if Hak5 has any thoughts on the situation (good, bad, or indifferent)? Seems like the entire deal was a bit bizarre. Quote
fringes Posted August 13, 2014 Posted August 13, 2014 It seems that a couple of folks wrote a nice little wiki page on changing the UI interface to HTTPS. I think that by now, the pineapple should probably use SSL out of the box. Any thoughts from others? Quote
ZaraByte Posted August 13, 2014 Author Posted August 13, 2014 It seems that a couple of folks wrote a nice little wiki page on changing the UI interface to HTTPS. I think that by now, the pineapple should probably use SSL out of the box. Any thoughts from others? That would cost money yearly to have a SSL Cert unless their is a way to every can have that cert for their pineapple. Quote
cooper Posted August 13, 2014 Posted August 13, 2014 Certificates are free. Getting your cert signed by a trusted company is what costs money. Using the openssl tools it's trivial to create a self-signed cert. If you add that cert to your local keystore, things are fine, you have your encrypted connection and it will have cost you the grand total sum of 0 in whatever currency is local to you. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.