Vulnerability and compromised profiles (Zeroshell<3.0.0)


This topic contains 4 replies, has 0 voices, and was last updated by  aseques 4 years, 10 months ago.

#43834

    aseques
    Member

    Hello, can we get any details on this? I’d like to know if there is any way to apply the profile fixes without upgrading.
    Also, does closing the web access block the issue?

    #53145

    imported_fulvio
    Participant

    On YouTube you can find a video that illustrates how to gain access to Zeroshell without knowing the admin’s password. Surely, if you restrict the http access you mitigate the issue.
    Regards
    Fulvio

    #53146

    Yhoni
    Member

    @fulvio wrote:

    Hello,

    All versions of Zeroshell older than release 2.0.RC3 are vulnerable because of the possibility to execute code remotely via the web interface
    in a non-authenticated mode. This well-documented vulnerability has been exploited to introduce an executable within the profiles that makes connections to some DNS servers with the aim of producing a DDoS, resulting in bandwidth consumption.
    Even the release 2.0.RC3 may be subject to the attack if the configuration profile comes from a previous version already compromised. The release 3.0.0 is able to detect a compromised profile and clean it. It is recommended, in view of the gravity of the problem, to migrate as soon as possible to release 3.0.0 to be sure that Zeroshell is not running a compromised profile.

    Regards
    Fulvio

    Thank you for the information.

    #53147

    aseques
    Member

    I can confirm that the details outlined in the video on YouTube allow full access to the Zeroshell; the only protection against these attacks, other than updating, is closing the web access except for your whitelisted IPs.
    Other than that, could someone explain how to identify the traces of the exploits installed?

    #53148

    meloun
    Member

    @aseques wrote:

    Other than that, could someone explain how to identify the traces of the exploits installed?

    Check manually. Connect via SFTP and look at the files in the subfolders of /DB.
    Run the command ps -ax over SSH and see if there is anything running from /DB or its subfolders.

    PS: SFTP access may require changing the shell. Connect via SSH and run chsh, entering /bin/bash.

    PS2: To switch the shell back, run chsh and enter /root/kerbynet.cgi/scripts/localman, or simply reboot the Zeroshell router.

    #53149

    aseques
    Member

    We observed that there is a hidden process (it only shows up when running top) called .DB.001.
    This process is launched by the Database-Cron (Startup Cron -> Cron Database).
    You can see if you are affected by doing:

    cat ./DB/_DB.001/var/register/system/startup/scripts/Database-Cron/File
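An added example (not code from this thread or from the Zeroshell project) that scripts the two manual checks described above: anything in the ps -ax output running from /DB or the hidden .DB.001 process, and the contents of the Database-Cron File. The process list and cron file below are constructed samples, and the assumption that a clean Database-Cron File does not reference anything under /DB is mine.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Zeroshell project.
# It automates the checks the posters describe: anything in "ps -ax" output
# running out of /DB (or the hidden .DB.001 process), and a Database-Cron
# startup script that launches something from /DB. Paths and names are taken
# from the thread; the ps output and cron file below are constructed samples
# so the script runs offline.

# Print ps lines whose command runs from /DB or is the hidden .DB.001 process.
# Reads "ps -ax" style text on stdin; prints nothing when the list is clean.
find_db_processes() {
    grep -E '(^|[[:space:]])\.?/DB/|\.DB\.001' || true
}

# Print (with line numbers) the lines of a Database-Cron "File" that reference
# /DB or .DB.001 (assumption: a clean File does not). On a router the path the
# thread gives is ./DB/_DB.001/var/register/system/startup/scripts/Database-Cron/File
check_cron_file() {
    grep -nE '\.?/DB/|\.DB\.001' "$1" || true
}

# Succeeds (exit 0) when either check finds an indicator.
# $1 = ps output as text, $2 = path to the Database-Cron File.
profile_looks_compromised() {
    p=$(printf '%s\n' "$1" | find_db_processes | wc -l | tr -d ' ')
    c=$(check_cron_file "$2" | wc -l | tr -d ' ')
    [ "$p" -gt 0 ] || [ "$c" -gt 0 ]
}

# Constructed sample ps output: one hidden process launched from the profile.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init
  640 ?        S      0:00 /root/kerbynet.cgi/scripts/localman
 1034 ?        S      3:12 ./DB/_DB.001/.DB.001
 1100 ?        S      0:00 sshd: admin [priv]'

# Constructed sample cron File (assumed content: a line starting the binary).
SAMPLE_CRON_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_CRON_FILE"' EXIT
printf '#!/bin/sh\n# legitimate commands would be here\n./DB/_DB.001/.DB.001 &\n' > "$SAMPLE_CRON_FILE"

if profile_looks_compromised "$SAMPLE_PS" "$SAMPLE_CRON_FILE"; then
    echo "indicators found:"
    printf '%s\n' "$SAMPLE_PS" | find_db_processes
    check_cron_file "$SAMPLE_CRON_FILE"
else
    echo "no indicators found"
fi
```

On a router, feed the real process list with `ps -ax | find_db_processes` and point check_cron_file at the Database-Cron File path quoted above.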
