Pasquale `sid` Fiorillo and Guido `go` Oricchio have released a critical security advisory for any QNAP NAS running a QTS version prior to 4.2.4 Build 20170313.
The issue affects every QNAP NAS that is joined to a Microsoft Active Directory domain: any local user on the NAS, including a service account such as "httpdusr" (the one used to run web applications), can use it to escalate to Domain Administrator.
Aws-key-auditor is a simple bash script that tests a set of AWS credentials against a number of safe (read-only) awscli commands.
It can be useful during a penetration test to automate the checks needed to understand which resources a compromised key can access, without modifying anything in the target account.
Download from GitHub
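As an added example (not the aws-key-auditor script itself), this is the same idea reduced to a small, auditable bash function: a list of Describe/List/Get probes, a guard that refuses anything that is not read-only, and a classifier that turns the awscli result into "ok", "denied" or "error". The probe list, the allowlist and the error patterns are my own assumptions; the credentials are taken from the usual environment variables.

```shell
#!/bin/bash
# Added example, not the aws-key-auditor script: probe a (possibly compromised)
# AWS key with read-only awscli calls only.  Credentials come from the
# environment (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optional
# AWS_SESSION_TOKEN, AWS_DEFAULT_REGION) exactly as awscli expects them.

# Constructed probe list (assumption): "<service> <subcommand>", one per line.
# Every entry is a Describe/List/Get call, i.e. it changes nothing.
READONLY_PROBES="
sts get-caller-identity
iam list-users
s3api list-buckets
ec2 describe-instances
lambda list-functions
secretsmanager list-secrets
"

# Guard: only verbs that cannot mutate state get through.  Returns 0 (allowed)
# or 1 (refused), so a typo such as "ec2 terminate-instances" can never run.
is_readonly() {
  case "$2" in
    get-*|list-*|describe-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify one awscli run.  $1 = exit status, $2 = combined stdout+stderr.
# The patterns cover the access-denied wording of the main services
# (AccessDenied, AccessDeniedException, UnauthorizedOperation, "not authorized").
classify_result() {
  if [ "$1" -eq 0 ]; then
    echo ok
  elif printf '%s' "$2" | grep -Eq 'AccessDenied|UnauthorizedOperation|not authorized'; then
    echo denied
  else
    echo error
  fi
}

# Run one probe and print "<service> <subcommand>: <verdict>".
run_probe() {
  local svc="$1" sub="$2" out rc
  if ! is_readonly "$svc" "$sub"; then
    echo "$svc $sub: refused (not read-only)"
    return 0
  fi
  out=$(aws "$svc" "$sub" --output json 2>&1); rc=$?
  echo "$svc $sub: $(classify_result "$rc" "$out")"
}

# Walk the probe list.  Returns 2 if awscli is not installed.
audit() {
  command -v aws >/dev/null 2>&1 || { echo "awscli not installed" >&2; return 2; }
  printf '%s\n' "$READONLY_PROBES" | while read -r svc sub; do
    [ -n "$svc" ] && run_probe "$svc" "$sub"
  done
}

# Only run the audit when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  audit
fi
```

Usage: `AWS_ACCESS_KEY_ID=AKIA... AWS_SECRET_ACCESS_KEY=... AWS_DEFAULT_REGION=eu-west-1 bash audit.sh --run`. A "denied" line tells you the key is valid but lacks that permission; an "error" line usually means a missing region, an expired session token or a network problem rather than a permission boundary, so read the first line of the awscli output before drawing conclusions.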
How to work around a 2017 Win32-OpenSSH bug by using a 1980s unix utility 😉
If you run ssh without a real TTY (for example from a popen() in mod_php, or from cron) against a Windows host running Win32-OpenSSH, you may get a "read failed" and no command output.
The problem is easy to reproduce by running ssh through "nohup", which detaches it from the terminal:
nohup ssh -vvv user@windows-host whoami
Here’s the log:
debug1: Sending command: whoami
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug2: channel 0: read<=0 rfd 4 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3888, received 2748 bytes, in 0.1 seconds
Bytes per second: sent 75340.2, received 53249.7
debug1: Exit status 0
A workaround is to run ssh through "script", a 1980s utility that logs an interactive session to a file and, to do so, runs the command inside a pseudo-terminal of its own:
script makes a typescript of everything displayed on your terminal.
It is useful for students who need a hardcopy record of an
interactive session as proof of an assignment, as the typescript file
can be printed out later with lpr(1).
So, for example:
script -q -c "ssh user@windows-host whoami"
There is an open issue on GitHub.
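To show why the trick works, here is an added example (not code from the original post): a probe that reports whether the child process sees a terminal on stdin, run once directly and once under script(1), plus the ssh wrapper itself. It assumes the util-linux syntax `script -q -c CMD FILE` (BSD/macOS use `script -q FILE CMD` instead); "user@windows-host" is the placeholder from the post.

```shell
#!/bin/bash
# Added example, not from the original post: script(1) allocates a
# pseudo-terminal and runs the command inside it, so the child sees a real TTY
# even when the parent (cron, nohup, a popen() from mod_php) has none.

# Shell snippet that reports what the child sees on stdin.
PROBE='if [ -t 0 ]; then echo tty; else echo notty; fi'

# Run the probe directly: it inherits our stdin, whatever that is.
probe_direct() {
  sh -c "$PROBE"
}

# Run the probe under script(1).  The typescript is discarded (/dev/null);
# the pty turns "\n" into "\r\n", so the carriage returns are stripped.
# Prints "tty" on success, "no-script" if script is not installed, or
# "pty-unavailable" if no pseudo-terminal could be allocated (a sandbox
# without /dev/pts, for instance).
probe_under_script() {
  command -v script >/dev/null 2>&1 || { echo no-script; return 0; }
  local out
  if ! out=$(script -q -c "$PROBE" /dev/null 2>/dev/null); then
    echo pty-unavailable
    return 0
  fi
  printf '%s\n' "$out" | tr -d '\r'
}

# The actual workaround: ssh inside script.  BatchMode=yes makes ssh fail
# instead of hanging on a password prompt when key authentication is broken,
# which is what you want from cron.
ssh_via_pty() {
  script -q -c "ssh -o BatchMode=yes $*" /dev/null | tr -d '\r'
}

# Demo: "direct" prints notty when started via nohup, "under script" prints tty.
if [ "${1:-}" = "--demo" ]; then
  echo "direct:       $(probe_direct)"
  echo "under script: $(probe_under_script)"
  # ssh_via_pty user@windows-host whoami
fi
```

Run it as `nohup bash pty.sh --demo` to see the two answers differ; the same `ssh_via_pty user@windows-host whoami` call is what you would put in the cron job or the PHP wrapper.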
After you have enabled public-key authentication in the Win32-OpenSSH "sshd_config" and copied your public key to "%systemdrive%\users\user\.ssh\authorized_keys" as described on the project Wiki, public-key authentication still does not work.
The step missing from the documentation is to copy "ssh_lsa.dll" into the "%WINDIR%\System32" directory and to add the string "ssh-lsa" to the "Authentication Packages" value under the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" registry key. That value is a REG_MULTI_SZ: append "ssh-lsa" after the existing entries (normally "msv1_0"), do not replace them.
Hey man, you're on Windows, don't forget to reboot! 😉