QNAP QTS 0day (CVE-2017-5227)

Pasquale `sid` Fiorillo and Guido `go` Oricchio have released a critical security advisory for any QNAP NAS running any version of QTS prior to 4.2.4 Build 20170313.

The issue involves all the QNAP NAS that are members of a Microsoft Active Directory and can be used by any local user, such as “httpdusr” used to run web application, to escalate to Domain Administrator.

Ssh read failed from linux to Win32-OpenSSH

How to workaround a 2017’s Win32-OpenSSH bug by using a 1980’s unix util 😉

If you run ssh in a non-real TTY (like a popen() from mod_php, or cron) against a windows host running Win32-OpenSSH, you may receive a “read failed”.

To easily reproduce the problem you can run ssh through “nohup”:

nohup ssh -vvv user@windows-host whoami

Here’s the log:

[...]
debug1: Sending command: whoami
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug2: channel 0: read<=0 rfd 4 len 0 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3888, received 2748 bytes, in 0.1 seconds
Bytes per second: sent 75340.2, received 53249.7
debug1: Exit status 0

A workaround which can be used to solve this issue is the running of the ssh through “script”, a 1980’s utility to log an interactive session to a file:

script makes a typescript of everything displayed on your terminal.
It is useful for students who need a hardcopy record of an
interactive session as proof of an assignment, as the typescript file
can be printed out later with lpr(1).

So, for example:

script -q -c "ssh user@windows-host whoami"

There is an open issue on GitHub.

Enable key authentication on Win32-OpenSSH

After you have configured “sshd_config” in Win32-OpenSSH to enable key authentication feature and have copied your public key to “%systemdrive%\users\user\.ssh\authorized_keys” as written on their Wiki, the publickey authentication still does not work.

The missing step, not well documented, consists in copying “ssh_lsa.dll” to “%WINDIR%/System32” directory, and adding “ssh-lsa” string to the “HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa/Authentication Packages” registry key.

Hey man, you’re on windows, don’t forget to reboot! 😉