How to properly escape ash input?

That is actually the beauty of the internet: it was never a safe place, never should be, and it should be anonymous. I don't like the dangers, but I also see where regulations and restrictions by the government go; in the end it always affects only the good people. We are the ones who should secure our devices, starting by replacing original firmware with LEDE :wink:
Btw. is it possible to allow more IP addresses on a specific port in a single firewall rule? I mean something like list src_ip 'ip1,ip2,ip3'

Yes, please stop considering exposing insecure and non-robust services


/etc/services defines the ports

Use a private port

@mbo2o thank you, I will have to read something about that. I had no idea this is possible in OpenWrt.
@jeff Well, that is why I asked before doing something stupid. As long as you correctly trim the input and properly escape, nothing should go wrong. I'm quite disappointed to see that sh seems to be insecure for this task.
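
An added example, not part of any post in this thread: instead of escaping the received line, a script can accept only the one shape it expects (assumed here to be a MAC address for etherwake) and pass it on as a single quoted argument. `WAKE_CMD`, `WAKE_IF` and the `br-lan` interface name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): allowlist validation instead of escaping.
# Assumption: the untrusted line is meant to be one MAC address for etherwake.
LC_ALL=C; export LC_ALL      # make [0-9A-Fa-f] mean exactly those bytes

# is_mac STRING: succeed only if STRING is exactly six colon-separated hex pairs.
is_mac() {
    h='[0-9A-Fa-f]'
    case "$1" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
        *) return 1 ;;
    esac
}

# read_mac: read ONE line from stdin, drop a trailing CR, print it only if valid.
read_mac() {
    _line=
    IFS= read -r _line || [ -n "$_line" ] || return 1
    _line=${_line%"$(printf '\r')"}
    is_mac "$_line" || return 1
    printf '%s\n' "$_line"
}

# handle_request: body of a script started by inetd (socket on stdin).
# WAKE_CMD and WAKE_IF are hypothetical knobs for this example; br-lan is assumed.
handle_request() {
    mac=$(read_mac) || { echo "rejected input" >&2; return 1; }
    # Quoted expansion, no eval, no re-parsing: the value is one argv entry.
    "${WAKE_CMD:-etherwake}" -i "${WAKE_IF:-br-lan}" "$mac"
}

# On the router the script would end with:  handle_request
```

Anything that is not exactly six hex pairs is dropped before a command line is ever built, so there is nothing left to escape.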

That is, regrettably, a very poor assumption, no matter what port you are running on, registered or otherwise.

As just one reference
https://engineering.purdue.edu/ResearchGroups/SmashGuard/BoF.html

And for something more current, start with https://www.us-cert.gov/ncas/current-activity

Here you go https://www.us-cert.gov/ncas/bulletins/SB18-064 -- just one week of "nothing should go wrong"

Thank you, I actually remember some of the attacks from the first link :slight_smile:
So better to sit home and watch TV, right? Not me. But I got your message, I believe even hello world.c can be exploited, if it relies on a vulnerable library or vulnerable system.

My car can be stolen, but I don't leave the keys inside and the doors unlocked.


You don't even require a script; you could call etherwake with its arguments directly from inetd.

Also use the wait option instead of nowait.

root@LEDE:~# cd /etc
root@LEDE:/etc# passwd
Changing password for root
New password:

Pwnd...

(Sound of car being driven away)

@jwoods, I have only used inetd on internal networks so I haven't explored the security issues.

@nozombian, You can probably do a penetration test on your own network to see what fails.

etherwake must be run as root.

wakeonlan can be run as non-root user.


wakeonlan could be useful, if it did not require a ton of Perl dependencies and like 5MB of flash :open_mouth:
@mbo2o any tip for a (free) penetration test?

Place the IPs in an ipset foo, then edit the iptables rule to block by SRC IPs in set foo.

Yes. Either specify a range (option src_ip 10.0.0.1-10.0.0.100) or a uci list of ips:

config rule
  ...
  list src_ip 10.0.0.1
  list src_ip 10.0.0.2
  list src_ip 10.0.0.3
  ...