Pentesting LibraryBox 2.1 (Sniffing username/passwd)

jeph300

Dec 16, 2016, 1:56:56 PM
to LibraryBox
Hello guys, I'm sharing with you an existing flaw in LibraryBox 2.1 that allows any connected user to sniff your FTP password.
LibraryBox uses FTP for file transfer instead of SFTP (secure FTP), which makes it vulnerable to sniffing. I use Kali Linux to do this: using Wireshark, I sniffed the FTP username/password WHILE the admin user is authenticating. Is there a way to fix this, or at least install SFTP?

Matthias Strubel

Dec 17, 2016, 2:38:08 PM
to libra...@googlegroups.com
Hello,
yes.
I also investigated using sftp over ftp.

The built-in sftp:

  - has a 1:1 relationship with the user accounts
  - no session limits (to prevent overload)
  - no anonymous access possible.


The only way to solve this is to use self-signed certs together with FTP over SSL....

best regards
Matthias

Jason Griffey

Dec 17, 2016, 3:04:37 PM
to libra...@googlegroups.com

What Matthias said. LibraryBox, especially running on the TP-Link hardware, is not at all hardened against even the lowest forms of hackery. It's very easy to purposefully interrupt one. 

I would prefer that to be much, much harder to do, and would _love_ to find ways to do end-to-end encryption for all communications on the system. But that's _very_ hard, esp since standard methods (ssl) require connectivity to the 'net for full implementation. 

We have been looking for some time for someone that wanted to work on a Raspberry Pi port of LibraryBox, which would allow for more robust efforts at this sort of thing. The code is there, and I'm more than happy to look at pull requests if you want to help to harden the system.

Jason
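
An added example (not part of the thread and not LibraryBox code) for the cleartext login reported above and the FTP over SSL fix Matthias mentions: it classifies FTP control-channel transcripts by whether USER/PASS appeared before an explicit `AUTH TLS` upgrade was accepted. The transcripts, session names and credentials are constructed; the `AUTH TLS` command and `234` reply are from RFC 4217.

```python
# Constructed control-channel transcripts ("C:" client command, "S:" server
# reply). All names and passwords are invented for this example.
SAMPLE = {
    "admin-plain": ["S: 220 ready", "C: USER admin", "S: 331 need password",
                    "C: PASS example-password", "S: 230 logged in"],
    # After the 234 reply the channel is inside TLS, so nothing more is visible.
    "admin-ftps": ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed"],
    "visitor-anon": ["S: 220 ready", "C: USER anonymous", "S: 331 need password",
                     "C: PASS guest@example.invalid", "S: 230 logged in"],
}
ANON = {"anonymous", "ftp"}  # anonymous logins carry no secret password


def classify(transcript):
    """Return (verdict, user) for one transcript; the password is never kept."""
    tls_pending = tls_on = False
    user = None
    for line in transcript:
        side, _, rest = line.partition(": ")
        word, _, arg = rest.strip().partition(" ")
        word = word.upper()
        if side == "C" and word == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_pending = True            # RFC 4217: client asks to upgrade
        elif side == "S" and word == "234" and tls_pending:
            tls_on = True                 # server accepted, TLS handshake follows
        elif side == "C" and word == "USER" and not tls_on:
            user = arg.strip()
        elif side == "C" and word == "PASS" and not tls_on and user:
            kind = "anonymous" if user.lower() in ANON else "cleartext-credentials"
            return (kind, user)
    return ("tls-before-login", None) if tls_on else ("no-login-seen", user)


def audit(sessions):
    """Classify every named session in a dict of transcripts."""
    return {name: classify(t) for name, t in sessions.items()}


if __name__ == "__main__":
    for name, (verdict, user) in audit(SAMPLE).items():
        print(f"{name}: {verdict} user={user}")
```

A session where the server rejects `AUTH TLS` and the client logs in anyway is still reported as `cleartext-credentials`, which is the fallback case to watch for after enabling FTP over SSL.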
