Jump to content


Photo

VUSolo 2 streamproxy authentication bug (user/password)


  • Please log in to reply
17 replies to this topic

#1 cineq

  • Member
  • 6 posts

0
Neutral

Posted 18 August 2014 - 14:14

Current version of OpenPLI on VUSolo2. I use transcode function.

 

AFAIK streamproxy should enable/disable 8001/8002 port according to config.streaming.authentication setting. Currently streamproxy seems to use Config.OpenWebif.auth setting for this purpose.

 

I tested it by running streamproxy -f. Every time I change Config.OpenWebif.auth in settings streamproxy detects file change and reacts correspondingly. Changing config.streaming.authentication has no effect. The same result with config.OpenWebif.auth_for_streaming.

 

I don't want to enter username/password in VLC each time I open transcoded stream. I don't want to disable OpenWebif authentication.

 

Is this some solo2 specific problem?

 

 


Re: VUSolo 2 streamproxy authentication bug (user/password) #2 Erik Slagter

  • PLi® Core member
  • 46,969 posts

+542
Excellent

Posted 19 August 2014 - 18:46

This is no problem, this is exactly how it's designed. There is no sense in requiring a password on the web interface and then accepting everything and anyone on the transcoding port.

Anyway, web interface authentication shouldn't be used for remote streaming anyway, you should use a VPN connection for that. And either you will take that advice and be safe or ignore it and be vulnerable, I am not going into discussion about this.

* Wavefrontier T90 with 28E/23E/19E/13E via SCR switches 2 x 2 x 6 user bands
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.
Ik lees geen PM -> als je iets te vragen of te melden hebt, doe het op het forum, zodat anderen er ook wat aan hebben.


Re: VUSolo 2 streamproxy authentication bug (user/password) #3 cineq

  • Member
  • 6 posts

0
Neutral

Posted 20 August 2014 - 19:30

Thanks for answer and clarification. I read somewhere on this forum that config.streaming. authentication has been set to control system wide setting for any stream authentication method. So it seems the logic of these settings changes in time. I understand security concerns. Anyway good to know it works the way by design not by mistake.

Re: VUSolo 2 streamproxy authentication bug (user/password) #4 Gaston64

  • Senior Member
  • 46 posts

+1
Neutral

Posted 2 September 2014 - 22:20

This is not how it works on other images, for example BH. But maybe Openpli's choice is better. BUT, does anyone know of a good video player for Android that supports this authentication?



Re: VUSolo 2 streamproxy authentication bug (user/password) #5 Gaston64

  • Senior Member
  • 46 posts

+1
Neutral

Posted 3 September 2014 - 07:12

There is no sense in requiring a password on the web interface and then accepting everything and anyone on the transcoding port.

 

Also, can you please explain why to someone who doesn't quite understand? Leaving port 8002 open is a big security issue?



Re: VUSolo 2 streamproxy authentication bug (user/password) #6 daddelfalk

  • Senior Member
  • 489 posts

+17
Neutral

Posted 3 September 2014 - 07:16

As Erik already stated: Use a VPN connection and you are fine.



Re: VUSolo 2 streamproxy authentication bug (user/password) #7 Gaston64

  • Senior Member
  • 46 posts

+1
Neutral

Posted 3 September 2014 - 07:27

Well, I really don't know where to start doing that. Would that be setting up the box running Openpli as VPN server with OpenVPN? And having OpenVPN clients installed on the devices I wan't to connect with? Is there a how-to on this?



Re: VUSolo 2 streamproxy authentication bug (user/password) #8 mattiL

  • Senior Member
  • 268 posts

+5
Neutral

Posted 3 September 2014 - 11:46

No, you do not want your stb (receiver) to act as a VPN server, either install VPN server on your internet router if it supports it, or use a pc on the local network as your VPN server.

The stb is not suited for acting as a VPN server.



Re: VUSolo 2 streamproxy authentication bug (user/password) #9 Gaston64

  • Senior Member
  • 46 posts

+1
Neutral

Posted 3 September 2014 - 15:27

OK, no good options for me... What are the potential issues in exposing the transcoding port openly on the net. Any known issues or more just a bad idea to expose anything?

 

I have the upload to use the 8001-port for streaming but I use 8002 (transcoding) sometimes to keep down the traffic on my mobile when away from wifi. Can't see the reason to treat 8001 any differently to 8002.



Re: VUSolo 2 streamproxy authentication bug (user/password) #10 Robinson

  • Senior Member
  • 2,621 posts

+30
Good

Posted 3 September 2014 - 19:37

No, you do not want your stb (receiver) to act as a VPN server, either install VPN server on your internet router if it supports it, or use a pc on the local network as your VPN server.

The stb is not suited for acting as a VPN server.

 

I have a TP-link WR543G router. According to is specifications, it supports VPN pass-through, whatever that means.

Is this router suitable to set up VPN then?


ET9000, OpenPLi 4.0, 13E, 19E

HD51, OpenPLi 6.2, 75E - 30W


Re: VUSolo 2 streamproxy authentication bug (user/password) #11 mattiL

  • Senior Member
  • 268 posts

+5
Neutral

Posted 4 September 2014 - 10:26

No, VPN pass-through is not the same as VPN server:

http://www.home-netw...ss-through.html



Re: VUSolo 2 streamproxy authentication bug (user/password) #12 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 14 September 2014 - 10:51

What are the potential issues in exposing the transcoding port openly on the net. Any known issues or more just a bad idea to expose anything?

The only proper answer is the Radio Eriwan way:

In theory that should be no risk at all, as long as the author(s) maintain their code properly and there are no issues inside the listener.
In practice, opening a port to the net always exposes the machine to all the risks of any known or not-yet-known issue within the listener, which could or should be none, but more realistically are not equal zero.

Happily in this case we can become a bit more specific:
All E2 streaming uses plain http (not https) thus unencrypted traffic "on the wire".
So the risk you unavoidably get for granted when you open one of the streaming ports is that anyone on the same network as you (e.g. the hotel/restaurant WiFi) can monitor your login (So actually, no auth would be at least a bit more secure, because all people could watch TV using your box but wouldn't get the OpenWebif password for free together with it).

But even if you do not login and thus the login can not be monitored, http basic auth allows for unlimited login attempts without any delay.
So an open streaming port (For OpenWebif read on) allows anyone to use brute-force for probing the root password, which - if also opened to the outside - might grant him access via ssh, then you have effectively lost your whole network (and not just the E2 box) to someone else.

OpenWebif allows to disable root logins to it (You will have to create a different user for login to the OpenWebif then, I guess about 0.01% of all users do this ;) ), which entirely gets rid of the possibility to brute-force the root password via OpenWebif but sadly I'm an idiot nobody listens to, so erik insisted on implementing his own auth in his transcoding proxy and someone else did the same for OpenPLi's built-in streaming port (Which historically always has been entirely open and was replaced with a proxy hooking to the webif as soon as a webif was installed), so neither streaming ports honors "disallow root logins".

So on Vu+ Duo² and Solo², you now get triple duplicated code:
OpenPLi's built-in http auth for streaming
trancoding proxy's built-in http auth for transcoded streaming
OpenWebifs http auth for the Webif itself.

Now to the real known risks (Nobody with a clear mind would dare to promise there aren't any unknown ones):
You must not open ssh and one or more of the streaming ports at the same time to avoid the streaming port being abused for brute-forcing the root password which would then be usable for ssh login. Instead you are strongly advised to use key auth for ssh and disable password logins to ssh.

You must not allow root logins in OpenWebif and open one or more of the streaming ports at the same time to avoid the streaming port being abused for brute-forcing the root password which would then be usable for OpenWebif logins. While OpenWebif doesn't grant full access it still allows enough damage to the E2 box - like deleted timers/recordings/bouquets - to be preferably avoided.


If you
  • create one or more additional users without shell access and home directory
  • disallow root logins to OpenWebif
  • do not open the http port for OpenWebif but only its https port
  • create own cert/key for OpenWebif with proper hostname informations rather than using the auto-generated cert/key and adding your own cert/key to the trusted sites in your browser
  • always make sure that the cert/key for OpenWebif matches (Green closed lock and "https" in Chrome, gray closed lock and "https" in Firefox) before you enter any credentials
  • disallow password logins to ssh or do not open its port to the outside
  • use the root (sic!) password for streaming
.. there are at least no known issues for gaining control over your E2 box.

In this scenario, the root password monitored on the streaming port is useless for anything else (OpenWebif or ssh) and with proper key/cert for OpenWebifs https access you can be sure that there is no MITM intercepting the credentials, as long as you take care that OpenWebif has presented its proper cert (Thus the green/gray closed lock).

If you fail to understand or apply any of the above steps, you are lost as soon as you open any of those ports.

But even if you apply all of the above measures one issue remains and definitely will be abused:
Some chinese guy will probe your streaming ports until he gets access and will then watch TV using your box resp. stream it to others.

Especially with the Solo² and its software transcoding, this might and probably will end in crashes of your box.

Rest assured:
Any port opened to the internet will sooner or later be probed.
Right now my secondary router's traffic LED keeps blinking although there is no device attached which would legally cause those amounts of activity, so someone is trying to exploit its ssh.
He or she will be rotten to a skeleton before he/she is done with it, so I just let them waste their time, but they would succeed easily and quickly with Joe Average's ultra-secure password(s) ...[

Edited by SpaceRat, 14 September 2014 - 10:54.

1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: VUSolo 2 streamproxy authentication bug (user/password) #13 Gaston64

  • Senior Member
  • 46 posts

+1
Neutral

Posted 15 September 2014 - 06:27

Thanks for the post!

I've been having my streamingport open for a few years (I have the upload even for HD channels) - never noticed any problem with it, but as you write it isn't impossible that it will abused. I had thought about the streaming abuse, not the brute force password abuse. But webif port is open so I suppose they hammer that.

Since I never noticed a problem with open streaming port I would like an open transcoding port as well so it would be nice to have as a setting.

Will going via VPN in a router solve all the issues as well?

Anyone know of a good video player for Android that supports the basic authentication and can play these streams?



Re: VUSolo 2 streamproxy authentication bug (user/password) #14 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 15 September 2014 - 06:49

Your mileage may vary, but I consider an ssh tunnel easier to set up and more reliable in operation.
Well, depending on where (on which devices) you set it up and where you would have to set up the VPN.

Once you have set up one (or more) device(s) on your LAN to open ssh to the outside world and connect to it, you can tunnel any port on any device on the LAN (or even outside the LAN) through it.
Which is also the reason why security considerations have to be made even "for a simple set top box", because it's a Linux OS on its low levels.

On the other hand it means you can safely use any port on any device inside your home LAN from the outside world through an ssh tunnel, as long as the ssh is set up securely, without opening any of those ports directly.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: VUSolo 2 streamproxy authentication bug (user/password) #15 Robinson

  • Senior Member
  • 2,621 posts

+30
Good

Posted 15 September 2014 - 07:36

Hello,

 

MiLo, is this guide still up-to-date or does it require any amendments?

http://www.milosoftw...p?body=dropbear


ET9000, OpenPLi 4.0, 13E, 19E

HD51, OpenPLi 6.2, 75E - 30W


Re: VUSolo 2 streamproxy authentication bug (user/password) #16 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 15 September 2014 - 07:46

Wouldn't know what could have changed, so yes, it's up-to-date.
Although Putty is a PITA to use, IMHO.

One might want to add that there are Smartphone Apps for ssh connections too, e.g. ConnectBot.
ConnectBot doesn't actually make up a good terminal emulation, but it's great if tunneling ports is the main purpose of an ssh connection.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: VUSolo 2 streamproxy authentication bug (user/password) #17 Gaston64

  • Senior Member
  • 46 posts

+1
Neutral

Posted 15 September 2014 - 12:46

Thanks, will give SSH-tunnel a try.



Re: VUSolo 2 streamproxy authentication bug (user/password) #18 Gaston64

  • Senior Member
  • 46 posts

+1
Neutral

Posted 16 September 2014 - 07:58

SSH tunnel worked fine (only tested on windows so far). Using putty gave me very jerky streaming though, don't know why (no CPU load or anything). But Bitvise (SSH) Tunnelier seems rock solid so far. On to Android setup next.




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users