
I have a Raspberry Pi connected to my network and keep getting this vulnerability warning from my security software. I turned off the apache2 web server on the Pi, which fixed my port 80 issue, but I have no idea how to fix the remaining port issues (8080 and 8443 below). I need to fix these vulnerabilities without removing my SSH access. Is this easily fixed by adjusting permissions to files, or do I need to do something else? My webpage code is written in HTML and PHP, if that helps. The webpage is shut down after it accomplishes its purpose, but I am still vulnerable to traversal. How do I fix this? Thanks in advance.

PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
| http-passwd: Directory traversal found.
| Payload: "/../../../../../../../etc/passwd"
| Printing first 250 bytes:
8443/tcp open https-alt
| http-passwd: Directory traversal found.
| Payload: "/../../../../../../../etc/passwd"
| Printing first 250 bytes:

sudo netstat -lptu results are: [screenshot of the netstat output, not reproduced here]

NOTE: "dwcore" is deviceWISE M2M by Telit; just adding some more info in case that helps.

  • TO REMOVE "dwcore"

sudo /opt/dw/devicewise stop
sudo /bin/sh /etc/software/dwgateway_raspbian.remove
sudo rm -rf /opt/dw

SChand
  • I am using a Raspberry Pi. How can I check the application? Is there a Linux command? – SChand Aug 21 '19 at 17:33
  • @Ghedipunk I read PHP has some built-in functions that can check input paths, but I'm also not sure how to use them and if this is even a solution for me. – SChand Aug 21 '19 at 17:34
  • The process name that you're looking for is dwcore. It's not an application that I'm familiar with, though it does narrow things down for those who may be able to help. I'll delete my comments up to this one, as they've served their purpose. – Ghedipunk Aug 21 '19 at 20:14
  • @Ghedipunk how does knowing the application help prevent directory traversal? – SChand Aug 21 '19 at 20:15
  • Your security scanner is connecting to that application, and that application is what's allowing the directory traversal. It's likely misconfigured. A few Google searches for that process name have left me clueless on what that application is, so I can't help further. My advice is to find the documentation, or hopefully someone will read this question and know what dwcore is. – Ghedipunk Aug 21 '19 at 20:21
  • @Ghedipunk do you have suggestions on how I can improve my system against directory traversal in general? Even some basic help to filter out those ../, ./, %2e, etc. attacks. The security scan results I posted above show some pretty simple attacks worked. – SChand Aug 21 '19 at 20:27
  • A background application in Linux *should* run in its own user and group, so that even if someone makes it behave badly, it can't read things that are owned by other users. The application itself is responsible for interpreting a URL, so if the process can return the contents of the /etc/passwd file, then it's that application that's behaving badly. A firewall that does deep packet inspection might be able to filter that, but it's the wrong place to put a fix; the application should be configured to be secure, or a bug report sent to the devs if it can't be configured. – Ghedipunk Aug 21 '19 at 20:35
  • So this means use of "chmod" and "chown" to reassign permissions to the /etc folder? – SChand Aug 21 '19 at 20:56

1 Answer


This simply means that the dwcore application, which is listening on ports 8080 and 8443, is vulnerable to path traversal. Without knowledge of what that application is, an accurate answer cannot be provided for this.

Having said that, if the application running on those two ports is not used, you can kill those services or add an iptables rule to restrict access to those ports to prevent this.

If that application needs to run, you will have to fix the directory traversal at the code level (if it was written by you and you have the source available).

Also to answer your following questions:

Is this easily fixed by adjusting permissions to files or do I need to do something else?

/etc/passwd is supposed to be readable by all users on the machine. The issue here is not that it can be read, but rather that it can be retrieved by someone outside the Raspberry Pi by connecting to the web application running on ports 8080 and 8443. In other words, this is not a permission issue, but an application security issue.

PS: From the question I read that you have created a web application in PHP to run on the Raspberry Pi, but it is unclear at this point which port your application is listening on if you have disabled port 80.

hax
  • Sorry, to clarify... the web app is written in PHP, but after it achieves its purpose I turn off the app. Once the PHP script is exited I still get traversal vulnerabilities. I personally wouldn't know how to find the application running on those ports; it is also possible the security tool is accessing that port. How can I fix this at code level? I read some items mentioning filtering basepaths? I was just hoping someone with more background on this could provide an example or even a basic solution at code level ideally. – SChand Aug 21 '19 at 22:39
  • @SChand, if that's the case, then it's definitely not in your PHP code. – Ghedipunk Aug 21 '19 at 22:57
  • @Ghedipunk where would this code-based traversal security go? What language is code like this written in? The goal of the question is to fix the traversal vulnerability. – SChand Aug 21 '19 at 23:09
  • @SChand, it's in the dwcore application installed on your RPi. So far, nobody knows what that is beyond its name. Maybe someone will come by with a better idea, but right now, you're the one with the most access to information on it, since you're the one with that application. If you want to stop that vulnerability, your options are to investigate further (we're unlikely to be able to help you with that), or remove that program and see what happens. (Be aware that bad things might happen if you remove that program. Until someone learns what dwcore is, we can't give you good advice.) – Ghedipunk Aug 21 '19 at 23:17
  • Do I need to know the application? Isn't it possible to detect attacks on those ports without caring about the device/application attached to it? – SChand Aug 21 '19 at 23:29
  • @drewbenn thanks for that clarification. Let's say I don't care which application is using the port and it is an attack. How would I go about handling this? Currently reading about IPTABLES (know anything on this?). – SChand Aug 21 '19 at 23:41
  • @drewbenn are you saying this application is keeping the ports open and when I run my security scan it uses the port the application opened to attack my system? .... if so, then wouldn't I need to configure the Raspberry Pi to only allow devices on those ports a minimal level of access?... Also, is it possible the router I'm connected to is using the ports? – SChand Aug 21 '19 at 23:53
  • `sudo kill -9 11025` -- This will stop that process. It might have side effects that nobody here can foresee. It will only stop it until it restarts, which is likely the next time the computer is rebooted, and the next time it restarts, it will have a different process ID, so you'll need to use a different number. It could auto-restart. It might crash your OS (very unlikely, though). _Treat this command as a gun that might be pointing at your foot._ A better option would be to get a professional to look at it in person. – Ghedipunk Aug 22 '19 at 00:01
  • The point of asking questions is to learn so I can fix this myself or help the community learn something new. Thanks for the quick fix suggestion, I am seeking something more concrete. – SChand Aug 22 '19 at 00:05
  • @Ghedipunk "dwcore" is deviceWISE M2M by Telit just adding some more info in case that helps – SChand Aug 22 '19 at 00:38
  • @SChand What have you installed on this RaspberryPi? – hax Aug 22 '19 at 00:42
  • We cannot provide a solution at code level because we don't know what dwcore is and we cannot see the code of dwcore which resulted path traversal vulnerability. Is dwcore some third party app you installed after you started your Pi? Or is it the process of your own PHP application? – hax Aug 22 '19 at 00:46
  • @hax dwcore is linked to Telit and I used Telit device for my Cellular modem... (the results you see above are from a unit that no longer runs the modem but it seems the SW is still active) – SChand Aug 22 '19 at 00:47
  • In that case killing that process would resolve your issue. Give it a try with the command Ghedipunk provided in the above comment – hax Aug 22 '19 at 00:49
  • That did not work as the Program restarted itself almost immediately. – SChand Aug 22 '19 at 01:23
  • Then kill what's restarting it. Perhaps you mistook Stack Exchange for customer support for the product you are using. This extended discussion which is happening right now has nothing to do with the vulnerability you mentioned. The vulnerability is 'directory traversal' and the fix for it is preventing your web application from interpreting relative paths in user input in the context of the OS. Neither can anyone here provide you with 'code which fixes your issue', nor can we pinpoint the issue with details which we don't have. – hax Aug 22 '19 at 05:41
  • @SChand, knowing the company does indeed help. Your steps are now clear: Go to https://www.telit.com/contact-us/, and complain loudly, profanely, and constantly until they fix it. – Ghedipunk Aug 22 '19 at 15:44
  • @Ghedipunk will do. Thanks all for your help to this point. – SChand Aug 22 '19 at 17:32
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/97897/discussion-on-answer-by-hax-preventing-basic-directory-traversal-attack-in-linux). – Rory Alsop Aug 26 '19 at 19:09
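The code-level fix that the answer and hax's later comment describe (never let user input resolve to a path outside the application's own directory), shown as an added PHP example that is not part of the original question or answer. It assumes a hypothetical serving directory BASE_DIR and a `file` query parameter; the traversal payloads it rejects are the ones the scan output and comments above mention (`../`, `%2e`, and double-encoded variants).

```php
<?php
// Added example, not code from the question or answer. Assumes the PHP app
// serves files from one fixed directory (hypothetical BASE_DIR) and takes
// the file name from a "file" query parameter (also assumed).
declare(strict_types=1);
const BASE_DIR = '/var/www/html/public';

/**
 * Resolve a user-supplied path inside BASE_DIR, or return null if it
 * escapes the base (e.g. "../../etc/passwd", "%2e%2e/", "%252e%252e/").
 */
function safe_path(string $userPath): ?string
{
    // Undo URL encoding (twice, to catch double encoding) so that
    // "%2e%2e%2f" is checked as "../" instead of slipping past the check.
    $decoded = rawurldecode(rawurldecode($userPath));

    // NUL bytes can truncate the path in the C-level file API: reject them.
    if (strpos($decoded, "\0") !== false) {
        return null;
    }

    // Canonicalise the base directory; realpath() returns false if missing.
    $base = realpath(BASE_DIR);
    if ($base === false) {
        return null;
    }

    // Canonicalise the candidate: realpath() collapses "..", "." and "//"
    // and follows symlinks, so the comparison below sees the real target.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($decoded, '/\\'));
    if ($candidate === false) {
        return null; // nonexistent: report not found rather than guessing
    }

    // Allow only the base itself or paths strictly below it. The trailing
    // separator stops a sibling such as "/var/www/html/public2" matching.
    if ($candidate !== $base && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Request handler: anything that does not resolve inside BASE_DIR is a 404.
$path = safe_path($_GET['file'] ?? '');
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}
readfile($path);
```

This only hardens code you control; the dwcore listener on 8080 and 8443 is a third-party binary, so for it the answer's other advice applies: stop the service or restrict access to those ports with iptables.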