HD Station security hole: do not bind whole volumes
-
- New here
- Posts: 3
- Joined: Sun Jun 21, 2015 6:00 pm
HD Station security hole: do not bind whole volumes
Any user logged into HD Station can inspect and see files of any another user's home folder. For example, by using KODI player it is quiet possible to navigate into any user's home folder and play any multimedia content from there. This is all due to slightly ugly desicion to bind all volumes into HD Station qpkg chroot container. This binding breaks the whole purpose of chrooting and may cause another security issues like stealing user's data by a remote exploiter of HD Station appllications bugs. Please, do not bind whole volumes into HD Station. It is better to use SMB, DLNA or bind media folders selectively.
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: HD Station security hole: do not bind whole volumes
This is only true if you login to HybridDesk Station as "admin".sovadufafo wrote:Any user logged into HD Station can inspect and see files of any another user's home folder. For example, by using KODI player it is quiet possible to navigate into any user's home folder and play any multimedia content from there. This is all due to slightly ugly desicion to bind all volumes into HD Station qpkg chroot container. This binding breaks the whole purpose of chrooting and may cause another security issues like stealing user's data by a remote exploiter of HD Station appllications bugs. Please, do not bind whole volumes into HD Station. It is better to use SMB, DLNA or bind media folders selectively.
I agree with you about the Volumes though. KODI will happily access SMB shares, so it doesn't need this at all.
If you access HD_Station as "admin", you can also use the File Manager in KODI to look at /etc/config/shadow to harvest users "encrpyted" passwords, to make it trivial to crack the passwords for any user, including "admin".
Stop running running HybridDesk Station as "admin" to prevent this security hole.
Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs
Please review: When you're asking a question, please include the following.
-
- New here
- Posts: 3
- Joined: Sun Jun 21, 2015 6:00 pm
Re: HD Station security hole: do not bind whole volumes
No no no. I've just verified once again. There is no need to login as admin. I've logged into HD Station with a usual non-admin account and still able to navigate (using KODI) into even admin's home folder.pwilson wrote:This is only true if you login to HybridDesk Station as "admin".
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: HD Station security hole: do not bind whole volumes
Not good. Please submit a ticket for this issue.sovadufafo wrote:No no no. I've just verified once again. There is no need to login as admin. I've logged into HD Station with a usual non-admin account and still able to navigate (using KODI) into even admin's home folder.pwilson wrote:This is only true if you login to HybridDesk Station as "admin".
They won't fix it if no one complains.
Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs
Please review: When you're asking a question, please include the following.
- spamkutu
- Know my way around
- Posts: 112
- Joined: Sun Aug 09, 2015 4:09 pm
Re: HD Station security hole: do not bind whole volumes
Not tested but if so this is great hole must be fix immediately and hd station still have some bug in firmware 4.1.4 i have to always reinstall its not stay as installed its gone a few time passed broken status or uninstaled state so i have to reinstale borring..
-
- Starting out
- Posts: 12
- Joined: Wed Feb 16, 2011 12:20 am
Re: HD Station security hole: do not bind whole volumes
Any news on this issue? I noticed the same thing:
1. Created a mediauser which only has access to the multimedia folder and its 'own' home folder
2. Restricted access to admin and other users home folders
3. Start up HD center and login with this mediauser
4. Start up KODI
5. I'm able to access everybody's home folder?!
1. Created a mediauser which only has access to the multimedia folder and its 'own' home folder
2. Restricted access to admin and other users home folders
3. Start up HD center and login with this mediauser
4. Start up KODI
5. I'm able to access everybody's home folder?!
Vancouver, B.C., Canada & Noord-Brabant, Netherlands
QNAP TS-251+ (2x Western Digital WD40EFRX WD Reds (RAID1) - - QNAP 112 (1x Western Digital WD20EZRX WD green) - - QNAP TS-410
QNAP TS-251+ (2x Western Digital WD40EFRX WD Reds (RAID1) - - QNAP 112 (1x Western Digital WD20EZRX WD green) - - QNAP TS-410
Re: HD Station security hole: do not bind whole volumes
Heb je al een ticket naar qnap gestuurd?oliesjeik wrote:Any news on this issue? I noticed the same thing:
1. Created a mediauser which only has access to the multimedia folder and its 'own' home folder
2. Restricted access to admin and other users home folders
3. Start up HD center and login with this mediauser
4. Start up KODI
5. I'm able to access everybody's home folder?!
Did you submit a ticket to qnap?
-
- Starting out
- Posts: 12
- Joined: Wed Feb 16, 2011 12:20 am
Re: HD Station security hole: do not bind whole volumes
Ja dat heb ik gedaan / Yes I did.CylonCenturion wrote:
Heb je al een ticket naar qnap gestuurd?
Did you submit a ticket to qnap?
It's a shame this issue is still present. It was already reported back in June and is still present..
Vancouver, B.C., Canada & Noord-Brabant, Netherlands
QNAP TS-251+ (2x Western Digital WD40EFRX WD Reds (RAID1) - - QNAP 112 (1x Western Digital WD20EZRX WD green) - - QNAP TS-410
QNAP TS-251+ (2x Western Digital WD40EFRX WD Reds (RAID1) - - QNAP 112 (1x Western Digital WD20EZRX WD green) - - QNAP TS-410
Re: HD Station security hole: do not bind whole volumes
Maybe there are not enough people that complaining about it.oliesjeik wrote:Ja dat heb ik gedaan / Yes I did.CylonCenturion wrote:
Heb je al een ticket naar qnap gestuurd?
Did you submit a ticket to qnap?
It's a shame this issue is still present. It was already reported back in June and is still present..
The more people complain, the quicker is got solved.
-
- Starting out
- Posts: 24
- Joined: Tue Apr 18, 2017 9:48 am
Re: HD Station security hole: do not bind whole volumes
One year later, I see this problem still exists. I have created a ticket, but it is unfortunate that the only way to demonstrably reproduce it is through myKodi. I don't see any other apps that allow you to browse the root hard drive, and using the myKodi example QNAP support will probably reject it outright as unsupported and they are not liable, yadda yadda yadda.
HD Station should be separate from its login screen and should spin up with the privileges of the user who is logged in, not some process root or admin or anything of the sort.
HD Station should be separate from its login screen and should spin up with the privileges of the user who is logged in, not some process root or admin or anything of the sort.
- dolbyman
- Guru
- Posts: 35269
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: HD Station security hole: do not bind whole volumes
don't think QNAP will do anything, because they no longer officially support KODi
-
- Starting out
- Posts: 24
- Joined: Tue Apr 18, 2017 9:48 am
Re: HD Station security hole: do not bind whole volumes
I don't either. Whether or not that is the right policy, however, is another question.dolbyman wrote:don't think QNAP will do anything, because they no longer officially support KODi
-
- New here
- Posts: 3
- Joined: Sun Apr 23, 2017 9:42 pm
Re: HD Station security hole: do not bind whole volumes
The fact that Kodi can do this (supported by QNap or not), indicates that there is a security vulnerability inherent in QNAPs operating system and utilities. I'm new to QNAP, but since this thread was opened nearly two years ago and there are still reports of this issue makes me question a NAS vendors commitment to security. Who's to say that other apps can't be introduced to the system to carry out rogue activities by bypassing security.
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: HD Station security hole: do not bind whole volumes
It's not specific to Kodi - it's a HD Station or newer name Hybrid Station issue. Hybrid Station is accessibly in the first iteration from the local HDMI console.mazzonna wrote:The fact that Kodi can do this (supported by QNap or not), indicates that there is a security vulnerability inherent in QNAPs operating system and utilities.
the majority of HD Station installations imply physical access to the NAS - so there it goes, security is equal if not worse then when looking at in simple baseline security. The issue is limited to apps running in the HD Station rooted file system.mazzonna wrote:Who's to say that other apps can't be introduced to the system to carry out rogue activities by bypassing security.
-
- New here
- Posts: 3
- Joined: Sun Apr 23, 2017 9:42 pm
Re: HD Station security hole: do not bind whole volumes
Hi schumaku.....thanks....that helps to enlighten me somewhat. Does this mean that Hybrid Station and it's associated apps run with 'root' level access, regardless of the user id that has logged in?