HD Station security hole: do not bind whole volumes

[sovadufafo]

Any user logged into HD Station can inspect and see files of any another user's home folder. For example, by using KODI player it is quiet possible to navigate into any user's home folder and play any multimedia content from there. This is all due to slightly ugly desicion to bind all volumes into HD Station qpkg chroot container. This binding breaks the whole purpose of chrooting and may cause another security issues like stealing user's data by a remote exploiter of HD Station appllications bugs. Please, do not bind whole volumes into HD Station. It is better to use SMB, DLNA or bind media folders selectively.

[pwilson]

Any user logged into HD Station can inspect and see files of any another user's home folder. For example, by using KODI player it is quiet possible to navigate into any user's home folder and play any multimedia content from there. This is all due to slightly ugly desicion to bind all volumes into HD Station qpkg chroot container. This binding breaks the whole purpose of chrooting and may cause another security issues like stealing user's data by a remote exploiter of HD Station appllications bugs. Please, do not bind whole volumes into HD Station. It is better to use SMB, DLNA or bind media folders selectively.

This is only true if you login to HybridDesk Station as "admin".

I agree with you about the Volumes though. KODI will happily access SMB shares, so it doesn't need this at all.

If you access HD_Station as "admin", you can also use the File Manager in KODI to look at /etc/config/shadow to harvest users "encrpyted" passwords, to make it trivial to crack the passwords for any user, including "admin".

Stop running running HybridDesk Station as "admin" to prevent this security hole.

[sovadufafo]

This is only true if you login to HybridDesk Station as "admin".

No no no. I've just verified once again. There is no need to login as admin. I've logged into HD Station with a usual non-admin account and still able to navigate (using KODI) into even admin's home folder.

[pwilson]

This is only true if you login to HybridDesk Station as "admin".

No no no. I've just verified once again. There is no need to login as admin. I've logged into HD Station with a usual non-admin account and still able to navigate (using KODI) into even admin's home folder.

Not good. Please submit a ticket for this issue.
They won't fix it if no one complains.

[spamkutu]

Not tested but if so this is great hole must be fix immediately and hd station still have some bug in firmware 4.1.4 i have to always reinstall its not stay as installed its gone a few time passed broken status or uninstaled state so i have to reinstale borring..

[oliesjeik]

Any news on this issue? I noticed the same thing:

1. Created a mediauser which only has access to the multimedia folder and its 'own' home folder
2. Restricted access to admin and other users home folders

3. Start up HD center and login with this mediauser
4. Start up KODI
5. I'm able to access everybody's home folder?!

[CylonCenturion]

Any news on this issue? I noticed the same thing:

1. Created a mediauser which only has access to the multimedia folder and its 'own' home folder
2. Restricted access to admin and other users home folders

3. Start up HD center and login with this mediauser
4. Start up KODI
5. I'm able to access everybody's home folder?!

Heb je al een ticket naar qnap gestuurd?

Did you submit a ticket to qnap?

[oliesjeik]

Heb je al een ticket naar qnap gestuurd?

Did you submit a ticket to qnap?

Ja dat heb ik gedaan / Yes I did.

It's a shame this issue is still present. It was already reported back in June and is still present..

[CylonCenturion]

Heb je al een ticket naar qnap gestuurd?

Did you submit a ticket to qnap?

Ja dat heb ik gedaan / Yes I did.

It's a shame this issue is still present. It was already reported back in June and is still present..

Maybe there are not enough people that complaining about it.

The more people complain, the quicker is got solved.

[brandon.arnold]

One year later, I see this problem still exists. I have created a ticket, but it is unfortunate that the only way to demonstrably reproduce it is through myKodi. I don't see any other apps that allow you to browse the root hard drive, and using the myKodi example QNAP support will probably reject it outright as unsupported and they are not liable, yadda yadda yadda.

HD Station should be separate from its login screen and should spin up with the privileges of the user who is logged in, not some process root or admin or anything of the sort.

[dolbyman]

don't think QNAP will do anything, because they no longer officially support KODi

[brandon.arnold]

don't think QNAP will do anything, because they no longer officially support KODi

I don't either. Whether or not that is the right policy, however, is another question.

[mazzonna]

The fact that Kodi can do this (supported by QNap or not), indicates that there is a security vulnerability inherent in QNAPs operating system and utilities. I'm new to QNAP, but since this thread was opened nearly two years ago and there are still reports of this issue makes me question a NAS vendors commitment to security. Who's to say that other apps can't be introduced to the system to carry out rogue activities by bypassing security.

[schumaku]

The fact that Kodi can do this (supported by QNap or not), indicates that there is a security vulnerability inherent in QNAPs operating system and utilities.

It's not specific to Kodi - it's a HD Station or newer name Hybrid Station issue. Hybrid Station is accessibly in the first iteration from the local HDMI console.

Who's to say that other apps can't be introduced to the system to carry out rogue activities by bypassing security.

the majority of HD Station installations imply physical access to the NAS - so there it goes, security is equal if not worse then when looking at in simple baseline security. The issue is limited to apps running in the HD Station rooted file system.

[mazzonna]

Hi schumaku.....thanks....that helps to enlighten me somewhat. Does this mean that Hybrid Station and it's associated apps run with 'root' level access, regardless of the user id that has logged in?