IoPC icon indicating copy to clipboard operation
IoPC copied to clipboard

Published 20 hours ago verified publisher icon maksimkurb

Avoid Remote Code Execution vulnerabilities if MQTT is compromised (or publicly accessible)

Open Ten0 opened this issue 10 months ago • 2 comments
trafficstars

If someone can inject messages into MQTT (which seems likely with ~default HA installations), IIUC they can currently inject any key combination onto the computer. This seems dangerous, security-wise: they can open a terminal and run any command, so basically do anything they want.

There seems to be a similar issue with the CommandModule, where it would be nice if it would have an allow-list of environment variables that can be set, and not allow setting all of them: lots of basic programs may have some weird env variables that could enable potentially damaging stuff, e.g write log to an arbitrary file, which may turn into an RCE if considered file is a regularly executed script and they manage to make the log contain a command.

Ten0 avatar Dec 27 '24 10:12 Ten0

Good catch, thanks!

Currently it is possible to provide only one-by-one keyCode to the Java's AWT Robot, but maybe if messages would be sent too frequently and system will be laggy, it can consider two separate keys as a key combination. It's also possible to just press Win on Windows10+, then type cmd and then press enter, no special keys needed at all. I do not know if Keyboard Module has any use-case in real life scenario, it was built as a proof of concept. Probably worth deleting it at all.

Speaking of CommandModule, agree with you, this thing also should be rethinked.

Speaking of access, ideally, control topics should be splitted by module (e.g. /iopc/<device_name>/keyboard/press) to allow users control ACL on their MQTT broker.

Honestly, I don't have enough time currently to finish this project as I moved from my previous apartment with my smart home setup and currently I don't have any scenarios where IoPC would fit in. I would try to find some spare time to make a PR on the New Year weekends but I can't promise it for certain.

maksimkurb avatar Dec 27 '24 19:12 maksimkurb

Ah right, I wrote combination but really I should have written sequence. It's the same vulnerability in practice as you underlined.

Practically though I'm only interested in knowing when my local desktop computer is awake and sending notifications to it, so after some more investigation it looks like I may end up just using some sort of ping integration for checking whether it's up, and using HTML5 push notification integration for notifications...

Ten0 avatar Dec 27 '24 20:12 Ten0