This Week In Security: Owncloud, NXP, 0-Days, And Fingerprints

We’re back! And while the column took a week off for Thanksgiving, the security world didn’t. The most pressing news is an issue in Owncloud that is already under active exploitation.

The problem is a library that can be convinced to call phpinfo() and include the results in the page response. That function reveals a lot of information about the system Owncloud is running on, including environment variables. In something like a Docker deployment, those environment variables may contain system secrets like admin username and password among others.
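For anyone working out what an exposed phpinfo() page gave away, the following added example (not from the original column or from the Owncloud project) parses the Environment table of a captured phpinfo() response and lists the credential-like variables that need rotating. The sample page, its variable names and values, and the name heuristic are constructed assumptions.

```python
import html
import re

# Constructed sample: the "Environment" part of a phpinfo() page from a
# hypothetical container. Variable names and values are made up.
SAMPLE_PHPINFO = """
<h2>Environment</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">HOSTNAME </td><td class="v">3f2a9c1d7b10 </td></tr>
<tr><td class="e">ADMIN_USERNAME </td><td class="v">admin </td></tr>
<tr><td class="e">ADMIN_PASSWORD </td><td class="v">example-not-a-real-password </td></tr>
<tr><td class="e">DB_PASSWORD </td><td class="v">example&amp;constructed </td></tr>
<tr><td class="e">SMTP_PASSWORD </td><td class="v"><i>no value</i> </td></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
</table>
<h2>PHP Variables</h2>
<table>
<tr><td class="e">$_SERVER['ADMIN_PASSWORD']</td><td class="v">example-not-a-real-password</td></tr>
</table>
"""

# Only the Environment section is read; it ends at the next <h2> heading.
SECTION = re.compile(r"<h2>Environment</h2>(.*?)(?=<h2>|\Z)", re.S | re.I)
ROW = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
# Assumed heuristic for credential-like names; tune it for your deployment.
SENSITIVE = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL|USERNAME", re.I)

def exposed_environment(page):
    """Return {name: value} for the Environment table of a phpinfo() page."""
    match = SECTION.search(page)
    if not match:
        return {}
    env = {}
    for name, value in ROW.findall(match.group(1)):
        env[html.unescape(name).strip()] = html.unescape(value).strip()
    return env

def secrets_to_rotate(page):
    """Names of exposed variables that look like credentials and hold a value."""
    return sorted(
        name for name, value in exposed_environment(page).items()
        if SENSITIVE.search(name) and value and value != "<i>no value</i>"
    )

if __name__ == "__main__":
    for name in secrets_to_rotate(SAMPLE_PHPINFO):
        print("rotate:", name)  # values are deliberately not printed
```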

Now, there is a bit of a wrinkle here. There is a public exploit, and according to research done by Greynoise Labs, that exploit does not actually work against default installs. This seems to describe the active exploitation attempts, but the researcher who originally found the issue has stated that there is a non-public exploit that does work on default installs. Stay tuned for this other shoe to drop, and update your Owncloud installs if you have them.

Self-waking Computer For DIY Cloud Storage

[Dominic] decided to take control of his cloud storage by switching to OwnCloud. Unlike most cloud storage solutions, this isn’t a company offering you free space. It’s an open source software package which you run on your own machine. [Dom] didn’t want to leave his box running 24/7 as it would be unused the majority of the time. So he hacked this router to switch on the computer whenever he tries to access the storage.

Obviously this is a Wake-On-Lan type of situation, but the hardware he has chosen to use doesn’t include those features. Since he already had this TP-Link 703n on hand he decided to use it as a controller for the computer. His method is quite clever. The router is running a script that monitors the computer and the bandwidth it’s using. When traffic from the network stops, the router will issue a shutdown command within just a few minutes. It then assigns itself the computer’s IP address so that it can listen for incoming requests and use the relay on that breadboard to turn the box back on. Obviously running the embedded system is much more efficient than having an entire computer turned on all the time, and its WiFi capabilities mean no cords to run to the home network.