Re: Is this project dead?

Posted: 31 Mar 2018, 15:07
by pastic
waves wrote:...[stuff]...

gearhead wrote:...[stuff]...


I share this concern, but also willingly admit my lack of skills to judge whether the concern is real in the context of RuneAudio. I did notice in the first arstechnica post linked above that the person wrote: "He said the vulnerability was present only when users enabled remote access and disabled password protection." I would, somewhat daringly, suggest that anyone who knowingly does so deserves to get hacked.

The question is, is this remote access enabled by default somehow? It would seem that the WLAN interface is active by default, but if that interface is disabled, the RuneAudio RPi would be entirely behind the router and as such protected. I find no indication that one could gain access from without then. (Also disable UPnP, I guess).

Or am I wrong?

Re: Is this project dead?

Posted: 14 Apr 2018, 12:19
by waves
pastic wrote: I share this concern, but also willingly admit my lack of skills to judge whether the concern is real in the context of RuneAudio.

I see no reason to think this is not a concern also for RuneAudio since it is also a localhost server without any authorization of users other than that they (appear to) be on the same LAN. If that is incorrect then it would be wise for developers to explain in detail why RuneAudio would not be vulnerable.

pastic wrote: I did notice in the first arstechnica post linked above that the person wrote: "He said the vulnerability was present only when users enabled remote access and disabled password protection." I would, somewhat daringly, suggest that anyone who knowingly does so deserves to get hacked.


That is a misconception AFAICT. DNS Rebind exploits work by having JavaScript in a malicious browser page access the web UI in a way that fools localhost servers like RuneAudio into thinking the traffic is coming from a LAN user. But it is really the remote malware site that is the source of the traffic. What harm can be done depends on what commands the localhost server has exposed and/or what vulnerabilities there are in the (by now old) versions of PHP etc. that RuneAudio runs.

Here is a recent example of how a Usenet client made preemptive changes to prevent DNS Rebind exploits through its web UI:
https://sabnzbd.org/wiki/extra/hostname-check.html
It uses https and a hostname verification whitelist. It also has a built-in option to password protect access to the web UI.

CVE for the vulnerability in Transmission talked about in earlier posts:
https://www.cvedetails.com/cve/CVE-2018-5702/
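
The hostname verification mentioned in the post above, sketched as an added example (not part of the original thread, and not RuneAudio's or SABnzbd's code). A rebound request still carries the attacker's DNS name in its `Host` header, so a web UI can reject any request whose `Host` is neither an IP literal nor a known local name. The allowlist entries, function names and sample headers are assumptions constructed for illustration.

```python
import ipaddress

# Assumed allowlist: names the device is legitimately reached by on the LAN.
ALLOWED_HOSTNAMES = {"localhost", "runeaudio", "runeaudio.local"}


def split_host_header(value):
    """Return the host part of a Host header (no port), or None if malformed."""
    value = value.strip()
    if not value:
        return None
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:80
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    # Anything after the host must be exactly ":<digits>".
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.rstrip(".").lower() or None


def host_allowed(host_header, allowed=ALLOWED_HOSTNAMES):
    """True if the request's Host header is safe against DNS rebinding."""
    host = split_host_header(host_header or "")
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True       # IP literal: the browser resolved no name, nothing to rebind
    except ValueError:
        return host in allowed   # exact match only, never a suffix or substring test


if __name__ == "__main__":
    # Constructed sample Host headers, one per incoming request.
    for header in ["runeaudio.local", "192.168.1.10:80",
                   "rebind.attacker.example", "runeaudio.local.attacker.example"]:
        print(f"{header!r:40} -> {'serve' if host_allowed(header) else '403'}")
```

The check is meant to run before any request handler, with rejected requests answered with an error status and no UI content.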