  1. #1
    Untanglit
    Join Date
    Apr 2018
    Posts
    22

    Exclamation Backdoor in Router Backup? Potential Security Issue

    I tried to log in to my Untangle instance (running a Home license) yesterday and noticed that my password continued to "fail". Obviously I've done this hundreds of times, so I knew something was up.

    I went to the physical machine and attempted to log in there - no luck. I tried to get to the recovery terminal - no luck (as the password wasn't valid). No luck on the other terminal on the main screen. I tried to do this: https://support.untangle.com/hc/en-u...Admin-Password. No luck (it said something about the machine code not being updated or valid? do I need to update mobo firmware??).

    So I did what I could only think reasonable - re-install and restore from backup. Went through the process, took a little while but mostly painless (kudos to Untangle engineers), and everything was back up and running. Reset my password obviously, rebooted to ensure everything was good.

    Locked out again.

    So...I'm going to go through the backup tar.gz today to see if malware has been planted, but unless there's a mobo-firmware-level exploit on my machine (which I doubt), it seems like something is persistent in the backup that changes the password on reboot.

    Any help would be appreciated.

    UPDATE:
    I went through the latest backup's tar.gz (all the js files in there) and didn't notice anything amiss. Obviously, I can't read every line of every file but there was nothing that was out of the ordinary or questionable.
    Last edited by LumpySpacePrincess; 11-12-2020 at 05:40 AM. Reason: update

  2. #2
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,400

    Default

    Untangle is debian based. Did you try resetting the root password? Google can tell you how.

  3. #3
    Untanglit
    Join Date
    Apr 2018
    Posts
    22

    Default

    Yeah, like I said in the link I posted (which does what you're talking about), the firmware was complaining about a microcode error so I couldn't do that.

  4. #4
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,400

    Default

Sorry, I don't have anything newer to test on. But I thought you enter single user after the BIOS finishes?

  5. #5
    Untanglit
    Join Date
    Apr 2018
    Posts
    22

    Default

    I'm going to try a BIOS update on the mobo and see if that fixes it. I'll report what happens.

  6. #6
    Untanglit
    Join Date
    Nov 2019
    Posts
    21

    Default

Quote Originally Posted by LumpySpacePrincess:
    I tried to log in to my Untangle instance (running a Home license) yesterday and noticed that my password continued to "fail". Obviously I've done this hundreds of times, so I knew something was up.

    I went to the physical machine and attempted to log in there - no luck. I tried to get to the recovery terminal - no luck (as the password wasn't valid). No luck on the other terminal on the main screen. I tried to do this: https://support.untangle.com/hc/en-u...Admin-Password. No luck (it said something about the machine code not being updated or valid? do I need to update mobo firmware??).

    So I did what I could only think reasonable - re-install and restore from backup. Went through the process, took a little while but mostly painless (kudos to Untangle engineers), and everything was back up and running. Reset my password obviously, rebooted to ensure everything was good.

    Locked out again.

    So...I'm going to go through the backup tar.gz today to see if malware has been planted, but unless there's a mobo-firmware-level exploit on my machine (which I doubt), it seems like something is persistent in the backup that changes the password on reboot.

    Any help would be appreciated.

    UPDATE:
    I went through the latest backup's tar.gz (all the js files in there) and didn't notice anything amiss. Obviously, I can't read every line of every file but there was nothing that was out of the ordinary or questionable.
I had a similar issue to this after updating to 16.0; once I updated I got locked out. I didn't find that reset link until after I did a re-install, but it did come in handy because once I restored from the backup I was once again locked out and the reset link helped me get back in.

  7. #7
    Untanglit
    Join Date
    Apr 2018
    Posts
    22

    Default

    Dang, that sucks but thanks for letting me know - I'm glad this isn't only happening to me.

  8. #8
    Untanglit
    Join Date
    Apr 2018
    Posts
    22

    Default

    I updated the BIOS firmware and was able to reset the admin password. So far a reboot and no problems, but we'll see if anything else comes about.

  9. #9
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,485

    Default

    I think Debian dorked with the passwd file again when we jumped to v10 in 15.1. I know some of the accounts on my units started throwing a bad password hash alert once I got to v16.0.

So now we're in a space where it seems some special characters are too special to be used...

    All of my passwords are alphanumeric only, just LONG for this reason. Got tired of other things breaking. But in this case I still had to reset passwords to get the admin alert to go away. I don't know if these incidents are related, but it feels like they might be.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
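Two things in this thread are worth automating rather than eyeballing: the original poster's "go through the backup tar.gz to see if malware has been planted" (#1) and sky-knight's "bad password hash alert" after the Debian 10 jump (#9). The script below is an added example, not Untangle's code or anything from the posters: it unpacks a backup archive, lists the paths that can run code at boot or on a schedule or grant a login, flags cron lines that execute from /tmp, /dev/shm or a dot-file, and reports any /etc/shadow entry whose hash field is not a crypt(3) format Debian's pam_unix/libcrypt will accept. The archive layout (`etc/shadow`, `etc/cron.d/...`) and the sample tarball it builds are constructed for the demo; a real Untangle backup's internal layout is an assumption here and may differ.

```shell
#!/bin/sh
# Added example (not Untangle's code): audit a backup archive for persistence
# drop-ins and for shadow entries with an unrecognised hash field.
set -eu

# Hash fields Debian's login stack accepts: $1$ (md5crypt), $5$ (sha256crypt),
# $6$ (sha512crypt, optionally "rounds=N$"), $y$/$7$ (yescrypt), $2[aby]$ (bcrypt),
# or a locked marker ("*", "!", "!!", empty). A leading "!" on a real hash means
# "locked" and is stripped before the check. Anything else prints "BADHASH user".
check_shadow_hashes() {                       # $1 = path to a shadow file
  awk -F: '
    { h = $2; sub(/^!+/, "", h) }                         # strip lock prefix
    h == "" || h == "*"                          { next }  # no password / locked
    h ~ /^\$(1|5|6|7|y|2[aby])\$[.\/$=A-Za-z0-9]+$/ { next }  # modular crypt format
    { print "BADHASH " $1 }
  ' "$1"
}

# Archive members worth reading after a restore: anything that runs at boot or
# on a timer, or that grants login, is where a "password changes on reboot"
# effect would have to live.
list_persistence_paths() {                    # $1 = backup .tar.gz
  tar -tzf "$1" | grep -E \
    '(^|/)(etc/cron\.d/|etc/cron\.(hourly|daily|weekly|monthly)/|etc/crontab$|var/spool/cron/|etc/rc\.local$|etc/init\.d/|etc/systemd/system/|\.ssh/authorized_keys$|etc/sudoers(\.d/|$)|etc/shadow$|etc/passwd$)' \
    || true                                   # grep exits 1 when nothing matches
}

audit_backup() {                              # $1 = backup .tar.gz; prints findings
  work=$(mktemp -d)
  tar -C "$work" -xzf "$1"
  echo "== persistence/auth paths in archive =="
  list_persistence_paths "$1" | sed 's/^/PATH /'
  echo "== cron lines executing from /tmp, /dev/shm or a dot-file =="
  find "$work/etc/cron.d" "$work/etc/crontab" "$work/var/spool/cron" -type f 2>/dev/null \
    | while read -r f; do
        grep -HnE '(/tmp/|/dev/shm/|/\.[A-Za-z0-9_])' "$f" | sed "s|$work|SUSPICIOUS-CRON |"
      done || true
  if [ -f "$work/etc/shadow" ]; then
    echo "== shadow entries with unrecognised hash field =="
    check_shadow_hashes "$work/etc/shadow"
  fi
  rm -rf "$work"
}

# Constructed sample backup for the demo: one valid sha512crypt entry, one
# yescrypt entry, one locked account, one garbage hash field, and a cron
# drop-in that runs a hidden file out of /tmp. None of this is real data.
make_sample_backup() {                        # prints the path of the tarball
  dir=$(mktemp -d)
  mkdir -p "$dir/etc/cron.d"
  printf '%s\n' \
    'root:$6$saltsalt$sha512cryptHashPlaceholderBase64Chars0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ:18500:0:99999:7:::' \
    'admin:$y$j9T$saltsaltsaltsalt$yescryptHashPlaceholderBase64Chars0123456789:18500:0:99999:7:::' \
    'nobody:*:18500:0:99999:7:::' \
    'svc:weirdhash!!:18500:0:99999:7:::' \
    > "$dir/etc/shadow"
  printf '* * * * * root /tmp/.x\n' > "$dir/etc/cron.d/update"
  tar -C "$dir" -czf "$dir/backup.tar.gz" etc
  echo "$dir/backup.tar.gz"
}

# Stand-alone run: build the sample, audit it, clean up.
sample=$(make_sample_backup)
audit_backup "$sample"
rm -rf "$(dirname "$sample")"
```

Run it against a real backup with `audit_backup /path/to/backup.tar.gz` (after sourcing the functions or editing the last three lines). A BADHASH line does not prove tampering; a hash field the format check rejects is exactly what a stale or mangled shadow entry from an upgrade looks like, which matches the "bad password hash" alert described in #9, and resetting that account's password rewrites the field. The persistence listing is a reading list, not a verdict: compare each PATH entry against what you expect to have configured.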
