docs: v1.0.0 Beta Release - Pen Testing & Bug Bounty Ready

- BETA-RELEASE.md: Complete security testing guide
  - Attack surface overview (HAProxy, WAF, LXC, P2P)
  - High-value targets and secrets locations
  - Known weak points (intentional disclosure)
  - Bug bounty scope and reporting guidelines
  - Test environment setup (VirtualBox, Docker)

- SECURITY.md: Updated with Hall of Fame and beta info
- README.md: Version bump to 1.0.0-beta

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-03-15 18:45:29 +01:00
parent 79775faa6e
commit 605841e443
3 changed files with 312 additions and 9 deletions

BETA-RELEASE.md Normal file

@ -0,0 +1,276 @@
# SecuBox v1.0.0 Beta Release
**Release Date:** 2026-03-15
**Status:** Beta — Ready for Pen Testing & Bug Bounty
**Publisher:** [CyberMind.fr](https://cybermind.fr)
---
## Quick Start for Security Researchers
### Get the Code
```bash
git clone https://github.com/CyberMind-FR/secubox-openwrt.git
cd secubox-openwrt
```
### Build for Testing
```bash
# Option 1: Use pre-built packages (recommended)
./secubox-tools/local-build.sh build all
# Option 2: Build with OpenWrt SDK
cd ~/openwrt-sdk/package/
ln -s /path/to/secubox-openwrt secubox
make package/secubox/luci-app-secubox-portal/compile V=s
```
### Deploy to Test Router
```bash
scp bin/packages/*/secubox/*.ipk root@192.168.255.1:/tmp/
ssh root@192.168.255.1 'opkg install /tmp/luci-app-*.ipk'
```
---
## Attack Surface Overview
### Layer 1: Network Edge
| Component | Port | Protocol | Attack Vectors |
|-----------|------|----------|----------------|
| HAProxy | 80, 443 | HTTP/S | Header injection, SNI attacks, SSL stripping |
| mitmproxy WAF | 22222 | HTTP | WAF bypass, rule evasion, memory exhaustion |
| CrowdSec Bouncer | - | nftables | Rule bypass, IP spoofing |
| fw4/nftables | - | L3/L4 | Firewall evasion, fragmentation attacks |
### Layer 2: Application Proxies
| Component | Port | Protocol | Attack Vectors |
|-----------|------|----------|----------------|
| LuCI (uhttpd) | 443 | HTTPS | Auth bypass, XSS, CSRF, path traversal |
| RPCD (ubus) | Unix | JSON-RPC | Privilege escalation, injection |
| Tor Shield | 9050 | SOCKS5 | Deanonymization, circuit analysis |
### Layer 3: LXC Containers
| Container | Port | Service | Attack Vectors |
|-----------|------|---------|----------------|
| Jellyfin | 8096 | Media | Path traversal, transcoding exploits |
| Nextcloud | 8080 | Cloud | SSRF, file upload, WebDAV abuse |
| Gitea | 3000 | Git | RCE via hooks, repo injection |
| Streamlit | 8501+ | Python | Code execution, pickle deserialization |
| PhotoPrism | 2342 | Photos | AI model poisoning, EXIF injection |
### Layer 4: Mesh/P2P
| Component | Port | Protocol | Attack Vectors |
|-----------|------|----------|----------------|
| P2P Hub | 8333 | WebSocket | Message injection, peer impersonation |
| Master Link | 51820 | WireGuard | Key theft, MITM on onboarding |
| Vortex DNS | 53 | DNS | Cache poisoning, zone transfer |
---
## High-Value Targets
### Critical Files (Write Access = Root)
```
/etc/config/network # Network configuration
/etc/config/firewall # Firewall rules
/etc/config/haproxy # Reverse proxy routes
/etc/config/crowdsec # CrowdSec agent config
/etc/shadow # Password hashes
/etc/dropbear/authorized_keys
```
### RPCD Handlers (Shell Code)
```
/usr/libexec/rpcd/luci.* # LuCI backend scripts
/usr/sbin/*ctl # CLI tools (crowdsecctl, haproxyctl, etc.)
/usr/lib/secubox/ # Shared libraries
```
### Secrets
```
/etc/config/smtp-relay # SMTP credentials (option password)
/etc/config/wireguard # WireGuard private keys
/etc/config/dns-provider # DNS API keys (Gandi, OVH, Cloudflare)
/srv/mitmproxy/*.pem # TLS certificates
/etc/crowdsec/local_api_credentials.yaml
```
---
## Known Weak Points (Intentional Disclosure)
### 1. RPCD Shell Injection Risk
Many RPCD handlers use shell scripts with UCI data:
```sh
# Example pattern (potentially vulnerable)
local value=$(uci get config.section.option)
eval "command $value" # ← Shell injection if UCI value contains $(...)
```
**Check:** All `luci.*` handlers in `/usr/libexec/rpcd/`
### 2. WAF Bypass Opportunities
mitmproxy WAF uses pattern matching:
- Large request bodies may exhaust memory
- Chunked encoding edge cases
- Multipart form parsing quirks
- WebSocket upgrade handling
**Check:** `/srv/mitmproxy/haproxy_router.py`
### 3. LXC Container Escapes
Containers run with limited privileges but:
- Some have bind mounts to host paths
- cgroup v2 limits may be bypassable
- Namespace isolation varies per container
**Check:** `/srv/lxc/*/config`
### 4. P2P Mesh Trust
Master Link uses first-contact trust:
- Initial WireGuard key exchange may be interceptable
- Gossip messages are signed but trust chain is shallow
**Check:** `/usr/sbin/master-linkctl`, `/usr/sbin/secubox-p2p`
### 5. Cross-Site Scripting (XSS)
LuCI views render user-controlled data:
- Hostname, MAC addresses, user comments
- Log entries displayed in dashboards
- Report content in HTML emails
**Check:** All `htdocs/luci-static/resources/view/*/` JavaScript files
---
## Bug Bounty Scope
### In Scope
| Severity | Category | Examples |
|----------|----------|----------|
| **Critical** | RCE, Auth Bypass | Shell injection in RPCD, hardcoded credentials |
| **High** | Privilege Escalation | LXC escape, WAF bypass with RCE |
| **Medium** | Information Disclosure | Credential leakage, path traversal |
| **Low** | DoS, XSS | Memory exhaustion, stored XSS in logs |
### Out of Scope
- Self-DoS attacks (user crashing their own router)
- Social engineering
- Physical access attacks
- Third-party software bugs (OpenWrt core, upstream packages)
- Rate limiting bypasses without impact
---
## Reporting
### Contact
- **Email:** security@cybermind.fr
- **GPG Key:** Available on request
- **GitHub Issues:** [github.com/CyberMind-FR/secubox-openwrt/security](https://github.com/CyberMind-FR/secubox-openwrt/security)
### Report Format
```
## Summary
[One-line description]
## Severity
[Critical/High/Medium/Low]
## Affected Component
[Package name, file path, RPCD method]
## Steps to Reproduce
1. ...
2. ...
3. ...
## Proof of Concept
[Code, screenshots, or video]
## Impact
[What can an attacker achieve?]
## Suggested Fix
[Optional]
```
### Response Timeline
| Phase | Time |
|-------|------|
| Acknowledgment | 24 hours |
| Triage | 72 hours |
| Fix (Critical) | 7 days |
| Fix (High/Medium) | 30 days |
| Public Disclosure | 90 days |
---
## Test Environment Setup
### VirtualBox Appliance
```bash
# Build VM image
./secubox-tools/c3box-vm-builder.sh full
# Import to VirtualBox
VBoxManage import secubox-v1.0.0-beta.ova
```
### Docker (Limited)
```bash
# LuCI-only testing
docker run -p 8080:80 ghcr.io/cybermind-fr/secubox-luci:beta
```
### Real Hardware
Recommended: x86-64 mini PC or ARM64 SBC (NanoPi R4S, Raspberry Pi 4)
---
## Legal
This is an authorized security research program. By participating, you agree to:
1. Only test against systems you own or have permission to test
2. Not access, modify, or delete data beyond what's necessary to demonstrate the vulnerability
3. Report vulnerabilities responsibly before public disclosure
4. Not use discovered vulnerabilities for malicious purposes
**License:** Apache-2.0
**© 2024-2026 CyberMind.fr**
---
## Acknowledgments
Security researchers who report valid vulnerabilities will be credited in:
- `SECURITY.md` Hall of Fame
- Release notes
- Project website
**Ex Tenebris, Lux Securitas**
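Review bot: the Contact subsection (`**GPG Key:** Available on request`) leaves a reporter with no way to encrypt a first report, because the key itself has to be requested over plain email; publish the key fingerprint (and the full public key or a security.txt URL) directly in this file and in SECURITY.md so the "Proof of Concept" material the Report Format asks for is never sent in the clear. The "Example pattern (potentially vulnerable)" under Known Weak Points shows the problem but not the remediation; putting the safe counterpart next to it, e.g. `value=$(uci -q get config.section.option)` followed by `command "$value"` with no `eval`, tells handler authors what the `/usr/libexec/rpcd/luci.*` audit should actually be checking for. Minor: the Docker quick-start maps `8080:80` while the attack-surface table lists LuCI on 443/HTTPS only; either note that the container serves plain HTTP or add that port to the table.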

README.md
@ -1,8 +1,8 @@
# SecuBox - Security Suite for OpenWrt
**Version:** 0.18.0
**Last Updated:** 2026-03-04
**Status:** Production Ready
**Version:** 1.0.0-beta
**Last Updated:** 2026-03-15
**Status:** Beta — Ready for Pen Testing & Bug Bounty
**Modules:** 86 LuCI Applications
[![Build OpenWrt Packages](https://github.com/CyberMind-FR/secubox-openwrt/actions/workflows/build-openwrt-packages.yml/badge.svg)](https://github.com/CyberMind-FR/secubox-openwrt/actions/workflows/build-openwrt-packages.yml)
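Review bot: the status line changes from "Production Ready" to "Beta — Ready for Pen Testing & Bug Bounty" with nothing else in the header changed, so a reader now cannot tell which version is the one to run in production; add a sentence pointing production users to the supported LTS line (SECURITY.md in this same commit lists 0.19.x as LTS) so the header does not read as "no production release exists".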
@ -262,9 +262,14 @@ SecuBox includes an MCP server for AI integration:
| Version | Status | Focus |
|---------|--------|-------|
| **v0.17** | Released | Core Mesh, 38 modules |
| **v0.18** | Current | P2P Hub, AI Gateway, 86 modules |
| **v0.19** | Planned | Full P2P intelligence |
| **v1.0** | Planned | ANSSI certification |
| **v0.18** | Released | P2P Hub, AI Gateway, 86 modules |
| **v0.19** | Released | Full P2P intelligence |
| **v1.0** | **Beta** | Pen testing, bug bounty, ANSSI prep |
| **v1.1** | Planned | ANSSI certification, GA release |
### Beta Release
See [BETA-RELEASE.md](BETA-RELEASE.md) for security testing guidelines and bug bounty scope.
---
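Review bot: the roadmap now goes straight from v0.19 (Released) to v1.0 (Beta), while the SECURITY.md hunk in this commit removes a `0.20.x | ✅ Current` row that previously existed; if a 0.20 line was ever shipped, add a v0.20 row here (or a note that 0.20 was renumbered to 1.0) so the roadmap and the support table agree on the version history.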

SECURITY.md
@ -15,11 +15,19 @@ This document describes the security policy for SecuBox firmware, in compliance
| Version | Support Status | End of Support |
|---------|---------------|----------------|
| 0.20.x | ✅ Current | Active development |
| 1.0.x | ✅ Current (Beta) | Active development |
| 0.19.x | ✅ LTS | March 2027 |
| 0.18.x | ⚠️ Security only | September 2026 |
| < 0.18 | EOL | Unsupported |
### v1.0.0 Beta Release
The v1.0.0 Beta is now available for security testing. See [BETA-RELEASE.md](BETA-RELEASE.md) for:
- Attack surface overview
- High-value targets
- Known weak points (intentional disclosure)
- Bug bounty scope and reporting guidelines
**Support policy:**
- **Current:** All bug fixes and security patches
- **LTS (Long Term Support):** Critical security patches only, 18 months
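Review bot: replacing `| 0.20.x | ✅ Current | Active development |` with the `1.0.x` row drops 0.20.x from the support table without assigning it any status; the remaining rows cover only 0.19.x, 0.18.x and `< 0.18`, so someone running 0.20.x can no longer tell whether they still receive patches. Keep a 0.20.x row (Security only or EOL with a date, or a note that it was renamed 1.0.x). Also, marking a beta with the same ✅ Current symbol as a production line blurs the distinction the "Support policy" list below tries to make; a distinct marker for the beta row would separate "receives all fixes" from "recommended for production".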
@ -225,5 +233,19 @@ Notre-Dame-du-Cruet
---
_Last updated: 2026-03-04_
_Document version: 1.0_
---
## Hall of Fame
Security researchers who have responsibly disclosed vulnerabilities:
| Researcher | Date | Severity | Description |
|------------|------|----------|-------------|
| *Your name here* | — | — | — |
We thank all contributors who help make SecuBox more secure.
---
_Last updated: 2026-03-15_
_Document version: 1.1_
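Review bot: the new Hall of Fame table has no column tying an entry to the fix it led to, so credits will not be traceable once real rows land; add a Reference column (advisory link, commit id or CVE id) to the header now, before the placeholder `*Your name here*` row is replaced. The BETA-RELEASE.md hunk promises credit in "Release notes" and the "Project website" as well, so it would help to state here which of the three is the canonical record.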