From 605841e4439d2b66622f24a0c16c7218a188f05a Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sun, 15 Mar 2026 18:45:29 +0100 Subject: [PATCH] docs: v1.0.0 Beta Release - Pen Testing & Bug Bounty Ready - BETA-RELEASE.md: Complete security testing guide - Attack surface overview (HAProxy, WAF, LXC, P2P) - High-value targets and secrets locations - Known weak points (intentional disclosure) - Bug bounty scope and reporting guidelines - Test environment setup (VirtualBox, Docker) - SECURITY.md: Updated with Hall of Fame and beta info - README.md: Version bump to 1.0.0-beta Co-Authored-By: Claude Opus 4.5 --- BETA-RELEASE.md | 276 ++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 17 +-- SECURITY.md | 28 ++++- 3 files changed, 312 insertions(+), 9 deletions(-) create mode 100644 BETA-RELEASE.md diff --git a/BETA-RELEASE.md b/BETA-RELEASE.md new file mode 100644 index 00000000..18c26b69 --- /dev/null +++ b/BETA-RELEASE.md @@ -0,0 +1,276 @@ +# SecuBox v1.0.0 Beta Release + +**Release Date:** 2026-03-15 +**Status:** Beta — Ready for Pen Testing & Bug Bounty +**Publisher:** [CyberMind.fr](https://cybermind.fr) + +--- + +## Quick Start for Security Researchers + +### Get the Code + +```bash +git clone https://github.com/CyberMind-FR/secubox-openwrt.git +cd secubox-openwrt +``` + +### Build for Testing + +```bash +# Option 1: Use pre-built packages (recommended) +./secubox-tools/local-build.sh build all + +# Option 2: Build with OpenWrt SDK +cd ~/openwrt-sdk/package/ +ln -s /path/to/secubox-openwrt secubox +make package/secubox/luci-app-secubox-portal/compile V=s +``` + +### Deploy to Test Router + +```bash +scp bin/packages/*/secubox/*.ipk root@192.168.255.1:/tmp/ +ssh root@192.168.255.1 'opkg install /tmp/luci-app-*.ipk' +``` + +--- + +## Attack Surface Overview + +### Layer 1: Network Edge + +| Component | Port | Protocol | Attack Vectors | +|-----------|------|----------|----------------| +| HAProxy | 80, 443 | HTTP/S | Header injection, SNI attacks, SSL stripping | +| mitmproxy WAF | 22222 | HTTP | WAF bypass, rule evasion, memory exhaustion | +| CrowdSec Bouncer | - | nftables | Rule bypass, IP spoofing | +| fw4/nftables | - | L3/L4 | Firewall evasion, fragmentation attacks | + +### Layer 2: Application Proxies + +| Component | Port | Protocol | Attack Vectors | +|-----------|------|----------|----------------| +| LuCI (uhttpd) | 443 | HTTPS | Auth bypass, XSS, CSRF, path traversal | +| RPCD (ubus) | Unix | JSON-RPC | Privilege escalation, injection | +| Tor Shield | 9050 | SOCKS5 | Deanonymization, circuit analysis | + +### Layer 3: LXC Containers + +| Container | Port | Service | Attack Vectors | +|-----------|------|---------|----------------| +| Jellyfin | 8096 | Media | Path traversal, transcoding exploits | +| Nextcloud | 8080 | Cloud | SSRF, file upload, WebDAV abuse | +| Gitea | 3000 | Git | RCE via hooks, repo injection | +| Streamlit | 8501+ | Python | Code execution, pickle deserialization | +| PhotoPrism | 2342 | Photos | AI model poisoning, EXIF injection | + +### Layer 4: Mesh/P2P + +| Component | Port | Protocol | Attack Vectors | +|-----------|------|----------|----------------| +| P2P Hub | 8333 | WebSocket | Message injection, peer impersonation | +| Master Link | 51820 | WireGuard | Key theft, MITM on onboarding | +| Vortex DNS | 53 | DNS | Cache poisoning, zone transfer | + +--- + +## High-Value Targets + +### Critical Files (Write Access = Root) + +``` +/etc/config/network # Network configuration +/etc/config/firewall # Firewall rules +/etc/config/haproxy # Reverse proxy routes +/etc/config/crowdsec # CrowdSec agent config +/etc/shadow # Password hashes +/etc/dropbear/authorized_keys +``` + +### RPCD Handlers (Shell Code) + +``` +/usr/libexec/rpcd/luci.* # LuCI backend scripts +/usr/sbin/*ctl # CLI tools (crowdsecctl, haproxyctl, etc.) +/usr/lib/secubox/ # Shared libraries +``` + +### Secrets + +``` +/etc/config/smtp-relay # SMTP credentials (option password) +/etc/config/wireguard # WireGuard private keys +/etc/config/dns-provider # DNS API keys (Gandi, OVH, Cloudflare) +/srv/mitmproxy/*.pem # TLS certificates +/etc/crowdsec/local_api_credentials.yaml +``` + +--- + +## Known Weak Points (Intentional Disclosure) + +### 1. RPCD Shell Injection Risk + +Many RPCD handlers use shell scripts with UCI data: +```sh +# Example pattern (potentially vulnerable) +local value=$(uci get config.section.option) +eval "command $value" # ← Shell injection if UCI value contains $(...) +``` + +**Check:** All `luci.*` handlers in `/usr/libexec/rpcd/` + +### 2. WAF Bypass Opportunities + +mitmproxy WAF uses pattern matching: +- Large request bodies may exhaust memory +- Chunked encoding edge cases +- Multipart form parsing quirks +- WebSocket upgrade handling + +**Check:** `/srv/mitmproxy/haproxy_router.py` + +### 3. LXC Container Escapes + +Containers run with limited privileges but: +- Some have bind mounts to host paths +- cgroup v2 limits may be bypassable +- Namespace isolation varies per container + +**Check:** `/srv/lxc/*/config` + +### 4. P2P Mesh Trust + +Master Link uses first-contact trust: +- Initial WireGuard key exchange may be interceptable +- Gossip messages are signed but trust chain is shallow + +**Check:** `/usr/sbin/master-linkctl`, `/usr/sbin/secubox-p2p` + +### 5. Cross-Site Scripting (XSS) + +LuCI views render user-controlled data: +- Hostname, MAC addresses, user comments +- Log entries displayed in dashboards +- Report content in HTML emails + +**Check:** All `htdocs/luci-static/resources/view/*/` JavaScript files + +--- + +## Bug Bounty Scope + +### In Scope + +| Severity | Category | Examples | +|----------|----------|----------| +| **Critical** | RCE, Auth Bypass | Shell injection in RPCD, hardcoded credentials | +| **High** | Privilege Escalation | LXC escape, WAF bypass with RCE | +| **Medium** | Information Disclosure | Credential leakage, path traversal | +| **Low** | DoS, XSS | Memory exhaustion, stored XSS in logs | + +### Out of Scope + +- Self-DoS attacks (user crashing their own router) +- Social engineering +- Physical access attacks +- Third-party software bugs (OpenWrt core, upstream packages) +- Rate limiting bypasses without impact + +--- + +## Reporting + +### Contact + +- **Email:** security@cybermind.fr +- **GPG Key:** Available on request +- **GitHub Issues:** [github.com/CyberMind-FR/secubox-openwrt/security](https://github.com/CyberMind-FR/secubox-openwrt/security) + +### Report Format + +``` +## Summary +[One-line description] + +## Severity +[Critical/High/Medium/Low] + +## Affected Component +[Package name, file path, RPCD method] + +## Steps to Reproduce +1. ... +2. ... +3. ... + +## Proof of Concept +[Code, screenshots, or video] + +## Impact +[What can an attacker achieve?] + +## Suggested Fix +[Optional] +``` + +### Response Timeline + +| Phase | Time | +|-------|------| +| Acknowledgment | 24 hours | +| Triage | 72 hours | +| Fix (Critical) | 7 days | +| Fix (High/Medium) | 30 days | +| Public Disclosure | 90 days | + +--- + +## Test Environment Setup + +### VirtualBox Appliance + +```bash +# Build VM image +./secubox-tools/c3box-vm-builder.sh full + +# Import to VirtualBox +VBoxManage import secubox-v1.0.0-beta.ova +``` + +### Docker (Limited) + +```bash +# LuCI-only testing +docker run -p 8080:80 ghcr.io/cybermind-fr/secubox-luci:beta +``` + +### Real Hardware + +Recommended: x86-64 mini PC or ARM64 SBC (NanoPi R4S, Raspberry Pi 4) + +--- + +## Legal + +This is an authorized security research program. By participating, you agree to: + +1. Only test against systems you own or have permission to test +2. Not access, modify, or delete data beyond what's necessary to demonstrate the vulnerability +3. Report vulnerabilities responsibly before public disclosure +4. Not use discovered vulnerabilities for malicious purposes + +**License:** Apache-2.0 +**© 2024-2026 CyberMind.fr** + +--- + +## Acknowledgments + +Security researchers who report valid vulnerabilities will be credited in: +- `SECURITY.md` Hall of Fame +- Release notes +- Project website + +**Ex Tenebris, Lux Securitas** diff --git a/README.md b/README.md index 7f47b8e6..aeae98b5 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # SecuBox - Security Suite for OpenWrt -**Version:** 0.18.0 -**Last Updated:** 2026-03-04 -**Status:** Production Ready +**Version:** 1.0.0-beta +**Last Updated:** 2026-03-15 +**Status:** Beta — Ready for Pen Testing & Bug Bounty **Modules:** 86 LuCI Applications [![Build OpenWrt Packages](https://github.com/CyberMind-FR/secubox-openwrt/actions/workflows/build-openwrt-packages.yml/badge.svg)](https://github.com/CyberMind-FR/secubox-openwrt/actions/workflows/build-openwrt-packages.yml) @@ -262,9 +262,14 @@ SecuBox includes an MCP server for AI integration: | Version | Status | Focus | |---------|--------|-------| | **v0.17** | Released | Core Mesh, 38 modules | -| **v0.18** | Current | P2P Hub, AI Gateway, 86 modules | -| **v0.19** | Planned | Full P2P intelligence | -| **v1.0** | Planned | ANSSI certification | +| **v0.18** | Released | P2P Hub, AI Gateway, 86 modules | +| **v0.19** | Released | Full P2P intelligence | +| **v1.0** | **Beta** | Pen testing, bug bounty, ANSSI prep | +| **v1.1** | Planned | ANSSI certification, GA release | + +### Beta Release + +See [BETA-RELEASE.md](BETA-RELEASE.md) for security testing guidelines and bug bounty scope. --- diff --git a/SECURITY.md b/SECURITY.md index 0c693df2..dc4ebdb0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -15,11 +15,19 @@ This document describes the security policy for SecuBox firmware, in compliance | Version | Support Status | End of Support | |---------|---------------|----------------| -| 0.20.x | ✅ Current | Active development | +| 1.0.x | ✅ Current (Beta) | Active development | | 0.19.x | ✅ LTS | March 2027 | | 0.18.x | ⚠️ Security only | September 2026 | | < 0.18 | ❌ EOL | Unsupported | +### v1.0.0 Beta Release + +The v1.0.0 Beta is now available for security testing. See [BETA-RELEASE.md](BETA-RELEASE.md) for: +- Attack surface overview +- High-value targets +- Known weak points (intentional disclosure) +- Bug bounty scope and reporting guidelines + **Support policy:** - **Current:** All bug fixes and security patches - **LTS (Long Term Support):** Critical security patches only, 18 months @@ -225,5 +233,19 @@ Notre-Dame-du-Cruet --- -_Last updated: 2026-03-04_ -_Document version: 1.0_ +--- + +## Hall of Fame + +Security researchers who have responsibly disclosed vulnerabilities: + +| Researcher | Date | Severity | Description | +|------------|------|----------|-------------| +| *Your name here* | — | — | — | + +We thank all contributors who help make SecuBox more secure. + +--- + +_Last updated: 2026-03-15_ +_Document version: 1.1_