gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4fa322d1fd
secubox-openwrt/BETA-RELEASE.md
CyberMind-FR 605841e443 docs: v1.0.0 Beta Release - Pen Testing & Bug Bounty Ready 
- BETA-RELEASE.md: Complete security testing guide
  - Attack surface overview (HAProxy, WAF, LXC, P2P)
  - High-value targets and secrets locations
  - Known weak points (intentional disclosure)
  - Bug bounty scope and reporting guidelines
  - Test environment setup (VirtualBox, Docker)

- SECURITY.md: Updated with Hall of Fame and beta info
- README.md: Version bump to 1.0.0-beta

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 18:45:29 +01:00

277 lines
6.8 KiB
Markdown
Raw Blame History

# SecuBox v1.0.0 Beta Release
**Release Date:** 2026-03-15
**Status:** Beta — Ready for Pen Testing & Bug Bounty
**Publisher:** [CyberMind.fr](https://cybermind.fr)
---
## Quick Start for Security Researchers
### Get the Code
```bash
git clone https://github.com/CyberMind-FR/secubox-openwrt.git
cd secubox-openwrt
```
### Build for Testing
```bash
# Option 1: Use pre-built packages (recommended)
./secubox-tools/local-build.sh build all
# Option 2: Build with OpenWrt SDK
cd ~/openwrt-sdk/package/
ln -s /path/to/secubox-openwrt secubox
make package/secubox/luci-app-secubox-portal/compile V=s
```
### Deploy to Test Router
```bash
scp bin/packages/*/secubox/*.ipk root@192.168.255.1:/tmp/
ssh root@192.168.255.1 'opkg install /tmp/luci-app-*.ipk'
```
---
## Attack Surface Overview
### Layer 1: Network Edge
| Component | Port | Protocol | Attack Vectors |
|-----------|------|----------|----------------|
| HAProxy | 80, 443 | HTTP/S | Header injection, SNI attacks, SSL stripping |
| mitmproxy WAF | 22222 | HTTP | WAF bypass, rule evasion, memory exhaustion |
| CrowdSec Bouncer | - | nftables | Rule bypass, IP spoofing |
| fw4/nftables | - | L3/L4 | Firewall evasion, fragmentation attacks |
### Layer 2: Application Proxies
| Component | Port | Protocol | Attack Vectors |
|-----------|------|----------|----------------|
| LuCI (uhttpd) | 443 | HTTPS | Auth bypass, XSS, CSRF, path traversal |
| RPCD (ubus) | Unix | JSON-RPC | Privilege escalation, injection |
| Tor Shield | 9050 | SOCKS5 | Deanonymization, circuit analysis |
### Layer 3: LXC Containers
| Container | Port | Service | Attack Vectors |
|-----------|------|---------|----------------|
| Jellyfin | 8096 | Media | Path traversal, transcoding exploits |
| Nextcloud | 8080 | Cloud | SSRF, file upload, WebDAV abuse |
| Gitea | 3000 | Git | RCE via hooks, repo injection |
| Streamlit | 8501+ | Python | Code execution, pickle deserialization |
| PhotoPrism | 2342 | Photos | AI model poisoning, EXIF injection |
### Layer 4: Mesh/P2P
| Component | Port | Protocol | Attack Vectors |
|-----------|------|----------|----------------|
| P2P Hub | 8333 | WebSocket | Message injection, peer impersonation |
| Master Link | 51820 | WireGuard | Key theft, MITM on onboarding |
| Vortex DNS | 53 | DNS | Cache poisoning, zone transfer |
---
## High-Value Targets
### Critical Files (Write Access = Root)
```
/etc/config/network # Network configuration
/etc/config/firewall # Firewall rules
/etc/config/haproxy # Reverse proxy routes
/etc/config/crowdsec # CrowdSec agent config
/etc/shadow # Password hashes
/etc/dropbear/authorized_keys
```
### RPCD Handlers (Shell Code)
```
/usr/libexec/rpcd/luci.* # LuCI backend scripts
/usr/sbin/*ctl # CLI tools (crowdsecctl, haproxyctl, etc.)
/usr/lib/secubox/ # Shared libraries
```
### Secrets
```
/etc/config/smtp-relay # SMTP credentials (option password)
/etc/config/wireguard # WireGuard private keys
/etc/config/dns-provider # DNS API keys (Gandi, OVH, Cloudflare)
/srv/mitmproxy/*.pem # TLS certificates
/etc/crowdsec/local_api_credentials.yaml
```
---
## Known Weak Points (Intentional Disclosure)
### 1. RPCD Shell Injection Risk
Many RPCD handlers use shell scripts with UCI data:
```sh
# Example pattern (potentially vulnerable)
local value=$(uci get config.section.option)
eval "command $value" # ← Shell injection if UCI value contains $(...)
```
**Check:** All `luci.*` handlers in `/usr/libexec/rpcd/`
### 2. WAF Bypass Opportunities
mitmproxy WAF uses pattern matching:
- Large request bodies may exhaust memory
- Chunked encoding edge cases
- Multipart form parsing quirks
- WebSocket upgrade handling
**Check:** `/srv/mitmproxy/haproxy_router.py`
### 3. LXC Container Escapes
Containers run with limited privileges but:
- Some have bind mounts to host paths
- cgroup v2 limits may be bypassable
- Namespace isolation varies per container
**Check:** `/srv/lxc/*/config`
### 4. P2P Mesh Trust
Master Link uses first-contact trust:
- Initial WireGuard key exchange may be interceptable
- Gossip messages are signed but trust chain is shallow
**Check:** `/usr/sbin/master-linkctl`, `/usr/sbin/secubox-p2p`
### 5. Cross-Site Scripting (XSS)
LuCI views render user-controlled data:
- Hostname, MAC addresses, user comments
- Log entries displayed in dashboards
- Report content in HTML emails
**Check:** All `htdocs/luci-static/resources/view/*/` JavaScript files
---
## Bug Bounty Scope
### In Scope
| Severity | Category | Examples |
|----------|----------|----------|
| **Critical** | RCE, Auth Bypass | Shell injection in RPCD, hardcoded credentials |
| **High** | Privilege Escalation | LXC escape, WAF bypass with RCE |
| **Medium** | Information Disclosure | Credential leakage, path traversal |
| **Low** | DoS, XSS | Memory exhaustion, stored XSS in logs |
### Out of Scope
- Self-DoS attacks (user crashing their own router)
- Social engineering
- Physical access attacks
- Third-party software bugs (OpenWrt core, upstream packages)
- Rate limiting bypasses without impact
---
## Reporting
### Contact
- **Email:** security@cybermind.fr
- **GPG Key:** Available on request
- **GitHub Issues:** [github.com/CyberMind-FR/secubox-openwrt/security](https://github.com/CyberMind-FR/secubox-openwrt/security)
### Report Format
```
## Summary
[One-line description]
## Severity
[Critical/High/Medium/Low]
## Affected Component
[Package name, file path, RPCD method]
## Steps to Reproduce
1. ...
2. ...
3. ...
## Proof of Concept
[Code, screenshots, or video]
## Impact
[What can an attacker achieve?]
## Suggested Fix
[Optional]
```
### Response Timeline
| Phase | Time |
|-------|------|
| Acknowledgment | 24 hours |
| Triage | 72 hours |
| Fix (Critical) | 7 days |
| Fix (High/Medium) | 30 days |
| Public Disclosure | 90 days |
---
## Test Environment Setup
### VirtualBox Appliance
```bash
# Build VM image
./secubox-tools/c3box-vm-builder.sh full
# Import to VirtualBox
VBoxManage import secubox-v1.0.0-beta.ova
```
### Docker (Limited)
```bash
# LuCI-only testing
docker run -p 8080:80 ghcr.io/cybermind-fr/secubox-luci:beta
```
### Real Hardware
Recommended: x86-64 mini PC or ARM64 SBC (NanoPi R4S, Raspberry Pi 4)
---
## Legal
This is an authorized security research program. By participating, you agree to:
1. Only test against systems you own or have permission to test
2. Not access, modify, or delete data beyond what's necessary to demonstrate the vulnerability
3. Report vulnerabilities responsibly before public disclosure
4. Not use discovered vulnerabilities for malicious purposes
**License:** Apache-2.0
**© 2024-2026 CyberMind.fr**
---
## Acknowledgments
Security researchers who report valid vulnerabilities will be credited in:
- `SECURITY.md` Hall of Fame
- Release notes
- Project website
**Ex Tenebris, Lux Securitas**
Reference in New Issue View Git Blame Copy Permalink