Published in 2023-5-22 22:57:39
This post was last edited by bulgaru at 2023-5-22 22:59

Hello, everyone!

I wanted to let you know of a serious vulnerability when it comes to Ubuntu Jammy Server on OPi 5 (don't know if it applies to other models / OSes / builds).

The attack vector is currently unknown, but the penetration of the system is immediate with root access to the attacker.

Symptoms:
  • presence of "tamkjll" file/folder in root directory
  • presence of a "data" directory in the root directory, containing UFO.apk
  • folders named "arm", "x86", etc in the root directory
  • loss of ssh access
  • overheating CPU

Troubleshooting steps:
  • changed the default root password - NO EFFECT
  • disabled password ssh access - NO EFFECT
  • exposed ssh with a different port - NO EFFECT
  • closed all ports except 22, 80, 443, and a couple technical ones - SUCCESS

Preliminary conclusions:
It seems that the attacker exploits a zero-day vulnerability by attacking one of the exposed ports. After gaining root access, the attacker downloads malicious code that hijacks the device. Seems to be related to Mirai Botnet, according to my research. The Ubuntu distro needs to be audited for exposed ports that allow the attacker to gain root access. It seems to happen regardless of the root password currently used, which begs the question of how on earth the attacker is capable of running the code with sudo privileges.

Steps to reproduce:
  • install Ubuntu Server from OPi website
  • change root password, disable ssh password access
  • expose the device to the web

My main concern is that the distro provided via the OPi website is vulnerable out of the box. Given that it's a Server distro, it can create a sense of false security when it comes to using it with the devices exposed to the web. Moreover, there may be plenty of infected devices out there already that are present in the attacker's database, and they will be hijacked regardless of whether they reset and reinstall their system.

Any help would be very much welcome!
You can buy me a beer at https://www.paypal.me/bsensus
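The symptoms and the port-closing step above translate directly into a quick, read-only check that a defender can run on a board before and after exposing it. The script below is an added example, not code from the original post or from Orange Pi: it looks for the filesystem indicators bulgaru lists (`/tamkjll`, `/data/UFO.apk`, `/arm`, `/x86`) and prints any TCP listener outside the allowlist of 22, 80 and 443 that stopped the re-infection. The `ALLOWED_PORTS` list and the function names are assumptions matching the poster's description; `ss` is the iproute2 tool shipped with Ubuntu Jammy. It only reports; it changes nothing on the system.

```shell
#!/bin/sh
# Added example (not part of the original forum post): report the indicators
# of compromise described in the thread and any unexpected listening ports.
# ALLOWED_PORTS is an assumption taken from the poster's "closed all ports
# except 22, 80, 443" step; adjust it to the services you actually run.
ALLOWED_PORTS="22 80 443"

# check_indicators ROOT: print each indicator present under ROOT (default /).
# Returns 1 if at least one was found, 0 if the filesystem looks clean.
check_indicators() {
    root="${1:-/}"
    root="${root%/}"          # strip a trailing slash so "/" and "/tmp/x/" both work
    found=0
    for rel in tamkjll data/UFO.apk arm x86; do
        if [ -e "$root/$rel" ]; then
            echo "INDICATOR: $root/$rel"
            found=1
        fi
    done
    return $found
}

# unexpected_ports "P1 P2 ...": print every port not in ALLOWED_PORTS.
# Returns 1 if any unexpected port was printed, 0 otherwise.
unexpected_ports() {
    bad=0
    for p in $1; do
        case " $ALLOWED_PORTS " in
            *" $p "*) ;;                                  # allowlisted
            *) echo "UNEXPECTED LISTENER: port $p"; bad=1 ;;
        esac
    done
    return $bad
}

# listening_ports: space-separated list of TCP ports in LISTEN state, taken
# from "ss -Hltn" (no header, listening, tcp, numeric). The 4th column is the
# local address:port; stripping up to the last colon handles "*:22" and "[::]:22".
listening_ports() {
    command -v ss >/dev/null 2>&1 || return 0
    ss -Hltn 2>/dev/null | awk '{print $4}' | sed 's/.*://' | sort -un | tr '\n' ' '
}

# main: run both checks against the live system and exit non-zero on findings.
main() {
    status=0
    check_indicators / || status=1
    unexpected_ports "$(listening_ports)" || status=1
    [ "$status" -eq 0 ] && echo "OK: no indicators and no unexpected listeners"
    return $status
}

# Usage: sh check_opi.sh --run   (run as root so /data etc. are readable)
case "${1:-}" in
    --run) main ;;
esac
```

Run it once on a freshly flashed image to learn which ports the distro opens by default, and again after hardening; the list printed by `unexpected_ports` is the set of services to either firewall or justify, which is the audit the post asks for.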
Published in 2025-7-1 20:14:28
Hello! I just wish to supply a enormous thumbs up with the great information you may have here for this post. I am returning to your blog for more soon.        Bioma Probiotics
Published 7 days ago
Oh my! an incredible article man. Thanks a lot Unfortunately I am experiencing issues with ur rss . Don’t know why I am struggling to subscribe it. Perhaps there is somebody getting identical rss issues? Anyone who can help kindly respond. Appreciate it        bokep indonesia
Published 7 days ago
Excellent! I thank you your contribution to this matter. It has been insightful. my blog: how to turn a girl on        บาคาร่า88
Published 7 days ago
Still, I would have appreciated one scene showing how his limitless knowledge afforded him relationship-handling tact.        new88
Published 7 days ago
Absolutely   indited content , Really enjoyed  reading through .        sbobet777 login
Published 6 days ago
An interesting discussion may be worth comment. I do think that you simply write on this topic, it will not certainly be a taboo subject but normally consumers are insufficient to communicate on such topics. To a higher. Cheers        https://new88838.com
Published 6 days ago
Immediately the website might irrefutably obtain famous one of the most associated with publishing customers, because of its diligent articles or just crucial evaluations.        kingthai999
Published 3 days ago
Many thanks for creating the effort to discuss this, I feel strongly about this and like learning a great deal more on this subject. If feasible, as you gain expertise, would you mind updating your weblog with a great deal more details? It’s very useful for me.        789bet
Published 3 days ago
Obviously I like your web-site, however you have to test the spelling on quite a few of your posts. Several of them are rife with spelling issues and I find it very bothersome to inform you. On the other hand I will surely come again again!        hb88