WebREPL unsafe?

[HermannSW]

Thanks for your detailed comments.

Instead, you add dependency on CPython, and a particular 3rd-party module for it, named "websocket".

Just because of the history, because I did not start based on webrepl_cli.py but instead based on aivarannamaa's client from this forum thread:
viewtopic.php?f=2&t=3124&p=29865#p29865

However, this fact isn't disclosed anywhere.

It is, see the imports:
https://github.com/Hermann-SW/webrepl/b ... _client.py


as well as that it runs under Python v2 as well as v3:



I did a major rewrite of webrepl_client.py over the last days, and updated documentation in README.md as well:
https://github.com/Hermann-SW/webrepl#webrepl-shell
Do you think I should add the dependencies (imports) there? Only websocket or threading as well? Others? Should I add that webrepl_client.py runs for both Python versions as well?


Btw, websocket module runs in webrepl_client.py and not on MicroPython, so no 3rd party modules needed in MicroPython for me! I will just import machine module and use its machine.PWM to drop payload from drone, with ESP-01s attached running MicroPython. The remote MicroPython session will be run on mobile Pi ZeroW on ground:

https://www.esp8266.com/viewtopic.php?f ... 320#p78320

[HermannSW]

The interned strings are not alone reason for "unsafe", password can be determined easily without looking into qstr pool:

Code: Select all

$ webrepl_client.py 192.168.4.1
Password:

WebREPL connected
>>> f = open('webrepl_cfg.py')
>>> f.read()
,"PASS = 'abcd'\n"
>>> 

[SpotlightKid]

@HermannSW: What do you expect? A microprocessor architecture is not like a server or desktop system. There's no memory protection, the file system usually has no access control and it's single-user. The OS code, the user code (incl. third-party code the user installed) and the REPL all can potentially do the same things.

Like pfalcon said: you`re looking at the wrong level for security enforcement.

[HermannSW]

OK, but you can get MicroPython (more) "safe" by

• storing "some_hash(password)" in webrepl_cfg.py and comparing "some_hash(input)" against it for login
• clearing (only) password from interned strings after login (successfull and unsuccessful)

[HermannSW]

Currently WebREPL seems not to support "wss:" protocol:
viewtopic.php?f=2&t=5338

With "wss:" it would not be a problem for webrepl.html to send password over the wire as is.

Without it webrepl.html could send "some_hash(password)" to WebREPL and let that compare against stored hash.

I think that WebREPL can be made "secure" with these three changes.

P.S:
Just thinking again, challenge-response needs to be added as well, otherwise (without "wss:" the hash could just be captured [eg. with Ettercap tool] and reused with modified client).

[pfalcon]

I did a major rewrite of webrepl_client.py over the last days, and updated documentation in README.md as well:
https://github.com/Hermann-SW/webrepl#webrepl-shell
Do you think I should add the dependencies (imports) there? Only websocket or threading as well? Others? Should I add that webrepl_client.py runs for both Python versions as well?

I think that any author of software tools should, whenever possible, provide any information which is useful by users. In some cases, e.g. when you take an existing tool, and modify infrastructure in/around it considerably, then "whenever possible" goes "almost mandatory". That's my IMHO of course. And I express it based on the fact that your fork exists not just on its own, but also as a PR to the upstream repository: https://github.com/micropython/webrepl/pull/37 . Please consider that as the reply to that PR, why it couldn't be merged to upstream (from my opinion, as the original author of those tools). But definitely please work on your fork - that's how it's intended to be, that there's an ecosystem around MicroPython consisting from independent parties, each having a freedom, and bearing responsibility, with the work they do.

I will just import machine module and use its machine.PWM to drop ... from drone, with ESP-01s attached running MicroPython.

I'm really open-minded person, but reading this again and again makes me cringe on the think that MicroPython forum can be banned in various countries and territories due to alleged questionable-speak. So, please consider redacting your posts.

[pfalcon]

I think that WebREPL can be made "secure" with these three changes.

P.S:
Just thinking again, challenge-response needs to be added as well, otherwise (without "wss:" the hash could just be captured [eg. with Ettercap tool] and reused with modified client).

You probably didn't read previous replies thoroughly enough, so let me summarize it:

• WebREPL is intended to provide complete, unconstrained access to MicroPython command line. (Not to drop stuff or something)
• WebREPL is intended to be used only within fully secured/protected local network, and should not be used otherwise. (So someone using Ettercap would be you or your authorized buddy.)
• WebREPL is intended to run on as small systems as possible, and thus should avoid extra dependencies.

WebREPL can be made "more secure", but not without conflicting with the requirements above. So, someone proposing patches would include impact analysis of the added features on the resource usage. And someone interested in security would likely use an existing protocol like SSH or TLS anyway (the conclusion you seem to have arrived at too).

[HermannSW]

I have been questioned about the use of the word in this this posting of related thread as well:
https://www.esp8266.com/viewtopic.php?f ... t=4#p78481
Although the only reason to use it was because I used the same wording from the youtube video I started with, I did replace it 20 times in that thread with "payload", so "servo payload drop mechanism".

I cleaned up my github project mentioning it as well with using "payload":
https://github.com/Hermann-SW/wireless- ... -E52-drone

I changed it to "payload" in the one place I used it in this thread, but cannot change the two mentions in your postings.


You have made very clear the limited design scope of WebREPL and why it does not need security.
As long as WebREPL is only used that way all is fine.

But it will be used outside of that scope and make IoT devices insecure like missing SSL in those devices.
(only because of this missing security I was able to intercept Android to drone traffic in github project above)


Anyway, I really like WebREPL and will use it for my private projects, thanks for WebREPL.

[HermannSW]

I think that any author of software tools should, whenever possible, provide any information which is useful by users.

What are you missing in documentation about WebREPL shell?
https://github.com/Hermann-SW/webrepl#webrepl-shell