Aug 19 2019

TL;DR: SphinxSearch ships with an insecure default configuration that opens a listener on port 9306 on all interfaces. No authentication is required, and connections with a plain MySQL client are possible.

I recently stumbled upon SphinxSearch, a fast database that can do full-text search much faster than MySQL/MariaDB (at least in my scenario) and runs on fewer resources than Lucene, Solr or Elasticsearch (which also performed the worst in my scenario).

One thing I came across while installing it was the default configuration. In the default configuration SphinxSearch has a listener on TCP port 9306 with no authentication. Actually, as far as I know, authentication is not implemented in SphinxSearch at all. That would make you think the listener is at least limited to localhost? Nope. The default setup creates a listener on 0.0.0.0:9306 (meaning all interfaces, any IP, port 9306) and allows connections without credentials using the MySQL client.

This is a screenshot from the official documentation as of August 2019:

[Screenshot of the official documentation (archived copy)]

I have tried contacting the SphinxSearch team using the website form and via Skype since July, but no reply.

How to fix it?
Just go to your SphinxSearch configuration and change the listen directives so they bind only to localhost, or put a (host) firewall such as iptables in front of your installation.

Sample of a localhost listener configuration:

[..]
searchd
{
    listen = localhost:9312            # native API port, loopback only
    listen = localhost:9306:mysql41    # SphinxQL over the MySQL protocol, loopback only
[..]
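As an added example (my own code, not part of the original post or of SphinxSearch itself), a small Python check that parses the searchd section of a sphinx.conf and flags listen directives that bind every interface (a bare port or 0.0.0.0) or a specific non-loopback address. It assumes the documented [host:]port[:protocol] or unix-socket-path listen syntax, and the two sample configs at the end are constructed.

```python
ALL_INTERFACES = {"", "0.0.0.0", "::"}            # searchd binds everywhere for these
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def listen_directives(conf_text):
    """Yield the value of every active 'listen = ...' line inside the searchd section."""
    in_searchd = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if not in_searchd:
            in_searchd = line.split()[0] == "searchd"
            continue
        if line == "}":
            in_searchd = False
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "listen":
            yield value.strip()

def classify_listen(value):
    """Classify one listen value as 'unix', 'loopback', 'all' or 'host'."""
    if value.startswith("/"):                    # unix socket: not reachable over the network
        return "unix"
    parts = value.split(":")
    if not parts[-1].isdigit():                  # trailing protocol, e.g. 9306:mysql41
        parts = parts[:-1]
    if len(parts) <= 1:                          # bare port: searchd binds all interfaces
        return "all"
    host = ":".join(parts[:-1]).strip("[]")      # also accepts [::1]:9306 style IPv6 hosts
    if host in ALL_INTERFACES:
        return "all"
    if host in LOOPBACK:
        return "loopback"
    return "host"                                # a specific non-loopback address: still exposed

def audit_sphinx_conf(conf_text):
    """Return ([(listen_value, classification)], exposed) for a sphinx.conf text."""
    results = [(v, classify_listen(v)) for v in listen_directives(conf_text)]
    exposed = any(c in ("all", "host") for _, c in results)
    return results, exposed

# Constructed sample: the shipped default binds bare ports, i.e. every interface.
DEFAULT_CONF = "searchd\n{\n    listen = 9312\n    listen = 9306:mysql41\n}\n"
# Constructed sample of the fix from the post: both listeners bound to localhost.
FIXED_CONF = "searchd\n{\n    listen = localhost:9312\n    listen = localhost:9306:mysql41  # SphinxQL\n}\n"
```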

At the time of writing, 100+ installations are exposed to the Internet. Some of them might be exposed on purpose, or the data might not be secret, but for others it could be a real issue. I know of at least one project for email archiving which uses SphinxSearch – piler. Its users should check their installation immediately.

This is an example of a SphinxSearch login using the mysql client, without any credentials:

root@vmd292 ~/sphinx/sphinx-3.1.1/bin # mysql -P9306 -h127.0.0.1
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 3.1.1 (commit 612d99f) Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show tables;
+---------------+-------------+
| Index         | Type        |
+---------------+-------------+
| idx1_template | local       |
| idx1p0        | local       |
| idx1p1        | local       |
| idx1p10       | local       |
| idx1p11       | local       |
| idx1p12       | local       |
| idx1p13       | local       |
| idx1p14       | local       |
| idx1p15       | local       |
| idx1p16       | local       |
| idx1p17       | local       |
| idx1p18       | local       |
| idx1p19       | local       |
| idx1p2        | local       |
| idx1p20       | local       |
| idx1p3        | local       |
| idx1p4        | local       |
| idx1p5        | local       |
| idx1p6        | local       |
| idx1p7        | local       |
| idx1p8        | local       |
| idx1p9        | local       |
| test1         | distributed |
+---------------+-------------+
23 rows in set (0.001 sec)

MySQL [(none)]> quit
Bye
root@vmd292 ~/sphinx/sphinx-3.1.1/bin #
Dec 08 2019

When it comes to pentests you sometimes have access to the source code (open-source applications or grey-/white-box tests). I started using tools to help me analyze the code. So far I have only had Java code to analyze, but it was quite interesting to see the different tools and their results. Let me write down my personal findings.

The tools

I tried 3 different tools: SonarQube, PMD and SpotBugs (the successor to FindBugs).

First problem – .class vs .java

SpotBugs is able to analyze .jar or .class files directly, while the other two need source files, so for Java we need decompilers. While I like jd-gui for quickly looking into files, I found its output not really usable for source code analysis. cfr yielded much better results, but was very slow at times.

The setup

PMD and SpotBugs can simply be downloaded and run, while SonarQube runs as a Docker container that needs some more tweaks. Importing your files in particular is tricky, because it cannot be done through the web interface. You need to log in via the WebUI, create an API key, log into the Docker container, get sonar-scan, copy the files into the container and run sonar-scan to import them. Not painful, because it can be scripted, but much more work compared to simply running SpotBugs and opening your directory of .jar files. And here is the next issue:

Input formats and the tools

For my Java example the 3 tools require different input formats. My project is a single .jar file; the second test I did was a folder with some .jar files and some .class files.

I simply pointed SpotBugs at the directory and it started unzipping the .jar file recursively and analyzing the .class files inside. Awesome.

PMD needs .java files, so I had to recursively unzip the .jar files (the initial .jar contained other .jar files) and then decompile the .class files into .java files. Not that great.

SonarQube needs .java AND .class files. You can bypass the .class requirement, but according to the developers it will produce more false positives. So I needed to put all .class and .java files into separate directories (/bin and /src) for SonarQube. Not that great.
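As an added example (my own code, not from the post or from any of the three tools), a Python helper for the recursive unpacking step described above: it walks a .jar, drops every .class file into a bin/ tree and recurses into nested jars in memory. Because the jars under test are untrusted input, it also refuses entries whose name would escape the output directory (the zip-slip case). The sample jars it builds are constructed; decompiling bin/ into src/ with cfr is a separate step not shown here.

```python
import io, os, tempfile, zipfile

def _safe_target(out_dir, member):
    """Map a zip member name to a path inside out_dir; reject '../' escapes (zip-slip)."""
    root = os.path.realpath(out_dir)
    target = os.path.realpath(os.path.join(root, member))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("member escapes output dir: " + member)
    return target

def unpack_jar(jar, bin_dir):
    """Copy every .class in jar (path or file-like) into bin_dir, recursing into
    nested .jar entries. Returns (class_count, nested_jar_count)."""
    classes, nested = 0, 0
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                target = _safe_target(bin_dir, info.filename)   # checked before writing
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as dst:
                    dst.write(zf.read(info))
                classes += 1
            elif info.filename.endswith(".jar"):
                # Nested jar (lib/*.jar inside a fat jar): unpack it straight from memory.
                c, n = unpack_jar(io.BytesIO(zf.read(info)), bin_dir)
                classes, nested = classes + c, nested + n + 1
    return classes, nested

def build_sample_jar(path, with_traversal=False):
    """Constructed input: one class plus a nested lib/inner.jar (fake class bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/dep/Util.class", b"\xca\xfe\xba\xbe")
        if with_traversal:
            z.writestr("../evil.class", b"\xca\xfe\xba\xbe")   # zip-slip entry
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/inner.jar", inner.getvalue())

def run_demo():
    """Unpack the clean sample jar, then confirm the traversal entry is rejected."""
    work = tempfile.mkdtemp()
    bin_dir = os.path.join(work, "bin")
    build_sample_jar(os.path.join(work, "app.jar"))
    counts = unpack_jar(os.path.join(work, "app.jar"), bin_dir)
    found = os.path.isfile(os.path.join(bin_dir, "org", "dep", "Util.class"))
    build_sample_jar(os.path.join(work, "bad.jar"), with_traversal=True)
    try:
        unpack_jar(os.path.join(work, "bad.jar"), bin_dir)
        rejected = False
    except ValueError:
        rejected = True
    return counts, found, rejected
```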

Speed

I was very impressed by the speed of SpotBugs. It is close to instant on a normal business laptop. PMD was slower, but acceptable. SonarQube took some hours on the same hardware (a Lenovo T480 laptop). Without exact numbers, PMD was roughly 5x slower than SpotBugs and SonarQube about 1000x slower.

SpotBugs is the clear winner, SonarQube the clear loser.

Results

This may be the most important part: findings. All of the tools reported many false positives, which is pretty bad. I would expect these tools to save me time. Instead they cost me time checking false positives. In the time I spent checking false positives I could have read the code myself.

SonarQube did pretty well regarding findings. It found the most, but also the most false positives.

SpotBugs found a lot of bugs and false positives, too. Second most in my test. Good for a quick overview.

PMD comes last and mostly found issues in code quality, not security bugs. Something I was not looking for.

Personal Rating

Personally I would use SpotBugs in quick assessments and SonarQube if you have more time or need a deeper analysis. I will not use PMD, as it did not perform better in any of my tests.