I am using the Mycroft device for a pentesting thesis that I am finishing against this open source assistant and another company-owned device. After performing an Nmap scan against Mycroft, the Nmap tool reported that it is vulnerable to CVE-2007-6750 (denial of service attacks) and CVE-2023-28370 (phishing redirection with a crafted URL). Therefore, I tried to verify them; the things that I tried were:
CVE-2007-6750: I used the iaxflood tool, which is very powerful and was very effective with multiple devices that I own. However, with Mycroft it was not successful at all. I verified this by sending pings to Mycroft while the attack was running, and I could check that it was not having any effect. Is Mycroft protected against DoS attacks? Does it have a firewall or something that makes the attack not work?
CVE-2023-28370: What I first tried was to find out what files the server had; in order to do so I made several requests with the Postman tool. None of them were successful; they returned a 404 error. Then I used the dirbuster, dirsearch and gobuster tools to discover directories on the server and I couldn't find anything.
I need to justify in my thesis why both attacks are not working as expected, so I would be grateful if someone could help me with that and tell me what is happening.
Even though the kernel running on the MK2 seems not to be 6.x yet:
$ uname -a
Linux neon 5.15.72-v8+ #1 SMP PREEMPT Thu Oct 6 20:29:02 EDT 2022 aarch64 GNU/Linux
We need more information to be informative. What software is the device running? If you aren’t sure, you can describe the logo you see when the unit powers on, that’d tell us.
@goldyfruit was principally responsible for that image, so is best equipped to describe it, though I should note that both it and the original Mycroft-core are abandonware. The state of affairs:
As to the nature of the thing itself, I should also clarify that there are two elements. The Assistant, either Mycroft-core or a derivative, is software. That docker image, and the various Mycroft-based smart speaker images, are each separate, more or less opinionated implementations of the Assistant. Put differently, you aren’t running a docker version of the Mark II, you’re running a dockerized version of the Assistant.
Goldyfruit is now maintaining OVOS’ docker image (see FAQ) which we regard as much more “official” than MycroftAI did theirs. Our image kinda resembles what we put on a Mark II, when you run our smart speaker distro, but we’d sooner put most retail customers on NeonOS (see FAQ) which runs a heavily configured OVOS stack on a heavily opinionated system, with a whole bunch of their own utilities atop. Largely what we were hoping for in the first place, you might say, but not dockerized, afaik.
Mycroft's software was split into two main versions, their Core and their Dinkum rewrite. Neither is being maintained. If you need to complete your thesis based on the Mycroft software, there isn't any technical support available from them, but there is a lot of information here and on their website, which I think you'll be able to use to figure out what best to base your thesis on.
If you have more flexibility, I suggest you switch to either the OS offered by OVOS or Neon AI. There are many shared components between the Mycroft, OVOS, and Neon AI operating systems. The latter two are actively maintained, and we’ll appreciate hearing of any vulnerabilities you find.