| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Jun 2007 16:27:51 +0200 From: "Knud Erik Højgaard" <kokanin@...il.com> To: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: using matasano's blackbag/deezee to find 0day and stuff remote un-passworded root access in IBM's totalstorage ds400 storage thingie, like this: # download deezee from http://www.matasano.com/tools/deezee.tar.gz # download firmware for totalstorage ds400 lort# wget -q http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/tmp0001/oem/ibm/IBM_TotalStorage_DS_Series_FW_v4.15.zip lort# unzip -q IBM_TotalStorage_DS_Series_FW_v4.15.zip lort# rm IBM_TotalStorage_DS_Series_FW_v4.15.zip lort# ls Copy of IBM_TotalStorage_DS_Series_FW_v4.15.upgrade README_Single_IBM_TotalStorage_DS_Series_FW_v4.15.txt.TXT lort# mv Copy\ of\ IBM_TotalStorage_DS_Series_FW_v4.15.upgrade ds400.4.15.fw lort# ../deezee/deezee ds400.4.15.fw Scanning file ds400.4.15.fw for compressed components Compressed size: 21898976 bytes Compressed segment found. Expanded to 2181580 bytes Compressed segment found. Expanded to 16777216 bytes Compressed segment found. Expanded to 67108864 bytes lort# mkdir /mnt/1 /mnt/2 lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.1 -u 1 lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.2 -u 2 lort# mount_ext2fs /dev/md1 /mnt/1 lort# mount_ext2fs /dev/md2 /mnt/2 # part where you look for vulnerabilities intentionally skipped lort# cat /mnt/2/etc/shadow root::11430:0:10000:::: bin:*:8902:0:10000:::: daemon:*:8902:0:10000:::: ftp:*:8902:0:10000:::: named:*:8902:0:10000:::: nobody:*:0:0:10000:::: user::11430:0:10000:::: manager::11430:0:10000:::: administrator::11430:0:10000:::: operator::11430:0:10000:::: lort# cat /mnt/2/etc/inetd.conf # See "man 8 inetd" for more information. # # If you make changes to this file, either reboot your machine or send the # inetd a HUP signal: # Do a "ps x" as root and look up the pid of inetd. Then do a # "kill -HUP <pid of inetd>". # The inetd will re-read this file whenever it gets that signal. # # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args> # # If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN # uplink), add "-n". See 'man telnetd' for more deatails. # telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd cli stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /etc/eurologic/bin/cli login stream tcp nowait root /usr/sbin/tcpd in.rlogind shell stream tcp nowait.500 root /usr/sbin/tcpd in.rshd -Lh # # End. lort# grep ^telnet /mnt/2/etc/services telnet 6000/tcp # sit back and laugh at the passwordless accounts and the undocumented telnet daemon. -- Knud _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists