| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Oct 2009 23:31:09 -0500
From: Rohit Patnaik <quanticle@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Riorey "RIOS" Hardcoded Password Vulnerability
The really ironic thing is that this product is designed to improve the
security of your site (by mitigating DDoS attacks). Instead, it degrades
security by having a security hole large enough to drive a bus through.
--Rohit Patnaik
On Wed, Oct 7, 2009 at 6:03 PM,
<full-disclosure-bounces@...ts.grok.org.uk>wrote:
> Title: Riorey "RIOS" Hardcoded Password Vulnerability
>
> Severity: High (Full root access to the device)
> Date: 07 October 2009
> Versions Affected: RIOS 4.6.6 , 4.7.0 possibly others
> Discovered on: 25 July 2009
> Vendor URL: www.riorey.com
> Author: Marek Kroemeke
>
> Overview:
>
> Riorey DDoS mitigation appliences (www.riorey.com) are vulnerable to
> taking a full control
> over affected devices via a hardcoded username and password used to create
> a SSH tunnel between the RView application and the device itself.
>
>
> Details:
>
> Riorey devices running affected "RIOS" versions have a hardcoded username
> and password
> that is then used by the RView software to connect on port 8022 in order to
> create
> a SSH tunnel. This allows the attacker to login as user 'dbuser' using
> the hardcoded password, and due to an old Linux kernel version used -
> escalate privilages
> through several vulnerabilities and eventually take the full control over
> the device.
>
> Additionally - the web interface advices the user to reset the admin
> password for security reasons,
> but the RView application still uses the hardcoded password in order to
> create the SSH tunnel which
> may result in a false sense of security.
>
> Proof of Concept:
>
> Open your favorite SSH client and use the following detials in order to
> login:
>
> port: 8022
> username: dbadmin
> password: sq!us3r
>
> -- cut --
> root@...reyXXXXXXX dbuser # id
> uid=0(root) gid=0(root) groups=0(root)
> root@...reyXXXXXXX dbuser # uname -a
> Linux rioreyXXXXXXX 2.6.16.6 #23 SMP Fri Oct 24 19:29:08 EDT 2008 x86_64
> Dual-Core AMD Opteron(tm) Processor 1210 HE AuthenticAMD GNU/Linux
> -- cut --
>
>
> Mitigation:
>
> Login to the device via SSH using the above details, and reset the password
> using the 'passwd' command.
>
>
> Vendor Contact:
> 30 July 2009 - Initial vendor contact
> 31 July 2009 - Vendor replies advising to use a firewall in front of the
> device
> 01 August 2009 - Vendor replies that next software release will address
> this problem, work in progress
> 09 August 2009 - Vendor sends an email confirming that it's not ready yet
> but will be by the end of the month
> 16 August 2009 - Confirmation about realease day of a patched version - 05
> October 2009
> 07 October 2009 - Releasing the vulnerability report.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists