Bugtraq mailing list archives
Remote Root Compromise On All RapidStream VPN Appliances
From: james lin <james_lin () RAPIDSTREAM COM>
Date: Wed, 16 Aug 2000 09:56:15 -0700
Hard coded rsadmin for SSH was put in during 2.1 Beta for support purpose but it was removed in the 2.1 release. The released Rapidstream 2000, Rapidstream 4000, Rapidstream 6000 and Rapidstream 8000 products will not be infected by the reported attack. If you have a Rapidstream 2.1 Beta box, please configure a policy to block SSHD (port 22) as indicated in the report. James Lin Software Director
- -----Original Message-----
From: Loki [mailto:loki.loa () subdimension com]
Sent: Monday, August 14, 2000 12:29 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Remote Root Compromise On All RapidStream VPN Appliances
Date: 8-14-00
Time: 12:40p PST
*/ You have been infected by the Bubonic Loki /*
OVERVIEW
RapidStream has hard-coded the 'rsadmin' account into the sshd
binary
in the
appliance OS. The account has been given a 'null' password in
which password assignment and authentication was expected to be
handled by the
RapidStream software itself. The vendor failed to realize that
arbitrary
commands could be appended to the ssh string when connecting to the
SSH server
on the remote vpn. This in effect could lead to many things,
including
the
ability to spawn a remote root shell on the vpn.
e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "/bin/sh -i;"
e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "vi /etc/shadow"
SYSTEMS AFFECTED
I have not yet tested this with other VPN appliances that have
installed SSH
as their choice for remote access.
1. RapidStream 8000 Family
2. RapidStream 6000 Family
3. RapidStream 4000 Family
4. RapidStream 2000 Family
IMPACT
1. Attacker can use VPN to ftp, and even install and run packet
sniffers on the
VPN which will allow him to sniff all traffic coming in and out of
the
VPN.
Due to the fact that the administrator is not aware of the ability
to
spawn
root shells, the intruder can go completely undetected.
2. Immediate remote root access to VPN
3. Can download /etc/shadow file to crack accounts including root.
This will give
the attacker the default password for all root accounts for all
deployed
RapidStream products.
SOLUTION
RapidStream has been contacted and is working on a new revision in
which SSHD
comes uninstalled. For those that do not wish to wait can put the
VPN
appliance
behind a firewall where port 22 has been closed. An alternative is
to
use the
vulnerability to ssh into the vpn and turn off SSHD yourself.
SHOUTS
#RootHat, Lamagra, Safety, BillyBobCat Pennington, Faisal, Mega,
Lockdown, King
Art"hur" and all the gang! "TIMMMY!, LIVIN A LIE!"
Also mad shouts out to muh fiance! "Mahal Kita!"
"Shouts to the fellow herd of the evil cow people, cow go moo!"
moo?
-
----------------------------------------------------------------------
Loki [LoA]
loki.loa () subdimension com
-
----------------------------------------------------------------------
PGP Key fingerprint = 67 1D 12 BE 61 D6 63 B2 6A 8C F8 A1 80 88 1B
4
[jbrill () nasa gov]# ./crack /etc/passwd > passwd.cr
[jbrill () nasa gov]# su - root
[root () nasa gov]#
-
----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2
iQA/AwUBOZmvLU3Vi9lbkWzpEQLd3ACgs5zegiIhKGfXpMBKqgffCtoojuMAniWk
3sxt7DnSeFQ/6mGeNriPkxxr
=MY8V
-----END PGP SIGNATURE-----
Current thread:
- Remote Root Compromise On All RapidStream VPN Appliances Loki (Aug 15)
- <Possible follow-ups>
- Remote Root Compromise On All RapidStream VPN Appliances james lin (Aug 17)