<<< Date Index >>>     <<< Thread Index >>>

eSeSIX Thintune thin client multiple vulnerabilities



eSeSIX Thintune thin client multiple vulnerabilities

IT-Consult, 2004-07-24


Background
- --------

Thintune is a series of thin client appliances sold by eSeSIX GmbH, Germany.
They offer ICA, RDP, X11 and SSH support based on a customized Linux
platform. See http://www.thintune.com for details.


Affected Product
- --------------

All Linux-based Thintune models with firmware <= 2.4.38

The following device was tested:

Thintune M, Firmware version 2.4.38-32-D
VIA Centaur processor (533 MHz), 128 MB RAM
Software version: JSTREAM II 2.4.38

According to the vendor, all Linux based Thintune models with firmware
version up to (and including) v2.4.38 are affected. The vulnerabilities
1, 2, 3 and 4 are fixed in firmware version 2.4.39. eSeSIX claims that
Windows CE based Thintune models are not vulnerable.


Vulnerabilities
- -------------

1. REMOTE ROOT SHELL / BACKDOOR

By connecting to an undocumented process on the Thintune over the network
an attacker can gain full control over the thin client without notice by
the local user. This includes running installed programs, transferring
files to and from the network, powering down the system and updating the
firmware.

Details:
There is an undocumented process listening on TCP port 25072 that can be
given one of the following commands after authenticating by a short
password. This password ("jstwo") is hardcoded into the /usr/bin/radmin
shell script and cannot be changed via the configuration interface. [1]

shell     -  give root shell
version   -  show hardware version
beep      -  start beeping
restart   -  reboot immediately
poweroff  -  power off immediately
info      -  display pop-up message via xmsg
firmware  -  download firmware from given URL
getreg    -  get local configuration settings

Exploit:
$ nc 192.168.1.77 25702
JSRAFV-1
jstwo                  <- hardcoded password
+yep
shell                  <- one of several commands shown above
+yep here you are ...
id                     <- run "id" to show my privileges
uid=0(root) gid=0(root)

The Thintune firmware includes BusyBox v0.47 which gives you access to nc,
dd, tar, mount, kill, powerdown and other utilities. In my case, there was
about 4MB of free space on the flash card used as hard drive.

According to the vendor, this backdoor is used by the eSeSIX support team
when the management software is not available at the customer site or is
not working correctly.

[1] Of course you could change the hardcoded password after exploiting
    vulnerabilities #1 or #3 and gaining a root shell.

Recommended fix:
Upgrade to firmware v2.4.39. (The backdoor stays in place but uses a
challenge-response system for authentication.)

Temporary workaround:
Open local root shell by exploiting vulnerability #3 (see below), edit
/etc/inetd.conf and delete the line concerning port 25702. Reboot.


2. DETERMINE PASSWORDS REMOTELY

All configuration settings can be aquired remotely, including saved user
names and passwords for RDP and ICA connections as well passwords for the
local VNC server, the JStream control center and the screensaver.

Details:
The Keeper library [2] is used to store all JStream configuration settings.
Configuration files are stored in the /root/.keeper/ directory. Every
section of the database has its own subdirectory and every configuration
setting is put into a file in that subdirectory.

[2] http://kempelen.iit.bme.hu/~mszeredi/keeper/keeper.html

By browsing the local filesystem or (more comfortably) using the "getreg"
command shown above, one can remotely read out this Keeper database. The
following sections and keys may be particularly interesting for an attacker:

desktop shadow_password  -  VNC password (VNC is called "shadowing")
security adminpassword   -  control center (administrator) password
security userpassword    -  screen saver password

ica con_0_9              -  username for first ICA connection
ica con_0_10             -  password for first ICA connection
ica con_0_11             -  domain for first ICA connection
ica con_0_3              -  address for first ICA connection

rdp con_0_6              -  username for first RDP connection
rdp con_0_7              -  password for first RDP connection
rdp con_0_8              -  domain for first RDP connection
rdp con_0_3              -  address for first RDP connection

Connection settings and passwords for other protocols can be found in the
rdppro, ssh, tarantella and rexec subdirectories in the same way.

All passwords are stored in cleartext in the corresponding files.

Exploit:
$ nc 192.168.1.77 25702
JSRAFV-1
jstwo
+yep
getreg
+yep enter section and key
desktop shadow_password
myVNCpwd

Recommended fix:
Upgrade to firmware v2.4.39.

Temporary workaround:
Open local root shell by exploiting vulnerability #3 (see below), edit
/etc/inetd.conf and delete the line concerning port 25702. Reboot.


3. LOCAL ROOT SHELL

Any local user of the thin client can launch a local root shell by pressing
some keys and entering a special password. Attackers could use this shell
to aquire all passwords in the Keeper database (see above).

This feature has not been documented, but is shown to the customer during
support sessions when needed.

Exploit:

Press <CTRL><SHIFT><ALT><DEL> and enter "maertsJ" as password. An xterm
window is launched that runs with root privileges. The password is
hardcoded into the /usr/bin/lshell executable and cannot be changed.

For an alternate attack vector, use the Phoenix web browser to open the file
/usr/bin/lshell with itself (see below).

Recommended fix:
Upgrade to firmware v2.4.39, which uses a challenge-response system for
authentication.

Temporary workaround:
Delete /usr/bin/lshell.
(Be sure to apply workarounds for vulnerabilities 1 and 2 first.)


4. VIEW CLEARTEXT PASSWORDS LOCALLY VIA WEB BROWSER

Any local user can browse the complete filesystem by using an existing web
browser connection and entering a simple URL into the address bar. As the
control center, screensaver and VNC passwords are stored in cleartext files,
they can be read by a local attacker.

Details:
The Thintune software supports WWW acess for end users via the Phoenix web
browser (now called Mozilla Firefox).

Entering "file:///" into the Phoenix URL address bar shows the root
directory of the local filesystem. As Phoenix is run with root privileges,
there are no restrictions concerning the files that can be viewed.

Using this technique, cleartext passwords can be found in several files.
Some examples:

/root/.keeper/desktop/shadow_password         - VNC
/root/.keeper/desktop/security/adminpassword  - control center
/root/.keeper/security/userpassword           - screen saver password
/usr/bin/radmin                               - remote control (see Vuln.#1)

Note: Web browsing has to be enabled by the administrator in the JStream
control center by creating a Web connection. Access to the JStream control
center can be password protected. Nevertheless, by exploiting vulnerability
3 and viewing the configuration file a local attacker can easily determine
this password and get access to the control center.

Recommended fix:
Upgrade to firmware v2.4.39. (The browser has been put into a sandbox.)

Temporary workaround:
Delete all Phoenix connections.


5. PROBLEMATIC PASSWORD CHECKING

When prompted for the control center and lshell passwords, you do not have
to press <Enter> to complete your input. Authentication takes place as soon
as you have given the right password. This could make password guessing much
easier.

Example:

Password is "a". No matter if you try "automobile", "any" or
"afternoon" -- as soon as you press the first "a" you are authenticated.

Recommended fix:
No fix is available at the moment.

Temporary workaround:
Choose long passwords.



Method used for reseach
- ---------------------

- Try browsing the local filesystem via the "file:///"-URL.
  Further examination gives the following interesting details:

  * local configuration files are placed in /root/.keeper

  * Two files in /root/.keeper/security/ show the administrator and
    screensaver passwords in cleartext.

  * /usr/bin/radmin seems to be a shell script that offers remote control
    commands. Password is shown in cleartext.

- Opening /usr/bin/lshell (local shell?) via the web browser gives password
  prompt. Password is not known at this point

  * /root/.icewm/keys shows that lshell can be run by pressing
    <CTRL><ALT><SHIFT><DEL>

- Nmap portscan against Thintune shows open TCP port 25702 (among others).
  Connecting to this port gives the "JSRAFV-1" reply that was found in local
  file /usr/bin/radmin before.

- Gain remote root shell by giving the password found in /usr/bin/radmin and
  transfer local filesystem over the network using dd and nc.

- Viewing /usr/bin/lshell in hex-editor on remote system shows cleartext
  password for local shell access.

- Browsing the /root/.keeper/ directory shows all connection settings in
  cleartext.

- Playing with the "getreg" command reveals that all settings can be aquired
  remotely.


Disclosure Timeline
- -----------------

2004-05-29  Vulnerabilities found by Dirk Loss
2004-06-02  Vendor notification per phone and E-Mail
2004-06-07  Vendor confirms vulnerabilities and promises fixing the problems
            in next firmware release
2004-07-16  New firmware v2.4.39 released including fixes for problems 1-4
2004-07-24  Public disclosure


Contact
- -----

Dirk Loss, IT-Consult Ralf Emons e.K., Münster, Germany
Mail: dirk.loss@xxxxxxxxxxxxxx
Tel: +49-251-97416-0
WWW: http://www.it-consult.net


Disclaimer
- --------

This advisory does not claim to be complete or to be usable for any purpose.
Especially information on the vulnerable systems may be inaccurate or wrong.
Possible supplied exploit code is not to be used for malicious purposes, but
for educational purposes only.


Legal Notices
- -----------

Copyright (c) 2004 IT-Consult Ralf Emons e.K.

Permission is granted for the redistribution of
unaltered versions of this text in any medium.