OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Remote Root Compromise On All RapidStream VPN Appliances
From: james lin (james_linRAPIDSTREAM.COM)
Date: Wed Aug 16 2000 - 11:56:15 CDT


Hard coded rsadmin for SSH was put in during 2.1 Beta for support purpose
but it was removed in the 2.1 release. The released Rapidstream 2000,
Rapidstream 4000, Rapidstream 6000 and Rapidstream 8000 products will not be
infected by the reported attack.

If you have a Rapidstream 2.1 Beta box, please configure a policy to block
SSHD (port 22) as indicated in the report.

James Lin
Software Director

> - -----Original Message-----
> From: Loki [mailto:loki.loasubdimension.com]
> Sent: Monday, August 14, 2000 12:29 PM
> To: BUGTRAQSECURITYFOCUS.COM
> Subject: Remote Root Compromise On All RapidStream VPN Appliances
>
>
> Date: 8-14-00
> Time: 12:40p PST
>
> */ You have been infected by the Bubonic Loki /*
>
> OVERVIEW
> RapidStream has hard-coded the 'rsadmin' account into the sshd
> binary
> in the
> appliance OS. The account has been given a 'null' password in
> which password assignment and authentication was expected to be
> handled by the
> RapidStream software itself. The vendor failed to realize that
> arbitrary
> commands could be appended to the ssh string when connecting to the
> SSH server
> on the remote vpn. This in effect could lead to many things,
> including
> the
> ability to spawn a remote root shell on the vpn.
>
> e.g. [rootattacker]# ssh -l rsadmin <ip of vpn> "/bin/sh -i;"
> e.g. [rootattacker]# ssh -l rsadmin <ip of vpn> "vi /etc/shadow"
>
>
> SYSTEMS AFFECTED
> I have not yet tested this with other VPN appliances that have
> installed SSH
> as their choice for remote access.
>
> 1. RapidStream 8000 Family
> 2. RapidStream 6000 Family
> 3. RapidStream 4000 Family
> 4. RapidStream 2000 Family
>
>
> IMPACT
> 1. Attacker can use VPN to ftp, and even install and run packet
> sniffers on the
> VPN which will allow him to sniff all traffic coming in and out of
> the
> VPN.
> Due to the fact that the administrator is not aware of the ability
> to
> spawn
> root shells, the intruder can go completely undetected.
>
> 2. Immediate remote root access to VPN
>
> 3. Can download /etc/shadow file to crack accounts including root.
> This will give
> the attacker the default password for all root accounts for all
> deployed
> RapidStream products.
>
> SOLUTION
> RapidStream has been contacted and is working on a new revision in
> which SSHD
> comes uninstalled. For those that do not wish to wait can put the
> VPN
> appliance
> behind a firewall where port 22 has been closed. An alternative is
> to
> use the
> vulnerability to ssh into the vpn and turn off SSHD yourself.
>
> SHOUTS
> #RootHat, Lamagra, Safety, BillyBobCat Pennington, Faisal, Mega,
> Lockdown, King
> Art"hur" and all the gang! "TIMMMY!, LIVIN A LIE!"
> Also mad shouts out to muh fiance! "Mahal Kita!"
>
> "Shouts to the fellow herd of the evil cow people, cow go moo!"
> moo?
>
>
> -
> ----------------------------------------------------------------------
> Loki [LoA]
> loki.loasubdimension.com
> -
> ----------------------------------------------------------------------
> PGP Key fingerprint = 67 1D 12 BE 61 D6 63 B2 6A 8C F8 A1 80 88 1B
> 4
> [jbrillnasa.gov]# ./crack /etc/passwd > passwd.cr
> [jbrillnasa.gov]# su - root
> [rootnasa.gov]#
> -
> ----------------------------------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.0.2
>
> iQA/AwUBOZmvLU3Vi9lbkWzpEQLd3ACgs5zegiIhKGfXpMBKqgffCtoojuMAniWk
> 3sxt7DnSeFQ/6mGeNriPkxxr
> =MY8V
> -----END PGP SIGNATURE-----
>