-------------------------------------------------------------------------------

ADVISORY:        NULL password authentication for 'rsadmin' account in sshd binary
VENDOR:          RapidStream VPN Appliances
ISSUE DATE:      08-14-00
DISCOVERED BY:   Loki
                 [EMAIL PROTECTED]


-------------------------------------------------------------------------------
A. SYSTEMS AFFECTED:
-------------------------------------------------------------------------------

1. RapidStream 8000 Family
2. RapidStream 6000 Family
3. RapidStream 4000 Family
4. RapidStream 2000 Family


-------------------------------------------------------------------------------
B. OVERVIEW:
-------------------------------------------------------------------------------

RapidStream has hard-coded the 'rsadmin' account into the sshd binary in the
appliance OS. The account was given a null password, because password
assignment and authentication were expected to be handled by the RapidStream
software itself. The vendor failed to realize that arbitrary commands can be
appended to the ssh command line when connecting to the SSH server on the
remote VPN. In effect this can lead to many things, including the ability to
spawn a remote root shell on the VPN.

I have not yet tested this on other VPN appliances that utilize SSHD on their
systems for remote administration.

e.g. [root@somewhere]# ssh -l rsadmin <ip of vpn> "/bin/sh -i;"
e.g. [root@somewhere]# ssh -l rsadmin <ip of vpn> "vi /etc/shadow"

-------------------------------------------------------------------------------
C. IMPACT:
-------------------------------------------------------------------------------

1. An attacker can use the VPN to ftp, and even install and run packet sniffers
   on the VPN, which will allow him to sniff all traffic coming in and out of
   the VPN. Because the administrator is not aware of the ability to spawn root
   shells, the intruder can go completely undetected.

2. Immediate remote root access to the VPN.

3. The attacker can download the /etc/shadow file to crack accounts, including
   root. This will give the attacker the default password for all root accounts
   on all deployed RapidStream products.


-------------------------------------------------------------------------------
D. SOLUTION:
-------------------------------------------------------------------------------
RapidStream has been contacted and is working on a new revision in which SSHD
comes uninstalled. Those who do not wish to wait can put the VPN appliance
behind a firewall where port 22 has been closed. An alternative is to use the
vulnerability to ssh into the VPN and turn off SSHD yourself.
-------------------------------------------------------------------------------
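As an added check that is not part of the advisory: a small Python audit which, run from the untrusted side of the firewall, reports every appliance on which TCP port 22 still answers, i.e. where neither the port-22 block nor the removal of SSHD has actually taken effect. The appliance addresses in APPLIANCES are constructed placeholders.

```python
"""Verify that sshd on RapidStream appliances is unreachable from outside.
Added example; the addresses below are placeholders, not real inventory."""
import socket

# Constructed placeholder inventory; replace with the real appliance addresses.
APPLIANCES = ["192.0.2.10", "192.0.2.11"]


def parse_ssh_banner(banner: bytes) -> dict:
    """Split an SSH identification string ("SSH-<proto>-<software> [comment]")
    into its fields. Returns {} for anything that is not an SSH banner."""
    line = banner.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if not line.startswith("SSH-"):
        return {}
    parts = line.split("-", 2)
    if len(parts) < 3:
        return {}
    software, _, comment = parts[2].partition(" ")
    return {"protocol": parts[1], "software": software, "comment": comment}


def probe_ssh(host: str, port: int = 22, timeout: float = 3.0) -> dict:
    """Classify reachability of host:port as 'open' (connected, banner read),
    'closed' (connection refused) or 'filtered' (timeout or unreachable,
    which is what a firewall that drops port 22 produces)."""
    result = {"host": host, "status": "filtered", "banner": {}}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["status"] = "open"
            s.settimeout(timeout)
            try:
                result["banner"] = parse_ssh_banner(s.recv(256))
            except OSError:
                pass  # connected but no banner within the timeout
    except ConnectionRefusedError:
        result["status"] = "closed"
    except OSError:
        pass  # timeout / no route: treat as filtered
    return result


def audit(hosts) -> list:
    """Return the probe results for hosts that still answer on port 22."""
    return [r for r in (probe_ssh(h) for h in hosts) if r["status"] == "open"]


if __name__ == "__main__":
    for finding in audit(APPLIANCES):
        print(f"{finding['host']}: sshd still reachable {finding['banner']}")
```

An empty result means port 22 is no longer reachable from where the script ran; it says nothing about access from inside the perimeter.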

-------------------------------------------------------------------------------
E. SHOUTS
-------------------------------------------------------------------------------
Safety! Faisal Jawdat, Art Stine, "TIMMY!", Crimson, Lockdown, Mega,
#RootHat, qr00t, LoA! Everyone else I missed.
-------------------------------------------------------------------------------



----------------------------------------------------------------------
Loki [LoA]
[EMAIL PROTECTED]
----------------------------------------------------------------------
PGP Key fingerprint =  67 1D 12 BE 61 D6 63 B2  6A 8C F8 A1 80 88 1B 4
[[EMAIL PROTECTED]]# ./crack /etc/passwd > passwd.cr
[[EMAIL PROTECTED]]# su - root
[[EMAIL PROTECTED]]#
----------------------------------------------------------------------
