The IBM Totalstorage ds400 comes with unpassworded root access.
942bd506a1c40530286a2a87b1e0d69ffbee5d0dfa2a936655ff74e14f898b9fremote un-passworded root access in IBM's totalstorage ds400 storage
thingie, like this:
# download deezee from http://www.matasano.com/tools/deezee.tar.gz
# download firmware for totalstorage ds400
lort# wget -q http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/tmp0001/oem/ibm/IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# unzip -q IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# rm IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# ls
Copy of IBM_TotalStorage_DS_Series_FW_v4.15.upgrade
README_Single_IBM_TotalStorage_DS_Series_FW_v4.15.txt.TXT
lort# mv Copy\ of\ IBM_TotalStorage_DS_Series_FW_v4.15.upgrade ds400.4.15.fw
lort# ../deezee/deezee ds400.4.15.fw
Scanning file ds400.4.15.fw for compressed components
Compressed size: 21898976 bytes
Compressed segment found. Expanded to 2181580 bytes
Compressed segment found. Expanded to 16777216 bytes
Compressed segment found. Expanded to 67108864 bytes
lort# mkdir /mnt/1 /mnt/2
lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.1 -u 1
lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.2 -u 2
lort# mount_ext2fs /dev/md1 /mnt/1
lort# mount_ext2fs /dev/md2 /mnt/2
# part where you look for vulnerabilities intentionally skipped
lort# cat /mnt/2/etc/shadow
root::11430:0:10000::::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
ftp:*:8902:0:10000::::
named:*:8902:0:10000::::
nobody:*:0:0:10000::::
user::11430:0:10000::::
manager::11430:0:10000::::
administrator::11430:0:10000::::
operator::11430:0:10000::::
lort# cat /mnt/2/etc/inetd.conf
# See "man 8 inetd" for more information.
#
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal:
# Do a "ps x" as root and look up the pid of inetd. Then do a
# "kill -HUP <pid of inetd>".
# The inetd will re-read this file whenever it gets that signal.
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
# uplink), add "-n". See 'man telnetd' for more deatails.
#
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
cli stream tcp nowait root /usr/sbin/tcpd
in.telnetd -L /etc/eurologic/bin/cli
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
shell stream tcp nowait.500 root /usr/sbin/tcpd in.rshd -Lh
#
# End.
lort# grep ^telnet /mnt/2/etc/services
telnet 6000/tcp
# sit back and laugh at the passwordless accounts and the undocumented
telnet daemon.
--
Knud
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed