what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

vpn-root.txt

vpn-root.txt
Posted Aug 31, 2000
Authored by Loki

RapidStream has hard-coded the 'rsadmin' account into the sshd binary in the appliance OS. The account has been given a 'null' password in which password assignment and authentication was expected to be handled by the RapidStream software itself. The vendor failed to realize that arbitrary commands could be appended to the ssh string when connecting to the SSH server on the remote vpn. This in effect could lead to many things, including the ability to spawn a remote root shell on the vpn.

tags | exploit, remote, arbitrary, shell, root
SHA-256 | 4b922cd0b6565086e642ee2ff57903babce23e38618ab193b67f145f89db55fd

vpn-root.txt

Change Mirror Download
  Date: 8-14-00
Time: 12:40p PST

*/ You have been infected by the Bubonic Loki /*


OVERVIEW
---------

RapidStream has hard-coded the 'rsadmin' account into the sshd
binary in the appliance OS. The account has been given a 'null' password
in which password assignment and authentication was expected to be
handled by the RapidStream software itself. The vendor failed to realize that
arbitrary commands could be appended to the ssh string when connecting to
the SSH server on the remote vpn. This in effect could lead to many things,
including the ability to spawn a remote root shell on the vpn.

e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "/bin/sh -i;"
e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "vi /etc/shadow"


SYSTEMS AFFECTED
I have not yet tested this with other VPN appliances that have
installed SSH as their choice for remote access.

1. RapidStream 8000 Family
2. RapidStream 6000 Family
3. RapidStream 4000 Family
4. RapidStream 2000 Family


IMPACT
------

1. Attacker can use VPN to ftp, and even install and run packet
sniffers on the VPN which will allow him to sniff all traffic coming in and out
of the VPN. Due to the fact that the administrator is not aware of the
ability to spawn root shells, the intruder can go completely undetected.

2. Immediate remote root access to VPN

3. Can download /etc/shadow file to crack accounts including
root. This will give the attacker the default password for all root accounts for all
deployed RapidStream products.

SOLUTION
---------

RapidStream has been contacted and is working on a new revision
in which SSHD comes uninstalled. For those that do not wish to wait can put the
VPN appliance behind a firewall where port 22 has been closed. An alternative
is to use the vulnerability to ssh into the vpn and turn off SSHD yourself.

SHOUTS
#RootHat, Lamagra, Safety, BillyBobCat Pennington, Faisal, Mega,
Lockdown, King
Art"hur" and all the gang! "TIMMMY!, LIVIN A LIE!"
Also mad shouts out to muh fiance! "Mahal Kita!"

"Shouts to the fellow herd of the evil cow people, cow go moo!"
moo?


----------------------------------------------------------------------
Loki [LoA]
loki.loa@subdimension.com
----------------------------------------------------------------------
PGP Key fingerprint = 67 1D 12 BE 61 D6 63 B2 6A 8C F8 A1 80 88 1B 4
----------------------------------------------------------------------
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close