Title: RapidStream VPN vulnerability
Released by: Loki
Date: 14th August 2000


Date: 8-14-00
Time: 12:40p PST

OVERVIEW

RapidStream has hard-coded the 'rsadmin' account into the sshd binary in the
appliance OS. The account was given a 'null' password, on the expectation that
password assignment and authentication would be handled by the RapidStream
software itself. The vendor failed to realize that arbitrary commands can be
appended to the ssh string when connecting to the SSH server on the remote
VPN. This can lead to many things, including the ability to spawn a remote
root shell on the VPN.

e.g. [root@attacker]# ssh -l rsadmin  "/bin/sh -i;"
e.g. [root@attacker]# ssh -l rsadmin  "vi /etc/shadow"

SYSTEMS AFFECTED

I have not yet tested this with other VPN appliances that have installed SSH
as their choice for remote access.

1. RapidStream 8000 Family
2. RapidStream 6000 Family
3. RapidStream 4000 Family
4. RapidStream 2000 Family

IMPACT

1. An attacker can use the VPN to ftp, and even install and run packet
sniffers on the VPN, which allows him to sniff all traffic coming in and out
of the VPN. Because the administrator is not aware of the ability to spawn
root shells, the intruder can go completely undetected.

2. Immediate remote root access to the VPN.

3. The attacker can download the /etc/shadow file to crack accounts, including
root. This will give the attacker the default password for all root accounts
for all deployed RapidStream products.

SOLUTION

RapidStream has been contacted and is working on a new revision in which SSHD
comes uninstalled. Those who do not wish to wait can put the VPN appliance
behind a firewall where port 22 has been closed. An alternative is to use the
vulnerability to ssh into the VPN and turn off SSHD yourself.
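
A log check for the undetected access described under IMPACT, as an added example that is not part of the original advisory: it scans sshd syslog lines for accepted logins to the hard-coded 'rsadmin' account or with the 'none' (empty password) method. The OpenSSH-style line format, the sample lines and the function names are assumptions; the advisory does not describe the appliance's logging.

```python
import re
from collections import defaultdict

# Assumption: OpenSSH-style "Accepted <method> for <user> from <ip> port <n>" lines.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
WATCHED_ACCOUNTS = {"rsadmin"}  # account named in the advisory

# Constructed sample lines (documentation addresses), not real appliance logs.
SAMPLE_LOG = """\
Aug 14 12:31:02 vpn1 sshd[411]: Accepted password for operator from 192.0.2.10 port 1022 ssh2
Aug 14 12:40:17 vpn1 sshd[420]: Accepted none for rsadmin from 198.51.100.7 port 1501 ssh2
Aug 14 12:41:55 vpn1 sshd[423]: Failed password for root from 198.51.100.7 port 1502 ssh2
Aug 14 12:44:09 vpn1 sshd[431]: Accepted password for rsadmin from 203.0.113.44 port 2210 ssh2
Aug 14 12:50:30 vpn1 sshd[440]: Accepted none for guest from 198.51.100.7 port 1510 ssh2
"""

def find_suspect_logins(log_text):
    """Return findings for accepted logins that match the advisory's pattern."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are ignored here
        reasons = []
        if m["user"] in WATCHED_ACCOUNTS:
            reasons.append("hard-coded account")
        if m["method"] == "none":
            reasons.append("empty-password login")
        if reasons:
            findings.append({"user": m["user"], "src": m["src"],
                             "reasons": reasons, "line": line})
    return findings

def by_source(findings):
    """Group flagged users per source address so one host's activity reads together."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["src"]].append(f["user"])
    return dict(grouped)

if __name__ == "__main__":
    for f in find_suspect_logins(SAMPLE_LOG):
        print(f"{f['src']} -> {f['user']}: {', '.join(f['reasons'])}")
```
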



SHOUTS

#RootHat, Lamagra, Safety, BillyBobCat Pennington, Faisal, Mega, Lockdown, King
Art"hur" and all the gang! "TIMMMY!, LIVIN A LIE!"
Also mad shouts out to muh fiance! "Mahal Kita!"

"Shouts to the fellow herd of the evil cow people, cow go moo!"
moo?

----------------------------------------------------------------------
Loki [LoA]
loki.loa@subdimension.com
----------------------------------------------------------------------
PGP Key fingerprint =  67 1D 12 BE 61 D6 63 B2  6A 8C F8 A1 80 88 1B 4
[jbrill@nasa.gov]# ./crack /etc/passwd > passwd.cr
[jbrill@nasa.gov]# su - root
[root@nasa.gov]#
----------------------------------------------------------------------









