remote un-passworded root access in IBM's totalstorage ds400 storage
thingie, like this:
# download deezee from http://www.matasano.com/tools/deezee.tar.gz
# download firmware for totalstorage ds400
lort# wget -q http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/tmp0001/oem/ibm/IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# unzip -q IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# rm IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# ls
Copy of IBM_TotalStorage_DS_Series_FW_v4.15.upgrade
README_Single_IBM_TotalStorage_DS_Series_FW_v4.15.txt.TXT
lort# mv Copy\ of\ IBM_TotalStorage_DS_Series_FW_v4.15.upgrade ds400.4.15.fw
lort# ../deezee/deezee ds400.4.15.fw
Scanning file ds400.4.15.fw for compressed components
Compressed size: 21898976 bytes
Compressed segment found.  Expanded to 2181580 bytes
Compressed segment found.  Expanded to 16777216 bytes
Compressed segment found.  Expanded to 67108864 bytes
lort# mkdir /mnt/1 /mnt/2
lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.1 -u 1
lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.2 -u 2
lort# mount_ext2fs /dev/md1 /mnt/1
lort# mount_ext2fs /dev/md2 /mnt/2

# part where you look for vulnerabilities intentionally skipped

lort# cat /mnt/2/etc/shadow
root::11430:0:10000::::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
ftp:*:8902:0:10000::::
named:*:8902:0:10000::::
nobody:*:0:0:10000::::
user::11430:0:10000::::
manager::11430:0:10000::::
administrator::11430:0:10000::::
operator::11430:0:10000::::
lort# cat /mnt/2/etc/inetd.conf
# See "man 8 inetd" for more information.
#
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal:
# Do a "ps x" as root and look up the pid of inetd. Then do a
# "kill -HUP <pid of inetd>".
# The inetd will re-read this file whenever it gets that signal.
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
# uplink), add "-n".  See 'man telnetd' for more deatails.
#
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
cli             stream  tcp     nowait  root    /usr/sbin/tcpd
in.telnetd -L /etc/eurologic/bin/cli
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
shell   stream  tcp     nowait.500      root    /usr/sbin/tcpd  in.rshd -Lh
#
# End.
lort# grep ^telnet /mnt/2/etc/services
telnet          6000/tcp

# sit back and laugh at the passwordless accounts and the undocumented
telnet daemon.

--
Knud

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/