COMMAND
RapidStream VPN Appliances
SYSTEMS AFFECTED
RapidStream VPN Appliances
PROBLEM
Loki Loa found the following. A hard-coded rsadmin account for SSH was
put in during the 2.1 Beta for support purposes, but it was removed in
the 2.1 release.
If you have a RapidStream 2.1 Beta box, please configure a policy to
block SSHD (port 22) as indicated in the report.
RapidStream hard-coded the 'rsadmin' account into the sshd binary of the
appliance OS. The account was given a 'null' (empty) password; password
assignment and authentication were expected to be handled by the
RapidStream software itself. The vendor failed to realize that sshd also
executes any command appended to the ssh command line when connecting
to the SSH server on the remote VPN appliance, bypassing whatever the
RapidStream software was supposed to enforce. Since the account has root
privileges, this can lead to many things, including the ability to
spawn a remote root shell on the VPN appliance.
e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "/bin/sh -i;"
e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "vi /etc/shadow"
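The defect class described above (a root-equivalent account with an
empty password field, plus an account name compiled into the sshd
binary) can be checked for offline in an extracted appliance image. The
following is an added example written for this page, not RapidStream
code. The passwd, shadow and sshd_config contents and the stand-in sshd
binary are constructed; the function names, the 'support' suspect name
and the assumption that the appliance's sshd is OpenSSH-derived (the
advisory does not say which server it ships) are the editor's. Because
rsadmin was compiled into sshd rather than created in the password
files, the example also scans the binary for account-name strings, which
catches it even when /etc/passwd looks clean.

```python
"""Offline audit of an extracted appliance image for the defect class in
this advisory: an empty (null) password field, a root-equivalent UID, and
an account name compiled into the sshd binary.

Added example for this page, not RapidStream code.  All sample data is
constructed to model the reported state; a real image will differ.
"""
import re
from typing import Dict, List

# Constructed /etc/passwd: rsadmin is UID 0, i.e. root-equivalent.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
rsadmin:x:0:0:RapidStream support:/:/bin/sh
"""

# Constructed /etc/shadow: rsadmin's password field is empty, so no
# password is required.  '*' and '!' lock an account and are not flagged.
SAMPLE_SHADOW = """root:$1$abcdefgh$0123456789abcdefghijkl:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
rsadmin::11000:0:99999:7:::
"""

# Constructed sshd_config; assumes an OpenSSH-derived sshd (an assumption,
# the advisory does not name the server implementation).
SAMPLE_SSHD_CONFIG = """Port 22
#PermitEmptyPasswords no
PermitEmptyPasswords yes
PermitRootLogin yes
"""

# Stand-in for the sshd binary: junk bytes with NUL-terminated string
# literals embedded the way a compiled-in account name would appear.
SAMPLE_SSHD_BIN = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"rsadmin\x00"
                   + b"\xde\xad" * 8 + b"/bin/sh\x00" + b"root\x00")


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map account name -> fields for passwd/shadow-style colon files."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def null_password_accounts(shadow_text: str) -> List[str]:
    """Accounts whose shadow password field is empty."""
    return [name for name, f in parse_colon_file(shadow_text).items()
            if len(f) > 1 and f[1] == ""]


def uid0_accounts(passwd_text: str) -> List[str]:
    """Accounts with UID 0, whatever they are called."""
    return [name for name, f in parse_colon_file(passwd_text).items()
            if len(f) > 2 and f[2] == "0"]


def passwordless_root_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    """The advisory's worst case: UID 0 and no password at all."""
    return sorted(set(uid0_accounts(passwd_text))
                  & set(null_password_accounts(shadow_text)))


def permit_empty_passwords(config_text: str) -> bool:
    """True if an OpenSSH-style sshd_config sets PermitEmptyPasswords yes.
    OpenSSH honours the first occurrence of a keyword; the default is no."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitemptypasswords":
            return parts[1].strip().lower() == "yes"
    return False


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def hardcoded_account_names(blob: bytes, suspects: List[str]) -> List[str]:
    """Suspect account names that occur inside string literals of the binary."""
    found = printable_strings(blob)
    return sorted(s for s in suspects if any(s in st for st in found))


def audit(passwd_text: str, shadow_text: str, config_text: str,
          sshd_blob: bytes, suspects: List[str]) -> Dict[str, object]:
    """Collect every finding in one report."""
    return {
        "null_password": null_password_accounts(shadow_text),
        "passwordless_root": passwordless_root_accounts(passwd_text, shadow_text),
        "permit_empty_passwords": permit_empty_passwords(config_text),
        "compiled_in_names": hardcoded_account_names(sshd_blob, suspects),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG,
                   SAMPLE_SSHD_BIN, ["rsadmin", "support"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against the constructed data the report flags rsadmin as a passwordless
UID 0 account, shows PermitEmptyPasswords enabled, and finds 'rsadmin'
as a literal in the binary. On a real image, run the passwd/shadow
functions over the files from the extracted filesystem and the strings
scan over the actual sshd; any hit in the binary deserves a look even if
the password files show nothing.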
Impact:
1. The attacker can use the VPN appliance to ftp files in and out, and
even install and run packet sniffers on it, capturing all traffic
entering and leaving the VPN. Because the administrator is not aware
that root shells can be spawned on the appliance, the intruder can go
completely undetected.
2. Immediate remote root access to the VPN appliance.
3. The /etc/shadow file can be downloaded and its hashes cracked,
including root's. If the root password is a factory default shared
across appliances, this yields the root password for all deployed
RapidStream products.
SOLUTION
RapidStream has been contacted and is working on a new revision in
which SSHD is not installed. Those who do not wish to wait can put the
VPN appliance behind a firewall that blocks port 22. An alternative is
to use the vulnerability itself to ssh into the appliance and turn off
SSHD.
The released RapidStream 2000, RapidStream 4000, RapidStream 6000 and
RapidStream 8000 products are not affected by the reported attack.