eSeSIX Thintune thin client multiple vulnerabilities
IT-Consult, 2004-07-24

Background
- --------

Thintune is a series of thin client appliances sold by eSeSIX GmbH, Germany. They offer ICA, RDP, X11 and SSH support based on a customized Linux platform. See http://www.thintune.com for details.

Affected Product
- --------------

All Linux-based Thintune models with firmware <= 2.4.38

The following device was tested:

  Thintune M, Firmware version 2.4.38-32-D
  VIA Centaur processor (533 MHz), 128 MB RAM
  Software version: JSTREAM II 2.4.38

According to the vendor, all Linux based Thintune models with firmware version up to (and including) v2.4.38 are affected. The vulnerabilities 1, 2, 3 and 4 are fixed in firmware version 2.4.39. eSeSIX claims that Windows CE based Thintune models are not vulnerable.

Vulnerabilities
- -------------

1. REMOTE ROOT SHELL / BACKDOOR

By connecting to an undocumented process on the Thintune over the network an attacker can gain full control over the thin client without notice by the local user. This includes running installed programs, transferring files to and from the network, powering down the system and updating the firmware.

Details:

There is an undocumented process listening on TCP port 25072 that can be given one of the following commands after authenticating by a short password. This password ("jstwo") is hardcoded into the /usr/bin/radmin shell script and cannot be changed via the configuration interface. [1]

  shell     - give root shell
  version   - show hardware version
  beep      - start beeping
  restart   - reboot immediately
  poweroff  - power off immediately
  info      - display pop-up message via xmsg
  firmware  - download firmware from given URL
  getreg    - get local configuration settings

Exploit:

  $ nc 192.168.1.77 25702
  JSRAFV-1
  jstwo                    <- hardcoded password
  +yep
  shell                    <- one of several commands shown above
  +yep here you are ...
  id                       <- run "id" to show my privileges
  uid=0(root) gid=0(root)

The Thintune firmware includes BusyBox v0.47 which gives you access to nc, dd, tar, mount, kill, powerdown and other utilities. In my case, there was about 4MB of free space on the flash card used as hard drive.

According to the vendor, this backdoor is used by the eSeSIX support team when the management software is not available at the customer site or is not working correctly.

[1] Of course you could change the hardcoded password after exploiting vulnerabilities #1 or #3 and gaining a root shell.

Recommended fix: Upgrade to firmware v2.4.39. (The backdoor stays in place but uses a challenge-response system for authentication.)

Temporary workaround: Open local root shell by exploiting vulnerability #3 (see below), edit /etc/inetd.conf and delete the line concerning port 25702. Reboot.

2. DETERMINE PASSWORDS REMOTELY

All configuration settings can be acquired remotely, including saved user names and passwords for RDP and ICA connections as well as passwords for the local VNC server, the JStream control center and the screensaver.

Details:

The Keeper library [2] is used to store all JStream configuration settings. Configuration files are stored in the /root/.keeper/ directory. Every section of the database has its own subdirectory and every configuration setting is put into a file in that subdirectory.

[2] http://kempelen.iit.bme.hu/~mszeredi/keeper/keeper.html

By browsing the local filesystem or (more comfortably) using the "getreg" command shown above, one can remotely read out this Keeper database.
The following sections and keys may be particularly interesting for an attacker:

  Section   Key               Meaning
  desktop   shadow_password   VNC password (VNC is called "shadowing")
  security  adminpassword     control center (administrator) password
  security  userpassword      screen saver password
  ica       con_0_9           username for first ICA connection
  ica       con_0_10          password for first ICA connection
  ica       con_0_11          domain for first ICA connection
  ica       con_0_3           address for first ICA connection
  rdp       con_0_6           username for first RDP connection
  rdp       con_0_7           password for first RDP connection
  rdp       con_0_8           domain for first RDP connection
  rdp       con_0_3           address for first RDP connection

Connection settings and passwords for other protocols can be found in the rdppro, ssh, tarantella and rexec subdirectories in the same way. All passwords are stored in cleartext in the corresponding files.

Exploit:

  $ nc 192.168.1.77 25702
  JSRAFV-1
  jstwo
  +yep
  getreg
  +yep enter section and key
  desktop shadow_password
  myVNCpwd

Recommended fix: Upgrade to firmware v2.4.39.

Temporary workaround: Open local root shell by exploiting vulnerability #3 (see below), edit /etc/inetd.conf and delete the line concerning port 25702. Reboot.

3. LOCAL ROOT SHELL

Any local user of the thin client can launch a local root shell by pressing some keys and entering a special password. Attackers could use this shell to acquire all passwords in the Keeper database (see above). This feature has not been documented, but is shown to the customer during support sessions when needed.

Exploit:

Press and enter "maertsJ" as password. An xterm window is launched that runs with root privileges. The password is hardcoded into the /usr/bin/lshell executable and cannot be changed.

For an alternate attack vector, use the Phoenix web browser to open the file /usr/bin/lshell with itself (see below).

Recommended fix: Upgrade to firmware v2.4.39, which uses a challenge-response system for authentication.

Temporary workaround: Delete /usr/bin/lshell.
(Be sure to apply workarounds for vulnerabilities 1 and 2 first.)

4. VIEW CLEARTEXT PASSWORDS LOCALLY VIA WEB BROWSER

Any local user can browse the complete filesystem by using an existing web browser connection and entering a simple URL into the address bar. As the control center, screensaver and VNC passwords are stored in cleartext files, they can be read by a local attacker.

Details:

The Thintune software supports WWW access for end users via the Phoenix web browser (now called Mozilla Firefox). Entering "file:///" into the Phoenix URL address bar shows the root directory of the local filesystem. As Phoenix is run with root privileges, there are no restrictions concerning the files that can be viewed. Using this technique, cleartext passwords can be found in several files. Some examples:

  /root/.keeper/desktop/shadow_password          - VNC
  /root/.keeper/desktop/security/adminpassword   - control center
  /root/.keeper/security/userpassword            - screen saver password
  /usr/bin/radmin                                - remote control (see Vuln.#1)

Note: Web browsing has to be enabled by the administrator in the JStream control center by creating a Web connection. Access to the JStream control center can be password protected. Nevertheless, by exploiting vulnerability 3 and viewing the configuration file a local attacker can easily determine this password and get access to the control center.

Recommended fix: Upgrade to firmware v2.4.39. (The browser has been put into a sandbox.)

Temporary workaround: Delete all Phoenix connections.

5. PROBLEMATIC PASSWORD CHECKING

When prompted for the control center and lshell passwords, you do not have to press to complete your input. Authentication takes place as soon as you have given the right password. This could make password guessing much easier.

Example: Password is "a". No matter if you try "automobile", "any" or "afternoon" -- as soon as you press the first "a" you are authenticated.

Recommended fix: No fix is available at the moment.
Temporary workaround: Choose long passwords.

Method used for research
- ----------------------

- Try browsing the local filesystem via the "file:///"-URL. Further examination gives the following interesting details:
  * local configuration files are placed in /root/.keeper
  * Two files in /root/.keeper/security/ show the administrator and screensaver passwords in cleartext.
  * /usr/bin/radmin seems to be a shell script that offers remote control commands. Password is shown in cleartext.
- Opening /usr/bin/lshell (local shell?) via the web browser gives password prompt. Password is not known at this point.
  * /root/.icewm/keys shows that lshell can be run by pressing
- Nmap portscan against Thintune shows open TCP port 25702 (among others). Connecting to this port gives the "JSRAFV-1" reply that was found in local file /usr/bin/radmin before.
- Gain remote root shell by giving the password found in /usr/bin/radmin and transfer local filesystem over the network using dd and nc.
- Viewing /usr/bin/lshell in hex-editor on remote system shows cleartext password for local shell access.
- Browsing the /root/.keeper/ directory shows all connection settings in cleartext.
- Playing with the "getreg" command reveals that all settings can be acquired remotely.

Disclosure Timeline
- -----------------

2004-05-29  Vulnerabilities found by Dirk Loss
2004-06-02  Vendor notification per phone and E-Mail
2004-06-07  Vendor confirms vulnerabilities and promises fixing the problems in next firmware release
2004-07-16  New firmware v2.4.39 released including fixes for problems 1-4
2004-07-24  Public disclosure

Contact
- -----

Dirk Loss, IT-Consult Ralf Emons e.K., Münster, Germany
Mail: dirk.loss@it-consult.net
Tel:  +49-251-97416-0
WWW:  http://www.it-consult.net

Disclaimer
- --------

This advisory does not claim to be complete or to be usable for any purpose. Especially information on the vulnerable systems may be inaccurate or wrong.
Possible supplied exploit code is not to be used for malicious purposes, but for educational purposes only.

Legal Notices
- -----------

Copyright (c) 2004 IT-Consult Ralf Emons e.K.
Permission is granted for the redistribution of unaltered versions of this text in any medium.
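The password checking problem of vulnerability 5, modelled as an added example (this is not code from the advisory or from eSeSIX; the real lshell and control center code is not available): a simulated per-keystroke check that accepts as soon as the buffer equals the password, beside a hardened check that only evaluates a line completed with Enter and compares it in constant time. Function names, the sample passwords and the assumption that Enter ("\n") is the key the advisory leaves unnamed are all constructed for illustration.

```python
import hmac

# Constructed model of the behaviour described in vulnerability 5; the
# device's own password prompt code is not reproduced here.

def keystroke_auth(secret: str, typed: str):
    """Vulnerable model: the input buffer is compared with the secret after
    every keystroke and access is granted on the first match, whether or not
    the input was completed. Returns the 1-based keystroke index at which
    access was granted, or None if the stream never matched."""
    buf = ""
    for i, ch in enumerate(typed, 1):
        buf += ch
        if buf == secret:      # fires as soon as the secret is a prefix of the input
            return i
    return None

def line_auth(secret: str, typed: str) -> bool:
    """Hardened model: nothing is decided until the line is completed with
    Enter ("\\n"); the whole line is then compared in constant time, so
    "automobile" is no longer accepted for the password "a"."""
    if "\n" not in typed:
        return False           # input not completed: no decision yet
    line = typed.split("\n", 1)[0]
    return hmac.compare_digest(line.encode(), secret.encode())

def guesses_covered(typed: str) -> list:
    """Under the vulnerable model every prefix of one uninterrupted keystroke
    stream is a separate candidate, which is why guessing gets easier: a
    stream of n keystrokes tests n passwords without ever pressing Enter."""
    return [typed[:i] for i in range(1, len(typed) + 1)]

if __name__ == "__main__":
    secret = "a"                                   # the advisory's example password
    for attempt in ("automobile", "any", "afternoon"):
        print(attempt, "-> vulnerable:", keystroke_auth(secret, attempt),
              "hardened:", line_auth(secret, attempt + "\n"))
    print(guesses_covered("abc"))
```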