Old 10-20-2006, 03:53 AM   #16
design256
Connoisseur
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by Antartica
Oh! I'm happy. I'll be upgrading to 2.7 today, then :-).
Do it quickly! I bet that this and Xserver will be patched on IDS today.
Old 10-20-2006, 05:26 AM   #17
Alexander Turcic
Fully Converged
Posts: 18,163
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
Quote:
Originally Posted by jęd
Up to you whether you think its better to have an unsecured Illiad and to be the only one with this knowledge, or to help the Illiad progress. Congratulations, btw...
And what would be the risk of having an "unsecured" iLiad ATM?
Old 10-20-2006, 05:42 AM   #18
CommanderROR
eink fanatic
Posts: 2,022
Karma: 4924
Join Date: Mar 2006
Location: Germany
Device: STAReBOOK, iRex Iliad, Sony 505, Kindle 2
Congrats on your find.

I have no clue what this actually does, but it sounds great anyway...:-)
Old 10-20-2006, 06:50 AM   #19
jęd
Evangelist
Posts: 458
Karma: 293
Join Date: May 2006
Quote:
Originally Posted by Alexander Turcic
And what would be the risk of having an "unsecured" iLiad ATM?
Someone might hit you over the head with it...?

But seriously... I'm glad this was brought out in the open... I think it shows willingness to work with Irex in making their product better. Let's see how soon they fix this...!
Old 10-20-2006, 07:10 AM   #20
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by jęd
But seriously... I'm glad this was brought out in the open... I think it shows willingness to work with Irex in making their product better. Lets see how soon they fix this...!
I insist: it is not a security hole, so you do not need to fix it. It *seems* a security hole because it works the way www holes work, but it is a dialog window that only shows in the main console, so it is not a security issue. It is the same thing as claiming that GRUB has security holes!

The PDF hole in 2.4 was a different issue; just because the confirmation window was not drawn on the screen (it was, but the screen was not updated, remember) it was possible to make a PDF asking the user "click on this cross, then click this one and see what happens", the second cross subtly drawn over the OK button. It need not be so obvious; it could be for instance a sudoku square asking for two sequential clicks, or some "start demo" thing. In Spain we call this kind of deception a "Cuartango" trick, because this researcher at the CSIC did some work on deception windows over MSWindows.

Last edited by arivero; 10-20-2006 at 07:26 AM.
Old 10-20-2006, 07:17 AM   #21
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by Mike Kostousov
uupi!!! It works!
Code:
/bin/sh /opt/content/books/a.sh
(...)

Now, I will try to compile something for iLiad (maybe the cross-compiler for Zaurus will succeed). BTW, I think the most careful way is to mount the MMC with ext2, and try to do everything there..
Yes, in fact a minor issue is that the internal filesystems for documents are vfat, and I think that the USB also mounts vfat; the MMC mounts -t auto, I think, so an ext2 filesystem is feasible there, in theory. I have not seen yet the mounting for CF cards.

Of course having files in vfat implies two problems: a small one, that you cannot have linked files; a bigger one, that you cannot set a file to be executable, so you must rely on /bin/sh or some other way around.

I am not sure which is the easiest/safest/most careful way to proceed. The people on the Librie installed a Sxx.sh in the rc.5 or whatever it starts, and this one waited in the dark for a minute or two and then searched for "hook.sh" files in the SD/MMD/MemoryStick to execute. Another alternative is to do the same thing as the last line of the startup script in the home directory of root, but DHer already got to hang the machine last time he edited that script.

Last edited by arivero; 10-20-2006 at 07:20 AM.
Old 10-20-2006, 07:40 AM   #22
DHer
Addict
Posts: 261
Karma: 156
Join Date: Jul 2006
Device: iliad
Well, it would have worked if I had added an & at the end of the line to push netcat into the background.

So there's no reason not to try it again. (see the old thread for details on obtaining netcat and this line)
Old 10-20-2006, 07:46 AM   #23
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by DHer
Well, it would have worked if i had added an & at the end of the line t
It is valuable advice. Some other people can be tempted by startup scripts now, and it is not wise to let them hang when you cannot reflash yourself.


Another trick I can think of is to get the executable of rxvt, hoping it still works, and do a small shell script waiting some minutes (to let the user get off from the testing network dialog), then switching on the network, then running rxvt against an external X display. Your method, netcat based, had the advantages of being permanent and of not needing a Unix/X Windows counterpart.

Last edited by arivero; 10-20-2006 at 07:49 AM.
Old 10-20-2006, 07:54 AM   #24
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by Antartica
What's next in my todo list queue: investigate the pageBar protocol and doing a simple viewer using SDL... Now that we can test it :-)~~~! Yipieee!!!
Also, we need some hints about the update protocol. We can do single updates of the whole screen by calling the displayMgrClient utility, but I really would like to enable the update mode of the Ink applications, I mean Scribble and now the new Keyboard. This will happily be explained in the open by iRex in the future (and also the pageBar protocol); you could try to ask them first!

Last edited by arivero; 10-20-2006 at 09:25 AM.
Old 10-20-2006, 08:06 AM   #25
design256
Connoisseur
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by arivero
It is valuable advice. Some other people can be tempted by startup scripts now, and it is not wise to let them hang when you cannot reflash yourself.


Another trick I can think of is to get the executable of rxvt, hoping it still works, and do a small shell script waiting some minutes (to let the user get off from the testing network dialog), then switching on the network, then running rxvt against an external X display. Your method, netcat based, had the advantages of being permanent and of not needing a Unix/X Windows counterpart.
How about moving /usr/bin/downloadMgr out of the way and replacing it with a short script that starts the network and runs dropbear? That way, when you press the IDS button it starts your shell. No worries about bricking it on startup either. You can always move downloadMgr back into place when you want to do a real update...
Old 10-20-2006, 08:24 AM   #26
Mike Kostousov
Connoisseur
Posts: 50
Karma: 861
Join Date: Aug 2006
Device: Zaurus C1000/iLiad/SE K750i
First, we need to compile dropbear. I already did it, but the Zaurus development environment is a little bit old (glibc 2.2.2, but iLiad has 2.3.3). Or, maybe somebody has dropbear for iLiad?
Old 10-20-2006, 08:39 AM   #27
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by Mike Kostousov
First, we need to compile dropbear. I already did it, but the Zaurus development environment is a little bit old (glibc 2.2.2, but iLiad has 2.3.3). Or, maybe somebody has dropbear for iLiad?
Someone with a copy of the 2.4 filesystem (I lost mine) could send you, or the mobileread ftp site, a copy of the dropbear inside. You also need to replace /etc/passwd or to create a new user, and I think that the integrity of /etc/passwd (as well as the integrity of the registry) is checked now during the startup. Netcat had the advantage of not needing to know the root password nor to change it, and it was to be run on any nontrivial port, so relatively safe from scanners.

Last edited by arivero; 10-20-2006 at 08:42 AM.
Old 10-20-2006, 08:55 AM   #28
design256
Connoisseur
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by arivero
Someone with a copy of the 2.4 filesystem (I lost mine) could send you, or the mobileread ftp site, a copy of the dropbear inside. You also need to replace /etc/passwd or to create a new user, and I think that the integrity of /etc/passwd (as well as the integrity of the registry) is checked now during the startup. Netcat had the advantage of not needing to know the root password nor to change it, and it was to be run on any nontrivial port, so relatively safe from scanners.
You could compile tsh statically with the Zaurus toolchain. It will easily run on any port and the executable is tiny. I use it as a backdoor to rescue broken systems remotely.


http://freshmeat.net/projects/tsh/
Old 10-20-2006, 08:55 AM   #29
Mike Kostousov
Connoisseur
Posts: 50
Karma: 861
Join Date: Aug 2006
Device: Zaurus C1000/iLiad/SE K750i
Quote:
Originally Posted by arivero
Someone with a copy of the 2.4 filesystem (I lost mine) could send you, or the mobileread ftp site, a copy of the dropbear inside. You also need to replace /etc/passwd or to create a new user, and I think that the integrity of /etc/passwd (as well as the integrity of the registry) is checked now during the startup. Netcat had the advantage of not needing to know the root password nor to change it, and it was to be run on any nontrivial port, so relatively safe from scanners.
I think replacing passwd is the better way. I created a network profile with this quoted key and chose this profile by default. Now, by pressing the network button this script is executed. So, I just need to create a script which will change /etc/passwd, start dropbear, etc. But what happens if the integrity check fails?
Old 10-20-2006, 09:01 AM   #30
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by Mike Kostousov
I think replacing passwd is the better way. I created a network profile with this quoted key and chose this profile by default. Now, by pressing the network button this script is executed.
Wow!! Of course, it stores the key, and it uses it when you start a connection. I had not thought of it, because I thought that if the test fails it was not going to store the key.
Now, this seems a safe way to get script execution by itself; if you do not want script execution anymore, you delete the profile and voila! It is somehow risky in the sense that if you change the connection and it really gets to contact iDS, it could update the system if you are not fast enough to remove the internet cable or switch your wifi router off.

A minor problem is that we do not know exactly at which point the hack is being executed. We can conjecture it is in the line "iwconfig $ethIf key $key" of the script wireless.sh, but on the other hand the authors of the script (Alexis, Matthijs and Edwin, some of them you know from iRex forums) took already some wrapping measures (namely, key="$4").

Quote:
So, I just need to create a script which will change /etc/passwd, start dropbear, etc. But what happens if the integrity check fails?
Let me check the scripts and I will tell you in this same posting. (Back in a couple of minutes.) (Here I am.) It seems that the integrity checks are done in do_updates.sh in the /usr/bin directory. It checks

Code:
updates_done=0
new_password='Ko2IxrVVzZZT.'

echo -n 'Checking for patches:'

if [ -x /usr/sbin/dropbearmulti ]
then
        echo -n ' rm_sshd'
        /usr/bin/ipkg remove -force-depends dropbear
        updates_done=1
fi

if [ "`grep '^root:' /etc/passwd | cut -d: -f2`" != "${new_password}" ]
then
        echo -n ' passwd'
        sed -i "s,^\\([^:]*\\):[^:]*:0:,\\1:${new_password}:0:," /etc/passwd
        updates_done=1
fi
And it checks also for registry modifications. As you see, if the check for the password fails, it just sets the password to the fixed one.

Last edited by arivero; 10-20-2006 at 09:19 AM.
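As an added example (not code from the thread or from the iRex firmware), the script below replays the root-password check quoted from do_updates.sh on a constructed copy of /etc/passwd, so you can see exactly which entries the sed reset rewrites. The hash is the one quoted above; the "toor" and "user" entries, the mktemp file and the helper names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the iRex firmware: replays the
# root-password check quoted from do_updates.sh on a constructed copy of
# /etc/passwd. The hash is the one quoted on the page; the entries are made up.
new_password='Ko2IxrVVzZZT.'

# Write a constructed passwd file (root with a changed hash, a second
# uid-0 account "toor", and an ordinary uid-1000 user) and print its path.
make_sample_passwd() {
    f=$(mktemp)
    printf '%s\n' \
        'root:XXchanged:0:0:root:/root:/bin/sh' \
        'toor:YYother:0:0:second root:/root:/bin/sh' \
        'user:ZZuser:1000:1000:user:/home/user:/bin/sh' > "$f"
    echo "$f"
}

# Password field of a named account: the same grep|cut the firmware
# applies to the root entry.
hash_of() {
    grep "^$2:" "$1" | cut -d: -f2
}

# Exit 0 when the firmware check would fire, i.e. root's hash differs
# from the fixed value. Note that only the "root" entry is ever compared.
needs_reset() {
    [ "$(hash_of "$1" root)" != "$new_password" ]
}

# Apply the firmware's sed expression to a copy (never in place) and
# print the copy's path. The pattern keys on uid 0, not on the name root.
reset_uid0() {
    out="$1.reset"
    sed "s,^\\([^:]*\\):[^:]*:0:,\\1:${new_password}:0:," "$1" > "$out"
    echo "$out"
}

# Demo run: show before/after hashes for every constructed account.
sample=$(make_sample_passwd)
if needs_reset "$sample"; then
    echo "root hash differs: firmware would rewrite the file"
    fixed=$(reset_uid0 "$sample")
    for u in root toor user; do
        echo "$u: $(hash_of "$sample" "$u") -> $(hash_of "$fixed" "$u")"
    done
fi
```

Running it shows that the second uid-0 account is reset to the fixed hash as well, even though the check only compared root's entry, while the uid-1000 user is left untouched.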