iLiad Huge exploit found in 2.7

[Mike Kostousov]

Yes. I don't think, that system will waste 4KB, but to check first is a good way for copying key. But the best - to check existance authorized_key, if it exsits, to check that it doesn't contain id_rsa.pub etc. But it was quick way

[scotty1024]

Quote:

Originally Posted by Mike Kostousov

Yes. I don't think, that system will waste 4KB, but to check first is a good way for copying key. But the best - to check existance authorized_key, if it exsits, to check that it doesn't contain id_rsa.pub etc. But it was quick way

Your way works and isn't wasting 4kb.

Did you know scp isn't working? dropbear needs an scp handler to actually do inbound scp...

[arivero]

Quote:

Originally Posted by scotty1024

Your way works and isn't wasting 4kb.
.

I confirm this, after some reading of the chip + driver specifications (it is not a open Source driver, but it is a very popular one)

[RibRdb2]

It sounds like the 2.7.1 patch disables the exploit for the network key. Can anyone confirm this?

[TadW]

Quote:

Originally Posted by RibRdb2

It sounds like the 2.7.1 patch disables the exploit for the network key. Can anyone confirm this?

Yes, pretty sure it does. Perhaps it's better to wait with the upgrade until someone posted a way to regain root access.

Quote:

Security Fixes

* Security fix for Xserver leak
* Security fix for leak in Profiles

[Henry Loenwind]

Here's another set of scripts that can make your life easier. This also works as a first time setup (2.7 only).

Note: This is using the startup.sh hook from I survived 2.7.1 and the dropbear.tar from earlier in this thread.


(1) Attach your iLiad to your PC. Put the content of the dropbear.tar into the root directory, "F:\" or whatever it is on your PC.

(2) Create a file named "startup.sh" and put it there, too. Content:

Code:

#!/bin/sh
# ATTN: Changing this script can brick your iLiad
cp /mnt/free/daemon.sh /tmp/daemon.sh
chmod 755 /tmp/daemon.sh
/tmp/daemon.sh &

(3) Create a file named "daemon.sh" and put it there, too. Content:

Code:

#!/bin/sh
if [ ! -d /home/root/.ssh ];then
        mkdir /home/root/.ssh
fi
if [ ! -f /home/root/.ssh/authorized_keys ];then
        cp /mnt/free/id_rsa.pub /home/root/.ssh/authorized_keys
fi
if [ ! -x /tmp/dropbear ];then
        cp /mnt/free/dropbear /tmp
        chmod 755 /tmp/dropbear
fi
if [ ! -x /tmp/dropbearkey ];then
        cp /mnt/free/dropbearkey /tmp
        chmod 755 /tmp/dropbearkey
fi
if [ ! -f /mnt/free/dropbear_dss_host_key ];then
        /tmp/dropbearkey -t dss -f /mnt/free/dropbear_dss_host_key
fi
if [ ! -e /mnt/free/dropbear_rsa_host_key ];then
        /tmp/dropbearkey -t rsa -f /mnt/free/dropbear_rsa_host_key
fi

touch /mnt/free/newspapers/del_to_start_network.txt
while [ 1 ]
do
        sleep 30
        if [ ! -e /mnt/free/newspapers/del_to_start_network.txt ];then
                touch /mnt/free/newspapers/del_to_start_network.txt
                /usr/bin/wired.sh start dhcp
                sleep 5
                /usr/bin/killall dropbear
                /tmp/dropbear -d /mnt/free/dropbear_dss_host_key -r /mnt/free/dropbear_rsa_host_key
        fi
done

(4) Put your id_rsa.pub there, too. You need to pull it from you ssh client. If you don't know how, you'd better abort here.

(5) Disconnect your iLiad from your PC and connect it to your LAN instead.

(6) Now on the iLiad; start creating a new connection profile. Choose a WEP protected wireless connection. Name and SID don't matter. When you are asked for the WEP key enter this:

Code:

`/bin/sh /mnt/free/startup.sh`

(7) Press test. The iLiad should now display "Searching", if it diplays "Unsuccessfull" you made some mistake. Abourt and retry from step 6 or step 1.

(8) While the iLiad is still "Searching", abort the creation of the connection profile. Don't save it, you won't need it anymore.

(9) Press the "NEWS" button. There should be a new file called "del_to_start_network.txt". Delete it. After 1 to 30 seconds, the network should become active. 5 seconds later the ssh daemon is started.

(10) Use ssh to connect your iLiad.

(11) Create a new file "/etc/rc5.d/S99zWHATEVER" (where WHATEVER is whatever you want) and make it executable ("chmod 755 /etc/rc5.d/S99zWHATEVER"). Put in the content from I survived 2.7.1. Content:

Code:

#!/bin/sh
# ATTN: Changing this script can brick your iLiad

if test -f /mnt/card/startup.sh
then
  /bin/sh /mnt/card/startup.sh
fi
if test -f /mnt/free/startup.sh
then
  /bin/sh /mnt/free/startup.sh
fi

(12) Reboot your iLiad.

(13) Execute step 9 and 10 again and notice that every time you delete that file, the wired network becomes active and the ssh daemon is started for you.

This should also survive the update to 2.7.1, and may survive 2.7.x, but it's unlikely it'll survive 2.8.

[scotty1024]

@Henry Loenwind

An elegant piece or work and excellent documentation. Well done!

That said, everyone needs to keep in mind that if you crash your iLiad's boot sequence (er_registery accident, or whatever) this boot up won't work as you won't be able to remove the lock file.

But for everyday access to launch dropbear and let you in, an elegant solution.

Remember, let's be safe out there.

[Henry Loenwind]

Quote:

Originally Posted by scotty1024

That said, everyone needs to keep in mind that if you crash your iLiad's boot sequence (er_registery accident, or whatever) this boot up won't work as you won't be able to remove the lock file.

Uh, thanks for that remark, it reminded me about 2 little flaws (/mnt/FREE and chmod +x) with step 11. I updated my howto and added the /mnt/card safeguard.

---

Also, someone asked how to install ipdf?

Code:

cp /mnt/free/ipdf /usr/bin/
mv /usr/bin/xpdf /usr/bin/xpdf.original
ln -s /usr/bin/ipdf /usr/bin/xpdf

---

Problems with step 11? Create the file on your PC, put it onto the iLiad together with the other scriptfile, the type in the following on the iLiad's command line:

Code:

cp /mnt/free/S99zWHATEVER /etc/rc5.d/
chmod 755 /etc/rc5.d/S99zWHATEVER

[scotty1024]

Quote:

Originally Posted by Henry Loenwind

Code:

#!/bin/sh

if test -f /mnt/free/startup.sh
then
  /bin/sh /mnt/free/startup.sh
fi
if test -f /mnt/card/startup.sh
then
  /bin/sh /mnt/card/startup.sh
fi

Since your script never exits you need to add a &:

Code:

#!/bin/sh

if test -f /mnt/free/startup.sh
then
  /bin/sh /mnt/free/startup.sh &
fi
if test -f /mnt/card/startup.sh
then
  /bin/sh /mnt/card/startup.sh
fi

Otherwise the rc script hangs.

[Henry Loenwind]

Quote:

Originally Posted by scotty1024

Since your script never exits you need to add a &:

That's already at the end of the startup.sh. But changing to sourcing would be an enhancement here, no need to start a new process for cp+chmod...

(The daemon.sh is the one that's not exiting. I copy that to /tmp so it won't run from a file system that will be unmounted.)

Edit: But I found it makes more sense to check for a startup.sh on the card first, in case the startup.sh in the internal memory was corrupted (bad edit or so). Changed the script and added a warning on the "dangerous" scripts.

[narve]

First: After the .sh extension, much of this is un-necessary. I've created a launcher that launches dropbear (and starts wlan while at it). This is way safer -- no risk of bricking your iliad (at least as far as I know), and better for battery life and security because you don't start dropbear until you are going to use it. If anyone is interested, I can post it here. But first I have to get it working, which leads nicely to the second paragraph:

I can't login. I get "Server refused our key". I've generated a 1024 bit RSA key using Putty (yes, I'm a windowsluser), saved it where it should be etc. Everything seems to be in order, but I still can't log in...

Can anyone help me out here? What kind of key do you need to generate? DSA? RSA? Different bit length? Dropbear specific files?

[narve]

Quote:

Originally Posted by narve

Can anyone help me out here? What kind of key do you need to generate? DSA? RSA? Different bit length? Dropbear specific files?

Found the problem: Occasionally, the /mnt/free filesystem is mounted read-only. In a weird way, so windows say the file is saved or deleted, but when I refresh the view the file is not deleted and the file contens hasn't been changed. When I start the terminal, I can not change the file I was editing because the fs is mounted read-only. I can (it seems) create new files, but not change the existing ones. Even if I delete a file X, I can not create a new file called X afterwards... this is very strange. But it could be caused by an unclean un-mount, perhaps I had a read-lock on any of the files when I plugged the USB cable.

So my key file had wrong contents... Will try again tomorrow, out of battery now


Anyone else have similar problems with un-clean USB disconnections? Or are everybody but me either using Linux or disconnecting properly (disconnect hardware wizard etc... which I never use -- haven't seen this problem before)