The really ironic thing is that this product is designed to improve the security of your site (by mitigating DDoS attacks). Instead, it degrades security by having a security hole large enough to drive a bus through.
--Rohit Patnaik On Wed, Oct 7, 2009 at 6:03 PM, <[email protected]>wrote: > Title: Riorey "RIOS" Hardcoded Password Vulnerability > > Severity: High (Full root access to the device) > Date: 07 October 2009 > Versions Affected: RIOS 4.6.6 , 4.7.0 possibly others > Discovered on: 25 July 2009 > Vendor URL: www.riorey.com > Author: Marek Kroemeke > > Overview: > > Riorey DDoS mitigation appliences (www.riorey.com) are vulnerable to > taking a full control > over affected devices via a hardcoded username and password used to create > a SSH tunnel between the RView application and the device itself. > > > Details: > > Riorey devices running affected "RIOS" versions have a hardcoded username > and password > that is then used by the RView software to connect on port 8022 in order to > create > a SSH tunnel. This allows the attacker to login as user 'dbuser' using > the hardcoded password, and due to an old Linux kernel version used - > escalate privilages > through several vulnerabilities and eventually take the full control over > the device. > > Additionally - the web interface advices the user to reset the admin > password for security reasons, > but the RView application still uses the hardcoded password in order to > create the SSH tunnel which > may result in a false sense of security. > > Proof of Concept: > > Open your favorite SSH client and use the following detials in order to > login: > > port: 8022 > username: dbadmin > password: sq!us3r > > -- cut -- > r...@rioreyxxxxxxx dbuser # id > uid=0(root) gid=0(root) groups=0(root) > r...@rioreyxxxxxxx dbuser # uname -a > Linux rioreyXXXXXXX 2.6.16.6 #23 SMP Fri Oct 24 19:29:08 EDT 2008 x86_64 > Dual-Core AMD Opteron(tm) Processor 1210 HE AuthenticAMD GNU/Linux > -- cut -- > > > Mitigation: > > Login to the device via SSH using the above details, and reset the password > using the 'passwd' command. > > > Vendor Contact: > 30 July 2009 - Initial vendor contact > 31 July 2009 - Vendor replies advising to use a firewall in front of the > device > 01 August 2009 - Vendor replies that next software release will address > this problem, work in progress > 09 August 2009 - Vendor sends an email confirming that it's not ready yet > but will be by the end of the month > 16 August 2009 - Confirmation about realease day of a patched version - 05 > October 2009 > 07 October 2009 - Releasing the vulnerability report. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
