Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

rapidstream.vpn.txt

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 6
rapidstream.vpn.txt
rapidstream.vpn.txt
rapidstream.vpn.txt

Date: 8-14-00
Time: 12:40p PST


OVERVIEW
RapidStream has hard-coded the 'rsadmin' account into rapidstream.vpn.txt

Date: 8-14-00
Time: 12:40p PST


OVERVIEW
RapidStream has hard-coded the 'rsadmin' account into the sshd binary in the
appliance OS. The account has been given a 'null' password in
which password assignment and authentication was expected to be handled by the
RapidStream software itself. The vendor failed to realize that arbitrary
commands could be appended to the ssh string when connecting to the SSH server
on the remote vpn. This in effect could lead to many things, including the
ability to spawn a remote root shell on the vpn.

e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "/bin/sh -i;"
e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "vi /etc/shadow"


SYSTEMS AFFECTED
I have not yet tested this with other VPN appliances that have installed SSH
as their choice for remote access.

1. RapidStream 8000 Family
2. RapidStream 6000 Family
3. RapidStream 4000 Family
4. RapidStream 2000 Family


IMPACT
1. Attacker can use VPN to ftp, and even install and run packet sniffers on the
VPN which will allow him to sniff all traffic coming in and out of the VPN.
Due to the fact that the administrator is not aware of the ability to spawn
root shells, the intruder can go completely undetected.

2. Immediate remote root access to VPN

3. Can download /etc/shadow file to crack accounts including root. This will give
the attacker the default password for all root accounts for all deployed
RapidStream products.

SOLUTION
RapidStream has been contacted and is working on a new revision in which SSHD
comes uninstalled. For those that do not wish to wait can put the VPN appliance
behind a firewall where port 22 has been closed. An alternative is to use the
vulnerability to ssh into the vpn and turn off SSHD yourself.

SHOUTS
#RootHat, Lamagra, Safety, BillyBobCat Pennington, Faisal, Mega, Lockdown, King
Art"hur" and all the gang! "TIMMMY!, LIVIN A LIE!"
Also mad shouts out to muh fiance! "Mahal Kita!"

"Shouts to the fellow herd of the evil cow people, cow go moo!"
moo?


----------------------------------------------------------------------
Loki [LoA]
This email address is being protected from spambots. You need JavaScript enabled to view it.
----------------------------------------------------------------------
PGP Key fingerprint = 67 1D 12 BE 61 D6 63 B2 6A 8C F8 A1 80 88 1B 4
[This email address is being protected from spambots. You need JavaScript enabled to view it.]# ./crack /etc/passwd > passwd.cr
[This email address is being protected from spambots. You need JavaScript enabled to view it.]# su - root
[This email address is being protected from spambots. You need JavaScript enabled to view it.]#
----------------------------------------------------------------------
Social Media Share