The folks over at RISE Security have discovered a vulnerability in the default Eee PC Xandros installation.
It appears that the pre-installed version of Samba (which is enabled by default) can be exploited over the network to gain root access to the machine.
You can read more at the links below:
[RISE Security via Engadget]

There’s been some discussion of this in the forums already. The consensus seems to be that for most users, this is a very minor concern, and not nearly the threat these boys make it out to be.
I set up a root password for mine. I would think that would help decrease the risk.
Patrick
There's also a fairly nasty local root exploit for the 2.6.17->2.6.24.1 kernel out, so having a root password won't help a whole lot. It also affects Ubuntu 7.10 and quite a few current distros.
http://www.milw0rm.com/exploits/5092
Hello everyone, I just got an Eee PC and saw this. I'm not sure what this vulnerability means, as I'm a Linux newbie. Would a better anti-virus than the one that ships with it (AVclam) sort the problem out? Any advice appreciated, cheers
Uh, oh. Kernel is rooted. I better buy Vista, that’ll keep hax0r5 away.
Brian, this is not to do with viruses. What it means is that you’ll need to install a newer version of the samba package, without the vulnerability. Basically, use the Synaptic package manager to upgrade the “samba” package to a newer version, when it becomes available (probably already is available) – just make sure the version number is ABOVE 3.0.24, as 3.0.24 is the one with this bug. Ubuntu for instance currently has samba 3.0.26a, which likely has this issue fixed.
If you can’t find a newer version, you may want to use Synaptic to uninstall samba, although you will lose the ability to access windows file shares and windows shared printers, etc. If you’d prefer doing either of these from the command line (aka the terminal, the console), then, to upgrade samba type:
sudo apt-get update
sudo apt-get install samba
Alternatively, to remove samba:
sudo apt-get remove samba
This should work. If the ASUS Eee PC doesn't have "sudo", then just type "su" first; it'll ask for your root password if you have one, then run the commands without the "sudo" in front (i.e. just "apt-get update", "apt-get install samba", etc.). Hope this helps someone!
– Marianne, the scarily geeky girl
Actually, the new one could also have version 3.0.24; Debian etch has variants like 3.0.24.etch1 etc.
The ASUS EeePC does have “sudo”.
@Brian: to open the terminal press Ctrl+Alt+T on your ASUS EeePC.
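As an added example, not code from this thread, from Asus or from the Samba project: a small POSIX shell script that applies Marianne's rule (upstream version above 3.0.24 is fixed) together with the Debian caveat that a 3.0.24 package with a distribution revision may carry a backported fix. The package name `samba`, the `dpkg-query` call, the `--installed` flag and the version strings in the comments are this example's assumptions; treating versions older than 3.0.24 as vulnerable is also an assumption, since the thread only names 3.0.24.

```shell
#!/bin/sh
# Classify a Samba package version string against the 3.0.24 release that this
# thread identifies as vulnerable. Rule from the thread: an upstream version
# ABOVE 3.0.24 is fixed; 3.0.24 with a distribution revision may carry a
# backported fix and needs its changelog checked; anything else is treated as
# vulnerable (assumption: the thread only names 3.0.24 itself).

# Upstream part "x.y.z[letter]" of a package version ("3.0.26a-1ubuntu2" -> "3.0.26a").
upstream_of() {
    printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*[a-z]*\).*/\1/'
}

# Whatever follows the upstream part: a Debian/Ubuntu revision such as
# "-6etch1", or the "3.0.24.etch1" style mentioned above. Empty if none.
distro_suffix_of() {
    printf '%s\n' "$1" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*[a-z]*//'
}

# Numeric comparison of two upstream versions, component by component; a
# trailing letter (3.0.26a) is ignored. Prints -1, 0 or 1. The body runs in a
# subshell so the IFS change stays local to the function.
cmp_upstream() (
    x=$1 y=$2
    IFS=.
    set -- $x; a1=${1:-0} a2=${2:-0} a3=${3%%[!0-9]*}
    set -- $y; b1=${1:-0} b2=${2:-0} b3=${3%%[!0-9]*}
    unset IFS
    a3=${a3:-0} b3=${b3:-0}
    if   [ "$a1" -gt "$b1" ]; then printf '1\n'
    elif [ "$a1" -lt "$b1" ]; then printf -- '-1\n'
    elif [ "$a2" -gt "$b2" ]; then printf '1\n'
    elif [ "$a2" -lt "$b2" ]; then printf -- '-1\n'
    elif [ "$a3" -gt "$b3" ]; then printf '1\n'
    elif [ "$a3" -lt "$b3" ]; then printf -- '-1\n'
    else printf '0\n'
    fi
)

# Verdict for one version string: fixed, check-changelog or vulnerable.
samba_status() {
    up=$(upstream_of "$1")
    suffix=$(distro_suffix_of "$1")
    case $(cmp_upstream "$up" 3.0.24) in
        1) printf 'fixed\n' ;;
        0) if [ -n "$suffix" ]; then printf 'check-changelog\n'
           else printf 'vulnerable\n'; fi ;;
        *) printf 'vulnerable\n' ;;
    esac
}

# Version of the installed package on a Debian-based system (empty if absent).
installed_samba_version() {
    dpkg-query -W -f='${Version}' samba 2>/dev/null || true
}

# Live check, only when invoked as: sh samba-check.sh --installed
# For a "check-changelog" verdict, read /usr/share/doc/samba/changelog.Debian.gz
# to see whether the distribution revision mentions the fix.
if [ "${1:-}" = "--installed" ]; then
    v=$(installed_samba_version)
    if [ -z "$v" ]; then echo "samba: not installed"
    else echo "samba $v: $(samba_status "$v")"; fi
fi
```

The functions take the version string as an argument, so they can be tried on any value (`samba_status 3.0.24-6etch1` prints `check-changelog`) before trusting the live `--installed` run.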
Even if the consensus on the forums is that this isn’t a concern, in the real world it should be.
I run nmap, nessus and metasploit on my eee (I’m an information security consultant) and demonstrated the vulnerability in the office today. It works like this: anyone on the same local network (open wifi hotspot, wifi hotspot with shared key, office network, school network, hotel network, etc) as a vulnerable eee can gain root access to it in a couple of minutes.
A successful attacker could gain access to anything stored on a vulnerable eee and could also modify the software to gain access to anything processed on it: passwords to web sites (webmail, social networking, banking, etc), browsing history, email, etc.
Passwords and anti-virus do not make any difference. The only solutions are to remove samba, upgrade samba to a non-vulnerable version (doesn’t currently appear possible via aptitude) or firewall it with iptables (which requires a non-trivial kernel rebuild).
Personally, I’ve rebuilt the kernel and installed the firewall, reducing the risk to negligible. Instructions are at wiki.eeeuser.com but, as I write, it isn’t trivial.
Removing samba is easier, and not many people actually use it a whole lot anyway.
Thanks so much for all the info, everyone. I have chosen to remove Samba and just wondered what implications this would have on my machine and its use, as I'm unsure of the purpose of Samba; it comes up on Google as a Windows-compatible package of some sort. Could anyone put in plain English what it does, its purpose, etc.? Also I'm having problems getting Firestarter and wondered if anyone else has had errors just trying to download it via the control panel? Much appreciated and thanks again
Hi All,
I have an Eee and personally I'm not too concerned about the Samba hole, as I'm normally behind my home router, which acts as a hardware firewall. Anyone using a router at home also need not worry (if they trust their house-mates, that is!). However, having said that, if I were to log on to an untrusted network, I would stop the Samba service by issuing:
sudo /etc/init.d/smb stop
This would avoid removing the samba service.
Hope this helps,
Tris
Stopping the samba service is good, but I want to add that people will need to do this again every time they turn on the EEE on an untrusted network. Samba will still be re-enabled every time you turn on/reboot the EEE with Tris’ suggestion.
I don’t have my EEE yet(getting it later today, thank you Newegg/UPS) so I don’t know the specific command to remove it from the startup of the machine, but you should be able to disable it permanently, without having to remove it. This would mean that it is installed, but turned off by default, as opposed to how it is now: installed, and on by default. I could explain the steps to figure out what commands you need to run to disable it, but those are kinda long-winded if you don’t already know your way around a linux box.
Removing it is probably one of the easiest ways to be safe against this problem, but if you ever think you will need it, disabling it by default will probably be most ideal, so that you don’t have to worry about it 99% of the time, and the 1% of the time that you need to use it, you can explicitly enable it by hand. (via “sudo /etc/init.d/smb start”, similar to how Tris said to stop it)
I’ll try to post a follow-up later tonight with simple instructions on how to leave it installed but disabled by default.
Sorry, that command should have been:
/etc/init.d/samba stop
To permanently disable the service, execute
sudo update-rc.d -f samba remove
and to re-enable it:
sudo update-rc.d samba defaults
I am in the same category as Brian, but trying to learn. How can I tell what version of Samba I have, and how can I tell what version it is updating to using the update command in Terminal? I ran update when I first got it (through Synaptic), but that was in December.
Hi All,
I’m not sure if Brian’s question was answered? Basically samba allows the Eee PC to access windows shares and printers, and also share directories and printers so windows can access them. The daemon part of samba (smbd) is the part allowing folders/printers to be shared. If you don’t plan on sharing folders to windows on your Eee, I would just disable the service as described in my previous post. To update the samba package you can just issue:
sudo apt-get install samba
Apt will then check to see if you have the latest version installed. I’m not on my Eee now, but I don’t think there are any updates for samba as yet.
Cheers,
Tris
I don't know why some people think this is not a real problem. Check this to see how easy it was to get root access to an Eee:
http://edge.i-hacked.com/category/hacking/hardware
No, those are not specialty tools, you can get them anywhere easily. (Using them is another story).
I’m surprised also that Asus has not released any patch.
In the meantime, the easier way to disable Samba is to edit the /etc/init.d/samba file or to edit the /usr/sbin/services.sh script. I don't think those changes would survive an update (from Asus, for example), but update-rc.d just doesn't work (maybe it is the unionfs filesystem, or that the Eee PC uses a customized init system).
Regards,
MV
I followed Tris’s advice and disabled the Samba service:
sudo update-rc.d -f samba remove
However, when I open a terminal window and run “ps -e | grep smbd” I get the following results:
2621 ? 00:00:00 smbd
2622 ? 00:00:00 smbd
Does that mean it is still running?
(I also tried removing Samba via the Synaptic package manager in Full Desktop mode, but I got a couple of errors…unfortunately, I didn’t copy the error messages.)
Chris: Correct, it is still running. To stop it, you need to run:
sudo /etc/init.d/samba stop
Also, I tried Tris’ update-rc.d -f command, and it removes samba links from the rc*.d yet samba still runs after a reboot? I don’t have any more time to look into it tonight, but is samba perhaps being started from another place? As a quick and nasty way to stop it I guess I could put the /etc/init.d/samba stop in /etc/rc.local
Putting an entry into rc.local doesn’t work, so for now I have made the samba process non-executable (so it doesn’t start up at boot):
sudo chmod -x /etc/init.d/samba
When I get home from work today, I am going to try and update samba to 3.0.28.
Oops! I obviously missed MValdez post about stopping it automatically loading via the /usr/sbin/services.sh file
OK! I commented out (i.e. preceded with a “#”) the following lines from /usr/sbin/services.sh:
mkdir -p /tmp/.samba
/usr/sbin/invoke-rc.d samba start
After re-starting the system, Samba is no longer running. Thanks, everyone, for your help!
Thanks for all the advice to everyone !
I’ve got two sessions of smbd running on my eee pc. Tris’s commands didn’t stop it or disable it from starting up. Moreover, I can’t delete the directory that the smbd file is contained in. Have I been rooted out of my own computer?
Hi all,
I've executed apt-get update and apt-get install samba...
but after the installation the samba version is the same, 3.0.24. Why is this?
Are there no upgraded packages, or is it because I've forgotten something?
Thank you all
To update Samba to solve this security issue, just type in the terminal the command lines from this (French) site (as of today, end of April, no Asus or simple Synaptic update is available):
http://forum.inforeseau.com/faille-de-securite-samba-partage-windows-sur-eee-t147.html
kudos to him
Edit: well, sorry, everything is here in the wiki:
http://wiki.eeeuser.com/howto:sambasecurityfix