[plug] dodgy PixelNet/NetGateway product
leon at brooks.smileys.net
Sat Oct 7 19:22:20 WST 2000
Niall Young wrote:
> It was completely insecure - around 20 (absolutely unnecessary) ports open,
> known exploits found for half a dozen of these, seemed to be in an old state
> of maintenance package wise with a web interface to control a minimal subset
> of services. I was pretty shocked.
Welcome to the new wave of, umm, Linux products. I've seen similar stupidity
with NT "black boxes" that the customers routinely doorbell every week to keep
from crashing horribly (better to crash them predictably), and wouldn't ever
know if the box suffered 0wn3rs|-|1p.
> But it gets worse - the client was never supplied the root password, not
> even the reseller was given this, and maintenance seems only possible through
> PixelNet on a yearly subscription basis.
Have they left the usual LILO holes?
Even if not, you can put the disk in another machine and copy a known password
into the root entry of /etc/shadow.
Life would be much easier if I had the source code.
More information about the plug