[plug] dodgy PixelNet/NetGateway

Niall Young niall at linuxsolutions.net.au
Sun Oct 8 11:06:23 WST 2000


On Sat, 7 Oct 2000, Leon Brooks wrote:

> > It was completely insecure - around 20 (absolutely unnecessary) ports open,
> > known exploits found for half a dozen of these, seemed to be in an old state
>
> from crashing horribly (better to crash them predictably), and wouldn't ever
> know if the box suffered 0wn3rs|-|1p.

This is what scares me so much - they've lost control over their own hardware,
not just to the company supplying this product but to anyone else with half a
clue - there goes their gateway, there goes their network, there goes their IP.

> > But it gets worse - the client was never supplied the root password, not
> > even the reseller was given this, and maintenance seems only possible through
> > PixelNet on a yearly subscription basis.
>
> Have they left the usual LILO holes?

Nup - as far as keeping the box under their control, they did their job.

> Even if not, you can put the disk in another machine and copy a known password
> into the root entry of /etc/shadow.

Yep, it's not a problem to gain access - the point of my email was just to see
if others had encountered this or similar products.  (Steve, it was local)  I'd
rather give my client all of the facts and let them make the decision about
whether we should crack into it and take control of what they've paid for, or
make the supplier/author clean up their own mess, or replace it completely.  It
just scares me that insecure products are being deployed en masse, and
consumer's rights are being violated.

--                                                              
Niall Young						
             Linux Solutions -- www.linuxsolutions.net.au
     Providing Internet and Audio/Video Solutions and Consulting
 PH: 0407 421 537 -- PO BOX 1117, Gwelup WA 6018 -- GPG ID: 8B3AE631








More information about the plug mailing list