bit-tech.net

Eee PC vulnerable to crackers

The Eee PC: as attractive to ne'er-do-wells as it is to size-conscious road warriors?

RISE Security, a Brazilian network security firm, has discovered that the popular Eee PC from Asus may be vulnerable to remote exploitation.

The tiny UMPC-styled notebook runs a customised version of Xandros Linux by default, with a friendly interface slapped on top to simplify things for those not up-to-speed on desktop Linux. Like any other Linux install, Xandros comes with a metric tonne of extras in order for it to do various things. One of these extras is the Samba package, which is responsible for allowing the Eee PC to connect to CIFS network shares – as used by Windows-based computers.

It's this package which is causing problems according to RISE. The default version installed with the Eee is 3.0.24, which is vulnerable to a heap overflow attack first discovered in April last year. By exploiting the flaw in the outdated version of Samba, it's possible to attack the system over the network in order to gain root privileges – the Linux equivalent of the SYSTEM account in Windows.

The update mechanism offered via the Easy Interface is currently only offering BIOS updates plus a fix for the Voice Commander software – no system tweaks. Users who have unlocked the Advanced (aka Desktop) Interface are recommended to manually update Samba to 3.0.28. If you're not comfortable with manually updating the software installed on the Eee, I'd recommend staying clear of any untrusted networks and disabling the wireless card whenever you're not using it.
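
As an added example (not from the article or from RISE Security), the shell functions below compare the version string reported by `smbd -V` against the 3.0.28 release recommended above. The function names and sample strings are constructed for illustration; the 3.0.28 threshold is taken from the article.

```shell
#!/bin/sh
# Added example: is the installed Samba older than the release the article
# recommends? The 3.0.28 threshold comes from the article; function names
# and sample strings are constructed for illustration.
RECOMMENDED="3.0.28"

# Pull "major.minor.patch" out of text such as "Version 3.0.24" or "3.0.28a".
samba_numeric_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# Return 0 if $1 is older than $2, 1 if it is not, 2 if either is unparseable.
samba_older_than() {
    have=$(samba_numeric_version "$1")
    want=$(samba_numeric_version "$2")
    if [ -z "$have" ] || [ -z "$want" ]; then return 2; fi
    old_ifs=$IFS; IFS=.
    set -- $have $want          # $1-$3: installed, $4-$6: recommended
    IFS=$old_ifs
    # Compare field by field as integers, so 3.0.9 sorts below 3.0.28.
    for pair in "$1:$4" "$2:$5" "$3:$6"; do
        a=${pair%%:*}; b=${pair##*:}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1                    # equal versions are not older
}

# Print "outdated", "current" or "unknown" for a version string.
samba_status() {
    rc=0
    samba_older_than "$1" "$RECOMMENDED" || rc=$?
    case $rc in
        0) echo "outdated" ;;
        1) echo "current" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample strings, then the local smbd if one is on the PATH.
for sample in "Version 3.0.24" "Version 3.0.28" "3.0.28a" "no smbd here"; do
    echo "$sample -> $(samba_status "$sample")"
done
if command -v smbd >/dev/null 2>&1; then
    echo "local smbd -> $(samba_status "$(smbd -V 2>/dev/null)")"
fi
```

A result of "current" only means the version is at or above 3.0.28; it says nothing about flaws found after that release.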

Anybody feeling uneasy at having outdated and vulnerable services running by default on their Eee, or is it a load of fuss over nothing? Share your thoughts over in the forums.

7 Comments

steveo_mcg 12th February 2008, 09:11
It's a bit worrying they don't at least keep on top of security updates. I can understand having a fixed set of packages (Debian has been doing it for years) but for goodness sake release security update patches.
airchie 12th February 2008, 10:50
Yeah, with the popularity of the eee it seems like suicide to have them all running about with vulnerabilities... :/
Glider 12th February 2008, 11:06
Can't you just update it?
hawky84 12th February 2008, 11:16
this is a bit disturbing, as it is titled as EASY.

don't they use something nice like portage?
Glider 12th February 2008, 11:47
Every crack is easy once you just need to google it ;) But don't jump on the "OMG it's unsafe bandwagon". Script kiddies have next to no chance of breaking in, just because their scripts don't expect a Windows desktop. And then again, how many attacks towards your desktop PC have you got? There are much more interesting targets for crackers than average Joe's porn warehouse.
hawky84 12th February 2008, 11:53
When I said titled as easy I was talking about the eee, not the hack. It should be easy for the user of the system to be able to update any aspect of the system using something like portage, etc.
steveo_mcg 12th February 2008, 12:22
Quote:
Originally Posted by Glider
Can't you just update it?

I believe it uses old repos, so you'd have to do it manually or update to a more modern distro.