Promise VTrak M500f/Support Case Log

From fakedWiki
Revision as of 13:15, 5 August 2011 by Jan (talk | contribs)
Jump to: navigation, search

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Template:Quote

Request:- 3rd August 2011 at 3:56 {{Quote|Please read the previous conversation, i got it when the / partition was full the last time. serial console, et voilá. As you should see from the logs, the most recent firmware version is installed, i did that somewhen this year.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:8 {{Quote|Did the problem start after the firmware update? It is obvious that firmware code is damaged. The possible solution could be to re-flash the controller.

Request:- 3rd August 2011 at 4:22 {{Quote|I'm not really sure if you understood what i said, the issue it that the / partition is being filled up with the php-error.log because there's badly written PHP code in the webinterface. That, or a not-so-optimal setting for error reporting. To me it's no surprise that the CLI bails out and drops me to a root shell when it rans out of resources. To answer your question, the problem existed before the update, that's why i updated the firmware - but now i know it's not a problem with the controller firmware, but rather with the webinterface.

Please, read my previous messages!

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:29 {{Quote|I did carefully study your previous messages and I just need to ask you some additional questions to understand what is wrong with system. It really looks like that controller of the system is deffective and needs to be replaced. You mentioned that you got a message that /tmp is full. I assume, that message was in browser, right? Can I see the full error message?


Request:- 3rd August 2011 at 4:32 {{Quote|Yes, that message was in the browser, but i don't have it anymore, because i purged the logfile in islavista. i'm about to try to force it to fill up again, let's see if this is exploitable ... islavista over telnet, without authentication, would be pretty serious.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:47 {{Quote|I assume that system has hardware problem that generates this logfile. In the event log there are many HDD timeouts and resets. So are you able to run the web management now?

Request:- 3rd August 2011 at 4:53 {{Quote|Okay, you didn't read my messages. It's not the hardware. I'm really considering doing a Full Disclosure now. Potential remote root access via Telnet should be made public, if you're not willing to understand the very simple issue that causes this.

(But, to be polite and answer your question: Yes, i can access the web management, AFTER GETTING ROOT ACCESS and freeing up some space manually.)

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 4:59 {{Quote|I understand you very well. The fact is that with healthy system you absolutely should not get the root access and being able to manipulate with file system. And device has very serious problem if you can do this. In addition, there are unhealthy messages in the event log of the subsystem.

It is not nessesary to open the telnet session. The controler of the system must be replaced.

Request:- 3rd August 2011 at 5:6 {{Quote|Are you kidding me? Are you fucking kidding me? Please, go through my messages and tell me what i wrote that is causing the / partition to fill up, because if you don't, i'll hit "publish" and make this open to the public. You didn't even understand what i want to use Telnet for, did you? I will use Telnet to see if i can get the islavista shell even via network, instead of only via the serial console, to make this "root exploit" a "remote root exploit".

Please, look up "Full Disclosure" on Wikipedia.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 5:12 {{Quote|Dear Jan,

I am not going to continue the conversation unless you will change your way of talking. I just can repeat you one more time, you should not even know the word "islavista" related to this device. You need a new controller.

Request:- 3rd August 2011 at 5:17 {{Quote|We could have sorted this out nice and easy, if you would have understood the basic problem that has nothing to do with any piece of hardware at all, but only with your sub-par PHP code and configuration.

I'll call your marketing dept, let's see what they say about this vulnerability. If you have any stock options with Promise, better sell them off quickly.

Date of closure: 8/3/2011 5:19:08 AM Reason for closure: Customer refuses the solution and suggested to sell Promise stocks.

Request:- 3rd August 2011 at 5:35 {{Quote|You didn't even understand THAT: i don't need a solution, i really don't care about this storage, it's just an old backup, long out of warranty, not really used for anything serious.

but YOU need a solution, and that's how to fix this vulnerability in YOUR storage firmware.

ah, fuck it, you won't understand it anyway.

Response By:- Sergiy Voskoboynikov 3rd August 2011 at 6:5 {{Quote|We do appreciate that you found a problem with our system. This system is already discontinued and we do not plan the updates. However, I will pass this information to our developers.

Thank you. Date of closure: 8/3/2011 5:38:14 AM Reason for closure: Closed by the user, since the error does not exist any more !

Response By:- Joris Piepers 3rd August 2011 at 6:26 {{Quote|Customer will disclose the exploit on the internet as this is a security gap.

Response By:- Joris Piepers 3rd August 2011 at 6:27 {{Quote|as this is a exploit.

Response By:- Joris Piepers 3rd August 2011 at 7:20 {{Quote|Hello Jan Grewe,

Can you please disclose the website where you are going to disclose this info?

Request:- 3rd August 2011 at 7:29 {{Quote|Hi Joris,

i will first publish it on my own domain and then send the link/post it to the Full Disclosure mailing list and probably also others on SecLists.Org

cheers, Jan

Response By:- Sergiy Voskoboynikov 5th August 2011 at 0:9 {{Quote|Dear Jan,

Could you share with us what exactly are you going to publish?

Request:- 5th August 2011 at 2:16 {{Quote|Hi Sergiy, i'm still working on the full analysis of the M500f's firmware, so i can apply it to the firmware for other of your devices, but here's my progress to far: http://faked.org/wiki/Promise_VTrak_M500f

In theory that should be enough proof for everybody to reproduce the results, but i want to make this watertight: could you point me to where the mtdblocks that get mounted to /islavista/[conf+fw+sw] come from, and where i can find the file "update.sr3"? Thanks!

Response By:- Sergiy Voskoboynikov 5th August 2011 at 3:14 {{Quote|Hi Jan,

Now you're more specific. We could more constructive dialog from the beginning. I will need to perform some tests and I will contact you again with the results.

As for information that you ask, I could not provide it to you now because this information is confidential.

Request:- 5th August 2011 at 3:30 {{Quote|Well, we could have gotten there a lot faster and easier if you wouldn't have tried to convince me that this is because of faulty hardware - which i pointed out to you multiple times by telling you to read my previous messages.

How about we start now with the "constructive dialog", for example by you giving me the information i need, because sooner or later i will find out myself, and of course i'll make that information available to others because you don't do. Now if i wouldn't have to find out myself how to get them, but just get them, there's nothing i could publish, right?

On a sidenote, where do you provide the sourcecode for your firmware? As you're using GPL licensed code, you MUST release the corresponding source code, in case you didn't know... a good starting point: http://gpl-violations.org/faq/vendor-faq.html

Retrieved from "https://wiki.faked.org/index.php?title=Promise_VTrak_M500f/Support_Case_Log&oldid=330"