Public Vulnerability Reports

StarOS Static Private Key Usage Vulnerability

03.29.03

BACKGROUND

StarOS is a wireless networking operating system designed for ISPs. More information about the product is available at http://www.star-os.com.

DESCRIPTION

Valuemount Network Corp.'s StarOS operating system insecurely uses a static secure shell (SSH) private key and salt value across all systems, allowing an attacker to launch man-in-the-middle (MiTM) and high-speed brute-force attacks.

StarOS, also known as Station Router, utilizes the a static SSH private keys, that can be obtained through the analysis of a virtual machine memory dump.

With possession of these keys and physical access to a system running StarOS, an attacker can launch a stealth MiTM attack using a publicly available tool known as SSHarp, which is available at http://stealth.7350.org/7350ssharp.tgz.

StarOS also utilizes the same salt value of "st" when using the function crypt() on passwords. An attacker can exploit this vulnerability in a brute-force attack by generating pre-computed dictionary files, thereby greatly increasing the speed of such an attack.

ANALYSIS

An attacker who can gain access to a network running StarOS can launch a stealth MiTM attack due to the use of a static key. Successful exploitation would allow an attacker to completely compromise the system while completely avoiding detection. An attacker also has the ability to generate a pre-crypted dictionary file to use in a high-speed brute-force attack.

iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.

DETECTION

iDEFENSE has verified the existence of these vulnerabilities in the latest version of StarOS, version 1.10.4rc2 build 2947, dated Dec. 19, 2002. Other versions of StarOS are also suspected to be vulnerable.

VENDOR RESPONSE

This issue has reportedly been addressed in the latest version of StarOS.

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned to this issue.

DISCLOSURE TIMELINE

02/13/2003   Exploit acquired by iDEFENSE
02/25/2003   Initial vendor notification
03/15/2003   iDEFENSE Clients notified
03/29/2003   Public Disclosure

CREDIT

The contributor wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.