[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] some distros for Raspberry Pi have sshd enabled and default logins.

To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] some distros for Raspberry Pi have sshd enabled and default logins.
From: larry Cashdollar <larry0@xxxxxx>
Date: Sat, 04 Aug 2012 00:36:24 +0000 (GMT)

<html><body><div><pre>Vapid Labs
Larry W. Cashdollar
8/2/2012


Since a some RaspberryPi users maybe unaware of the security implications of 
sshd I thought I should just make a note of some issues.

RaspberryPi image Occidentalis v0.1

>From the site:<br><br>"Adafruit &lt;3 Raspberry Pi - especially how easy it is 
>to hack circuits using the electronics breakout pins! But sadly, the latest 
>official <br>distro "July 15 Raspbian Wheezy" did not have many of the 
>delicious hackables built in. That's why we decided to roll our own 
><br>distribution. 

Our distro is based on "Wheezy" but comes with hardware SPI, I2C, one wire, and 
WiFi support for our wifi adapters. It also has <br>some things to make overall 
hacking easier such sshd on startup (with key generation on first boot) and  
Bonjour (so you can simply <br>ssh raspberrypi.local from any computer on the 
local network)"

Enables ssh by default but doesn't prompt user to change root &amp; pi account 
passwords. 

http://learn.adafruit.com/adafruit-raspberry-pi-educational-linux-distro/occidentalis-v0-dot-1

Arch Linux ARM

"Arch Linux ARM is based on Arch Linux, which aims for simplicity and full 
control to the end user. Note that this distribution may not <br>be suitable 
for beginners."

Default login of root/root with sshd enabled, doesn't prompt to change password.

http://downloads.raspberrypi.org/images/archlinuxarm/archlinuxarm-13-06-2012/archlinuxarm-13-06-2012.zip

If your going to enabled sshd by default please prompt the user to change the 
default password upon first boot. If your going to connect <br>these PIs to a 
network be sure to use secure 
passwords.<br><br><br>http://vapid.dhs.org/advisories/raspberrypi_image_security.txt<br><br></pre></div></body></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] some distros for Raspberry Pi have sshd enabled and default logins.
  - From: rancor

Prev by Date: [Full-disclosure] ZDI-12-135 : Apple QuickTime JPEG2k Sample Size Atom Remote Code Execution Vulnerability
Next by Date: [Full-disclosure] [ MDVSA-2012:123 ] libreoffice
Previous by thread: [Full-disclosure] ZDI-12-135 : Apple QuickTime JPEG2k Sample Size Atom Remote Code Execution Vulnerability
Next by thread: Re: [Full-disclosure] some distros for Raspberry Pi have sshd enabled and default logins.
Index(es):
- Date
- Thread