Saturday, December 13, 2008

Xandros Insecure At Heart

Who hasn't heard of the EEE laptops? Well, for those of you not in the know there are some nice, cheap, and incredibly small laptops called EEE. These things, by default, run a strange linux OS called Xandros. I have had the extreme displeasure of using this thing.

I was at Best Buy when I first got to use an Asus and the Xandros operating system. It first seemed like a kids toy to me as there was no way for me to access the desktop. I only got giant pictures and menus to navigate through. This made me very annoyed as I used the opened Mozilla browser as a shitty file browser (file:///). Well, until I actually had found the file browser application that I could use (which I didn't like at all, this thing has midnight commander, yet they decided to use a file browser which was a pain to do certain small tasks). This wasn't very helpful as I could not figure out how to open up a simple terminal! All I really wanted to do was check out some of the specs and binaries this thing had, but the child-like interfaces were really hard to find my way through. So, I made a shell script and opened it with bash (created a file using the file browser and then manually had to make it open /bin/bash). Finally, I had access to a shell!

After a bit of looking around at strange things, like certain design choices that they seemed to not have supported, or at least in this version. I decided I wanted to look a little more at the internals of how this thing works. One problem, I had to get root to be able to get all the information I'll be wanting. Well, this whole process took about 5 minutes for me to gain root access. I first issued su and tried guessing the password. That was to no avail so I tried to sudo /bin/bash hoping "user" (yes, default name) was a sudoer. Confused at the whole # prompt, I had to re-assure myself that I wasn't dreaming so I issued a whoami. Staring me in the face was the word, "root". No way, this couldn't be THAT horrible at security. After a bit of talking with my friend online (took place outside of Best Buy) I found that the sudoers file was any user with no password by DEFAULT. With a little bit of research I came to an even worse reality about Xandros, if you modified the sudoers file it would have a problem booting! So, by default, you can issue any command as root without needing a password and you have to have incredible technical skills in order to fix this serious problem?!

I thought that maybe that was all, but others had told me about more problems with this OS. One good example being the user is called "user" no matter what and you can't change it. How ridiculous! This thing is going to be the easiest thing to get into ever!

End result, the EEE machines would be awesome if Xandros did not come on it. Get one if you want, but make sure to change the operating system for both sanity and security's sake.

No comments: