Out of the Box, the ASUS Eee PC is Incredibly Insecure

HDM pointed out on the Metasploit blog that the guys from RISE Security rooted an ASUS Eee PC quite easily. They used Metasploit to exploit a Samba vulnerability that was published in July 2007 – almost seven months ago.

Why is ASUS shipping new products with vulnerabilities that are serious enough to allow attackers to gain root access through commonly used security tools such as the Metasploit Framework?

Carl at CandyFOSS doesn’t think this could realistically be exploited, but I’m not so sure.

I’ve searched all over ASUS’s support website, and have not found a downloadable patch for this problem. One of my school districts just ordered 60 Eee PCs, and you can rest assured there’s no way I’m letting these devices out of the box until I can find a fix.

Anyone out there who has one of these machines, can you confirm if there is a patch that is automatically installed through the update process to address this vulnerability?

The ISC has a brief write-up of additional information the Eee PC reveals in its default configuration.
