[Roberto] recently discovered a clever way to gain root access to an HP t520 thin client computer. These computers run HP’s ThinPro operating system. The OS is based on Linux and is basically just a lightweight system designed to boot into a virtual desktop image loaded from a server. [Roberto’s] discovery works on systems that are running in “kiosk mode”.
The setup for the attack is incredibly simple. The attacker first stops the virtual desktop image from loading. Then, the connection settings are edited. The host field is filled with garbage, which will prevent the connection from actually working properly. The real trick is in the “command line arguments” field. The attacker simply needs to add the argument “&& xterm”. When the connection is launched, it will first fail and then launch the xterm program. This gives the attacker a command shell running under the context of whichever user the original software is running as.
The next step is to escalate privileges to root. [Roberto] discovered a special command that the default user can run as root using sudo. The “hpobl” command launches the HP Easy Setup Wizard. Once the wizard is opened, the attacker clicks on the “Thank You” link, which then loads the HP website in a version of Firefox. The final step is to edit Firefox’s default email program association to xterm. Now when the attacker visits an address like “mailto:email@example.com”, Firefox (running as root) launches xterm with full root privileges. These types of attacks are nothing new, but it’s interesting to see that they still persist even in newer software.
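The first half of that chain works because the launcher hands the user-editable “command line arguments” field to a shell, which treats “&&” as an operator. The Python below is an added illustration, not code from the original post or from HP’s ThinPro: it puts a launcher written in that style next to one that execs the client directly from an argv list and allowlists the options it will accept. The allowlist patterns are assumptions of the example, and `echo` stands in for the real connection client so the code runs offline.

```python
"""Added example (not from the original post or from HP's ThinPro): two ways a
connection launcher can pass a user-editable "command line arguments" field to
the client binary. The first reproduces the flaw described above, where '&&'
in that field runs a second program; the second never involves a shell and
rejects anything that is not a plain option."""
import re
import shlex
import subprocess

CLIENT_BINARY = "echo"  # constructed stand-in for the thin client's connection program

# What a legitimate option in the arguments field may look like: a dash-prefixed
# word, optionally with a =value made of safe characters. Anything else (shell
# operators, quotes, bare words) is rejected. This allowlist is an assumption of
# the example, not ThinPro's actual policy.
OPTION_RE = re.compile(r"^--?[A-Za-z0-9][A-Za-z0-9-]*(=[A-Za-z0-9._:/-]+)?$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def launch_vulnerable(host: str, extra_args: str) -> str:
    """The pattern the write-up describes: host and arguments are glued into a
    single string and handed to /bin/sh. The shell interprets '&&', so a field
    value such as '&& xterm' launches xterm after the connection attempt fails."""
    cmd = f"{CLIENT_BINARY} {host} {extra_args}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def validate_args(extra_args: str) -> list:
    """Split the field the way a shell would tokenize it, then accept only
    tokens that match the option allowlist. Raises ValueError otherwise."""
    tokens = shlex.split(extra_args)
    bad = [t for t in tokens if not OPTION_RE.match(t)]
    if bad:
        raise ValueError(f"rejected argument(s): {bad}")
    return tokens


def launch_hardened(host: str, extra_args: str) -> str:
    """Hardened form. No shell is involved: the client is exec'd directly with
    an argv list, so even an unvalidated '&&' would reach the client as a
    literal string rather than a shell operator. The allowlist on top of that
    keeps junk out of the client entirely."""
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    argv = [CLIENT_BINARY, host] + validate_args(extra_args)
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # The shell-based launcher runs the second command; the argv-based one refuses the field.
    print(launch_vulnerable("garbage", "&& echo INJECTED"), end="")
    print(launch_hardened("garbage", "--fullscreen"), end="")
    try:
        launch_hardened("garbage", "&& echo INJECTED")
    except ValueError as exc:
        print("hardened launcher:", exc)
```

The important change is the argv list, not the regex: once no shell parses the string, “&&” cannot start a second process regardless of what the user types. The allowlist is a second layer that keeps unexpected tokens from reaching the client at all, which matters if the client itself has options that spawn helper programs.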
While watching his thin client boot up, [Nav] noticed that it’s using some type of Linux kernel. He wondered if it were possible to run a full-blown desktop distribution on the device. After a little poking around, he got a Debian desktop distribution running on a thin client.
The hardware he’s working with is an HP t5325. It’s meant to be a dumb client, connecting to a backend machine like a Windows Terminal Server or via SSH. But it’s got a 1.2 GHz ARM processor, and [Nav’s] preliminary investigations revealed that it’s running a version of Debian for ARM. He used CTRL-C during the boot sequence to derail that process and drop him into a shell. The login was easy enough to guess, as the username and password are both ‘root’.
Once he had that root access, it was slash-and-burn time. He got rid of the HP-specific setup and made way for additional Debian modules like the apt system. This isn’t trivial, but he’s worked out a bunch of sticking points, which makes the process easier. With the repository tools loaded you can install Xserver and Gnome for a full-blown desktop on the embedded hardware.
[Bissinblob] has about 70 of these WYSE 3125SE thin clients and is offering them up at $15 apiece plus shipping. That’s quite a steal!
The specs are as follows:
- NS Geode GX1 core (SC2200) 266 MHz
- Flash 32MB
- RAM 64MB
- Video 1280×1024(at 8-bit color), 1024×768 (at 16-bit)
- 10/100 network
- 3x usb
- 1x serial
- 1x parallel
- 2x PS/2
Be sure to let us know what you’re doing with them if you happen to get one. If you have something lying around that needs to go, feel free to post it on our classifieds.
[David Cranor], along with [Max Lobovsky’s] help, managed to build a thin client that uses an NTSC television as a monitor for only $6. This is his first foray into the world of ARM architecture, and he has vowed to never use an AVR again. The powerful little chip uses timers to manage sync and DMA to transfer the full 480×240 frame buffer to the screen. Overclocked to 80 MHz, there’s a lot of potential in this little board, and he plans to take on the challenge of a full-color display for his next trick.
[Jim] was the happy recipient of 11 non-working Itona VXL thin clients. The units he received had 800 MHz CPUs with 256 MB of RAM and 256 MB of storage. None would power up. Upon internal inspection, he found a common theme: leaky, bulging capacitors in the power supplies. Since these came with custom 50 W power supplies, he opted to simply replace the caps instead of replacing the supplies themselves. Now he has 11 fully functional units. There are great pictures and lots of info on his site, but what he doesn’t talk about is what he’s going to do with them.
Why don’t you pop on over to our Hacker Q&A and tell us what you would do with them.
Routers aren’t just for routing network traffic anymore. With the help of alternative operating systems such as DD-WRT, Tomato, and OpenWrt, routers are now extremely customizable and can be utilized to suit a number of needs. The main issue with projects built around routers is the need to telnet or SSH into them to get to a console. [Sven Killig] came up with a useful solution that uses the USB ports available on an Asus router to display video on a DisplayLink device, allowing a user to sit down and use the router as though it were a physical terminal. This would be a good DIY alternative to commercially available routers that display network graphs, system information, incoming email, and other data.