4948377 2000-03-28 08:32 /73 rader/ Postmaster Mottagare: Bugtraq (import) <10385> Ärende: Security issues with S&P ComStock multiCSP (Linux) ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-ID: <20000324230903.13640.qmail@msg.net> Date: Fri, 24 Mar 2000 17:09:03 -0600 Reply-To: kadokev@MSG.NET Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: kadokev@MSG.NET To: BUGTRAQ@SECURITYFOCUS.COM Standard & Poor's ComStock (http://www.spcomstock.com/) provides stock quotes and news as a real-time feed on dedicated circuits (ISDN, 56K, T1). ComStock offers a 'Client Site Processor' as a means of receiving their data feed, the MultiCSP I tested against is shipped as a PC running Red Hat Linux 5.1, with version 4.2.4 of 'mcsp', the MultiCSP application software. On January 12th, Standard & Poor, Mcgraw-Hill and ComStock were contacted about the issues detailed below. We have yet to receive any response. I was given access to a brand new MultiCSP unit in early March, and found all of the same issues, with only minor, cosmetic, changes. The MultiCSP system I examined was a textbook example of how NOT to ship a Linux-based 'appliance', with numerous extraneous services enabled, several UN-passworded accounts (including a root-equivalent account), world-writable files, and multiple root holes. It does not appear that there is any effort to update the OS after the machine is deployed at a client site, or to train clients (Most of whom are only familiar with MS-Windows) to update the system. The network connection for the stock quote service is a leased line or other dedicated data feed. The Linux client at customer sites use reserved (private) address space, however the private address space goes through Bay routers on the Concentric network, these routers are Internet accessible. I see no evidence of IP filters anywhere within the network, there is nothing on the Concentric network to prevent leaking of traffic from the 172.23.*.* address space out to the public Internet, or to prevent clients from within the ComStock network forging source IPs on outbound packets, to other clients or to the Internet. The system ships with very weak default passwords for the root account as well as 'support' and 'isdnconfig'. Root can be logged into via telnet. The most obvious root hole on the MultiCSP host is the 'netconfig' account, a UID 0 login with the same password as 'support'. This login goes directly to a menu program. The menu allows for changing the IP addresses, and the ability to edit the MCSP startup script, using the 'vi' editor. The implications are obvious. In March I had access to a newly deployed CSP, and found that the accounts with blank passwords had them set to the (guessable) 'support' password. The new version does not have the menu item for editing the startup script, but has other, equally trivial, opportunities to get a root shell. If you have the misfortune of having a MultiCSP on your network, you have my sympathy. If you can't live without their stock information, It is possible to use the root holes to lock down the box as best you can, then put it behind a firewall with just the CSP TCP port open _inbound_ to the MCSP system from your hosts, or at least a router with equivalent traffic filters. Then pray for the best. Kevin Kadow MSG.Net, Inc. bugtraq@msg.net Copyright 2000 by MSG.Net, Inc, No restriction on redistribution in complete and unmodified form. (4948377) ------------------------------------------(Ombruten)