7953906 2002-02-02 19:40 +0100  /250 lines/ Jörg Lübbert <Joerg.Luebbert@t-online.de>
Sent by: joel@lysator.liu.se
Imported: 2002-02-06  01:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20838>
Subject: Vulnerabilities in Astaro Security Linux 2.016
------------------------------------------------------------
From: Joerg.Luebbert@t-online.de (Jörg Lübbert)
To: bugtraq@securityfocus.com
Message-ID: <3C5C3288.1030703@kaladix.org>

Preamble:

Product: Astaro Security Linux

Version: 2.016

Vendor: Astaro AG

Vendor URL: http://www.astaro.com

Vendor status and reply: Vendor has been contacted with posting of
this message

Description: Astaro develops and distributes the firewall solution
Astaro Security Linux. Astaro Security Linux offers extensive
protection for local networks against hackers, viruses and other
risks of connecting to the Internet. Astaro Security Linux is
distributed by a worldwide network of partners who offer local
support regarding installation and maintenance.

Introduction: Dear BugTraq readers. I've taken a short glimpse at
Astaro Security Linux and found some points of interest that are
mostly design flaws. Please note that I am theorising (based on 1
1/2 hours of research only) about the impacts and have not proven their
concepts on Astaro Security Linux yet, even though most can be proved
easily.

Some of the vulnerabilities might be local, and some might argue
that Astaro Security Linux is a firewall and not a server... but as it
uses SSHD it could always be that the "loginuser" account has
been compromised and shell access granted.



Vulnerabilities:

Summary:
5 Design flaws
2 Completely theorised design flaws
1 Possible design flaw
1 Licensing violation
1 Software bug



Category 1: Design flaw

Problem 1: Astaro Security Linux chroots various daemons like snmpd
and named in an insecure manner. The proc filesystem is mounted
within their chroot jails. Furthermore the chroot jail entitled
chroot-ipsec provides the proc file system, a bash, ls, cat and most
notably mount.

Impact 1: Arbitrary users could cause severe damage by breaking
named or snmpd remotely and by misusing the proc file system to
reconfigure certain parts of the system configuration under
proc/sys. Furthermore proc/kcore could be read to obtain information
stored in memory which could lead to system administrator
privileges. These could for instance be DES encrypted passwords,
which leads to another design flaw.

Exploit 1: None provided



Category 2: Design flaw

Problem 2: Astaro Security Linux uses the DES algorithm as its standard
hashing scheme. DES has become very old and is known to be easily
crackable with modern processing power.

Impact 2: Arbitrary users who obtain encrypted passwords (see 1)
could retrieve a 6 letter clear-text password within just a few hours
using modern processing power and use it to compromise the system.

Exploit 2: None provided



Category 3: Design flaw

Problem 3: Astaro Security Linux runs most of its daemons with UID 0
privileges. Affected daemons are: named and snmpd. These daemons run
in a chroot jail.

Impact 3: Arbitrary users could remotely crack one of the affected
daemons and use UID 0 powers to compromise the whole file system
even if these daemons run in a chroot jail.

Additional note 3-1:
The main design flaw lies in the fact that these daemons run as UID 0 within a
chroot jail. The daemons themselves are not the design flaw (even though
BIND 8.2.3 can be considered old).

Additional note 3-2:
Other daemons with UID 0 are syslogd, klogd, mdw_daemon.pl, cron, aua 
and sshd. VPN subsystem, SQUID and others haven't been checked by me.

Exploit 3: None provided



Category 4: Possible design flaw

Problem 4:
OpenSSL PRNG Internal State Disclosure Vulnerability

Impact 4:
Please see: http://www.securityfocus.com/bid/3004

Exploit 4: None provided

Additional note 4:
It was NOT tested if the version of OpenSSL (0.9.6) used in Astaro 
Security Linux is a security-patched version of OpenSSL 0.9.6 since no 
sources were provided (5)



Category 5: Licensing violation

Problem 5: Astaro AG releases software packages without providing
their sources and modifications to them as required in §3 of the GNU
GPL and does not seem to offer distribution of GPL sources for free
within a 3 year period in a written form.

Additional note 5:
I have not checked every available documentation for a written form of 
an offer as described in GNU GPL §3 b but only their license (which 
should normally contain just that) and CD-ROM contents.



Category 6: Design flaw

Problem 6:
Astaro Security Linux has a default limit for simultaneous processes
of 8190 soft and 8912 hard and its default cpu-time is "unlimited".

Impact 6:
Arbitrary users with local access (loginuser) can easily launch fork 
bombs to consume 100% CPU power and stop the system from operating.

Exploit 6: None provided



Category 7: Completely theorised design flaw

Problem 7:
Astaro Security Linux uses a very old version of PAM (0.70 dated
09.10.1999) which may contain vulnerabilities.



Category 8: Design flaw

Problem 8:
/proc/version indicates "Linux version 2.4.8-asl-0.010815.0", which 
indicates the 2.4.8 version of the Linux kernel that contains some 
security vulnerabilities. Additional information on possible 
vulnerabilities can be found here:

http://www.securityfocus.com/bid/3570
http://www.securityfocus.com/bid/3418
http://www.securityfocus.com/bid/3444
http://www.securityfocus.com/bid/3505

Impact 8: Various, see above URLs.

Exploit 8: None provided

Additional note 8:
Due to absence of source code it could not be proved if this kernel is 
patched against the security issues mentioned above.



Category 9: Completely theorised design flaw

Problem 9: Astaro Security Linux seems to rely on an old version of
glibc according to ls -l /lib/libc*.

Output: -rwxr-xr-x   1 root     root      1080268 Sep 15  2000 libc.so.6

If my assumption is correct and the version used was not patched, it 
could be possible that the system is vulnerable to a "glibc file 
globbing heap corruption vulnerability". For more information please 
see: http://www.securityfocus.com/bid/3707

Impact 9: See URL above

Exploit 9: None provided



Category 10: Software bug (OT for Bugtraq, still included ;)

Problem 10: During installation one can choose to install OpenSource
software only or OpenSource software and the so-called Astaro Security
Enterprise Toolkit. When only "OpenSource" was chosen, the installer
locks up after entry of the last password (I think this was for lilo).
If my assumption is right (that a lilo password is asked for) then no
lilo password will be set even though the Enterprise Toolkit was
selected and the installation finished successfully.

Additional note 10:
System tested on was 800MHZ Duron, 128MB RAM, 20GB Maxtor HD, 52X 
CD-ROM, 3X RTL 8139.



Final words:

Conclusion, a final word to the Astaro AG: So much about a "Security
Linux"... You may have done the firewalling and the configuration
interface of your product really well... but you should also read some
articles on what could be considered more internal security and work
on your products some more.

Disclaimer: None of the information provided is meant to aid any
destructive purposes. I will furthermore take no responsibility for
that anyone will use the information provided for his or her own
malicious purposes. This information is intended to aid in improving
the current state of Astaro Security Linux, warn companies and
individuals who run Astaro Security Linux and should help other
designers of Linux distributions to avoid flaws like the ones
elaborated on above. Please also note that I am in no way affiliated
with Astaro AG or any of their 3rd party affiliates or want to harm
Astaro AG and/or their customers.



- Jörg Lübbert (aka Kaladis)

-- 
Kaladix Linux - The Secure Linux Distribution
URL: http://www.kaladix.org
(7953906) /Jörg Lübbert <Joerg.Luebbert@t-online.de>/(Reflowed)
7959512 2002-02-06 20:43 +0100  /76 lines/ Markus Hennig <mhennig@astaro.com>
Sent by: joel@lysator.liu.se
Imported: 2002-02-06  22:58  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20850>
Subject: Astaro Response: Vulnerabilities in Astaro Security Linux 2.016
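The checks a defender would run for Problems 1, 2, 3 and 6 of the advisory above, as an added example that is not part of the original post and not Astaro's own code. Everything it operates on is constructed sample data: the chroot paths (/chroot/named, /chroot/ipsec, /chroot/squid), the user names and password hashes, the mount lines, and the limits.conf fragments. The "uid root command" process listing is an assumed intermediate format (what one would collect from /proc/<pid>/status and readlink /proc/<pid>/root), not the output of any particular tool.

```shell
#!/bin/sh
# Audit helpers for the points raised in Problems 1, 2, 3 and 6 above: proc
# mounted inside chroot jails, DES crypt(3) password hashes, UID 0 daemons in
# chroots, and no process cap for the shell account. Example code, not from the
# advisory or from Astaro; all sample data below is constructed.

# Classify one /etc/shadow entry by the prefix of its hash field. Classic DES
# crypt(3) has no '$' prefix: 13 characters from the [A-Za-z0-9./] alphabet
# (2-character salt + 11-character hash), covering only the first 8 characters
# of the password, which is why it is the weakest scheme here.
hash_scheme() {
    hash=$(printf '%s' "$1" | cut -d: -f2)
    case "$hash" in
        '')                       echo "empty" ;;
        '!'*|'*'*)                echo "locked" ;;
        '$1$'*)                   echo "md5" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo "bcrypt" ;;
        '$5$'*)                   echo "sha256" ;;
        '$6$'*)                   echo "sha512" ;;
        *[!A-Za-z0-9./]*)         echo "unknown" ;;
        *)  if [ "${#hash}" -eq 13 ]; then echo "des-weak"; else echo "unknown"; fi ;;
    esac
}

# Print the accounts whose shadow entry still uses DES crypt (Problem 2).
# stdin: /etc/shadow-style lines.
weak_hash_users() {
    while IFS= read -r line; do
        if [ -n "$line" ] && [ "$(hash_scheme "$line")" = "des-weak" ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# "yes" if a proc filesystem is mounted anywhere beneath the given chroot
# directory (Problem 1), else "no". stdin: /proc/mounts-style lines
# ("device mountpoint fstype options 0 0").
proc_in_chroot() {
    awk -v root="${1%/}/" '
        $3 == "proc" && index($2, root) == 1 { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# List daemons running as UID 0 with a root directory other than "/"
# (Problem 3). stdin: one process per line as "uid root command".
root_daemons_in_chroot() {
    awk '$1 == 0 && $2 != "/" { print $3 }'
}

# "yes" if a pam_limits (/etc/security/limits.conf) listing on stdin sets a
# numeric hard nproc cap applying to the given user, else "no" (Problem 6:
# with an unlimited process count a fork bomb can wedge the box).
nproc_limited() {
    awk -v user="$1" '
        $1 ~ /^#/ || NF < 4 { next }
        ($1 == user || $1 == "*") && $2 == "hard" && $3 == "nproc" && $4 ~ /^[0-9]+$/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# --- constructed sample data; no real system behind any of these values ---
SAMPLE_SHADOW='root:saFAKEDEShash:11000:0:99999:7:::
loginuser:$1$fakesalt$FAKEFAKEFAKEFAKEFAKEFA:11000:0:99999:7:::
admin:$6$fakesalt$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::'
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
none /proc proc rw 0 0
none /chroot/named/proc proc rw 0 0
none /chroot/ipsec/proc proc rw 0 0'
SAMPLE_PROCS='0 /chroot/named named
0 / sshd
25 /chroot/squid squid'
WEAK_LIMITS='# constructed: mirrors a default with no nproc cap at all
*  soft  core  0'
HARD_LIMITS='# constructed hardened fragment for the shell account
loginuser  hard  nproc  50
loginuser  hard  cpu    10'

echo "== accounts with DES password hashes =="
printf '%s\n' "$SAMPLE_SHADOW" | weak_hash_users
echo "== proc mounted inside /chroot/named? =="
printf '%s\n' "$SAMPLE_MOUNTS" | proc_in_chroot /chroot/named
echo "== UID 0 daemons inside a chroot =="
printf '%s\n' "$SAMPLE_PROCS" | root_daemons_in_chroot
echo "== loginuser nproc capped (default / hardened)? =="
printf '%s\n' "$WEAK_LIMITS" | nproc_limited loginuser
printf '%s\n' "$HARD_LIMITS" | nproc_limited loginuser
```

On a live box the same functions would be fed /etc/shadow, /proc/mounts, a process listing built from /proc, and /etc/security/limits.conf. The hash classifier deliberately reports anything that is 13 crypt-alphabet characters as DES rather than trying to validate it, because from a defender's view the prefix is all that matters: a `$1$`, `$5$` or `$6$` entry is the fix for Problem 2, and a proc mount or a UID 0 process whose root is not "/" is exactly what Problems 1 and 3 describe.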
------------------------------------------------------------
From: "Markus Hennig" <mhennig@astaro.com>
To: <bugtraq@securityfocus.com>
Message-ID: <522A69BCBAD4D543B1638679965FBCA937D70E@exchange.intranet.astaro.de>

Hi,

Thank you for the testing; we will fix the relevant issues in Up2Date
2.021, which will be out really soon. All Astaro users please note
that some of the mentioned issues are pretty theoretical and none of
them contain any remote vulnerabilities.

Best Regards,
Markus

> -----Original Message-----
> From: Jörg Lübbert [mailto:Joerg.Luebbert@t-online.de]
> Sent: Saturday, February 02, 2002 7:40 PM
> To: bugtraq@securityfocus.com
> Subject: Vulnerabilities in Astaro Security Linux 2.016
(7959512) /Markus Hennig <mhennig@astaro.com>/(Reflowed)