Bugtraq mailing list archives

Re: Sol2.x Mouse EXPLOIT info - CORRECTION


From: cklaus () shadow net (Christopher Klaus)
Date: Tue, 17 Jan 1995 21:22:25 -0500 (EST)



Why ifconfig never shows up PROMISC flag on 2.X, even if it *is* in PROMISC
mode ? 

Sun has already acknowledged that their interface drivers do not support
a promisc flag and it will be a while before it is incorporated (if ever?).
HP-UX is the only Unix vendor that I think does not use a
promiscuous interface.  If you are relying on ifconfig to test for
sniffers, many intruders already replace ifconfig.  A decent solution
that more vendors should incorporate is S/key, which will stop much of the
compromising due to sniffed passwords.


What's up with a "+" in /etc/hosts.equiv in Solaris 1.1.2 aka 4.1.4, or

Here is an example of a well known vulnerability that everyone has complained
about once and it still persists after how many years?


Why DEC ships off Ultrix 4.X with a weirdo /.rhosts which contains --
"#       @(#).rhosts     8.1     Ultrix  9/18/92"  (taken out of 4.4 ult)

The same problem exists where the vendor has shipped or the admin has added #
comments to hosts.equiv.  It's easy for an intruder to change the hostname
to # and then he is assumed to be coming from a trusted site.

Why can't you make mountd on Ultrix 4.X reject mount requests from 
non-privileged ports? turning on "nfsportmon" in the kernel doesn't
quite do the job properly. Things that make you go hmmm...

Install a good portmapper so that remote hosts can't easily find what port
mountd is on.  A better solution is to make sure that your routers kill
all NFS packets from remote nets.  

-- 
Christopher William Klaus       Voice: (404)518-0099. Fax: (404)518-0030
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA. 30350-2450.
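
An added example, not part of the original message: a small Python audit of hosts.equiv/.rhosts content for the two entries discussed above, a bare "+" and a "#" line. The sample file is constructed (only the Ultrix "#" line comes from the message), the function name and issue labels are hypothetical, and it assumes, as the message states, that the r-services parser reads a "#" line as a host entry rather than a comment.

```python
"""Audit hosts.equiv / .rhosts content for wildcard and '#' trust entries."""

# Constructed sample file; only the first line is taken from the message.
SAMPLE_RHOSTS = """\
#       @(#).rhosts     8.1     Ultrix  9/18/92
trusted.example.com
+
backup.example.com +
+@admins

-badhost.example.com
"""


def audit_trust_file(text):
    """Return a list of (line_number, issue, offending_token) tuples.

    Issue labels are hypothetical names chosen for this example.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # blank line, nothing is trusted
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("#"):
            # Assumption from the thread: no comment syntax exists, so the
            # first token of a "comment" is matched as a trusted host name.
            findings.append((lineno, "comment-read-as-host", host))
        elif host == "+":
            # A bare "+" trusts every remote host.
            findings.append((lineno, "any-host-wildcard", host))
        if user == "+":
            # "+" in the user field trusts every user on the named host.
            findings.append((lineno, "any-user-wildcard", user))
        # "+@netgroup" and "-host" entries are scoped, so they are not flagged.
    return findings


if __name__ == "__main__":
    for lineno, issue, token in audit_trust_file(SAMPLE_RHOSTS):
        print(f"line {lineno}: {issue}: {token!r}")
```

Run it against the text of each /etc/hosts.equiv and each user's .rhosts; any finding means the file grants trust more widely than its listed host names suggest.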


