Bugtraq mailing list archives
Re: SCO World Script Vulnerabilities
From: joe () GONZO BLARG NET (Joe)
Date: Thu, 12 Nov 1998 13:59:46 -0800
And if anyone would like to know what he -really- said, in context, read the article online at: http://www.scoworld.com/html/body_aug98net.html

Ben:

The set-up described there is fairly secure. (Although I'd use ssh/scp instead of the r_services). The .rhosts files allow "webserver" to log in from only 1 machine on the INTRA-net, from one specific IP address, which is protected (presumably) by a firewall. To top it off, the "webserver" user has no valid shell or password so anyone that gets into the account isn't going to be going anywhere with it.

I don't see this as being anything different than having a root window open on your desktop, with ssh installed on all your machines. (Someone sits down, ssh's to another machine and *poof*, they're root.) In fact, it's more secure since user "webserver" was only given enough permission to monitor rudimentary files. Granted, some of the information in those files may allow an intruder to gain further access but if they're sitting at the administrator's machine they've already got that.

Since the CGI is being accessed by the system administrator, your remark about the "user" being able to plug in any host name is plain silly. If they've got access to the CGI you're ALREADY compromised. Besides, from the shell I've got MORE than enough rope to hang myself. If I'm trying to administer a remote machine over the web I want that same length of rope.

I'll grant you this much: It's not going to be the most secure setup in the world, and I'd much prefer netconsole/nocol, but as described the setup in that article is nowhere near as bad as your analysis implied.

--
Joe H.
Technical Support
General Support: support () blarg net
Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net

On Wed, 11 Nov 1998, Ben Laurie wrote:
I don't use SCO any more (well, I can give it up any time, honest), but I still get their mags. So, this morning I was leafing through SCO World, August '98 and September/October '98. Therein we find "Nuthin' but Net", "Administering Your System via the Web" by Jim Mohr. This suggests so many really Bad Things it is difficult to know where to start, but here goes.

1. First, set up .rhosts on all your servers, so the webserver can log in and do stuff.

2. Let the user specify the server name as a CGI parameter. Any name they like.

3. Now, using perl, pass that name, unvetted, to rsh like so:

    open(MSG,'rsh '.$server.' other stuff');

Wonderful. I wonder if we can find a SCO server running this stuff?

Oh, BTW, here's a particular gem I shall treasure forever: "Lowering security to make Web access easier is less of a problem". Yeah, right!

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben () algroup co uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
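
As an added example (not code from the article or from either poster): one way a Perl CGI could vet the server parameter before it reaches rsh, using an exact-match allow-list and a list-form open so that no local shell parses the name. The host names, the `uptime` command and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allow-list: the only hosts this CGI may contact (hypothetical names).
my %ALLOWED = map { $_ => 1 } qw(web1.intra.example db1.intra.example);

# Build the argument vector for the remote call, or return an empty list
# when the requested name is not acceptable.
sub remote_argv {
    my ($server) = @_;
    return unless defined $server;
    # Syntax gate: hostname characters only, starting with an alphanumeric,
    # so shell metacharacters, whitespace and option-like names never pass.
    return unless $server =~ /\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/;
    my $host = lc $server;
    # Policy gate: exact match against the allow-list.
    return unless $ALLOWED{$host};
    # 'uptime' is a stand-in for the article's "other stuff".
    return ('rsh', $host, 'uptime');
}

# List-form pipe open: the program is executed directly with these
# arguments, so no local shell ever parses the host name.
sub run_remote {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!";
    my @out = <$fh>;
    close $fh;
    return @out;
}

# Constructed sample values for the CGI "server" parameter.
for my $name ('web1.intra.example', 'DB1.intra.example',
              'other.example', 'web1.intra.example; uptime', '-l') {
    my @argv = remote_argv($name);
    printf "%-28s %s\n", $name, @argv ? "accept: @argv" : 'reject';
}
```

The demonstration loop only prints the accept or reject decision; `run_remote` is what a real handler would call with the accepted argument vector.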