Bugtraq mailing list archives

(no subject)


From: joewee () MONKEY ORG (Ejovi Nuwere)
Date: Tue, 9 Nov 1999 15:59:02 -0500


Rob,

w00w00 was planning on addressing this issue, but I just can't control the
urge to speak...

So if I understand correctly, F5 has made many improvements to the
security of BigIP. Now was adding a second account with uid 0 without the
knowledge of the user part of that plan?

support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

This is blatantly bad security practice; every BigIP box I have come
across has this account. Not only did you add a shell account, but you did
the same for the browser configuration tool:

bigip1:~# cat /var/f5/httpd/basicauth/users
admin:MdA00w00w
support:_J9..1fnHY9nqgjRyOV2
bigip1:~#

Now, I know what you're going to say. "It doesn't matter because of
restrictions in sshd_config" BUT! Remember this is a unix machine with a
unix user, I have a few people in the office who would rather allow ANY
location to connect to every box on the network, do you see where I'm
going with this? It isn't that far fetched.

I place load balancers in the router category, and anything in that

bigip1:~# ls -la /usr/bin/rlogin
-r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
bigip1:~#

category should be stripped down, to only core tools.

I say this in closing:
-r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
support:_J9..1fnHY9nqgjRyOV2
support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

w00giving: w00w00 pronounced wu-wu : ADM

joewee.

PS: BigIP is by far the best load balancer in the industry. I love it.

Guy is discussing an issue that affects older versions of BIG/ip.
As he points out, the risk is from internal users.  In older versions
of BIG/ip, there is effectively only one user and that user has root
privileges.  That user could execute commands as root through a shell
escape in our web-based user interface.

As of Version 2.1, this is no longer possible.  The current version
of BIG/ip is 2.1.2.  The software update is available for free over
the net to all customers with support contracts.

In Version 2.1, in response to customer feedback, we removed the shell
escape capability and also changed to multiple user levels in the
web-based user interface.

BIG/ip is a default-deny device, both for administrative traffic to it,
and for traffic passing through it.  The product uses SSH for command
line access and SSL for web access.  We welcome any feedback on how we
can make the product more secure.

Thanks!

Rob Gilde
Product Development Manager
voice: 206-505-0857
email: rob () f5 com

F5 Networks, Inc.
200 First Avenue West, Suite 500
Seattle, WA 98119
http://www.f5.com
1-888-88BIGIP

----------------------------
Ejovi Nuwere [www.ejovi.net]
In God we trust.
The rest we monitor.
----------------------------
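The two findings in the post above (an undocumented second uid-0 shell account, and the same password hash reused for the web configuration tool's basic-auth user) are both things an administrator can audit from the password files alone. The script below is an added example for this archive page; it is not code from the thread or from F5. It assumes the BSD master.passwd layout the post shows (ten colon-separated fields) or the classic seven-field /etc/passwd layout, and a "user:hash" basic-auth file. The sample input is constructed for the example: the two "support" lines are copied from the post, the root and daemon lines are made up.

```python
"""Audit passwd-style files for extra uid-0 accounts and for a password hash
that is shared between a shell account and an httpd basic-auth user.

Added example, not part of the original Bugtraq thread. Supports the BSD
master.passwd layout (10 fields) quoted in the post and the classic
/etc/passwd layout (7 fields).
"""
from dataclasses import dataclass

# Constructed sample. The 'support' entry is the one quoted in the post; the
# root and daemon entries are made up, with a placeholder root hash.
SAMPLE_PASSWD = """\
root:CONSTRUCTED_ROOT_HASH:0:0:daemon:0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
"""

# Constructed sample of the basic-auth users file shown in the post.
SAMPLE_BASICAUTH = """\
admin:MdA00w00w
support:_J9..1fnHY9nqgjRyOV2
"""

# Password fields that mean "no usable password" rather than a real hash.
LOCKED_MARKERS = ("", "*", "!", "x", "*LOCKED*", "*NP*")


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text):
    """Parse 7-field /etc/passwd or 10-field BSD master.passwd lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7:        # name:pw:uid:gid:gecos:home:shell
            name, pw, uid, gid, _gecos, _home, shell = fields
        elif len(fields) == 10:     # name:pw:uid:gid:class:change:expire:gecos:home:shell
            name, pw, uid, gid, _cls, _chg, _exp, _gecos, _home, shell = fields
        else:
            raise ValueError(f"unrecognised passwd layout: {raw!r}")
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), shell))
    return entries


def parse_basicauth(text):
    """Parse 'user:hash' lines; split on the first colon only."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, pwhash = line.split(":", 1)
        users[user] = pwhash
    return users


def extra_uid0_accounts(entries):
    """Every uid-0 account other than root: each one is a second root login."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]


def shared_hashes(entries, basicauth_text):
    """(basic-auth user, shell user) pairs whose password hashes are identical.

    A shared hash means the web credential and the shell credential are the
    same secret, so a leak of one is a leak of both.
    """
    by_hash = {}
    for e in entries:
        if e.password not in LOCKED_MARKERS and not e.password.startswith("!"):
            by_hash.setdefault(e.password, []).append(e.name)
    pairs = []
    for web_user, pwhash in parse_basicauth(basicauth_text).items():
        for shell_user in by_hash.get(pwhash, []):
            pairs.append((web_user, shell_user))
    return pairs


def audit(passwd_text, basicauth_text):
    """Run both checks and return the findings as a dict."""
    entries = parse_passwd(passwd_text)
    return {
        "extra_uid0": extra_uid0_accounts(entries),
        "shared_hashes": shared_hashes(entries, basicauth_text),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_PASSWD, SAMPLE_BASICAUTH).items():
        print(f"{check}: {hits}")
```

Run against real files, the same two functions give a reviewer the list of accounts to question before a box goes on a network where sshd_config restrictions are the only thing standing between an internal user and a root shell.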

