Bugtraq mailing list archives
(no subject)
From: joewee () MONKEY ORG (Ejovi Nuwere)
Date: Tue, 9 Nov 1999 15:59:02 -0500
Rob, w00w00 was planning on addressing this issue, but I just can't control the urge to speak...

So if I understand correctly, F5 has made many improvements to the security of BigIP. Now was adding a second account with uid 0 without the knowledge of the user part of that plan?

    support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

This is blatantly bad security practice; every BigIP box I have come across has this account. Not only did you add a shell account, but you did the same for the browser configuration tool:

    bigip1:~# cat /var/f5/httpd/basicauth/users
    admin:MdA00w00w
    support:_J9..1fnHY9nqgjRyOV2
    bigip1:~#

Now, I know what you're going to say. "It doesn't matter because of restrictions in sshd_config" BUT! Remember this is a unix machine with a unix user. I have a few people in the office who would rather allow ANY location to connect to every box on the network. Do you see where I'm going with this? It isn't that far fetched.

I place load balancers in the router category, and anything in that category should be stripped down, to only core tools.

    bigip1:~# ls -la /usr/bin/rlogin
    -r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
    bigip1:~#

I say this in closing

    -r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
    support:_J9..1fnHY9nqgjRyOV2
    support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

w00giving: w00w00 pronounced wu-wu : ADM joewee.

PS: BigIP is by far the best load balancer in the industry. I love it.
Guy is discussing an issue that affects older versions of BIG/ip. As he points out, the risk is from internal users.

In older versions of BIG/ip, there is effectively only one user and that user has root privileges. That user could execute commands as root through a shell escape in our web-based user interface. As of Version 2.1, this is no longer possible. The current version of BIG/ip is 2.1.2. The software update is available for free over the net to all customers with support contracts.

In Version 2.1, in response to customer feedback, we removed the shell escape capability and also changed to multiple user levels in the web-based user interface.

BIG/ip is a default-deny device, both for administrative traffic to it, and for traffic passing through it. The product uses SSH for command line access and SSL for web access.

We welcome any feedback on how we can make the product more secure.

Thanks!

Rob Gilde
Product Development Manager
voice: 206-505-0857
email: rob () f5 com
F5 Networks, Inc.
200 First Avenue West, Suite 500
Seattle, WA 98119
http://www.f5.com
1-888-88BIGIP
----------------------------
Ejovi Nuwere [www.ejovi.net]
In God we trust. The rest we monitor.
----------------------------
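The following audit script is an added example, not code from the post or from F5. It reads passwd-style and htpasswd-style files and flags the three things the post complains about: a second UID-0 account besides root, a password hash matching the vendor default quoted above, and one credential shared between the OS account and the web configuration tool. The parser accepts both 7-field /etc/passwd lines and the 10-field BSD master.passwd form the quoted support line is in. The sample files are constructed, except for the lines quoted in the post; the finding codes and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hashes known to ship as vendor defaults. The only entry is the one quoted
# in the post above; a real audit would extend this table.
KNOWN_VENDOR_HASHES: Dict[str, str] = {
    "_J9..1fnHY9nqgjRyOV2": "BIG/ip 'support' account (Bugtraq, Nov 1999)",
}

# Constructed sample master.passwd (10 fields per line). The 'support' line is
# the one quoted in the post; the other lines and the root hash are made up.
SAMPLE_PASSWD = """\
root:$1$zz$constructedhash:0:0::0:0:Charlie Root:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
"""

# Web-UI basic-auth users, as quoted in the post.
SAMPLE_HTPASSWD = """\
admin:MdA00w00w
support:_J9..1fnHY9nqgjRyOV2
"""


@dataclass
class PasswdEntry:
    name: str
    pw_hash: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse 7-field /etc/passwd lines or 10-field BSD master.passwd lines."""
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) == 7:    # name:pw:uid:gid:gecos:home:shell
            name, pw, uid, gid, gecos, home, shell = f
        elif len(f) == 10:  # name:pw:uid:gid:class:change:expire:gecos:home:shell
            name, pw, uid, gid, _cls, _change, _expire, gecos, home, shell = f
        else:
            raise ValueError(f"line {lineno}: expected 7 or 10 fields, got {len(f)}")
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Parse name:hash lines such as /var/f5/httpd/basicauth/users."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, pw = line.partition(":")
        users[name] = pw
    return users


def audit(passwd_text: str, htpasswd_text: str) -> List[Tuple[str, str]]:
    """Return (account, finding-code) pairs for the conditions described in the post."""
    findings: List[Tuple[str, str]] = []
    entries = parse_passwd(passwd_text)
    web_users = parse_htpasswd(htpasswd_text)
    os_names = {e.name for e in entries}
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra-uid0"))            # second root-equivalent login
        if e.pw_hash in KNOWN_VENDOR_HASHES:
            findings.append((e.name, "known-vendor-hash"))     # shipped default credential
        if web_users.get(e.name) == e.pw_hash:
            findings.append((e.name, "shared-os-web-credential"))  # same secret guards shell and web UI
    for name, pw in web_users.items():
        if pw in KNOWN_VENDOR_HASHES and name not in os_names:
            findings.append((name, "known-vendor-hash"))
    return findings


if __name__ == "__main__":
    for account, code in audit(SAMPLE_PASSWD, SAMPLE_HTPASSWD):
        print(f"{account}: {code}")
```

Run against the real files on an appliance by reading /etc/master.passwd (or /etc/passwd) and the web-UI users file into the two arguments; the "shared-os-web-credential" check is the one that matters most here, since it shows that the restrictions in sshd_config are not the only thing standing between the web tool's credential and a root shell.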