Bugtraq mailing list archives

Mantrap Advisory Vendor Followup - Fate Research Labs


From: Loki <loki () f8labs com>
Date: Sun, 5 Nov 2000 11:35:30 -0800

    -----------------.---------------------------------------------.
  /|                 |                             .               |
 / | :               : :             : :             :             |
/  | ::        ------  ::            : ::          | ::     -      |-----
|  | ::              : ::     .      :      |      | ::            :     |
|  |                 :        .      |------|      |               :     |
|  |           ------^        :      |     /       |                     .
|  ;----------"---------------^------     /  ------'---------------------
| /          /               /      /----'        /                     /
|'----------'---------------'------'     --------'---------------------'
                                www.f8labs.com




ADVISORY FOLLOWUP ! ADVISORY FOLLOWUP ! ADVISORY FOLLOWUP ! ADVISORY FOLLOWUP

Application ......: Mantrap by Recourse Technologies
Advisory .........: Nasty tricks with ManTrap
Release Date .....: 11-01-00
Application ......: ManTrap by Recourse Technologies
Vendor Web Site ..: www.recourse.com


F8 Research Labs would like to send notification and follow-up regarding our
discussions with Recourse Technologies. Their response to our advisory was
almost immediate. They have addressed all issues in their version 2.0 of the
Mantrap software release, which they released last week. It is advised for all
users of Mantrap to contact Recourse Technologies for an upgrade. However,
there is one more catch. Recourse was not able to repair the 'crash' utility
problem, so it still exists in the newest release. As we stated in our
advisory, it is possible for an attacker to view all processes outside of the
cage, which still allows for fingerprinting and identification of the fact
that they are in a caged environment or honeypot. This is not the worst, as it
is still possible to get the PID of those processes to further allow the
attacker to kill() the running process from within the cage.

There exist several cage processes (rti_???), which control logging and other
Mantrap functions, and which are included in this list of processes. The
ability to shut down logging functionality for the cage wipes away all
possible recourse (no pun intended :) for further action against the
intruder. F8 Labs recommends further immediate action by the administrator
after the cage has been set up to properly mitigate these sorts of further
compromises.
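As an added example (not code from F8 Labs or Recourse), one administrator-side check for the logging-process problem above: record the cage's control processes and their PIDs right after setup, then compare later snapshots of ps output from outside the cage, alerting when a control process has disappeared or its PID now belongs to a different command. The rti_ prefix comes from the advisory; the names rti_log and rti_cage and the ps listings are constructed placeholders.

```python
"""Watchdog for ManTrap cage control processes (added example, not vendor code).

Run from outside the cage (e.g. from the host's cron), since the advisory shows
that processes inside the cage can locate and kill() these by PID.
"""
import re
from typing import Dict, List

CONTROL_PREFIX = "rti_"  # prefix of the cage control processes per the advisory
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # 'ps -eo pid,comm' style rows

# Constructed sample listings (PIDs and process names are placeholders).
BASELINE_PS = "  PID COMMAND\n    1 init\n  212 rti_log\n  215 rti_cage\n  230 syslogd\n"
REUSED_PS = "  PID COMMAND\n    1 init\n  212 sh\n  215 rti_cage\n  230 syslogd\n"
KILLED_PS = "  PID COMMAND\n    1 init\n  215 rti_cage\n  230 syslogd\n"


def parse_ps(ps_output: str) -> Dict[int, str]:
    """Parse 'ps -eo pid,comm' output into {pid: command}, skipping the header."""
    procs: Dict[int, str] = {}
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def baseline(ps_output: str) -> Dict[int, str]:
    """Record the control processes (pid -> name) right after the cage is set up."""
    return {pid: name for pid, name in parse_ps(ps_output).items()
            if name.startswith(CONTROL_PREFIX)}


def check(base: Dict[int, str], ps_output: str) -> List[str]:
    """Compare a later snapshot against the baseline and return alert strings.

    A baseline PID that is gone means the process died (possibly kill() from
    inside the cage); a baseline PID now running a different command means the
    process died and its PID was reused, which a name-only check would miss.
    """
    now = parse_ps(ps_output)
    alerts = []
    for pid, name in sorted(base.items()):
        current = now.get(pid)
        if current is None:
            alerts.append(f"{name} (pid {pid}) is gone: possible kill() from inside the cage")
        elif current != name:
            alerts.append(f"{name} (pid {pid}) replaced by {current}: PID reused, process died")
    return alerts


if __name__ == "__main__":
    for alert in check(baseline(BASELINE_PS), REUSED_PS):
        print("ALERT:", alert)
```

Wire the alerts into the remote logging channel rather than a local file, since a killed logger is exactly the condition being detected.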

Please understand that the F8 team does not recommend the use of software-based
emulations of honeypots. Emulating a vulnerable OS on TOP of another vulnerable
OS is unsafe, and the ramifications of a further compromise outside of the
caged environment are detrimental. As with prior situations surrounding
chrooted environments and the success of breaking out of them, it is
recommended that if one is going to deploy a honeypot, it be done with purely
nothing but the vanilla installation of an OS, set up with secure remote
logging, while properly firewalled off from the rest of the LAN. This system
should also be closely and heavily watched and monitored.


Loki // F8


================================================================
Loki
Fate Research Labs
loki () f8labs com
----------------------------------------------------------------
================================================================

