Bugtraq mailing list archives
Mantrap Advisory Vendor Followup - Fate Research Labs
From: Loki <loki () f8labs com>
Date: Sun, 5 Nov 2000 11:35:30 -0800
www.f8labs.com

ADVISORY FOLLOWUP ! ADVISORY FOLLOWUP ! ADVISORY FOLLOWUP ! ADVISORY FOLLOWUP

Application ......: Mantrap by Recourse Technologies
Advisory .........: Nasty tricks with ManTrap
Release Date .....: 11-01-00
Application ......: ManTrap by Recourse Technologies
Vendor Web Site ..: www.recourse.com

F8 Research Labs would like to send notification and follow-up regarding our discussions with Recourse Technologies. Their response to our advisory was almost immediate. They have addressed all issues in their version 2.0 of the Mantrap software release, which they released last week. It is advised for all users of Mantrap to contact Recourse Technologies for an upgrade.

However, there is one more catch. Recourse was not able to repair the 'crash' utility problem, so it still exists in the newest release. As we stated in our advisory, it is possible for an attacker to view all processes outside of the cage, which still allows for fingerprinting and identification of the fact that they are in a caged environment or honeypot. This is not the worst, as it is still possible to get the PID of those processes to further allow the attacker to kill() the running process from within the cage. There exist several cage processes (rti_???), which control logging and other Mantrap functions, which are included in this list of processes. The ability to shut down logging functionality for the cage wipes away all possible recourse (no pun intended :), for further action against the intruder.

F8 Labs recommends further immediate action by the administrator after the cage has been set up to properly mitigate these sorts of further compromises. Please understand that the F8 team does not recommend the use of software-based emulations of honeypots. Emulating a vulnerable OS on TOP of another vulnerable OS is unsafe, and the ramifications of a further compromise outside of the caged environment are detrimental. As with prior situations surrounding chrooted environments and the success of breaking out of them, it is recommended that if one is going to deploy a honeypot, it be done with purely nothing but the vanilla installation of an OS, set up with secure remote logging, while properly firewalled off from the rest of the LAN. This system should also be closely and heavily watched and monitored.

Loki // F8

================================================================
Loki
Fate Research Labs
loki () f8labs com
----------------------------------------------------------------
BEGIN PGP SIGNATURE
iQA/AwUBOfZvfGnwBJRV5bxfEQJu7gCfQ/T0O9u75nzRGWVSeurNmnFRVr8Anj0c
M+UXhPDBvsm+ffRpv41zevQN
=3IRx
================================================================
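The check below is an added example, written for this archive page; it is not code from Loki's post, from F8 Labs, or from Recourse's ManTrap. It is the "further immediate action" an administrator can take after building a cage: run it from a shell inside the cage and see whether host processes (the rti_ daemons the post refers to) are visible in the process table and whether they could be signalled from there, which is exactly what the post says an intruder can do. The sample ps listing and the names rti_logd and rti_ctl are constructed placeholders; the page does not give the real daemon names.

```sh
#!/bin/sh
# Added example: cage-leak check, not code from F8 Labs or Recourse Technologies.
# Run from a shell inside the cage after setup. Any host-owned process that is
# listed here can be fingerprinted by an intruder; any that answers kill -0 can
# also be killed from inside the cage, which is how the logging could be cut.

# Constructed sample of `ps -e -o pid,comm` output as a leaking cage might show it.
# rti_logd and rti_ctl are assumed placeholder names, not ManTrap's real ones.
SAMPLE_PS='  PID COMMAND
    1 init
  142 syslogd
  311 rti_logd
  315 rti_ctl
  402 sh'

# Read `ps -e -o pid,comm` style output on stdin and print, one per line, the
# PIDs of commands whose name begins with the given prefix. Skips the header.
find_pids_by_prefix() {
    awk -v p="$1" 'NR > 1 && index($2, p) == 1 { print $1 }'
}

# kill -0 delivers no signal; it succeeds only if the PID exists and the caller
# is permitted to signal it, i.e. the same condition under which a kill() from
# the cage would actually take the process down. EPERM (exists, not signalable)
# still leaks existence but is reported as "no" here since it cannot be killed.
pid_signalable() {
    if kill -0 "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Live check: for every visible process whose name starts with PREFIX
# (default rti_), print "<pid> yes|no" showing whether it could be signalled.
cage_leak_report() {
    prefix="${1:-rti_}"
    ps -e -o pid,comm | find_pids_by_prefix "$prefix" | while read -r pid; do
        echo "$pid $(pid_signalable "$pid")"
    done
}

# Demonstration against the constructed sample; nothing is signalled.
printf '%s\n' "$SAMPLE_PS" | find_pids_by_prefix rti_
```

Inside the cage, run `cage_leak_report`: an empty result means the host's process table is not exposed; any line means the cage can be fingerprinted, and a "yes" means the logging daemon on that line could be killed from where the intruder sits. The `ps -e -o pid,comm` form is POSIX and works on Solaris and Linux alike.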
Current thread:
- Mantrap Advisory Vendor Followup - Fate Research Labs Loki (Nov 06)