Bugtraq mailing list archives

Re: Breeze Network Server remote reboot and other bogosity.


From: owner-bugtraq () netspace org (Philip Stoev)
Date: Thu, 31 Dec 1998 22:32:56 -0500


On Thu, 31 Dec 1998, Mike Pelley wrote:

> Hello Bugtraq.
>
> I work for WindDance Networks Corporation.  While developing our Breeze
> Network server mentioned in a previous message, we were interested in having
> some 'friendlies' try out the Breeze and offer suggestions regarding
> additional potential functionality requirements for their clients and
> others.  As our current president, Rainer Paduch, was previously the
> president and vice-chairman of iStar before it was acquired by PSINet, he
> asked if they would take a look at our prototype.  They accepted, so I made
> an image of one of our development machines for them to check out and
> recommend features/changes.

I did my recommendations.

> A few weeks later Mr. Vardomskiy (Stany) called me and mentioned some
> security concerns, which he has outlined in his previous message.  I
> explained that the version of the Breeze he received was not intended for
> customers, and most of the issues he mentioned were well known and the way
> they were because this was an image of my development machine and not a
> production machine.  I explained that we had some things to work on, and
> that we had a security review planned after we had ensured that the machine
> was stable and functional.

For starters let me make something clear.  I am not blaming anyone
specifically for the problems with the server.  Such things happen.
However I do express concern that the update that was promised to me as a
representative of PSInet was not received in a timeframe.  If there would
have been a major security hole found in a major product of any other
companies with which WindDance attempts to compete,  everything possible
would have been done to fix the problem ASAP.  Even Microsoft releases
hot-fixes.

I am hoping not to begin a flame war or anything, but here are my
concerns:  After doing software development for a rather long time, I
have noticed that very often the security of the software package or
system is implemented in exactly the same way as you describe - as an
afterthought.   This results in a number of security holes that are very
hard to plug during the security review, and usually most of the holes are
overlooked.  The product is rushed to the market, the management is
concerned about the due dates or contracts that were already signed, and
as a result the final security review either doesn't happen at all, or
happens in a rushed manner.

I am concerned that the web server in WindDance's package runs as root and
doesn't drop its privileges - If you have written all your scripts to
assume that the server is root, then you will have to rewrite them all
during your security audit, which will result in delays to shipping the
product to the market, as essentially you will be re-implementing the
product anew (with corresponding time requirements).  I am concerned that
you have daemons running that do not do error checking and just assume
that the data fed to them is correct - in your current implementation they
seem to be a cornerstone of your set-up, and in spite of the problems with
them, are you willing to go and re-write them all during the security
audit, and while having your managers standing and looking over your
shoulder, attempting to speed things up (but in fact just slowing things
down).

> I am distressed that Mr. Vardomskiy has misrepresented the status of the
> machine he received and I do not understand why he was confused after our
> conversation on the phone.  We have since created a beta release image of
> the Breeze.  I did not promise to contact Mr. Vardomskiy, but I did mention
> that we would soon have a newer load available and would be happy to send it
> over if PSINet had time to evaluate it.

I am not going to argue, but I have to say for myself that I am happy that
the problems with the current set-up have been made public.  It happens
too often that only under the pressure of the public knowledge many
security holes and design flaws eventually get fixed.   The server as
marketed is a sealed box - intended users probably do not have the
technical expertise to get into the system to find out what drives it from
inside.   As a result there is no guarantee that the system as shipped
will be fixed at all - the end users are not supposed to find out after
all, should they?

If WindDance is interested in continued evaluation of Breeze product,
then the best person to ship the updates for the system would most
likely be Gert-Jan Hagenaars (gj () istar ca), Senior System Administrator,
PSInet Canada, as I am leaving the company.

> If anyone has any specific questions about the Breeze or the issues
> mentioned before please contact me anytime.
>
> Mike Pelley
> System Designer
> WindDance Networks
> (613) 728-1700 x 15
> mikep () winddance net

Happy New Year.
//Stany, stany () notbsd org


