Bugtraq mailing list archives

Gauntlet 5.0 BSDI warning


From: kyoung () V-ONE COM (Keith Young)
Date: Mon, 18 Oct 1999 12:16:20 -0400


                Security issue in Gauntlet 5.0 BSDI when
                BSDI patches are installed in a specific order
                by Keith Young
                (kyoung () v-one com)
                -=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=-

SYSTEM AFFECTED -
        Gauntlet 5.0 BSDI with latest Gauntlet patches
        Other Gauntlet 5.0 patched systems are not affected
        Unpatched Gauntlet 5.0 BSDI is not affected

SYNOPSIS -
        Local trusted and remote non-trusted users with routes through the firewall may bypass all Gauntlet security rules.
        No activity will appear in the /var/log/messages log file.
        Internal network scheme is exposed.

        This issue will appear if you do the following in sequence:
        1) Install BSDI 3.1
        2) Install Gauntlet 5.0
        3) Install BSDI patch M310-049
        4) Install Gauntlet 5.0 kernel patch level 2

VENDOR CONTACT -
        Vendor has been contacted and trouble ticket assigned.
        Patch will be released soon.

OTHER NOTES -
        A) Behavior occurs if the connection is through any adaptive proxy (http-pdk), "old" proxy (http-gw) or no proxy at all (any TCP connection).
        B) Packets will not be NATed by the firewall, so to be 100% successful, a route will need to be published to get to your internal network through your firewall.
        C) As mentioned, nothing is ever logged in /var/log/messages
        D) Adding NATs to Gauntlet does not change the packets.

SOLUTIONS -
        A) Install M310-049 *before* installing Gauntlet 5.0.
        B) A vendor patch/fix/suggestion is coming.
        C) Workaround - **Neither myself, V-ONE, nor NAI is responsible for the correct/incorrect use of this.**
        **Doing this may adversely affect your system and may void tech support.**
                (as root)
                1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
                2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
                3) # reboot
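A check an administrator can run after applying the workaround (and again after any later BSDI kernel rebuild), added here as an example; it is not part of the advisory or of the Gauntlet/BSDI tooling. It confirms that the kernel build tree holds the Gauntlet-supplied ip_input.o rather than the stock object, and that the installed kernel image was built after that object. The two object paths are the ones quoted above; /bsd as the BSDI kernel image is an assumption, as is the use of cmp and find for the comparison.

```shell
#!/bin/sh
# Added sanity check, not from the advisory or from Gauntlet/BSDI.
# Object paths are those given in the workaround; /bsd as the kernel
# image is an assumption. Override any of them via the environment.

GAUNTLET_OBJ="${GAUNTLET_OBJ:-/usr/local/sys.gauntlet/i386/OBJ/ip_input.o}"
BUILD_OBJ="${BUILD_OBJ:-/usr/src/sys/i386/OBJ/ip_input.o}"
KERNEL="${KERNEL:-/bsd}"

# objects_match GAUNTLET_OBJ BUILD_OBJ
#   0 = byte-identical (build tree has the Gauntlet object)
#   1 = build tree holds a different object (e.g. stock BSDI ip_input.o)
#   2 = a file is missing
objects_match() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    [ -f "$2" ] || { echo "missing: $2" >&2; return 2; }
    if cmp -s "$1" "$2"; then
        echo "OK: build tree ip_input.o is the Gauntlet object"
        return 0
    fi
    echo "MISMATCH: $2 differs from $1; redo the copy and rebuild the kernel" >&2
    return 1
}

# kernel_rebuilt_after KERNEL OBJ
#   0 = kernel image is newer than OBJ (rebuilt after it)
#   1 = kernel image predates OBJ (copied the object but never rebuilt)
#   2 = a file is missing
kernel_rebuilt_after() {
    [ -f "$1" ] && [ -f "$2" ] || { echo "missing: $1 or $2" >&2; return 2; }
    if [ -n "$(find "$1" -newer "$2")" ]; then
        echo "OK: $1 was built after $2"
        return 0
    fi
    echo "STALE: $1 is older than $2; kernel was not rebuilt after it" >&2
    return 1
}

# Report on the live system. The status is recorded rather than used to
# exit so the two functions above can also be sourced from another script.
objects_match "$GAUNTLET_OBJ" "$BUILD_OBJ" || OBJ_STATUS=$?
kernel_rebuilt_after "$KERNEL" "$GAUNTLET_OBJ" || KERNEL_STATUS=$?
```

Note that the timestamp check alone would pass in the advisory's failure case (the M310-049 rebuild produces a fresh kernel from the stock object), so the byte comparison is the check that matters there.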

HOW TO REPRODUCE -

        Network configuration:

        [client]====[firewall]====[WWW/FTP-server]
        (internal)                (external)
        Client/Server: either Win98 or RedHat Linux 6.0, P2-350, 128MB RAM
        Firewall: P2-350, 256MB RAM, 10GB hard drive, any BSDI-compatible NIC

        All network connections were made via 10baseT crossover cables; however, users can be across hubs or routers.

Listed here are the exact steps needed to reproduce this problem.

1) Install BSDI 3.1, March 1998. Use automatic install; however, you may install minimal packages if you wish.
2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
3) Install Gauntlet 5.0.
4) Reboot after installation.
5) Login as root.
6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for external and internal interfaces. If necessary, configure ESPM hosts, DNS settings, and admin users.
7) Quit gauntlet-admin, save changes, and rebuild.
8) After proxies have reconfigured, reboot machine.
9) Since M310-049 is required for the Gauntlet kernel patch install, and M310-046 is required for M310-049 installation, download both from ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
        File info:
        M310-046        1194 Kb    Wed Oct 14 00:00:00 1998
        M310-049        116 Kb     Wed Dec 16 00:00:00 1998
Both patches are considered "OK" by the Gauntlet support site:
http://www.tis.com/support/bsd31.html

10) Bring machine to single-user mode by executing "kill -term 1".
11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
12) Execute "perl5 M310-049 apply" to install IP DoS fix.
13) Execute "cd /sys/compile/GAUNTLET-V50/".
14) Build new kernel as required by M310-049 IP DoS kernel fix.
        # make clean
        # make depend
        # make
15) After kernel is rebuilt, reboot machine.
16) Download Gauntlet 5.0 kernel and cluster patch:
        File info:
        cluster.BSDI.patch      12623 Kb    Wed Sep 01 19:33:00 1999
        kernel.BSDI.patch       414 Kb      Wed Aug 04 17:54:00 1999
17) As noted in patch install directions, execute the following:
        # sh ./cluster.BSDI.patch
        # sh ./kernel.BSDI.patch
        # cd kernel.BSDI.patch
        # sh ./apply
        # cd ../cluster.BSDI.patch
        # sh ./apply
18) After patches are installed, reboot machine.
19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client machine to trusted network group. Apply changes.
20) Start web browser on client machine. Set web proxy setting to internal interface of firewall. Attempt to connect to external web server. Access is allowed. *This is correct.*
21) Remove http-gw from trusted network services. Apply changes. Attempt to connect to external web server. Access is denied. *This is correct.*

==Problem starts here==

22) Remove proxy setting in web browser on client machine. Set gateway/default route on client machine to internal interface of firewall. Set gateway/default route on server machine to external interface of firewall.
23) Clear web browser cache. Attempt to connect to external web server. Web page is downloaded with no logs in Gauntlet.
24) Start ESPM-GUI. Remove all services from trusted network services. Remove client machine from ESPM network group. Apply changes.
25) FTP from client machine to server. FTP connection is made though no rule exists.
26) Start telnet server on client machine. Telnet from server to client. Telnet connection is made.
