Re: Kill the DOG and win 100 000 DM

["Jeffrey W. Thompson" <thompson () ARGUS-SYSTEMS COM>]

Link,

To answer your question in regards to labels travelling across the network.
On the hacking system the label does in fact travel over internal connections (we
disabled this feature for external connections).  This label is taken by inetd and
used to set a level up before in.telnetd is launched.  It is possible
for in.telnetd to find out what this label is, but in.telnetd has nothing to do
with setting it up.

If we did allow for external labels on packets, then it is possible for an
external host to spoof its network label.  However, this label must fall into the
ranger as specified by the network rules.  So if the network rules only allowed
one label into port 23, then spoofing a label would buy you nothing.  Otherwise,
it can be useful.  This is why we disabled labels over the wire.  We also
recommend to our customers that they do not use this feature unless they trust
their network (either implicitly or via some VPNish type things).

Did that make sense?

Cheers,

Jeff

Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.

Lincoln Yeoh wrote:

> At 10:19 AM 11/10/00 -0600, Jeffrey W. Thompson wrote:
> > Link,
> >
> > First off, cool nickname! :) I had a friend in college who went by Linky.
>
> Thanks. Some friends actually do call me Linky sometimes.
>
> > I just looked at the rules page, and it looks like they were just going to
> > give out one account.  I can't say too much about this as I wasn't
> involved in
> > the formation of this contest.
>
> That's ok. I think the rules were changed a bit, not sure when, could have
> been before the contest was actually launched. But anyway I just poked
> around a bit.
>
> > In regards to your question about telnet'ing in from localhost, this will not
> > work.  The reason for this is that you MAC label (ie. TS ALL) is not TS ALL
> > from your remote login.  Thus when you telnet locally you will have your
> label
> > travel with you through STREAMS and you will pick this up from the new
> > in.telnetd that will be spawned.  If you try and do a -e "TS ALL" you will
> > simply be booted because the level you are coming in over the network at will
> > not be TS ALL and thus you will fail.  Ok, that was a twisted little piece of
> > logic that requires some knowledge to understand.
>
> I think I get it - I've installed and done stuff with a few Cyberguard
> firewalls before. The reason I ask is, implementations are different and
> there could be a few interesting nuggets.
>
> But the part of your explanation I'd like more info is: the implication
> that the label will actually travel across the network and to the telnetd.
> I'd have figured the in.telnetd will just assume the default NETWORK label.
> If the label can actually pass across the network, that would be interesting.
>
> > others are familiar with it), receives all security information from the
> > process that sent it.  Also, all data coming in from the network is marked at
> > the network stack layer (specifically in IP) based on a set of preconfigured
> > rules.
>
> Yep. That's why I asked specifically about localhost.
>
> > 4) If your process tries to telnet to the local machine its label will be on
> > the stream and will be used in setting up that network connection.  This will
> > cause your connection to be at exactly the same level you are at.
>
> This part is where it gets interesting. Does that mean if you telnet to
> localhost, the labels can actually be specified to the telnetd? So if you
> can alter the packets somehow, the telnetd will believe you?
>
> e.g.
> What you seem to be saying is that:
>
> user (LEVELA)--telnet---network(LEVELA)--- telnetd (LEVELA).
>
> I was thinking it should be
> user(LEVELA)-telnet-network(no label/doesn't matter)-telnetd(NETWORK)
> and there would be a chance that in the contest setup the label would be
> different when connections are from 127.0.0.1 or some other IP.
>
> Also, there could be a chance that the telnetd could have a bug and set the
> wrong labels/limits, or be made to do that.
>
> Thanks,
> Link.