Re: (PM) Feature Request (was SECURITY PROBLEM.)

Stephen Zedalis (tintype@exis.net)
Thu, 9 Jul 1998 11:50:57 -0400 (EDT)

On Thu, 9 Jul 1998, D. Scott Gardner wrote:

>At 11:07 PM 7/8/98 -0400, Stephen Zedalis wrote:
>
>>So what you are saying is that ALL your release (non-beta) versions of
>>ComOS have this bug and there is no resolution.
>
>Exactly what bug are you referring to?

The one that STARTED this thread. The inability of the portmaster to
properly reset debugging when a telnet session is closed allowing
debugging information (including unencrypted passwords) to stream to one
of only 4 telnet sessions EVEN IF you haven't logged on as an admin user
or provided any valid username or password!

Is this a serious security problem? Yep, I think so.

Pretend I am Joe Hacker and I want to get a few passwords off of your
portmaster and I know you usually use telnet and debug to assist in
providing tech support to your customers.

1. I call up either pretending to be (or actually being) one of your
customers and report problems in connecting.

2. I talk the poor slob on the other end of the line into the fact that
I've got a hard-to-fix problem and he fires up telnet to the portmaster
and sets debug on and starts monitoring LCP, IPCP, etc.

3. I launch a denial of service attack on his machine if I know the IP of
his admin machine (hell he might give it to me if I asked)

4. Then all I have to do is to fire up 4 telnet sessions to the portmaster
and wait for the passwords to stream in, when I time out on one login fire
up another, keeping the guy out of telnet until he realizes what is going
on or figures his portmaster locked up and reboots the machine.

5. Hey! I now have a lot of passwords to accounts I don't own, k00l.

This is only hypothetical, but it could happen tomorrow to some
unsuspecting ISP. And apparently it has been a possibility for ages.
It apparently happens with at least several versions of ComOS, not just
ComOS 3.8.

The suggestion to use PPPDecoder was ludicrous for several reasons.
First, it is a beta product itself with no guarantees of reliability or
security. Second, to use it, you have to be using a beta ComOS 3.8 with
their own set of problems. Third, it uses an entirely undocumented
PMConsole interface, and we don't know whether or not it suffers from the
same bug. (I.e., if someone like PPPDecoder is knocked off of the PMConsole
1643 port, could someone else attach to port 1643 and get the same
streaming debug behaviour without authentication?) As you pointed out,
using the much more obscure 1643 port for debugging vice the telnet port
is not even an option if you are running officially released versions of
ComOS.

This is NOT adding a new feature to ComOS as you suggest but a request to
fix a SERIOUS security bug. I'm surprised it isn't splashed all over
BugTraq by now.

And even if Lucent feels that this bug is unfixable or unlikely to cause
serious damage if you have trained sysadmins (which it probably is), then
you have to TRAIN the sysadmins by at least putting a big warning about
this security "feature" in your discussions of using telnet to debug in
your documentation. That's all I was suggesting.

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>