[19696] in bugtraq
Re: TCP Timestamping and Remotely gathering uptime information
daemon@ATHENA.MIT.EDU (Chris Tobkin)
Mon Mar 19 14:46:23 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <F04118150BBED211819500104B6FC175602821@postino.intersec.com>
Date: Fri, 16 Mar 2001 14:47:51 -0600
Reply-To: Chris Tobkin <tobkin@INTERSEC.COM>
From: Chris Tobkin <tobkin@INTERSEC.COM>
X-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
The problem with releasing this information is that an attacker can see how
long the system has been online and possibly correlate that with what
patches are installed on the system telling whether it is likely to be
vulnerable to certain exploit(s).
'uname' is a little different in that it only gives away the information to
local users. Once you're a local user, there are a lot of things you can do
to find out how long the system has been online and such. Local vs. remote
would be my argument here.
Local users are more trusted and are therefore trusted with "friendly"
information, such as uptime. If the local users aren't trusted, then you've
got a heck of a lot of work ahead of you to keep them in the dark. Like I
always say, once they're on the system, most times it's not hard to get the
entire box -- "Game Over, Man! Game Over!".
Regarding linux and 500 days, it's more likely that a script kiddie would
look for systems with 300+ days uptime, certain OS and version, and certain
ports open which would be most likely to be systems that are "hands off" and
good ones to attack. For example, if I found a system I nmap'd as an old
version of linux, with port 53 open, I'd suspect it's probably unpatched.
The trials and tribulations of "friendly" information...
// Chris
tobkin@intersec.com
-----Original Message-----
From: Darren Reed [mailto:avalon@COOMBS.ANU.EDU.AU]
Sent: Thursday, March 15, 2001 11:53 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: TCP Timestamping and Remotely gathering uptime information
So when do we change things like "uname" such that they no longer report
the system "identity" (OS, OS rev) to anyone but root?
Why do you think all timestamps should not reveal uptime information?
What do you think is at risk here?
Are script kiddies going to say "ooh, he's been up for 500 days and he's
not linux, let's flood him to death"?
Or is there something more fundamental?
One potential use of uptime information to an attacker's advantage is in
attacking things which use the current time (seconds, microseconds,
whatever) as a seed for some sort of thing when they start up at boot
time. A server which has a weak PRNG or similar might be at risk,
where it otherwise would not, do you think?
Darren
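The thread above argues about TCP timestamps leaking uptime. The following is an added example (not code from either poster) showing the self-audit check a defender would run against their own host: if TSval samples from two separate connections imply the same boot time, the counter is global and uptime is exposed; if the stack randomizes the TSval offset per connection, the implied boot times disagree. The Sample values, tick-rate candidates and tolerance are constructed assumptions.

```python
from dataclasses import dataclass

# Common kernel tick rates for the TSval counter (assumption; real stacks vary).
HZ_CANDIDATES = (100, 250, 1000)
TSVAL_MOD = 1 << 32  # TSval is a 32-bit counter and wraps


@dataclass
class Sample:
    wall: float  # observer's wall-clock time (seconds since epoch) when the segment arrived
    tsval: int   # TSval option value sent by the peer in that segment


def tick_rate(a: Sample, b: Sample) -> float:
    """Ticks per second implied by two samples from the SAME connection."""
    dt = b.wall - a.wall
    if dt <= 0:
        raise ValueError("samples must be in chronological order")
    ticks = (b.tsval - a.tsval) % TSVAL_MOD  # modular difference survives 32-bit wrap
    return ticks / dt


def snap_hz(rate: float) -> int:
    """Round a measured rate to the nearest plausible kernel HZ value."""
    return min(HZ_CANDIDATES, key=lambda hz: abs(hz - rate))


def implied_boot_time(s: Sample, hz: int) -> float:
    """Wall-clock time at which TSval would have been zero, if the counter started at boot."""
    return s.wall - s.tsval / hz


def uptime_leaks(conn_a: list, conn_b: list, tolerance: float = 2.0) -> bool:
    """True when two different connections agree on a boot time, i.e. the host uses a
    single global TSval counter and its uptime is readable remotely. Per-connection
    randomized offsets make the implied boot times disagree, so the check returns False."""
    hz = snap_hz(tick_rate(conn_a[0], conn_a[1]))
    boot_a = implied_boot_time(conn_a[0], hz)
    boot_b = implied_boot_time(conn_b[0], hz)
    return abs(boot_a - boot_b) <= tolerance


# Constructed samples: one host, 1000 Hz counter, one day of uptime at the first sample.
CONN_A = [Sample(1_700_000_000.0, 86_400_000), Sample(1_700_000_010.0, 86_410_000)]
CONN_B_GLOBAL = [Sample(1_700_000_060.0, 86_460_000)]      # same counter, 60 s later
CONN_B_RANDOM = [Sample(1_700_000_060.0, 12_345_678)]      # randomized per-connection offset

if __name__ == "__main__":
    print("leaks (global counter):", uptime_leaks(CONN_A, CONN_B_GLOBAL))
    print("leaks (randomized offset):", uptime_leaks(CONN_A, CONN_B_RANDOM))
```

Run it with samples captured from your own server on two separate connections; a True result means the mitigation to look for is a per-connection TSval offset in the TCP stack (or disabling timestamps where window scaling/PAWS are not needed).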