[19963] in bugtraq


Re: Serious Pitbull LX Vulnerability

daemon@ATHENA.MIT.EDU (Jeff Thompson)
Sat Mar 31 19:27:28 2001

MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-851401618-986011425=:10968"
Message-ID:  <Pine.GSO.4.21.0103302201240.10968-300000@ranger.argus-systems.com>
Date:         Fri, 30 Mar 2001 22:03:45 -0600
Reply-To: Jeff Thompson <thompson@ARGUS-SYSTEMS.COM>
From: Jeff Thompson <thompson@ARGUS-SYSTEMS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <NEBBJHNKALOLCEPONIBNOEHLCFAA.pivetta@argus-systems.com>


This morning a message was posted on bugtraq by Blazde/Roland about the
recent Argus hacking contest at CeBit in Germany and an exploit he
discovered on one of the systems being protected by one of the products
in the Argus PitBull product line.  I wanted to give an unofficial
response to a few of the issues mentioned by Roland.  I'm an employee of
Argus (very technical, not marketing or sales, even though my title may
not give you that impression) and am very familiar with the PitBull LX
product that Roland was referring to.

As Roland mentioned, he located a misconfiguration in our integration of
the PitBull LX technology into the 'sysctl' system call.  This system call
makes a permission check to see if a user can access its functionality.  'sysctl'
allows a 'root' user to modify the modprobe kernel parameters.  Therefore, a
user must first become root in order to exploit this.  In order to fix this
problem, a simple security flag access check needs to be added to this system
call.  Once in place, this ability will no longer be available to attackers
who are being restricted by the PitBull LX technology.

Unfortunately for Roland, he never actually managed to break the system in the
way required for the contest.  The systems in the contest stayed up almost
half a day past the end of the contest, and much of Roland's work was done
during that time.  Roland did a great job of analyzing the system and
showed a lot of persistence in tracking down potential exploits.  I can
understand his frustration for coming so close but missing the deadline.

Apparently Roland's frustration was showing when he commented about the
web sites "disappearing" and Argus not wanting to release an official
press release.  After each hacking contest, Argus disconnects the systems
associated with the hacking contest -- the CeBit contest was no different.
The systems weren't even shut down immediately, they were left running
for many hours.  There was nothing diabolical about the fact that the
systems were eventually shut down.  This was definitely not an attempt
to squeak by without noticing that something had happened.

In fact, it was when the administrators of this contest logged in via
sshd in order to shut down the systems that they tripped the "trojan"
that Roland had put into place. Unfortunately, the code that was run
by Roland did not modify the system in the way prescribed by the rules,
and in fact was run after the contest had ended.

There also seems to be a misunderstanding here about Argus not wanting
the fact that this occurred to be made public.  While we of course wish
that we would have put the check into the 'sysctl' system call for
security flags so that Roland would not have found a way to use it to
his advantage, the fact is that Roland did in fact find a way to do it.

The fact is that we received specific information on the exploit
Wednesday in the late afternoon (Central Standard Time).  The post to
BugTraq was made available Friday morning. I believe that it is extremely
unfortunate that we were not given much more than 24 hours to produce
a patch for the problem, run it through our quality assurance group,
and notify our customers and members of this forum of the problem, let
alone release a press release that discusses the events.

I am also sorry that Roland feels that we were unresponsive in regard
to this problem. This is particularly troubling, as we are a company
that prides itself on our responsiveness and support of our products.
I believe this is very significant in an industry where the standard
is to either blame any problems a company's software has on another
vendor (it must be the OS's fault, or 'oh! you're using X's product,
well you should call them'), or to simply not return queries in
anything close to a timely manner.

With that said, a source code patch for the kernel is being attached to
this message, and will be made available on the main Argus corporate web
site as well as the Argus Revolution server. We are also notifying our
customers of the problem.

For Argus, PitBull LX is an extremely new product (our other mainstay
product PitBull Foundation has been around for years). PitBull LX is
the next generation of Trusted Operating System technology, and was
designed from the ground up to provide the most important pieces of
functionality that are found in traditional Trusted Operating Systems,
but in a way that more closely matches the standard Unix environment
and the security models that are being used in the real world to protect
these systems.  We are understandably very proud of the product, and had
the confidence in the technology to make it a part of these contests in
order to expose the technology to the world, and to put it in the ring
(so to speak). It is gratifying to know that after spending a lot of
time involving himself with the technology, and finding a problem in our
security flag checks, Roland still thinks highly of the technology.

While we are hard at work making sure that our PitBull LX technology and
product is properly integrated into the Linux environment, it is my hope
that if additional problems are found in the product as it grows, we will
be given the opportunity to demonstrate our responsiveness and dedication
to providing a real security solution, rather than just snake oil.

Sincerely,

Jeff Thompson (aka Mythrandir)
Software Evangelist and Visionary
Argus Systems Group, Inc.
http://www.argus-systems.com/
http://www.argusrevolution.com/

[Attachment: ASGLX20010301.README (TEXT/PLAIN, base64-encoded)]
[Attachment: ASGLX20010301.patch (TEXT/PLAIN, base64-encoded)]
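The message above describes the defect in general terms only: a privileged kernel entry point ('sysctl' writes to the modprobe parameters) gated on "is the caller root?" but not on the product's security flags, so a root process that the confinement layer meant to restrict could still reach it. The following C model is an added illustration and is not Argus's patch or PitBull LX code; `struct sec_ctx`, `SECFLAG_SYSCTL`, and the two `sysctl_set_modprobe_*` functions are hypothetical names constructed for the example. It shows the "before" gate beside the "after" gate and lets you check which callers each one admits.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag (constructed for this example, not a real PitBull LX
 * identifier): the confinement layer grants it only to processes that are
 * allowed to alter kernel parameters. It is independent of uid. */
#define SECFLAG_SYSCTL 0x1u

/* Caller's security context: traditional uid plus per-process security flags. */
struct sec_ctx {
    unsigned int uid;       /* 0 means "root" in the traditional sense */
    unsigned int secflags;  /* flags assigned by the confinement layer */
};

/* The one kernel parameter the message mentions, modelled as a string. */
struct kernel_params {
    char modprobe_path[64];
};

/* BEFORE: the only gate is uid == 0. A root process that the security layer
 * intended to confine still passes. Returns 0 on success, -1 if denied. */
int sysctl_set_modprobe_unchecked(const struct sec_ctx *ctx,
                                  struct kernel_params *kp, const char *path)
{
    if (ctx->uid != 0)
        return -1;
    snprintf(kp->modprobe_path, sizeof kp->modprobe_path, "%s", path);
    return 0;
}

/* AFTER: the uid gate stays, and the entry point also consults the
 * security flag, so confinement applies here as it does elsewhere. */
int sysctl_set_modprobe_checked(const struct sec_ctx *ctx,
                                struct kernel_params *kp, const char *path)
{
    if (ctx->uid != 0)
        return -1;
    if (!(ctx->secflags & SECFLAG_SYSCTL))   /* the check that was missing */
        return -1;
    snprintf(kp->modprobe_path, sizeof kp->modprobe_path, "%s", path);
    return 0;
}

/* Helper for the comparison: does a given caller get to change the path?
 * Returns 1 if the write succeeded and took effect, 0 otherwise. */
int caller_can_modify(unsigned int uid, unsigned int secflags, int with_flag_check)
{
    struct sec_ctx ctx = { uid, secflags };
    struct kernel_params kp = { "/sbin/modprobe" };   /* constructed default */
    int rc = with_flag_check
        ? sysctl_set_modprobe_checked(&ctx, &kp, "/tmp/other")
        : sysctl_set_modprobe_unchecked(&ctx, &kp, "/tmp/other");
    return rc == 0 && strcmp(kp.modprobe_path, "/tmp/other") == 0;
}

int main(void)
{
    printf("confined root, before fix: %s\n",
           caller_can_modify(0, 0, 0) ? "allowed" : "denied");
    printf("confined root, after fix:  %s\n",
           caller_can_modify(0, 0, 1) ? "allowed" : "denied");
    printf("flagged root, after fix:   %s\n",
           caller_can_modify(0, SECFLAG_SYSCTL, 1) ? "allowed" : "denied");
    return 0;
}
```

The design point is the one the message makes: under a confinement model, "root" is no longer a sufficient credential, so every privileged entry point, not just the well-known ones, has to consult the policy layer. An entry point that checks uid alone is a hole in the model even when every other path is correctly gated, which is why auditing each privileged syscall for the flag check (rather than relying on the uid check already present) is the useful exercise here.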
