[8538] in bugtraq


Re: SCO World Script Vulnerabilities

daemon@ATHENA.MIT.EDU (Joe)
Fri Nov 13 15:23:48 1998

Date: 	Thu, 12 Nov 1998 13:59:46 -0800
Reply-To: Joe <joe@GONZO.BLARG.NET>
From: Joe <joe@GONZO.BLARG.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3649D464.89C7FEDF@algroup.co.uk>

And if anyone would like to know what he -really- said, in context, read
the article online at:

http://www.scoworld.com/html/body_aug98net.html

Ben: The set-up described there is fairly secure. (Although I'd use
ssh/scp instead of the r_services). The .rhosts files allow "webserver" to
log in from only 1 machine on the INTRA-net, from one specific IP address,
which is protected (presumably) by a firewall. To top it off, the "webserver"
user has no valid shell or password, so anyone that gets into the account
isn't going to be going anywhere with it. I don't see this as being
anything different than having a root window open on your desktop, with
ssh installed on all your machines. (Someone sits down, ssh's to another
machine and *poof*, they're root.) In fact, it's more secure since user
"webserver" was only given enough permission to monitor rudimentary files.
Granted, some of the information in those files may allow an intruder to
gain further access, but if they're sitting at the administrator's machine
they've already got that.

Since the CGI is being accessed by the system administrator, your remark
about the "user" being able to plug in any host name is plain silly.  If
they've got access to the CGI you're ALREADY compromised. Besides, from
the shell I've got MORE than enough rope to hang myself. If I'm trying to
administer a remote machine over the web I want that same length of rope.

I'll grant you this much: It's not going to be the most secure setup in
the world, and I'd much prefer netconsole/nocol, but as described the
setup in that article is nowhere near as bad as your analysis implied.

--
Joe H.                                  Technical Support
General Support:  support@blarg.net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net


On Wed, 11 Nov 1998, Ben Laurie wrote:

> I don't use SCO any more (well, I can give it up any time, honest), but
> I still get their mags. So, this morning I was leafing through SCO
> World, August '98 and September/October '98. Therein we find "Nuthin'
> but Net", "Administering Your System via the Web" by Jim Mohr. This
> suggests so many really Bad Things it is difficult to know where to
> start, but here goes.
>
> 1. First, set up .rhosts on all your servers, so the webserver can log
> in and do stuff.
>
> 2. Let the user specify the server name as a CGI parameter. Any name
> they like.
>
> 3. Now, using perl, pass that name, unvetted, to rsh like so:
> open(MSG,'rsh '.$server.' other stuff');
>
> Wonderful. I wonder if we can find a SCO server running this stuff?
>
> Oh, BTW, here's a particular gem I shall treasure forever: "Lowering
> security to make Web access easier is less of a problem". Yeah, right!
>
> Cheers,
>
> Ben.
>
> --
> Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
> Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
> and Technical Director|Email: ben@algroup.co.uk |
> A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
> London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
>
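The unvetted open() pattern Ben quotes in item 3, next to a checked and shell-free way of running the same rsh call, as an added example that is neither the article's code nor either poster's; the allow-list hosts and the check_server/rsh_output names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the SCO World article or from either poster.
# The article's form, open(MSG, 'rsh '.$server.' other stuff|'), hands
# $server to a shell unchecked; below, the name is validated first and
# rsh is started without any shell in between.
use strict;
use warnings;

# Hypothetical allow-list: the only machines this CGI may administer.
my %allowed_host = map { $_ => 1 } qw(intra1.example.com intra2.example.com);

# Returns the validated hostname, or undef if it is not acceptable.
sub check_server {
    my ($server) = @_;
    return undef unless defined $server;
    # Hostname characters only: letters, digits, dots, hyphens, 1-253 chars.
    return undef unless $server =~ /\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/;
    # A well-formed name must still be one we explicitly manage.
    return undef unless $allowed_host{$server};
    return $server;
}

# Runs @command on $server via rsh and returns the output lines.
# The list form of open() execs rsh directly with separate arguments,
# so no shell ever sees $server and nothing in it can alter the command.
sub rsh_output {
    my ($server, @command) = @_;
    my $host = check_server($server)
        or die "refusing to contact unlisted or malformed host\n";
    open(my $msg, '-|', 'rsh', $host, @command)
        or die "cannot run rsh: $!\n";
    my @lines = <$msg>;
    close($msg);
    return @lines;
}

# Constructed inputs: only the first passes; the others are rejected
# before any process is started.
for my $candidate ('intra1.example.com', 'intra9.example.com', 'intra1 extra') {
    printf "%-22s %s\n", $candidate,
        defined check_server($candidate) ? 'accepted' : 'rejected';
}
```

The allow-list mirrors the article's own constraint that "webserver" may only reach one specific intranet machine; a CGI that accepts any host name from its caller has no such limit.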
