[8862] in bugtraq

home help back first fref pref prev next nref lref last post

Breeze Network Server remote reboot and other bogosity.

daemon@ATHENA.MIT.EDU (//Stany)
Tue Dec 29 13:48:49 1998

Date: 	Sun, 27 Dec 1998 00:32:34 -0500
Reply-To: //Stany <stany@HTTP.NOTBSD.ORG>
From: //Stany <stany@HTTP.NOTBSD.ORG>
To: BUGTRAQ@NETSPACE.ORG

Good day.  I am Ortodox Christian, so my Christmas is on Jan 7th, but in
the spirit of giving, I would like to submit the following rant.  It is
rather lengthy, but IMHO is worth it.  If Aleph1 feels that it is too
lengthy, feel free to snip the parts that are boring ;-)

A Breeze Network Server is a NetBSD 1.3.2 based system produced by
WindDance Networks Corporation
(http://www.winddancenet.com/products/breeze.html).  It is marketed as an
email, fax, printer, internet/intranet web server and a  firewall.
Physically it is an AMD K6/300 AFR system with 64 megs of RAM and 6 Gig
IDE hard drive.  It includes a LS120 disk drive as the primary floppy
drive, and according to the documentation that drive is used for
distributing updates to the system.  The cost seems to be $3300 US.

The system is marketed to be easy in use ("so even the secretary would not
have any problems to set up Breeze in 15 minutes") and upon receiving it
one has to connect up a keyboard and a monitor to it, power it on, answer
a few configuration questions (What is my ip?  What is my gateway?  What
is my subnet?) and then one should be able to access it with a web browser
and be able to modify all sorts of things - add users, back up the system,
set up filesharing etc.  Following that, the keyboard and a screen are no
longer needed.

I have to admit that this was the first time I ever used NetBSD, but
it is close enough to Solaris/SunOS that I manage ;-)  However I might
misinterpret important parts of NetBSD behavior, and if so, please
correct me.  After all, maybe this is the way the system is designed to
behave, and not the bastardization of WindDance Networks (Ugh.  I don't
think so).

After this system have appeared in our office (I worked for PSInet Canada
and we  were asked to evaluate if we would want to sell this to some of
our customers), it have perked my curiosity, and one night I booted it
into single user mode.  It have provided me with a root shell, so I have
remounted / read-write and looked around.   gcc was installed.  This seems
to be a first mistake - one doesn't install a compiler on a production
system, especially on a secure one, as it makes it so much easier to
compile a sniffer and cause more harm.  I have compiled ssh, installed it,
and fixed my UID/GID to be zeros while I was at it ;-)  (BTW I realize
that it seem to be a simple one line change to disallow a system to
provide an unpassworded root shell upon being booted into a single user
mode).

First thing I noticed once the system was running in multiuser mode was
that apache was runing as root. IMHO this is another major problem, as
apache should only need root to bind to socket. I decided to adjust the
apache configuration files to use nobody as the default user, and once I
have done that, I noticed that I could no longer even see the default
starting page ("You have no permissions to access....").

I have decided to take a cursory look at the cgi-bin scripts that the
system was using.  The scripts were not using any range checking nor
sanity checks what so ever.  A particular script have attracted my
attention:
root@wdbreeze:/usr/local/breeze/cgi-bin[24]# tail -3 configbreeze

&rebootnow;
exit 0;
root@wdbreeze:/usr/local/breeze/cgi-bin[25]#

Ugh.  Is that not beautiful?

That's right, *anyone* accessing
http://BreezenetworkserverIP/start/configbreeze
is greeted with "Internal Server Error" message, while the system reboots
itself.

It is interesting how the reboot is done as well: the script
creates a file /tmp/reboot.now, and writes "Rest in Peace\n" into it.  A
daemon /usr/local/breeze/bin/rebootwrapper checks (a cursory strings on
rebootwrapper shows that the daemon is also checking for /tmp/halt.now).
if that file exists, the contents of the file are checked against an
internal lookup table, and then the system reboots itself through calling
/sbin/reboot

I have done a few tests and another beautiful peecularity of the system
came to light as well: if one creates an empty /tmp/reboot.now:
root@wdbreeze:/[1]# cd /tmp
root@wdbreeze:/tmp[2]# touch reboot.now
the system doesn't reboot.  No, it just locks up, and closes all network
ports, which is deadly for a system that should be a primary network
gateway/firewall for a small business.  The behavior is very similar to
halting the system, but the screen doesn't show the typical shutdown
notices, and the last shows that the system was rebooted and not crashed.
Oh, and the hard drive gets fscked on startup ;-)

So if I am a malicious script kiddie, who have managed to obtain any sort
of login on the system, all I have to do is set up a simple cron job to
touch /tmp/reboot.now every five or so minutes, and I am laughing.  It
will take a good long while for someone to think about checking crontab on
a system that all of a sudden started malfunctioning.  With the amount of
ports running on that system some exploit is bound to appear at some point
that will allow me  to get a remote login, or just add another line to
root crontab.

So here is the question for the list:  What is the best way to make secure
web interfaces to system functions like adding and deleting users or
restarting systems?   I realize that the best solution would be to ship
the system with ssh and allow a quilified administrator to log into the
system (As I believe Corel allowes on their NetWinder Webserver or
NetWinder Group Server to log in into a shell and have control over the
system.  <http://www.corelcomputer.com/>) or ship the system with
something like VNC <http://www.orl.co.uk/vnc/> that would allow an
experienced user to connect to the X server and run software similar to
RedHat Control Panel for system management, but once again there is an
expense in training the user to be Unix "savvy".   In fact the question
might well be is there a way to minimize a learning curve for the
users/administrators with Windoze/MacOS experience (It seems to be the
environment that both Corel with their NetWinder product and WindDance
Networks with their Breeze product are aiming at) for maintaining/managing
the UNIX based system without compromizing security?

//Stany, Sun Hardware Specialist, stany@notbsd.org

P.S. I have telephoned Mike Pelley, Software Designer of WindDance
Networks about 2 weeks ago about the problems with their product, and was
promised a swift update, but so far have not been contacted and to the
best of my knoweledge the software update was not shipped to us.  I have
cc:ed Mike to this message as well, and hope that someone at WindDance
will get somehting done about the above.

home help back first fref pref prev next nref lref last post