[8887] in bugtraq

Re: Breeze Network Server remote reboot and other bogosity.

daemon@ATHENA.MIT.EDU (der Mouse)
Fri Jan 1 15:36:46 1999

Date: 	Thu, 31 Dec 1998 19:37:24 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG

> A Breeze Network Server is a NetBSD 1.3.2 based system produced by
> WindDance Networks Corporation [...]

> I have to admit that this was the first time I ever used NetBSD, but
> it is close enough to Solaris/SunOS that I manage ;-)  However I
> might misinterpret important parts of NetBSD behavior, and if so,
> please correct me.  After all, maybe this is the way the system is
> designed to behave, and not the bastardization of WindDance Networks
> (Ugh.  I don't think so).

The problems you list really aren't NetBSD's fault, with the possible
exception of shipping with a compiler installed, and that is more a
mismatch between what the system is designed for and what it's being
used for.

Specifically,

> gcc was installed.  This seems to be a first mistake - one doesn't
> install a compiler on a production system, especially on a secure
> one, as it makes it so much easier to compile a sniffer and cause
> more harm.

Well, yeah, but it's not exactly difficult for a cracker wannabe to
suck over a compiler binary - or compiled binaries, for that matter -
from elsewhere.  Anyway, this *is* out-of-the-box for 1.3.2, though I'm
inclined to agree with you that leaving it there is probably something
WindDance shouldn't have done.

WindDance was probably also in violation of the GPL, unless they
shipped the necessary sources to rebuild gcc, or made the canonical
offer of those sources.

> (BTW I realize that it seems to be a simple one line change to
> disallow [single-user -> free root shell].)

Yes, you are correct.

> First thing I noticed once the system was running in multiuser mode
> was that apache was running as root.

1.3.3 does not come with apache out of the box.  (There is probably a
package for apache by now, but 1.3.2 didn't even come with the package
tools, as I recall.)

The rest of what you list is predicated on the web stuff - cgi-bin
scripts and the like - and other WindDance stuff related to it, like
the rebootwrapper.  (A stock 1.3.2 system has nothing in /usr/local
except a little directory structure, I think - though I never touch
/usr/local so I don't readily recall what's there.)

                                        der Mouse

                               mouse@rodents.montreal.qc.ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
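The "one line change" that turns the single-user root shell back into a root password prompt is the "secure" flag on the console entry in /etc/ttys, which init(8) consults in 4.4BSD-derived systems such as NetBSD. The script below is an added example, not part of der Mouse's post and not NetBSD or WindDance code: it embeds two constructed ttys fragments (the getty and terminal-type fields are illustrative, not copied from any shipped file) and checks whether the console line carries the flag.

```shell
#!/bin/sh
# Added example, not from the original post or from NetBSD/WindDance.
# In 4.4BSD-derived systems init(8) reads /etc/ttys: if the console entry
# carries the "secure" flag, booting single-user drops straight into a root
# shell; without it, init demands the root password first. The fix is to
# drop "secure" from that one line.

# Constructed sample fragments (getty/terminal fields are illustrative).
WEAK_TTYS='# name   getty                      type   status     comments
console "/usr/libexec/getty Pc"   pc3    on secure
ttyp0   none                       network off
'
HARDENED_TTYS='# name   getty                      type   status     comments
console "/usr/libexec/getty Pc"   pc3    on
ttyp0   none                       network off
'

# console_secure FILE
# Exit 0 if the console entry in FILE is flagged "secure", 1 otherwise.
# Comment lines begin with '#', so their first field is never "console".
console_secure() {
    awk '$1 == "console" {
             for (i = 2; i <= NF; i++) if ($i == "secure") found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# check_ttys FILE -> prints "weak" (passwordless single-user root) or "ok".
check_ttys() {
    if console_secure "$1"; then
        echo weak
    else
        echo ok
    fi
}

# Demo against the constructed samples.
tmp=$(mktemp -d)
printf '%s' "$WEAK_TTYS" > "$tmp/ttys.weak"
printf '%s' "$HARDENED_TTYS" > "$tmp/ttys.fixed"
echo "weak sample:  $(check_ttys "$tmp/ttys.weak")"
echo "fixed sample: $(check_ttys "$tmp/ttys.fixed")"
```

Run it against a real /etc/ttys with `check_ttys /etc/ttys`; "weak" means anyone with console access and a reboot gets root without a password.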
