[prev in list] [next in list] [prev in thread] [next in thread] 

List:       isn
Subject:    [ISN] Teenager Finds Web-server hole.
From:       mea culpa <jericho () dimensional ! com>
Date:       1999-02-25 14:59:30
[Download RAW message or body]


Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>

http://www.wired.com/news/print_version/technology/story/18109.html?wnpg=all

(Wired.com) [2.25.99] A 17-year-old Pennsylvania high school student has
discovered a potentially dangerous security flaw in a line of server
hardware manufactured for ISPs.
 
Michael Righi of Pittsburgh said he discovered a flaw in the Cobalt RaQ
servers that lets malicious users enter the system, find the system
administrator's password, and gain access to sensitive information.
 
Righi was able to obtain the root, or administrator, passwords to three
Web sites by searching the sites for the history file through a Web
browser. What's more, Righi easily found which sites run RaQ by using a
simple search engine, thanks to another feature of the RaQ setup process.
 
When RaQ installs itself, it generates a live Web page that reads "Welcome
to Cobalt RaQ." By doing a search for that phrase, Righi found more than
20 sites using the appliance.

Cobalt Networks developed the RaQ as a low-cost, low-maintenance Web
server for the ISP market.

Vivek Mehra, vice president of product development at Cobalt, said the
hole, which could give a hacker access to a history file documenting a
user's activities, wasn't specific to their appliance, but to the Linux
operating system. Righi disagreed and said RaQ's default settings are to
blame.
 
"The Cobalt RaQ's default settings create the personal and Web directories
as one and the same, which allows a system administrator's common mistake
of mistyping a password to be saved in the history file," he said. He was
unable to find similar exposure on sites running the Linux OS that did not
use the Cobalt RaQ.
 
Mehra said one simple remedy for the problem is to disable the history
file in Linux before connecting to the Internet. Mehra said that users
should always disable the history file if sensitive information is housed
on the RaQ appliance. 

Linux administrators enter commands in what's known as a command-line
interface. The OS documents each command in a history file to prevent the
user from having to retype the command if he or she wants to reissue it.

That history file contains a record of every command. In some cases, the
system administrator needs to type in the administrator password to
perform sensitive commands, like backing up the system or adding users. A
record of that password is saved in the history file.

In most cases, the password will be encrypted, but Righi said that running
the encryption through any cracker program will reveal the actual
password. If a system administrator types the password too quickly or at
the wrong time, the password could be saved as text without encryption,
said Righi.

Frezer Jones, a system administrator at Lisco, an ISP in Fairfield, Iowa,
verified Righi's exploit after the student notified him that Lisco's
system was at risk.
 
But, said Jones, Cobalt hasn't told its customers about the security
implications of a history file.

"Users are always susceptible when they get a box, and they think it's
secure, and they don't know much," Jones said. "I think Cobalt should be
more responsive. They should know a little more and be able to advise the
customers accordingly."
 
"It's up to [individual companies] what level of security they want to run
their systems on," Mehra said. "We can disable the feature so it doesn't
allow the history file to be generated. People do not fully understand the
implications of history files."

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

[prev in list] [next in list] [prev in thread] [next in thread]