004
Posted Sep 23, 1999
SHA-256 | 7b90fa0bba295c4d4795ac4b804a3416f98e20d75b22b2667b1445417166515a

From support@us.external.hp.com Wed Mar 13 01:01:29 1996
Date: Wed, 13 Mar 1996 01:09:25 -0800
From: HPSL Mail Service <support@us.external.hp.com>
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder <jericho@netcom.com>
Subject: RE: send doc HPSBUX9402-004

--------
## Regarding your request:
Send Doc HPSBUX9402-004

The following are the results of your request from the HP SupportLine mail
service.

===============================================================================
Document Id: [HPSBUX9402-004]
Date Loaded: [02-11-94]

Description: Promiscuous mode network interfaces
===============================================================================

-----------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00004, 10 February 94
-----------------------------------------------------------------------

_______________________________________________________________________
PROBLEM: /dev/nit allows superuser (root) access to network traffic
PLATFORM: HP 9000 Series 300, 400, 700, 800 running HP-UX
Apollo Token Ring (HP-UX 8.X, 9.X; s700 only)
STREAMS-DLPI (HP-UX 9.X)
DAMAGE: A superuser (root) on one system can gain account
information on other systems.
SOLUTION: Prevent unauthorized users from gaining root access.
_______________________________________________________________________


I. /dev/nit

A. CERT Advisory

A recent CERT advisory (CA-94:01) warned of attacks which
"involve a network monitoring tool that uses the promiscuous
mode of a specific network interface, /dev/nit, to capture host
and user authentication information on all newly opened FTP,
telnet, and rlogin sessions."

"The intruders first penetrate a system and gain root access"
through some vulnerability. Then the intruders exploit the
promiscuous mode of the network interface to watch network
traffic.

Note that the problem is the intruder gaining information about
other systems by exploiting the network interface. CERT
suggests that a system protect itself by disabling the
promiscuous-mode interface or by preventing unauthorized superuser access.


B. Nature of the Problem

HP supports promiscuous mode on two products: Apollo
Token Ring and STREAMS-DLPI (which currently supports only
Ethernet networks). While neither has /dev/nit, both allow
superuser programs complete access to the network.

Essentially, the vulnerability affects ANY HP SYSTEM THAT MAKES
NETWORK CONNECTIONS across a network on which some host has been
taken over by an intruder with root access who is running a
network monitoring tool on a LAN interface in promiscuous mode.
The intruder can then gain information about every HP system
whose connections cross that network.

The two HP products mentioned above allow a root user to
access the promiscuous mode and can therefore be used by
an INTRUDER WHO HAS ALREADY GAINED ROOT ACCESS on the HP system,
to learn about OTHER systems which are using the network.

So systems with the Apollo Token Ring and STREAMS-DLPI are
NO MORE VULNERABLE than any other systems: they just allow
intruders that have already cracked the system, by some other
means, to EXTEND the intrusion to other systems using the
attached network.


C. Fixing the problem

Hewlett-Packard recommends that all customers concerned with the
security of their HP-UX systems PREVENT unauthorized root access.

1. Disabling the interface is not complete protection

There are many approaches that an intruder could use even
if the network interface were disabled, IF that intruder
has already gained root access on the system:

a. Regenerate/install a new kernel with promiscuous support

The intruder could always create a new kernel that provided
promiscuous mode network interfaces, and reboot the system
with the new kernel.

b. Promiscuous mode is a hardware capability

Regardless of software efforts, users must be cognizant that
the promiscuous mode is fundamentally a hardware capability
of network interfaces. It might take a new driver, kernel
pokes, or a complete rewrite of HP-UX: if an intruder has root
access and time, the intruder will be able to modify the system
to watch network traffic. The best protection is prevention
of unauthorized root access.


2. Network security

The security of a system is highly dependent on the security
of the systems over which network connections are made.

a. Physical vulnerability

The security of a system can be vulnerable to physical
interception of network connections. For example, if machine
A telnets to machine B via gateway G, the user who owns
gateway G can easily attach a protocol analyzer to the
network and watch the network traffic. The intruder must
have physical access to the network to use this attack.

The SECURITY OF ANY HOST ON INTERMEDIATE NETWORKS can
affect the security of the connection, and thus the security
of the client and server systems.

b. Software vulnerability

Instead of a protocol analyzer, a user can modify the system
to create a virtual software protocol analyzer. In the
above example, the superuser on gateway G could do this to
monitor network traffic across the gateway. This is the
threat addressed by the CERT advisory: an unauthorized user
gains superuser access to the gateway and creates a network
monitoring daemon.

c. Connection security

The appropriate way to deal with network vulnerability is
to be cognizant of the security of intermediate gateways
when making network connections.

When making connections over gateways with unknown security
precautions against unauthorized root access, passwords
should be changed frequently: perhaps after each use.
( While trojan programs can watch the entire session, most
only record the first few hundred bytes, allowing a password
change later in the session to go undetected. Of course,
the attacks can change to examine larger amounts of traffic,
so this approach is not complete protection.)

CERT suggests that the long-term solution "is to reduce or
eliminate the transmission of ... passwords in clear-text
over the network."
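The point made in (c) above, that a session logger which records only the first few hundred bytes misses a password changed later in the session while a logger that watches the whole session does not, shown with a model of such a logger. This is an added example, not code from the HP bulletin or the CERT advisory: the telnet transcript is constructed (line-mode, no option negotiation), and the hostname, account name and passwords in it are made up.

```python
"""Model of a per-session logger (the 'virtual software protocol analyzer'
of the bulletin) run over a constructed cleartext telnet transcript."""

# Constructed transcript of one telnet session as (direction, bytes) chunks:
# "S" is server-to-client, "C" is client-to-server. Host "hostB", user
# "jdoe" and both passwords are invented for this example.
SESSION = [
    ("S", b"\r\nHP-UX hostB B.09.01 A 9000/735 (ttyp1)\r\n\r\nlogin: "),
    ("C", b"jdoe\r\n"),
    ("S", b"Password:"),
    ("C", b"Sup3r-Secret\r\n"),
    ("S", b"\r\nLast login: ...\r\n$ "),
    ("C", b"ls -l /usr/local/src\r\n"),
    ("S", b"total 48\r\n"
          + b"-rw-r--r--   1 jdoe  users   1234 Feb 10 1994 README\r\n" * 6
          + b"$ "),
    ("C", b"passwd\r\n"),                 # user changes the password mid-session
    ("S", b"Old password:"),
    ("C", b"Sup3r-Secret\r\n"),
    ("S", b"New password:"),
    ("C", b"fresh-one-42\r\n"),
    ("S", b"Re-enter new password:"),
    ("C", b"fresh-one-42\r\n"),
    ("S", b"Passwd successfully changed\r\n$ "),
]


def capture(session, limit=None):
    """Return the chunks a logger would record.

    limit=None models a logger that watches the entire session; an integer
    models one that records only the first `limit` bytes of the session
    (both directions counted together) and then stops, which the bulletin
    says most of the trojan programs do."""
    if limit is None:
        return list(session)
    recorded, seen = [], 0
    for direction, data in session:
        if seen >= limit:
            break
        room = limit - seen
        recorded.append((direction, data[:room]))
        seen += min(len(data), room)
    return recorded


def extract_credentials(chunks):
    """Pair each login/password prompt sent by the server with the next
    line typed by the client. Returns a list of (kind, value)."""
    found = []
    expect = None                      # "user" or "password" after a prompt
    for direction, data in chunks:
        if direction == "S":
            tail = data.rstrip().lower()
            if tail.endswith(b"login:"):
                expect = "user"
            elif tail.endswith(b"password:"):
                expect = "password"
        elif expect is not None:
            line = data.split(b"\r\n", 1)[0]        # first line typed
            found.append((expect, line.decode("ascii", "replace")))
            expect = None
    return found


def harvest(limit=None, session=SESSION):
    """What a logger with the given byte limit learns from the session."""
    return extract_credentials(capture(session, limit))


if __name__ == "__main__":
    print("whole session :", harvest())
    print("first 300 bytes:", harvest(limit=300))
```

With a 300-byte limit the logger sees only the original login and password; the new password set by `passwd` falls outside the window, which is exactly why changing the password late in the session helps against prefix-only loggers and not against one that watches the whole session. Either way the real fix is the one CERT names: stop sending the password in cleartext at all.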

d. Firewall machines

Routers exist that can screen network traffic and allow
only certain packets to cross between networks. Using such
routers, companies can isolate their networks from the Internet
"backbone" with systems called firewall machines. Such
systems prevent direct "outside"<->"inside" communications,
forcing users to go through the firewall machines. These
machines are then used as the focal point for preventing
intrusion: they can implement strict security procedures
and monitor incoming traffic.

In addition, a company's internal network structure should
be partitioned with a similar firewall structure. Network
traffic from any particular host should NOT travel across
every system in the company. The networks should be partitioned
into logical "traffic" units which isolate groups of hosts
that communicate mainly with each other. This limits the
exposure of network traffic and minimizes the potential
"snooping" hazard. These could also be isolated from the
rest of the company with a firewall machine, if required.


3. Disabling Promiscuous Mode

A user could disable promiscuous mode by:

1. Removing STREAMS-DLPI from the system and using LLA instead.
2. Removing the Apollo Token Ring card/driver from the system.

As noted above, this approach is NOT RECOMMENDED: a root
intruder can modify the system to re-enable the mode, and
removing these products costs the system their functionality.

While CERT suggests that users could disable promiscuous mode
to prevent intruder abuse, any intruder with root access could
re-enable the promiscuous mode. The intruder could just
re-install STREAMS-DLPI and reboot. Watch for reboots and the
re-installation of STREAMS-DLPI.
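Two host-side checks for what the paragraph above tells the administrator to watch for, an interface that has entered promiscuous mode and a reboot or re-installed driver, written as an added example that is not HP's code. It generalizes the advice beyond HP-UX 9.x: the interface check reads the Linux `/sys/class/net/<iface>/flags` word (IFF_PROMISC is 0x100 in `<linux/if.h>`), the reboot check compares Linux's `/proc/sys/kernel/random/boot_id` across runs, and the file check hashes whichever kernel or driver files you list. No HP-UX tool output is modelled; the interface names and file paths in the demo are constructed.

```python
"""Monitor the three signals a root intruder leaves when enabling
promiscuous mode: the PROMISC flag, a reboot, and a changed kernel/driver."""
import hashlib
import os

IFF_PROMISC = 0x100        # Linux <linux/if.h>: interface is in promiscuous mode


def promiscuous_interfaces(flags_by_iface):
    """flags_by_iface maps interface name -> contents of
    /sys/class/net/<iface>/flags (a hex word such as '0x1103\\n').
    Returns, sorted, the interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, word in flags_by_iface.items()
                  if int(word.strip(), 16) & IFF_PROMISC)


def read_interface_flags(root="/sys/class/net"):
    """Read every <root>/<iface>/flags file. Works on a real sysfs tree or on
    any directory laid out the same way (used for offline testing)."""
    flags = {}
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue               # not a network device directory
    return flags


def sha256_of(path):
    """SHA-256 of a file, streamed so a large kernel image is fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def baseline(paths):
    """Record a digest for each watched file (kernel image, network driver,
    package files). A missing file is recorded as None so that its later
    appearance, e.g. a re-installed driver, is also reported."""
    return {p: (sha256_of(p) if os.path.exists(p) else None) for p in paths}


def changed_since(base, paths):
    """Watched files whose digest no longer matches the baseline: a
    regenerated kernel or a re-installed driver shows up here."""
    now = baseline(paths)
    return sorted(p for p in paths if now.get(p) != base.get(p))


def rebooted(previous_boot_id, current_boot_id):
    """Linux generates a fresh boot_id on every boot, so a different value
    between two runs of the monitor means the host rebooted in between."""
    return previous_boot_id.strip() != current_boot_id.strip()


if __name__ == "__main__":
    # Constructed flag words: 'lan0' has bit 0x100 set, the others do not.
    sample = {"lo": "0x9\n", "lan0": "0x1103\n", "lan1": "0x1003\n"}
    print("promiscuous (sample):", promiscuous_interfaces(sample))
    if os.path.isdir("/sys/class/net"):
        print("promiscuous (this host):",
              promiscuous_interfaces(read_interface_flags()))
```

Run the baseline once from known-good media, store it and the boot_id off the host, and compare on a schedule. The bulletin's own caveat applies: these checks read state a root intruder can also edit, so they detect the careless intruder and raise the bar for the careful one, but they are no substitute for preventing root access in the first place.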


4. Prevent Root Intrusions

For details on maintaining security on your HP-UX system, HP offers
the following documents:

HP-UX System Security (HP p/n B2355-90045)
The standard security manual for HP-UX.

HP Remote Watch User's Guide (HP p/n H2534-90022)
Manual for HP's security monitoring program.

In addition to the security suggestions presented in all of the
HP-UX documentation ("Administering ARPA Services", etc), many
third-party books exist which discuss UNIX security precautions.

HP does offer B1-level-secure (BLS) versions of HP-UX, releases
9.08 for the series 800 and 9.09 for the series 700. A manual
on network security for the BLS system is "Network Security
Administrator's Guide" (HP p/n 5960-1661).


D. Recommended Solution

To reiterate, the vulnerability is intruder snooping of network
connections that pass through systems that have been root-violated
and are, as a result, running network monitoring daemons. The
recommended solution is to be cognizant of the security of the
intermediate networks a connection crosses and to make sure hosts
on those networks prevent root violation, or to change passwords
frequently when using insecure intermediate networks.



-----------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):

subscribe security_info

To retrieve the index of all HP Security Bulletins, send the following:

send security_info_list

To obtain a copy of the HP SupportLine mail service user's guide,
send the following:

send guide.txt


For security concerns, write to:

security-alert@hp.com

-----------------------------------------------------------------------