===============================================================================
 >> CERT-NL, 01-Mar-2000                                                    <<
 >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
 >> to CERT-NL information contained in this advisory are therefore         <<
 >> outdated.                                                               <<
 >>                                                                         <<
 >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the    <<
 >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for    <<
 >> the complete CERT-CC advisory texts: http://www.cert.org                <<
===============================================================================

===============================================================================
                         Security Advisory CERT-NL
===============================================================================
Author/Source : Rene Ritzen & Don Stikvoort        Index         : S-95-12
Distribution  : World                              Page          : 1
Classification: External                           Version       : 1
Subject       : SATAN / SANTA Version 1.1.1 (new release)
Date          : 13-Apr-95
===============================================================================

Known vulnerabilities associated with X Windows and WWW browsers may be
exploited when you run SATAN/SANTA from within an improperly secured
environment. SATAN/SANTA 1.0 (released April 5) did not take this problem
into account. SATAN/SANTA 1.1.1 (available now) covers this problem in a
tutorial inserted in the program and reproduced below. Some very useful
safeguards against the problem have also been inserted into 1.1.1.

CERT-NL strongly recommends that you NOT run 1.0 anymore and upgrade to
version 1.1.1 now, available from the usual SATAN mirror sites. Within .nl
the mirror sites are:

    ftp://ftp.win.tue.nl/pub/security/satan-1.1.1*
    ftp://ftp.wi.leidenuniv.nl/pub/satan-1.1.1*
    ftp://ftp.cs.ruu.nl/pub/SECURITY/satan-1.1.1*

CERT-NL also recommends NOT to use any wild SATAN versions lurking around.
It has, for example, been reported that a wild SATAN version for Linux
contains a Trojan Horse.
We thank Wietse Venema for his extensive and fast reactions in this matter.

===============================================================================

The 13th satan-1.1 vulnerability tutorial: SATAN Password Disclosure

SUMMARY

SATAN password disclosure via flawed HTML clients or environmental problems

IMPACT

Unauthorized users may execute commands through SATAN

BACKGROUND

By default, SATAN runs as a custom HTML (hypertext markup language) server,
executing requests from a user-provided HTML browser, or client program.
Examples of common HTML clients are Netscape, NCSA Mosaic and Lynx.

An HTML client request is nothing but a network message, and network
messages may be sent by any user on the network. To defend itself against
requests from unauthorized users, SATAN takes the following precautions:

* SATAN generates a session key, to be used as a secret password, each time
  it starts up an HTML client. The session key is in the form of a 32-byte
  quasi-random number. The number is called quasi-random because it is
  impossible to generate real random numbers using only software.

* SATAN creates HTML files with the secret password embedded in URL (uniform
  resource locator) links. The HTML file access permissions are restricted
  to the owner of the SATAN process (and the superuser).

* SATAN rejects HTML requests whose URL does not contain the current SATAN
  password. This requirement prevents access by unauthorized clients,
  provided that the current SATAN password is kept secret.

The protection scheme used by SATAN is in essence the same as the scheme
used by many implementations of the X Window system: MIT magic cookies.
These secrets are normally kept in the user's home directory, in a file
called .Xauthority. Before it is granted access to the screen, keyboard and
mouse, an X client program needs to prove that it is authorized, by handing
over the correct magic cookie.
This requirement prevents unauthorized access, provided that the magic
cookie information is kept secret.

THE PROBLEM

It is important that the current SATAN password is kept secret. When the
password leaks out, unauthorized users can send commands to the SATAN HTML
server, where the commands will be executed with the privileges of the SATAN
process. Note that SATAN generates a new password every time you start it up
under an HTML client, so if you are suspicious, simply restart the program.

SATAN never sends its current password over the network. However, the
password, or parts of it, may be disclosed due to flaws in HTML clients or
due to weak protection of the environment that SATAN is running in. One
possible scenario for disclosure is:

* When the user selects other HTML servers from within a SATAN session, some
  HTML client programs (Netscape and Lynx) disclose the current SATAN URL,
  including SATAN password information. The intention of this feature is to
  help service providers find out the structure of the world-wide web.
  However, the feature can also reveal confidential information. With
  version 1.1 and later, SATAN displays a warning when the HTML client
  program exhibits this questionable feature.

Other scenarios for SATAN password disclosure are discussed in the following
section, as part of a list of countermeasures.

PREVENTING SATAN PASSWORD DISCLOSURE

The security of SATAN is highly dependent on the security of the environment
that it runs in. In the case of an X Window environment:

* Avoid using the xhost mechanism; use xauth and MIT magic cookies or
  better. Otherwise, unauthorized users can see and manipulate everything
  that happens with the screen, keyboard and mouse. Of course, this can also
  be a problem when you are not running the SATAN program at all.

Steps that can help to keep the X magic cookie information secret:

* Avoid sharing your home directory, including the .Xauthority file, with
  other hosts.
  Otherwise, X magic cookie information may be captured from the network
  while the X software accesses that file, so that unauthorized users can
  take over the screen, keyboard and mouse.

* Avoid running X applications with output to a remote display. Otherwise,
  X magic cookie information can be captured from the network while X
  clients connect to the remote display, so that unauthorized users can take
  over the screen, keyboard and mouse.

Finally, steps that can help to keep the current SATAN password secret:

* Avoid sharing the SATAN directories with other hosts. Otherwise, SATAN
  password information may be captured from the network while the HTML
  software accesses passworded files, so that unauthorized users can take
  over the SATAN HTML server.

* Avoid running SATAN with output to a remote display. Otherwise, SATAN
  password information can be captured from the network while URL
  information is shown on the remote display, so that unauthorized users can
  take over the SATAN HTML server.

ADDITIONAL SATAN DEFENSES

The SATAN software spends a lot of effort to protect your computer and data
against password disclosure. With version 1.1 and later, SATAN even attempts
to protect you after the password has fallen into the hands of unauthorized
users:

* SATAN displays a warning and advises the user not to contact other HTML
  servers from within a SATAN session, when it finds that the HTML client
  program reveals SATAN password information as part of parent URL
  information.

* SATAN rejects requests that appear to come from hosts other than the one
  it is running on, that refer to resources outside its own HTML tree, or
  that contain unexpected data.

* SATAN terminates with a warning when it finds a valid SATAN password in an
  illegal request: SATAN assumes the password has fallen into the hands of
  unauthorized users and assumes the worst.
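As an added illustration (not code from SATAN or from this advisory), the following Python sketch models the request-admission rules the tutorial describes: a per-session secret that must appear in every URL, rejection of requests from another host, outside the HTML tree, or carrying unexpected data, shutdown when the valid secret shows up in an otherwise illegal request, and the parent-URL leak check behind the version 1.1 warning. The HTML root path, the local-host list and the hex encoding of the key are assumptions.

```python
import secrets

# Added illustration of the SATAN 1.1 defenses described in the advisory;
# this is not SATAN's own code. HTML_ROOT and LOCAL_HOSTS are assumed values.
HTML_ROOT = "/satan-html"       # assumed: the server's own HTML tree
LOCAL_HOSTS = {"127.0.0.1"}     # assumed: SATAN only serves the host it runs on


def new_session_key():
    """32 quasi-random bytes, hex encoded, generated once per HTML client start."""
    return secrets.token_hex(32)


def well_formed(path):
    """A request must stay inside the HTML tree and contain no unexpected data."""
    parts = path.split("/")
    return (
        path.startswith(HTML_ROOT + "/")
        and ".." not in parts                          # no escape from the tree
        and all(32 < ord(c) < 127 for c in path)       # printable ASCII, no spaces
    )


def check_request(session_key, client_host, path):
    """Classify one request as 'ok', 'reject' or 'terminate'.

    'terminate' models SATAN shutting down when the valid password appears in
    a request that is illegal on other grounds: the secret is assumed leaked.
    """
    key_present = session_key in path
    if client_host in LOCAL_HOSTS and well_formed(path) and key_present:
        return "ok"
    if key_present:
        return "terminate"
    return "reject"


def parent_url_leaks_key(session_key, parent_url):
    """True when the HTML client's parent-URL information would carry the
    SATAN password to another server; SATAN 1.1 warns the user in that case."""
    return parent_url is not None and session_key in parent_url
```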
===============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under: http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl          ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305             BUSINESS HOURS ONLY
Fax:       +31 302 305 329             BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

EMERGENCIES : 06 22 92 35 64           ALWAYS REACHABLE
EMERGENCIES : +31 6 22 92 35 64        ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================