Devon & Cornwall Linux Users' Group


Re: [LUG] Lovesan
Neil Williams wrote:
> On Friday 15 Aug 2003 2:02 am, Simon Waters wrote:
>
> Lovesan isn't causing trouble on Linux, but what do you think of this
> comment on The Register?
>
> http://www.theregister.co.uk/content/55/31799.html

They don't distinguish ONC RPC from DCE RPC.

ONC - was basically established by SUN for running NFS and related
services, although I don't recall off hand who came up with the standard.
I think it was SUN; they certainly sold their source code for it to most
other *nix vendors.

DCE - is a later standard. They do similar tasks, which is about where
the similarity ends.

I suppose a worm that exploited vulnerabilities in both RPC mechanisms
would be possible, but it would have no more commonality than a worm
that runs against IIS and sendmail.

*nix systems have diverse implementations of ONC-RPC (basically SUN's
and Linux's implementations), and diverse compilers and CPU
architectures; this latter is what usually keeps the worms small on *nix
systems, i.e. it is hard to write an exploit to run against multiple
ports of the same vulnerability, not least because you probably need one
of each machine in your lab, and most worm authors are probably not that
well equipped. Hell, most free software authors aren't, but it is easier
to say "help me port application X" than "help me port Worm Y" without
being arrested.

> RPC has been buggy since the day it was born on UNIX and ought to be
> disabled on any non-Windows machine that doesn't need it.

I think all services that aren't in use should usually be disabled,
especially on Windows.

Probably quite a lot that are in use ought to be shut down as well ;-)
i.e. most sendmail and IIS implementations, most things running BIND 8
or earlier, any PC routinely using the Microsoft HTML object
libraries..... although this would probably shut down most of the Internet.

> I'm not clear from that comment if RPC is actually needed for NFS - it
> seems to only indicate portmapper as necessary.

Portmapper is a key part of how ONC RPC works; it bypasses the need
to use well known ports for services in a logical and well thought out
manner.

The ONC RPC software is a model of good design, except it wasn't
designed for hostile computing environments (like the Internet), or most
big corporate networks.

Unfortunately the original implementation was in C, leading to the usual
problems with big C programs which are exposed to hostile computing
environments without being hardened or written for hostile environments.
Worse, since it used a well known port (111), which Unix requires to be
owned by root <doh>, it led to remote root exploits.

NFS uses ONC RPC in most environments. ONC-RPC security issues were
addressed in later standards including ONC-RPC+, but I think it's fair to
say none of these later revisions made it big. Partly I suspect because
they were just too complicated to administer, and people don't care
about security when it involves relearning lots of stuff.

You typically don't want to expose portmapper or NFS processes to the
Internet at large. The code just isn't solid enough. I have only ever
used NFS in properly firewalled networks, and even then you suffer with
some well known security issues you accept for the utility offered by
the software. When we used NFS, we utilised the inbuilt restrictions to
try and mitigate the disaster that is its security mechanisms.

> Simon, can you remind me how to test the firewall on this connection?
> I can connect the laptop via a different ISP using the modem, but what
> do I need and what should I look for, once I've found the IP of the
> active ISDN connection from inside the LAN?

Depends what you are trying to establish about the firewall. Start with
"nmap" http://www.insecure.org/ - Fyodor is a genius.

>> state of your port 135, I just have ipchains set to DENY.
>
> This is just to save effort, right? Linux RPC is on 111 (also listed
> for 369 and 530) and I've got nothing for 135 in /etc/services.

No, I have DENY and LOG set on most ports not in use; most of the
exceptions are running various types of anti-abuse software.

>> One time the payload will be malicious and a lot of people will be
>> restoring data from tapes or wishing they could.
>
> Maybe then people will listen?

Maybe - even then I'm not totally convinced.

CERT are recommending a reinstall for all boxes infected with LoveSan or
variants, because you can't be sure something hasn't used the trojan
payload, but then again they nearly always recommend a reinstall. They
probably know what they are talking about.
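The portmapper lookup the message describes (a client asks port 111 where a program such as NFS is actually listening, so the service itself needs no well known port) as an added, offline example that is not part of the original post: it encodes a PMAPPROC_GETPORT call as laid out in RFC 1831/1833 and decodes a constructed reply; no packets are sent, and the sample reply is built by the code itself.

```python
import struct

# ONC RPC v2 and portmapper v2 constants (RFC 1831 / RFC 1833).
RPC_CALL, RPC_REPLY = 0, 1
RPC_VERSION = 2
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL = 0
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
NFS_PROG = 100003          # the program number NFS registers with portmapper
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _auth_null():
    # opaque_auth: flavor followed by an opaque body of length 0.
    return struct.pack(">II", AUTH_NULL, 0)


def build_getport_call(xid, prog, vers, prot):
    """Encode a GETPORT call as sent in one UDP datagram to port 111.
    (Over TCP the same bytes are preceded by a 4-byte record mark.)"""
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    # mapping {prog, vers, prot, port}; the port field is ignored by GETPORT.
    args = struct.pack(">IIII", prog, vers, prot, 0)
    return header + _auth_null() + _auth_null() + args


def build_getport_reply(xid, port):
    """Constructed reply in the shape a portmapper returns (demo input only)."""
    return (struct.pack(">III", xid, RPC_REPLY, MSG_ACCEPTED)
            + _auth_null() + struct.pack(">II", SUCCESS, port))


def parse_getport_reply(data, expected_xid):
    """Return the port from a GETPORT reply; 0 means not registered."""
    xid, msg_type, reply_stat = struct.unpack_from(">III", data, 0)
    if xid != expected_xid or msg_type != RPC_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("not an accepted reply to our call")
    _flavor, length = struct.unpack_from(">II", data, 12)
    off = 20 + ((length + 3) & ~3)      # opaque verifier is padded to 4 bytes
    (accept_stat,) = struct.unpack_from(">I", data, off)
    if accept_stat != SUCCESS:
        raise ValueError(f"server did not execute the call, accept_stat={accept_stat}")
    (port,) = struct.unpack_from(">I", data, off + 4)
    return port


if __name__ == "__main__":
    call = build_getport_call(0x1234, NFS_PROG, 3, IPPROTO_TCP)
    print(len(call), "byte GETPORT call for NFS v3/TCP")
    print("NFS is on port", parse_getport_reply(build_getport_reply(0x1234, 2049), 0x1234))
```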

