Neil Williams wrote:
> On Friday 15 Aug 2003 2:02 am, Simon Waters wrote:
>
> Loevsan isn't causing trouble on Linux, but what do you think of this comment
> on The Register?
>
> http://www.theregister.co.uk/content/55/31799.html

They don't distinguish ONC RPC from DCE RPC.

ONC - was basically established by SUN for running NFS and related services, although I don't recall off hand who came up with the standard. I think it was SUN; they certainly sold their source code for it to most other *nix vendors.

DCE - is a later standard.

They do similar tasks, which is about where the similarity ends. I suppose a worm that exploited vulnerabilities in both RPC mechanisms would be possible, but it would have no more commonality than a worm that runs against IIS and sendmail.

*nix systems have diverse implementations of ONC-RPC (basically SUN's and Linux's implementations), and diverse compilers and CPU architectures; this latter is what usually keeps the worms small on *nix systems. i.e. it is hard to write an exploit to run against multiple ports of the same vulnerability, not least because you probably need one of each machine in your lab, and most worm authors are probably not that well equipped. Hell, most free software authors aren't, but it is easier to say "help me port application X" than "help me port Worm Y" without being arrested.

> RPC has been buggy since the day it was born on UNIX and ought to be disabled
> on any non-Windows machine that doesn't need it.

I think all services that aren't in use should usually be disabled, especially on Windows. Probably quite a lot that are in use ought to be shut down as well ;-) i.e. most sendmail and IIS implementations, most things running BIND 8 or earlier, any PC routinely using the Microsoft HTML object libraries..... although this would probably shut down most of the Internet.

> I'm not clear from that comment if RPC is actually needed for NFS - it seems
> to only indicate portmapper as necessary.

Portmapper is a key part of how ONC RPC works; it bypasses the need to use well known ports for services in a logical and well thought out manner. The ONC RPC software is a model of good design, except it wasn't designed for hostile computing environments (like the Internet), or most big corporate networks.

Unfortunately the original implementation was in C, leading to the usual problems with big C programs which are exposed to hostile computing environments without being hardened or written for hostile environments. Worse, since it used a well known port (111), which Unix requires to be owned by root <doh>, it led to remote root exploits.

NFS uses ONC RPC in most environments.

ONC-RPC security issues were addressed in later standards including ONC-RPC+, but I think it fair to say none of these later revisions made it big. Partly I suspect because they were just too complicated to administer, and people don't care about security when it involves relearning lots of stuff.

You typically don't want to expose portmapper or NFS processes to the Internet at large. The code just isn't solid enough. I have only ever used NFS in properly firewalled networks, and even then you suffer with some well known security issues you accept for the utility offered by the software. When we used NFS, we utilised the inbuilt restrictions to try and mitigate the disaster that is its security mechanisms.

> Simon, can you remind me how to test the firewall on this connection? I can
> connect the laptop via a different ISP using the modem, but what do I need
> and what should I look for, once I've found the IP of the active ISDN
> connection from inside the LAN?

Depends what you are trying to establish about the firewall. Start with "nmap" http://www.insecure.org/ - Fyodor is a genius.

>> state of your port 135, I just have ipchains set to DENY.
>
> This is just to save effort, right? Linux RPC is on 111 (also listed for 369
> and 530) and I've got nothing for 135 in /etc/services.

No, I have DENY and LOG set on most ports not in use; most of the exceptions are running various types of anti-abuse software.

>> One time the payload will be malicious and a lot of people will be
>> restoring data from tapes or wishing they could.
>
> Maybe then people will listen?

Maybe - even then I'm not totally convinced. CERT are recommending a reinstall for all boxes infected with LoveSan or variants, because you can't be sure something hasn't used the trojan payload, but then again they nearly always recommend a reinstall. They probably know what they are talking about.

--
The Mailing List for the Devon & Cornwall LUG
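The message above mentions running ipchains with DENY and LOG on unused ports; the following is an added example (not from the thread or its author) that reads such kernel log lines and counts denied hits on the two RPC ports the thread contrasts, 111 (ONC RPC portmapper) and 135 (Windows DCE RPC endpoint mapper), plus 2049 (NFS). The line layout assumes the 2.2-kernel ipchains "Packet log:" format; the sample log lines and port labels are constructed for the example.

```python
import re
from collections import Counter

# Ports discussed in the thread: ONC RPC portmapper vs. the Windows DCE RPC
# endpoint mapper, plus NFS. Labels are assumed, for reporting only.
PORT_LABELS = {111: "ONC RPC portmapper", 135: "DCE RPC endpoint mapper", 2049: "NFS"}

# ipchains (2.2 kernel) "Packet log:" line: chain target iface PROTO=n src:port dst:port ...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["syn"] = " SYN" in line[m.end():]  # TCP connection attempts carry a SYN flag
    return rec

def summarise(lines):
    """Count DENY hits per (source, destination port) for the RPC-related ports only."""
    probes = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["target"] == "DENY" and rec["dport"] in PORT_LABELS:
            probes[(rec["src"], rec["dport"])] += 1
    return probes

def report(probes):
    """Render the busiest sources first, so repeated probes of one port stand out."""
    return [f"{src} -> {port} ({PORT_LABELS[port]}): {n} denied"
            for (src, port), n in sorted(probes.items(), key=lambda kv: -kv[1])]

# Constructed sample syslog lines (not real traffic), in the ipchains format above.
SAMPLE_LOG = [
    "Aug 15 02:10:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3127 192.0.2.10:135 L=48 S=0x00 I=30281 F=0x4000 T=112 SYN (#3)",
    "Aug 15 02:10:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3128 192.0.2.10:135 L=48 S=0x00 I=30282 F=0x4000 T=112 SYN (#3)",
    "Aug 15 02:11:40 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:1027 192.0.2.10:111 L=84 S=0x00 I=2 F=0x0000 T=52 (#3)",
    "Aug 15 02:12:00 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.9:40123 192.0.2.10:25 L=60 S=0x00 I=5 F=0x4000 T=55 SYN (#1)",
    "Aug 15 02:12:05 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3129 192.0.2.10:80 L=48 S=0x00 I=30283 F=0x4000 T=112 SYN (#3)",
]
```

Running report(summarise(SAMPLE_LOG)) lists the source hitting port 135 twice ahead of the single portmapper probe, while ACCEPTed traffic and denies on non-RPC ports are left out.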