[ISN] Teenager Finds Web-server hole.

From: mea culpa (jerichoat_private)
Date: Thu Feb 25 1999 - 06:59:30 PST

  • Next message: mea culpa: "[ISN] Injunction Issued for Hacking Away Competitor's Customer Base"

    Forwarded From: William Knowles <erehwonat_private>
    (Wired.com) [2.25.99] A 17-year-old Pennsylvania high school student has
    discovered a potentially dangerous security flaw in a line of server
    hardware manufactured for ISPs.
    Michael Righi of Pittsburgh said he discovered a flaw in the Cobalt RaQ
    servers that lets malicious users enter the system, find the system
    administrator's password, and gain access to sensitive information.
    Righi was able to obtain the root, or administrator, passwords to three
    Web sites by searching the sites for the history file through a Web
    browser. What's more, Righi easily found which sites run RaQ by using a
    simple search engine, thanks to another feature of the RaQ setup process.
    When RaQ installs itself, it generates a live Web page that reads "Welcome
    to Cobalt RaQ." By doing a search for that phrase, Righi found more than
    20 sites using the appliance.
    Cobalt Networks developed the RaQ as a low-cost, low-maintenance Web
    server for the ISP market.
    Vivek Mehra, vice president of product development at Cobalt, said the
    hole, which could give a hacker access to a history file documenting a
    user's activities, wasn't specific to their appliance, but to the Linux
    operating system. Righi disagreed and said RaQ's default settings are to
    "The Cobalt RaQ's default settings create the personal and Web directories
    as one and the same, which allows a system administrator's common mistake
    of mistyping a password to be saved in the history file," he said. He was
    unable to find similar exposure on sites running the Linux OS that did not
    use the Cobalt RaQ.
    Mehra said one simple remedy for the problem is to disable the history
    file in Linux before connecting to the Internet. Mehra said that users
    should always disable the history file if sensitive information is housed
    on the RaQ appliance. 
    Linux administrators enter commands in what's known as a command-line
    interface. The OS documents each command in a history file to prevent the
    user from having to retype the command if he or she wants to reissue it.
    That history file contains a record of every command. In some cases, the
    system administrator needs to type in the administrator password to
    perform sensitive commands, like backing up the system or adding users. A
    record of that password is saved in the history file.
    In most cases, the password will be encrypted, but Righi said that running
    the encryption through any cracker program will reveal the actual
    password. If a system administrator types the password too quickly or at
    the wrong time, the password could be saved as text without encryption,
    said Righi.
    Frezer Jones, a system administrator at Lisco, an ISP in Fairfield, Iowa,
    verified Righi's exploit after the student notified him that Lisco's
    system was at risk.
    But, said Jones, Cobalt hasn't told its customers about the security
    implications of a history file.
    "Users are always susceptible when they get a box, and they think it's
    secure, and they don't know much," Jones said. "I think Cobalt should be
    more responsive. They should know a little more and be able to advise the
    customers accordingly."
    "It's up to [individual companies] what level of security they want to run
    their systems on," Mehra said. "We can disable the feature so it doesn't
    allow the history file to be generated. People do not fully understand the
    implications of history files."
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:55 PDT