Forwarded From: William Knowles <erehwonat_private> http://www.wired.com/news/print_version/technology/story/18109.html?wnpg=all (Wired.com) [2.25.99] A 17-year-old Pennsylvania high school student has discovered a potentially dangerous security flaw in a line of server hardware manufactured for ISPs. Michael Righi of Pittsburgh said he discovered a flaw in the Cobalt RaQ servers that lets malicious users enter the system, find the system administrator's password, and gain access to sensitive information. Righi was able to obtain the root, or administrator, passwords to three Web sites by searching the sites for the history file through a Web browser. What's more, Righi easily found which sites run RaQ by using a simple search engine, thanks to another feature of the RaQ setup process. When RaQ installs itself, it generates a live Web page that reads "Welcome to Cobalt RaQ." By doing a search for that phrase, Righi found more than 20 sites using the appliance. Cobalt Networks developed the RaQ as a low-cost, low-maintenance Web server for the ISP market. Vivek Mehra, vice president of product development at Cobalt, said the hole, which could give a hacker access to a history file documenting a user's activities, wasn't specific to their appliance, but to the Linux operating system. Righi disagreed and said RaQ's default settings are to blame. "The Cobalt RaQ's default settings create the personal and Web directories as one and the same, which allows a system administrator's common mistake of mistyping a password to be saved in the history file," he said. He was unable to find similar exposure on sites running the Linux OS that did not use the Cobalt RaQ. Mehra said one simple remedy for the problem is to disable the history file in Linux before connecting to the Internet. Mehra said that users should always disable the history file if sensitive information is housed on the RaQ appliance. Linux administrators enter commands in what's known as a command-line interface. The OS documents each command in a history file to prevent the user from having to retype the command if he or she wants to reissue it. That history file contains a record of every command. In some cases, the system administrator needs to type in the administrator password to perform sensitive commands, like backing up the system or adding users. A record of that password is saved in the history file. In most cases, the password will be encrypted, but Righi said that running the encryption through any cracker program will reveal the actual password. If a system administrator types the password too quickly or at the wrong time, the password could be saved as text without encryption, said Righi. Frezer Jones, a system administrator at Lisco, an ISP in Fairfield, Iowa, verified Righi's exploit after the student notified him that Lisco's system was at risk. But, said Jones, Cobalt hasn't told its customers about the security implications of a history file. "Users are always susceptible when they get a box, and they think it's secure, and they don't know much," Jones said. "I think Cobalt should be more responsive. They should know a little more and be able to advise the customers accordingly." "It's up to [individual companies] what level of security they want to run their systems on," Mehra said. "We can disable the feature so it doesn't allow the history file to be generated. People do not fully understand the implications of history files." -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:55 PDT