NSW Dragon Fire gets drowned

From: Stefan Laudat (stefanat_private)
Date: Wed Aug 04 1999 - 08:32:20 PDT


    Application: Dragon Fire 3.1 IDS for Unices
    Developer: Network Security Wizards
    Urgency: VERY HIGH
    Symptoms: Web users can run arbitrary commands *remotely*.
    
    Storyline:
    ----------
    
    	In the middle of development of a Linux IDS, I wanted to take a short glimpse
    at some similar products on the net. Seems like the most impressive (and commercial, yuck)
    is NSW's (Network Security Wizard's) Dragon Fire 3.1, just released. I've followed the nice
    link there (Live demo) and I've chosen there Database telnet1, Forensic tool mkchart,
    sensor ALL and as 'IP one' | ls -lsa / . I was unpleasantly surprised when I saw my command
    executed very well, with a nice output. Too bad it doesn't run as root (maybe other tools in that
    package do). Anyhow, they don't run that system on a Linux station (try as 'IP one' | echo `uname -a`
    and vote for SunOS!?). I guess many customers run it on other buggy Unices (Irix etc.) so watch your asses
    and claim your support, or switch to a local tool implemented by your system administrator (wow,
    my company is lucky, don't you think so? :)) Go there if you don't believe me, and try as many
    commands as possible, maybe that IDS is smart enough to log them too! :)
    
    Fix:
    ----
    
    	The sources are not public (and they are buggy too) so I recommend IMMEDIATE protection
    of the web pages (.htaccess if you use Apache). You may also keep your mouth shut unless NSW
    releases an *elementary* secure wrapper, and don't make your DragonFire URLs public. There is
    an enterprise version too :>
    
    
    Funstuff:
    --------
    
    	Well, if you read http://www.securitywizards.com/wsj1.html, I guess Mr Gula will not
    forget to invite me to his next DefCon, near all the feds and US crackers (= kiddies, for me) there to
    penetrate newer versions of 'DragonFire'. I guess the feds will have to focus their attention
    on some other IDSes.
    
    --
    
    Stefan Laudat
    Data Networks Analyst
    ASIT SA
    -------------
    
    !07/11 PDP a ni deppart m'I  !pleH
    
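What the post describes is classic shell command injection: a value typed into the 'IP one' form field is spliced into a command line and handed to a shell, so `| ls -lsa /` or a backtick-quoted `uname -a` runs with the web server's privileges. The following is an added example, not Dragon Fire code and not from the poster; the real tool's command line is not on the page, so `echo` stands in for the unknown forensic tool (an assumption). It shows the vulnerable pattern beside a hardened version that validates the field as an IP address and invokes the tool as an argv list with no shell, plus a small detection-side check for the metacharacters the post's payloads rely on.

```python
"""Shell command injection via a web form field, as in the 'IP one' report.

Added example, not Dragon Fire code. The command the real CGI built is not
known from the post, so `echo` is used here as a stand-in tool (assumption).
"""
import ipaddress
import re
import subprocess


def run_tool_vulnerable(ip_field: str) -> str:
    """Vulnerable pattern: concatenate user input into a string and give it
    to /bin/sh. Anything after a pipe, semicolon or backtick is executed."""
    cmd = "echo " + ip_field  # hypothetical stand-in for the forensic tool
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ip(ip_field: str) -> str:
    """Allow-list check: accept only a syntactically valid IPv4/IPv6 address
    and return its canonical form; everything else is rejected outright."""
    try:
        return str(ipaddress.ip_address(ip_field.strip()))
    except ValueError:
        raise ValueError(f"rejected 'IP one' value: {ip_field!r}") from None


def run_tool_hardened(ip_field: str) -> str:
    """Hardened pattern: validate first, then run the tool as an argv list so
    no shell ever parses the value. Metacharacters become a literal argument
    at worst, but the validator never lets them get this far."""
    ip = validate_ip(ip_field)
    out = subprocess.run(["echo", ip], capture_output=True, text=True, check=True)
    return out.stdout


# Detection-side check for web logs or IDS rules: shell metacharacters in a
# field that should only ever hold an IP address.
SHELL_META = re.compile(r"[|;&`$<>(){}\n]")


def looks_like_injection(ip_field: str) -> bool:
    """True when the value carries characters a shell would interpret."""
    return SHELL_META.search(ip_field) is not None


if __name__ == "__main__":
    payload = "| echo INJECTED"            # constructed, mirrors '| ls -lsa /'
    print("vulnerable:", run_tool_vulnerable(payload).strip())
    print("flagged:", looks_like_injection(payload))
    print("hardened:", run_tool_hardened("10.0.0.1").strip())
    try:
        run_tool_hardened(payload)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The `.htaccess` restriction the post recommends only limits who can reach the CGI; it does not remove the bug. The durable fix is the second function's shape: strict validation of the field against what it is supposed to contain, and no shell between the web server and the tool.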
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:56 PDT