(no subject)

From: Ejovi Nuwere (joeweeat_private)
Date: Tue Nov 09 1999 - 12:59:02 PST

    Rob,
    
    w00w00 was planning on addressing this issue, but I just can't control the
    urge to speak...
    
    So if I understand correctly, F5 has made many improvements to the
    security of BigIP. Now was adding a second account with uid 0 without the
    knowledge of the user part of that plan?
    
    support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
    
    This is blatantly bad security practice; every BigIP box I have come
    across has this account. Not only did you add a shell account, but you did
    the same for the browser configuration tool:
    
    bigip1:~# cat /var/f5/httpd/basicauth/users
    admin:MdA00w00w
    support:_J9..1fnHY9nqgjRyOV2
    bigip1:~#
    
    Now, I know what you're going to say: "It doesn't matter because of
    restrictions in sshd_config." BUT! Remember this is a unix machine with a
    unix user. I have a few people in the office who would rather allow ANY
    location to connect to every box on the network; do you see where I'm
    going with this? It isn't that far-fetched.
    
    I place load balancers in the router category, and anything in that
    
    bigip1:~# ls -la /usr/bin/rlogin
    -r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
    bigip1:~#
    
    category should be stripped down, to only core tools.
    
    I say this in closing:
    -r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
    support:_J9..1fnHY9nqgjRyOV2
    support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
    
    w00giving : w00w00 pronounced wu-wu : ADM
    
    joewee.
    
    PS: BigIP is by far the best load balancer in the industry. I love it.
    
    
    > Guy is discussing an issue that affects older versions of BIG/ip.
    > As he points out, the risk is from internal users.  In older versions
    > of BIG/ip, there is effectively only one user and that user has root
    > privileges.  That user could execute commands as root through a shell
    > escape in our web-based user interface.
    >
    > As of Version 2.1, this is no longer possible.  The current version
    > of BIG/ip is 2.1.2.  The software update is available for free over
    > the net to all customers with support contracts.
    >
    > In Version 2.1, in response to customer feedback, we removed the shell
    > escape capability and also changed to multiple user levels in the
    > web-based user interface.
    >
    > BIG/ip is a default-deny device, both for administrative traffic to it,
    > and for traffic passing through it.  The product uses SSH for command
    > line access and SSL for web access.  We welcome any feedback on how we
    > can make the product more secure.
    >
    > Thanks!
    >
    > Rob Gilde
    > Product Development Manager
    > voice: 206-505-0857
    > email: robat_private
    >
    > F5 Networks, Inc.
    > 200 First Avenue West, Suite 500
    > Seattle, WA 98119
    > http://www.f5.com
    > 1-888-88BIGIP
    
    ----------------------------
    Ejovi Nuwere [www.ejovi.net]
    In God we trust.
    The rest we monitor.
    ----------------------------
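The post raises three findings an administrator can verify on any Unix-based appliance: a second account with uid 0, the same account enabled in the web UI's basic-auth users file, and setuid-root binaries such as rlogin left in place. The script below is an added example written for this archive entry, not code from the post or from F5. It runs those checks against a constructed BSD master.passwd and basic-auth users file embedded inline (the two `support` lines are copied from the post; the other entries are filler), and runs the setuid scan on a temporary directory rather than the real filesystem.

```shell
#!/bin/sh
# Audit helpers for the findings in the post: a second uid-0 account, that
# account also enabled for the web UI's basic-auth file, and setuid binaries
# left on an appliance. POSIX sh + awk + find only; no root needed to run it.

# Print the login name of every account whose uid (field 3) is 0.
# Field 3 is the uid in both /etc/passwd (7 fields) and BSD
# /etc/master.passwd (10 fields), so the same awk handles either layout.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Return 1 and print a warning if more than one uid-0 account exists.
check_single_root() {
    accounts=$(uid0_accounts "$1" | xargs)
    count=$(uid0_accounts "$1" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        printf 'WARNING: %s uid-0 accounts in %s: %s\n' "$count" "$1" "$accounts" >&2
        return 1
    fi
    return 0
}

# Print accounts that are uid 0 in the passwd file AND have an entry in the
# web UI's basic-auth users file (name:hash per line): a root-equivalent
# login reachable through HTTP basic auth as well as the shell.
root_accounts_with_web_login() {
    uid0_accounts "$1" | while IFS= read -r name; do
        if awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' "$2"; then
            printf '%s\n' "$name"
        fi
    done
}

# List setuid executables under a directory. On a real box run it against /
# and expect only the handful of tools the appliance genuinely needs.
setuid_bins() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Constructed sample data: a BSD master.passwd and a basic-auth users file.
# The two 'support' lines are the ones quoted in the post; everything else
# is filler. Prints the temporary directory that holds both files.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/master.passwd" <<'EOF'
root:*:0:0::0:0:System Administrator:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
EOF
    cat > "$dir/users" <<'EOF'
admin:MdA00w00w
support:_J9..1fnHY9nqgjRyOV2
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run against the sample data.
d=$(make_sample_dir)
echo "uid-0 accounts: $(uid0_accounts "$d/master.passwd" | xargs)"
check_single_root "$d/master.passwd" || echo "-> a second root-equivalent account is present"
echo "uid-0 accounts also in the basic-auth file: $(root_accounts_with_web_login "$d/master.passwd" "$d/users" | xargs)"
echo "setuid files under $d: $(setuid_bins "$d" | xargs)"
```

On a live system point the functions at `/etc/master.passwd` (or `/etc/passwd`), the web server's basic-auth file, and `/`. The remediation the post implies is the inverse of each check: drop the extra uid-0 entry from both files and remove or `chmod u-s` any setuid tool the appliance does not need.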
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:58 PDT