Standard & Poor's ComStock (http://www.spcomstock.com/) provides stock quotes and news as a real-time data feed on dedicated circuits. ComStock offers a 'Client Site Processor' as a means of receiving their data feed, the MultiCSP I tested against is shipped as a PC running Red Hat Linux 5.1, with version 4.2.x.x of 'mcsp', the MultiCSP application software. On January 12th, Standard & Poor, Mcgraw-Hill and ComStock were contacted about the issues detailed below. We have yet to receive any response. The MultiCSP system I examined was a textbook example of how NOT to ship a Linux-based 'appliance', with numerous extraneous services enabled, several UN-passworded accounts (including a root-equivalent account), world-writable files, and multiple root holes. It does not appear that there is any effort to update the OS after the machine is deployed at a client site, or to train clients (Most of whom are only familiar with MS-Windows) to update the system. The network connection for the stock quote service is a leased line or other dedicated data feed. The Linux client at customer sites use reserved (private) address space, however clients are connected to Bay routers on the Concentric network which are Internet accessible. I see no evidence of IP filters anywhere within the network, there is nothing on the Concentric network to prevent leaking of 172.23.*.* traffic to the public Internet, or to prevent clients from within the ComStock network forging source IPs on outbound packets. The most obvious root hole on the MultiCSP host is the 'netconfig' account, an unpassworded UID 0 login that runs a menu program. This account displays a menu allowing for changing the IP addresses, and the ability to edit the MCSP startup script, using the 'vi' editor. The implications are obvious. The system ships with very weak default passwords for the root account as well as 'support' and 'isdnconfig'. Root can be logged into via telnet. If you have the misfortune of having a MultiCSP on your network, you have my sympathy. If you can't live without their stock information, It is possible to use the root holes to lock down the box as best you can, then put it behind a firewall with just the CSP TCP port open _inbound_ to the MCSP system from your hosts, or at least a router with equivalent traffic filters. Then pray for the best. Kevin Kadow MSG.Net, Inc. bugtraqat_private Copyright 2000 by MSG.Net, Inc, No restriction on redistribution in complete and unmodified form.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:50 PDT