Security issues with S&P ComStock multiCSP (Linux)

From: Kevin Kadow (kadokev-bugtraqat_private)
Date: Tue Feb 01 2000 - 07:27:30 PST


    Standard & Poor's ComStock (http://www.spcomstock.com/) provides stock quotes
    and news as a real-time data feed on dedicated circuits. ComStock offers a
    'Client Site Processor' as a means of receiving their data feed; the MultiCSP
    I tested against is shipped as a PC running Red Hat Linux 5.1, with version
    4.2.x.x of 'mcsp', the MultiCSP application software.
    
    On January 12th, Standard & Poor, McGraw-Hill and ComStock were contacted
    about the issues detailed below. We have yet to receive any response.
    
    
    The MultiCSP system I examined was a textbook example of how NOT to ship a
    Linux-based 'appliance', with numerous extraneous services enabled, several
    UN-passworded accounts (including a root-equivalent account), world-writable
    files, and multiple root holes. It does not appear that there is any effort
    to update the OS after the machine is deployed at a client site, or to train
    clients (most of whom are only familiar with MS-Windows) to update the system.
    
    The network connection for the stock quote service is a leased line or other
    dedicated data feed. The Linux clients at customer sites use reserved
    (private) address space; however, clients are connected to Bay routers on
    the Concentric network which are Internet accessible.
    
    I see no evidence of IP filters anywhere within the network; there is nothing
    on the Concentric network to prevent leaking of 172.23.*.* traffic to the
    public Internet, or to prevent clients from within the ComStock network forging
    source IPs on outbound packets.
    
    The most obvious root hole on the MultiCSP host is the 'netconfig' account,
    an unpassworded UID 0 login that runs a menu program. This account displays a
    menu allowing for changing the IP addresses, and the ability to edit the MCSP
    startup script, using the 'vi' editor. The implications are obvious.
    
    The system ships with very weak default passwords for the root account as well
    as 'support' and 'isdnconfig'. Root can be logged into via telnet.
    
    
    If you have the misfortune of having a MultiCSP on your network, you have
    my sympathy.  If you can't live without their stock information, it is
    possible to use the root holes to lock down the box as best you can, then
    put it behind a firewall with just the CSP TCP port open _inbound_ to the MCSP
    system from your hosts, or at least a router with equivalent traffic filters.
    
    Then pray for the best.
    
    
    Kevin Kadow
    MSG.Net, Inc.
    bugtraqat_private
    
    Copyright 2000 by MSG.Net, Inc,
    No restriction on redistribution in complete and unmodified form.
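
An added example, not part of the original post and not ComStock's code: a small audit of passwd/shadow data for the two account problems the post describes, accounts with no password and non-root accounts with UID 0. The sample entries (field values, the menu program path, the `guest` account, the hash strings) are constructed for illustration.

```python
def parse_colon_file(text):
    """Split passwd/shadow-style text into field lists, skipping blanks."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text=""):
    """Return sorted (account, finding) pairs for risky entries."""
    shadow = {r[0]: r[1] for r in parse_colon_file(shadow_text) if len(r) > 1}
    findings = []
    for row in parse_colon_file(passwd_text):
        if len(row) < 7:
            findings.append((row[0], "malformed passwd entry"))
            continue
        name, pw, uid = row[0], row[1], row[2]
        if pw == "x":
            # Hash lives in the shadow file; an account missing there
            # cannot log in, so treat it as locked ("*").
            pw = shadow.get(name, "*")
        if pw == "":
            findings.append((name, "empty password"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 (root-equivalent)"))
    return sorted(findings)


# Constructed sample data (not taken from a real MultiCSP system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
netconfig::0:0:network setup menu:/root:/usr/local/bin/netmenu
support:x:500:500::/home/support:/bin/bash
isdnconfig:x:501:501::/home/isdnconfig:/bin/bash
guest:x:502:502::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$hashvalue:10900:0:99999:7:::
support:$1$constructed$hashvalue:10900:0:99999:7:::
isdnconfig:$1$constructed$hashvalue:10900:0:99999:7:::
guest::10900:0:99999:7:::
"""

if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

On a live host, pass the contents of `/etc/passwd` and `/etc/shadow` instead of the samples. A check like this does not detect weak default passwords, only missing ones.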
    


