Sorry for the duplicates....
Here's one that Firewall Administrators (or anyone interested in a secure
system) need to be aware of.
Normally, to remotely manage a Windows NT machine you have to open up ports
u137, u138, t139, right? Not any more!! With the wonderful product outlined
in the promo below, you can now allow System Account access to services and
drivers remotely, and all through a single port.
Yup, this brilliant programmer decided it was too difficult to get
connected securely to Windows NT from the Internet, so he thought he would
write a program that would allow you to do it easily, through a single
port, and all through a normal web browser (duh, yup, not even using SHTTP
or SSL).
Most important to firewall administrators is the fact that this "service"
can sit and listen to the same port as an existing HTTP server. It can
distinguish itself from the HTTP server using NT's support for multiple
names and IP addresses. So, if your webserver is normally known as
www.foo.com listening to port 80, you can set up admin.foo.com with a
different IP address, also on port 80, and this thing will know it's being
called when you try and connect to admin.foo.com!!!
Since it can only be installed to run as the System Account, and since they
only do their own password validation (no challenge/response here folks),
and since none of it is encrypted, wheee, you've just opened your NT
machine up to every kind of Denial of Service (DoS) attack you can imagine,
and all harmlessly through your firewall. A little pounding on the front
door of this thing and you're into the NT box happily starting up the NetBIOS
stuff that was previously turned off, shutting down the SQL server, turning
off the Alerter service, and, if you want, rebooting the machine.
Sure sounds like the kinda thing I would like to have on my machine!
(not!).
The point is, none of this would be apparent to the Gatemaster since it
would all just seem to be HTTP traffic.
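The post's point is that the admin service hides behind a second hostname on port 80, so a firewall that only looks at port numbers sees ordinary HTTP. What a gatekeeper can do is inspect the request itself: the Host header names the virtual host being asked for, and an Authorization header or a login form carries the credential in the clear. The following is an added example (not the product's code, and not from the original post) in Python, using the post's placeholder names www.foo.com and admin.foo.com and a few constructed request captures; it flags any request for a hostname outside the known public set and any request that carries a cleartext credential.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: raw HTTP/1.1 requests as a proxy or firewall that logs
# the full request line and headers would see them. The hostnames are the
# placeholders used in the post; "YWRtaW46c2VjcmV0" is base64 of "admin:secret".
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.foo.com\r\n\r\n",
    "GET /services HTTP/1.1\r\nHost: admin.foo.com\r\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: admin.foo.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=admin&password=secret",
    "GET /about.html HTTP/1.1\r\nHost: WWW.FOO.COM\r\n\r\n",
]

# Hostnames the firewall administrator expects to see on port 80 (assumed).
PUBLIC_HOSTS = {"www.foo.com"}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(method, headers, body):
    """Describe any credential carried in the clear, or return None."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
        except Exception:
            user = "?"
        return f"Basic auth credentials for user '{user}'"
    # A form login is assumed to carry its secret in a field named like "password".
    if method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        fields = parse_qs(body)
        if any(k.lower() in ("password", "passwd", "pwd") for k in fields):
            return "form login with password field"
    return None


def audit_requests(raw_requests, public_hosts=PUBLIC_HOSTS):
    """Return findings as (request index, host, reason) tuples."""
    findings = []
    for i, raw in enumerate(raw_requests):
        method, path, headers, body = parse_request(raw)
        # Host comparison is case-insensitive and ignores an explicit :port.
        host = headers.get("host", "").lower().split(":")[0]
        if host not in public_hosts:
            findings.append((i, host, "request for unexpected virtual host"))
        cred = find_cleartext_credentials(method, headers, body)
        if cred:
            findings.append((i, host, cred))
    return findings


if __name__ == "__main__":
    for idx, host, reason in audit_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: host={host!r}: {reason}")
```

Run against the four constructed requests it reports nothing for the two www.foo.com requests and two findings each for the admin.foo.com ones (unexpected host, plus the Basic auth header or the password form field). The same check works on a proxy's full-request log; a plain port-80 allow rule never sees any of it.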
- Username/Password are sent in the clear, across the Internet. This
information could easily be sniffed and then used to gain access to the
program.
- Username/Password are kept in a flat ASCII file on the NT machine,
accessible by anything with System access (i.e. a stuffed Perl script).
- Since the Username/Password are not accessing the NT security model,
there is no way to track the attempted logins or shut down the account in
the event of an attempted hack.
- Someone other than a valid member of the NT Administrators Group could
gain access to services, starting and stopping them as desired.
- No mechanism is provided to prevent access to this process by IP address,
all traffic appears to be coming from a harmless browser using harmless
HTTP.
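Three of the points above (plaintext password file, no audit trail or lockout because NT's security model is bypassed, no source-address restriction) are things a home-grown authenticator can get right even without hooking into the OS. As an added illustration, not the product's code and not from the post, here is the flat-file plaintext compare the post describes next to a hardened equivalent in Python: the store keeps only a random salt and a PBKDF2 digest, every decision is written to an audit log, consecutive failures lock the account, and logins are refused from outside an allowlisted network. The file contents, usernames, iteration count and lockout threshold are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os
from collections import defaultdict

# The pattern the post describes: a flat ASCII file of username:password
# lines, compared in the clear. Constructed sample contents, not the product's.
FLAT_FILE = "admin:secret\noperator:letmein\n"


def check_flat_file(username, password, contents=FLAT_FILE):
    """Plaintext compare against a flat file. Anyone who can read the file
    has every password, and nothing records failed attempts or locks out."""
    for line in contents.splitlines():
        user, _, stored = line.partition(":")
        if user == username and stored == password:
            return True
    return False


# Hardened equivalent. The parameters below are this example's own choices.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5


def make_record(password, salt=None):
    """Keep only a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    """Salted-hash credential store with failed-attempt counting, lockout and
    a source-address allowlist. Every decision is appended to audit_log."""

    def __init__(self, allowed_cidrs):
        self.records = {}                    # username -> (salt, digest)
        self.failures = defaultdict(int)     # username -> consecutive failures
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.audit_log = []

    def add_user(self, username, password):
        self.records[username] = make_record(password)

    def _log(self, verdict, username, source_ip, reason):
        self.audit_log.append(f"{verdict} user={username} ip={source_ip} reason={reason}")

    def login(self, username, password, source_ip):
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in self.allowed):
            self._log("DENY", username, source_ip, "source address not allowlisted")
            return False
        if self.failures[username] >= MAX_FAILURES:
            self._log("DENY", username, source_ip, "account locked")
            return False
        record = self.records.get(username)
        if record is None:
            # Unknown user is counted like a bad password so the response is uniform.
            self.failures[username] += 1
            self._log("DENY", username, source_ip, "bad credentials")
            return False
        salt, digest = record
        _, attempt = make_record(password, salt)
        if not hmac.compare_digest(attempt, digest):
            self.failures[username] += 1
            self._log("DENY", username, source_ip, "bad credentials")
            return False
        self.failures[username] = 0
        self._log("ALLOW", username, source_ip, "ok")
        return True


if __name__ == "__main__":
    auth = Authenticator(["10.0.0.0/8"])
    auth.add_user("admin", "secret")
    print(auth.login("admin", "secret", "10.1.2.3"))      # allowed
    print(auth.login("admin", "secret", "203.0.113.5"))   # refused: not allowlisted
    for line in auth.audit_log:
        print(line)
```

Note that none of this helps with the first bullet: a password typed into a plain HTTP form is still sniffable on the wire, and only transport encryption (SSL, as the post says is missing) fixes that. What the hardened store does give the administrator is a record of every attempt and an account that stops answering after repeated failures, which is exactly what the post says the product cannot offer.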
Their promo lit. says that the listening port is known only to the
Administrator, but a simple port scan shows what port the thing is on. The
funniest thing is that they are trying to sell this thing! Of course, if
you are an independent ISP who doesn't care that his/her competition
repeatedly reboots your machine on you, then this is the product for you.
Cheers,
Russ Cooper
If you are interested in receiving this level of support information
through a Windows NT subscription based mailing list for $20 per month,
please send me an email (Russ . Cooper @ RC . Toronto . on . ca)