>
> peter@baileynm.com (Peter da Silva)
> >Easy on UNIX. There's only two places where services can be set up on UNIX.
> > /etc/rc*
> > /etc/inetd.conf
>
> How about /var/spool/cron/crontabs ?
>
> Or, if you let users login or rsh to a Unix system then Joe Random User can
> start up their own services on your host at ports above 1024, a la:
>
> % myserverd -p 8000 &
>
Sheesh guys, I can do better than that. Let's say you block
*all* incoming services; I still bet you let mail get through somehow.
I've seen very few people who wanted a net connection and no
e-mail. If you let arbitrary stuff out it can be scary. I've seen
users (who don't like to use their keycards and crypto to come in from
outside) set themselves up a little mail processor that watches for
incoming e-mail of a particular format. Since their firewall allowed
arbitrary outbound tcp connections, when it saw it, it basically
"mailed them an xterm", by invoking what they've specified in the mail
message to fire off a command (in this case, launching an xterm from
the inside, displaying on an outside machine). Since I've certainly
seen mail processors that can filter mail and invoke commands that
work on a whole lot of platforms (Unix, Windows, OS/2, Mac), the thought
should probably give a number of people cause for concern. Doesn't
need to be an xterm either; heck, I could set it up to have a WinFrame
server "mail me" a whole NT desktop if ICA can come out :-)

Now take it one step further. I'll use unix and procmail
specifics here for this example (this isn't a slam of either, just an
example that's extendable to other things too). Let's say evil Bob here
decides to "help" your internal procmail users by posting an "example"
procmailrc (nice and fully functional, with the evil well obfuscated)
to a few mailing lists, waiting a day, and then posting the commands
to mail himself an xterm to the same lists }:-> (Emacs says: Yow!)

Even if you blocked *all* outgoing stuff but mail too, it's a
bit harder (but not inconceivable) to even tunnel what you want
through *outgoing* smtp. Slower than heck, but it'll work if you try
hard enough.

This isn't to say you shouldn't worry about stopping connections
to arbitrary services inside, just don't think that your lusers aren't
clever enough to still find a way to do something truly awful :-)
Ya still gotta have user participation, and some understanding on the
users' part. The firewall's only a tool after all. You have a *people*
problem to deal with in the end.
-Bob
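Added example, not part of the original post or thread: a small audit script for the scenario Bob describes, in which a procmail recipe hands text taken from an incoming message (a `\/` extraction into `$MATCH`) to a command. It parses the basic `:0` / `*` condition / action recipe shape and rates pipe actions by whether they run a shell interpreter and whether message-derived data reaches them. The sample `.procmailrc` is constructed here for illustration; nested `{ }` recipe blocks are not handled.

```python
# Constructed sample .procmailrc (not from the original post): a benign
# mailbox delivery, a benign pipe to formail, and one recipe that passes
# message-derived text to a shell.
SAMPLE_PROCMAILRC = r"""
MAILDIR=$HOME/Mail
:0:
* ^From:.*lists\.example\.org
lists

:0 c
| formail -D 8192 .msgid.cache

:0
* ^Subject: run \/.*
| sh -c "$MATCH"
"""

# Interpreters that turn arbitrary text into arbitrary commands.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "perl", "python"}

def parse_recipes(text):
    """Split a procmailrc into (conditions, action) pairs.

    A recipe starts with ':0', is followed by zero or more '*' condition
    lines, and ends with a single action line (mailbox, '!' forward,
    or '|' pipe). Variable assignments and comments are skipped.
    """
    recipes, lines = [], [l.strip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i].startswith(":0"):
            i += 1
            conds = []
            while i < len(lines) and lines[i].startswith("*"):
                conds.append(lines[i][1:].strip())
                i += 1
            if i < len(lines):
                recipes.append((conds, lines[i]))
        i += 1
    return recipes

def audit(text):
    """Return (severity, command) for every recipe whose action runs a command."""
    findings = []
    for conds, action in parse_recipes(text):
        if not action.startswith("|"):
            continue  # mailbox delivery or forwarding: nothing is executed
        cmd = action[1:].strip()
        prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        # \/ captures part of a header into $MATCH, so the sender controls it.
        data_driven = "$MATCH" in cmd or any("\\/" in c for c in conds)
        if prog in SHELLS and data_driven:
            findings.append(("high", cmd))
        elif prog in SHELLS or data_driven:
            findings.append(("medium", cmd))
        else:
            findings.append(("low", cmd))
    return findings
```

Run it over each user's `~/.procmailrc` (or the files a mail gateway hands to procmail) and review anything rated high before deciding whether the pipe is legitimate.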