I am told, is a problem. Sure enough, if I do an NFS mount, on one
system
I see that 893 is used. If I unmount and remount, I see that port 894 is
used.
Next I see that 895 is used.
We are running various models of Dell Pentium class machines. Ethernet
10BaseT. Most are 10 megabit but the 5.0.5 systems, which use an Intel
Pro100b NIC in a Dell 2300 run at 100 megabit. Most sytems - about
forty - are OpenServer 3.0 but about eight systems are SCO 5.0.5. All
of the 5.0.5 systems and only one 3.0 system have the Sequential Port
Allocation problem. Thirty nine
of the 3.0 system did not bring up the flag. All of the 3.0 systems
were cloned
from one machine as were all of the 5.0.5 systems.
I do not have access to one of the computers at this time, but I can say
that we
have all the required major patches and upgrades. We are missing some
of minor security patches.
Can someone tell me how to set the software to do Random Port
Allocation?
Please email to me as well as posting here if you do not mind.
thanks,
Darrell Tschakert
>Can someone tell me how to set the software to do Random Port
>Allocation?
I don't think you can do this without access to the IP source code.
I just searched the CERT advisories for "sequential port allocation"
and could not find any references. If you are properly hidden behind
a firewall, I don't see how predicting the port number that will be
used next constitutes a security issue. Do you have a CERT advisory
number, or Bugtraq reference for this problem?
>Please email to me as well as posting here if you do not mind.
I do mind. If you post questions to news, you can also read them.
Sending email responses tends to generate exercises in personal
consulting, which I don't have time to deal with. Also, I don't learn
anything when others reply via email instead of posting.
--
Jeff Liebermann je...@comix.santa-cruz.ca.us
150 Felker St #D Santa Cruz CA 95060
831-421-6491 pager 831-429-1240 fax
http://www.cruzio.com/~jeffl/sco/ SCO stuff
First of all. Thanks for the reply. I am in a hurry to get to my
daughters
birthday party and do not have time to reply to the main body of it
at this time. With regard to replys via email. I see people
get the feathers up over this all the time. The fact is, I will get
back to the NewsGroup eventually to get the replies.
If people email, though, I know right away. My
email beeps and I know that I have a reply. I don't have time to check
the newsgroups every hour - I sometimes post to two or three
newsgroups. I nearly always get back but sometimes I may wait
for a couple of days before I do so. Even if I do get an email
reply that answers my question, I eventually go check the newsgroups
just to see what the other replies have to say.
Anyway, thanks again.
Darrell Tschakert
Jeff Liebermann wrote:
> On Fri, 16 Jun 2000 14:26:52 -0400, Darrell Tschakert
> <dtsc...@erols.com> wrote:
>
> >Can someone tell me how to set the software to do Random Port
> >Allocation?
>
> I don't think you can do this without access to the IP source code.
>
> I just searched the CERT advisories for "sequential port allocation"
> and could not find any references. If you are properly hidden behind
> a firewall, I don't see how predicting the port number that will be
> used next constitutes a security issue. Do you have a CERT advisory
> number, or Bugtraq reference for this problem?
>
I do not have a CERT advisory number nor do I have a Bugtraq ref.
Nor am do I have more than a basic knowledge of Networking. I
can set up TCP/IP, ftp, NFS, and the necessary basics. I know that
"netstat -na" will give me the ports used plus some other info but
that is about where it ends. If you tell me that I cannot ask a
machine to randomly allocate ports, then I have to believe you.
The company doing the security check (Not Audit) is Booz Allen
Hamilton. They used a program called CyberCop to create a list
of security risks found on our WAN/LAN. I will quote the one
to which I am now referring:
"Observation: Sequential port allocation check
The following hosts contained this vulnerability:
abc.cds.hq.eeoc.gov
xyz.mno.eeoc.gov
... ... ...
blah.blow.eeoc.gov
This check is designed to test if a host will spawn it's listening
ports
in sequential order. If this is the case attackers can implement host
spooling techniques to services which poll other hosts for
authentication.
Examples of such services, would be for instance, any service which
requires authentication from DNS servers."
So how does that sound? Does it make things any more clear? I have
an idea that most of what we got from BAH is boiler plate
material from a program named CyberCop. One of the things that
CyberCop claimed was that we had IP Forwarding turned on in
all of our machines. The file that determines whether or not we
have IP Forwarding definitely said that it was not on. None of our
machines are gateways and would have no place to pass the IP's.
CyberCop said "Turn Off IP-Forwarding". Still, the above quote
seems to be written with a certain amount confidence. Any Ideas?
Thanks,
Darrell T.
>
> >Please email to me as well as posting here if you do not mind.
>
>The company doing the security check (Not Audit) is Booz Allen
>Hamilton. They used a program called CyberCop to create a list
>of security risks found on our WAN/LAN.
CyberCop Scanner 5.50 is a security tool by Network Associates Inc,
the people that also sell McAffee virus scanners.
http://www.pgp.com/asp_set/products/tns/cybercop_intrusion.asp
http://www.pgp.com/asp_set/products/tns/ccscanner_features.asp
$102 per user.
>This check is designed to test if a host will spawn it's listening
>ports in sequential order. If this is the case attackers can
>implement host spooling techniques to services which poll other
>hosts for authentication.
> Examples of such services, would be for instance, any service which
> requires authentication from DNS servers."
The above is a quote from:
http://www.nai.com/media/doc/anti_virus/covert/RPC_Services.doc
Not very clear but a good clue as to what they were alluding to.
Somewhat more specific is:
http://www.nai.com/media/doc/anti_virus/covert/FTP_Vulnerabilities.doc
FTP - ports opened in sequential order
The FTP server on the target host was found to open bound ports,
utilized by the PASV feature, in sequential order. By opening ports in
sequential order, it is easy for an attacker to predict the next port
that the FTP service will use, and then connect to this port,
retrieving another user's file.
The detailed explanation of this exploit is at:
http://www.nai.com/nai_labs/asp_set/advisory/ftp-paper.asp
>So how does that sound? Does it make things any more clear?
Sounds like a real problem. Exploitation is largely dependent upon
the effectiveness and configuration of your firewall. If you're
running anonymous ftp, there's gonna be a problem. Please note that
to be effective, the attacker must have a valid username and password
to open the anticipated connection. Therefore, the exploit is
restricted to authorized users.
There's nothing I can do without source code. Actually, I'm a lousy
programmer, so even source code won't do me any good. I suggest you
send email to the SCO security people:
http://www.sco.com/security/
and imply that you'll defenestrate their product unless they drop
everything and fix this problem immediately.
Hmmm. I just noticed, among the unreadable italic type, that SSE37b
for 3.2v5.0.5 was recently re-released.
ftp://ftp.sco.com/SSE/sse037b.ltr
ftp://ftp.sco.com/SSE/sse037.tar.Z
>I have
>an idea that most of what we got from BAH is boiler plate
>material from a program named CyberCop.
Well, there's only so much NAI can throw into the security scanner.
If it belched prolific prose and technobabble, methinks you might
complain that it was confusing.
>One of the things that
>CyberCop claimed was that we had IP Forwarding turned on in
>all of our machines. The file that determines whether or not we
>have IP Forwarding definitely said that it was not on. None of our
>machines are gateways and would have no place to pass the IP's.
>CyberCop said "Turn Off IP-Forwarding". Still, the above quote
>seems to be written with a certain amount confidence. Any Ideas?
Nope. It takes to ports to do IP forwarding (a NIC and a modem with
PPP will work). Basically, IP forwarding forms the basic function of
a bridge or possibly a router. If you have no internal gateways,
Cybercop probably parked itself on two network segments and looked for
duplaced bridged packets, the smoking gun of IP forwarding. However,
duplicated packets can also be generated by a misconfigured
multi-homed NIC interface (an ethernet interface card with two IP
addresses). An overlapping netmask between the two IP's will do the
trick. Every packet that comes from one IP will also spew from the
other if improperly configured. In extreme cases, every packet on the
entire network will appear twice, once with each of the two IP
addresses as the source. Without knowing what criteria CyberCop is
using for detecting forwarding, the aformentioned is pure guesswork.
Drivel: If you're going to send me "courtesy copies" of your
postings, please indicate somewhere that the message was also posted.