George and Brewster,

Please take note of this and act accordingly. (Thanks for the heads-up, Scott! I took the liberty of alerting the CERT with a cc: The community of serving organizations should be notified and the fix provided, when proven. If I'm behind the power curve, and if you have already done this, please excuse my misplaced zeal.)

Thanks, Steve G.

------- Forwarded Message

From: scottw@nic.ddn.mil (Scott Williamson)
Message-Id: <9208312050.AA22641@nic.ddn.mil>
Subject: Re: WAIS on DDN
To: sgoldste@cise.cise.nsf.gov (Steve Goldstein--Ph +1-202-357-9717)
Date: Mon, 31 Aug 92 16:50:13 EDT
In-Reply-To: <9208282127.AA06081@cise.cise.nsf.gov>; from "Steve Goldstein--Ph +1-202-357-9717" at Aug 28, 92 5:27 pm
X-Mailer: ELM [version 2.3 PL2]

Steve,

We have the login wais disabled. There is a security hole in the swais interface that you can drive a truck through. We are working on a fix so that we reactivate this feature. Mark Kosters has informed RIPE of the problem with an explanation of how one could get in. He also suggested the fix.

Scott
SG> And, folks, what you really want to see is NIC databases accessible
SG> with WAIS, so's you don't have to use their search fields, but can
SG> use any search string (e.g., telephone number, city, etc.) NIC.DDN.MIL
SG> has just brought up a WAIS server, and RIPE NCC has had one up for a while
SG> (wais.ripe.net). These are REALLY neat, as in "who does networking in
SG> Dresden?" --SG
I've managed to telnet to wais.nic.ddn.mil (192.112.38.103) but don't know the login/password. Can you advise?
Sorry. I did it with a WAIS client. I just tried logging in a telnet session with user=wais, password=<all_sorts_of_things_including_profanity>, but nothing worked. Ought not be passworded!
Scott?
--SG
Ripe works fine.
Regards, Peter Scott
------- End of Forwarded Message
Scott,

There seems to be a problem with swais, could you please explain?

We have been running it under a chroot for over a year now with no known problems. I am the project leader of WAIS and oversaw its development, so I would like to make sure this problem is understood and extinguished.

John Curran of NNSC wrote the original version, Jonathan has been the maintainer of it and extender.

Just to take a guess, are you running it for public login without doing a chroot?

-brewster

Date: Tue, 01 Sep 92 07:20:58 EDT
From: Steve Goldstein--Ph +1-202-357-9717 <sgoldste@cise.cise.nsf.gov>
Brewster Kahle <brewster@Think.COM> writes:

* Scott,
*
* There seems to be a problem with swais, could you please explain?
*
* We have been running it under a chroot for over a year now with no known
* problems. I am the project leader of WAIS and oversaw its development, so
* I would like to make sure this problem is understood and extinguished.
*
* John Curran of NNSC wrote the original version, Jonathan has been the
* maintainer of it and extender.
*
* Just to take a guess, are you running it for public login without doing a
* chroot?
*
* -brewster

Hi all,

Mark Kosters from GSI notified us of the problem. Using swais you can pipe the output of a search into any command. You can do this by typing 'c' or '|' on the output of a search.

Since we are running swais as a public service for people without their own wais client this can be quite harmful. Mark demonstrated that he could start a shell, list /etc/passwd and so on.

We are running swais under userID nobody, so too much harm cannot be done, but still, we decided to disable the 'c' and '|' keys as commands. We are running the thing without a chroot though.

The offending parts can be found in screen_ui.c. This is however with wais-8-b4, don't know about b5.

Commenting out:

    case '|' : ;
    case 'c' : pipe_command(question);
               state=UNKNOWN;
               return(SHOWRESULTS);

in screen_ui.c does the trick, as far as we can see. It would be nice if there was a compile time option to switch to swais in "safe" mode, like some pagers have.

Also if you are offering this as a public service, make sure that the pipe commands and shell escapes in the pager swais uses are disabled ...

Cheers,

-Marten

------------------------------------------------------------------------------
Marten Terpstra           | RIPE Network Coordination Centre
phone: +31 20 592 5065    | PO BOX 41882,
fax:   +31 20 592 5090    | NL-1098 SJ Amsterdam,
Internet: marten@ripe.net | The Netherlands
------------------------------------------------------------------------------
--------
] From: Marten Terpstra <Marten.Terpstra@ripe.net>
] Subject: Re: security hole in swais, FYI
] Date: Tue, 01 Sep 92 15:46:22 +0200
]
] Hi all,
]
] Mark Kosters from GSI notified us of the problem. Using swais you can pipe
] the output of a search into any command. You can do this by typing 'c' or '|'
] on the output of a search.
]
] Since we are running swais as a public service for people without their own
] wais client this can be quite harmful. Mark demonstrated that he could start
] a shell, list /etc/passwd and so on.
]
] We are running swais under userID nobody, so too much harm cannot be done,
] but still, we decided to disable the 'c' and '|' keys as commands.
] We are running the thing without a chroot though.
]
] The offending parts can be found in screen_ui.c. This is however with
] wais-8-b4, don't know about b5.
]
] Commenting out:
]
]     case '|' : ;
]     case 'c' : pipe_command(question);
]                state=UNKNOWN;
]                return(SHOWRESULTS);
]
] in screen_ui.c does the trick, as far as we can see.
] It would be nice if there was a compile time option to switch to swais in
] "safe" mode, like some pagers have.
]
] Also if you are offering this as a public service, make sure that the pipe
] commands and shell escapes in the pager swais uses are disabled ...

This is *not* a safe method for offering anonymous "wais" service. Both NNSC.NSF.NET and QUAKE.THINK.COM are running it under a "chroot" file system thereby preventing access to any files not explicitly placed in the wais user directory. SWAIS was never intended to be run as an interactive service (if it were, I would have certainly designed it differently). Instead, it is designed to be run as yet another WAIS client, under a validated user name. Making it available via telnet is something that we did to develop interest in WAIS. Please do not set up an anonymous wais account to run it unless you provide it with a restricted filesystem.

Not only do the pipe and pager commands pose a threat, but it is also possible for folks to use the source routines to access files. If you need details on how to set up a separate filesystem for providing anonymous wais service, send mail to "nnsc@nnsc.nsf.net".

John Curran
NSF Network Service Center
From: Marten Terpstra <Marten.Terpstra@ripe.net>
Date: Tue, 01 Sep 92 15:46:22 +0200

> Mark Kosters from GSI notified us of the problem. Using swais you can pipe
> the output of a search into any command. You can do this by typing 'c' or '|'
> on the output of a search.

We've known about this. The solution is to run swais under a chroot, with a very limited bin directory. This is how swais is run on Quake, and we've had no evidence of any tampering.

> Since we are running swais as a public service for people without their own
> wais client this can be quite harmful. Mark demonstrated that he could start
> a shell, list /etc/passwd and so on.
>
> We are running swais under userID nobody, so too much harm cannot be done,
> but still, we decided to disable the 'c' and '|' keys as commands.
> We are running the thing without a chroot though.
>
> The offending parts can be found in screen_ui.c. This is however with
> wais-8-b4, don't know about b5.
>
> Commenting out:
>
>     case '|' : ;
>     case 'c' : pipe_command(question);
>                state=UNKNOWN;
>                return(SHOWRESULTS);
>
> in screen_ui.c does the trick, as far as we can see.
> It would be nice if there was a compile time option to switch to swais in
> "safe" mode, like some pagers have.

I believe Jim Fulton's version allows this, but I'll check to make sure.

> Also if you are offering this as a public service, make sure that the pipe
> commands and shell escapes in the pager swais uses are disabled ...

I've done this by using a special .cshrc, but I just thought of a way that could be defeated. Hmmm, I want users to be able to use a limited set of commands. Perhaps swais needs a "secure" command list.

- Jonny G
Jonny Goldman <jonathan@Think.COM> writes:

* From: Marten Terpstra <Marten.Terpstra@ripe.net>
* Date: Tue, 01 Sep 92 15:46:22 +0200
*
* We've known about this. The solution is to run swais under a chroot, with a
* very limited bin directory. This is how swais is run on Quake, and we've
* had no evidence of any tampering.

The version I have (b4) does not have a chroot in it. Currently we are running without the mail and pipe options ... The loss of a pipe option is no problem, the mail option is.

* I've done this by using a special .cshrc, but I just thought of a way that
* could be defeated. Hmmm, I want users to be able to use a limited set of
* commands. Perhaps swais needs a "secure" command list.

A secure command list would be very nice, or perhaps like other programs a simple compile time enable/disable flag for each command. Pagers like "less" have something along these lines. Anyway, let us know if something more "safe" comes along.

Cheers,

-Marten
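One way to give swais the "secure command list" and the compile-time safe mode that Jonny and Marten ask for above, as an added example that is not code from the WAIS distribution or from anyone on this thread; the names SWAIS_SECURE, secure_commands and swais_* are assumptions, and the allowlist contents are a constructed sample.

```c
/* Added example, not swais's own code: a "secure command list" for an
 * swais-style pipe command plus a compile-time safe mode like some pagers
 * offer. SWAIS_SECURE, secure_commands and swais_* are assumed names. */
#include <string.h>

#define SWAIS_MAX_ARGS 8
#ifndef SWAIS_SECURE
#define SWAIS_SECURE 0      /* build with -DSWAIS_SECURE=1 for safe mode */
#endif

/* Programs an anonymous user may pipe search output into (sample list). */
static const char *const secure_commands[] = { "more", "wc", "grep", NULL };

/* Split a user-typed pipe target into an argv for execvp(). The string is
 * rejected (return 0) if it carries shell metacharacters or a '/', so the
 * target can only be a bare program name from secure_commands and is never
 * handed to /bin/sh. Returns argc on success. */
int swais_build_argv(const char *cmdline, char *buf, size_t buflen,
                     char *argv[SWAIS_MAX_ARGS + 1])
{
    int argc = 0;
    if (strpbrk(cmdline, ";|&`$<>()\\\"'\n") || strchr(cmdline, '/'))
        return 0;                              /* no shell syntax, no paths */
    if (strlen(cmdline) >= buflen) return 0;
    strcpy(buf, cmdline);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc == SWAIS_MAX_ARGS) return 0;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    if (argc == 0) return 0;
    for (const char *const *p = secure_commands; *p; p++)
        if (strcmp(*p, argv[0]) == 0) return argc;
    return 0;                                  /* program not on the list */
}

/* The screen_ui.c dispatch for the two offending keys: in safe mode they are
 * refused outright (what Marten's comment-out achieves), otherwise the typed
 * command must pass the list. Returns argc if a pipe may run, else 0. */
int swais_pipe_key(int key, const char *cmdline, char *buf, size_t buflen,
                   char *argv[SWAIS_MAX_ARGS + 1])
{
    switch (key) {
    case '|':
    case 'c':
        if (SWAIS_SECURE) return 0;            /* safe mode: keys disabled */
        return swais_build_argv(cmdline, buf, buflen, argv);
    default:
        return 0;
    }
}
```

The returned argv is meant to be run with fork/execvp rather than popen so that no shell ever sees the user's text; the chroot and limited bin directory John and Jonny describe still belong underneath it.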