The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Vulnerabilities in Astaro Security Linux 2.016


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Sat, 02 Feb 2002 19:40:08 +0100
From: (=?ISO-8859-1?Q?J=F6rg=20L=FCbbert?=) <[email protected]>
To: [email protected]
Subject: Vulnerabilities in Astaro Security Linux 2.016

Preamble:

Product: Astaro Security Linux

Version: 2.016

Vendor: Astaro AG

Vendor URL: http://www.astaro.com

Vendor status and reply: Vendor has been contacted with posting of this 
message

Description:
Astaro develops and distributes the firewall solution Astaro Security 
Linux. Astaro Security Linux offers extensive protection for local 
networks against hackers, viruses and other risks of connecting to the 
Internet. Astaro Security Linux is distributed by a worldwide network of 
partners who offer local support regarding installation and maintenance.

Introduction:
Dear BugTraq readers. I've taken a short glimpse on Astaro Security 
Linux and found out some points of interest that are mostly design 
flaws. Please note that I am theorising (based on a 1 1/2 hour research 
only) about the impacts and have not proven their concepts on Astaro 
Security Linux yet even though most can be proved easily.

Some of the vulnerabilities might be local and some might argue about 
that Astaro Security Linux is a Firewall and no server... but as it uses 
SSHD it could always be that the "loginuser" account might have been 
compromised and shell access granted.



Vulnerabilities:

Summary:
5 Design flaws
2 Completely theorised design flaws
1 Possible design flaw
1 Licensing violation
1 Software bug



Category 1: Design flaw

Problem 1:
Astaro Security Linux chroots various daemons like snmpd and named in an 
insecure manner. The proc filesystem is mounted within their chroot 
jails. Furthermore the chroot jail entitled chroot-ipsec provides the 
proc file system, a bash, ls, cat and most notably mount.

Impact 1:
Arbitrary users could cause severe damage by breaking the named or snmpd 
remotely and by misusing the proc file system to reconfigure certain 
parts of the system configuration under proc/sys. Furthermore proc/kcore 
could be read to obtain information stored in memory which could lead to 
system administrator privileges. These could for instance be DES 
encrypted passwords which leads to another design flaw

Exploit 1: None provided



Category 2: Design flaw

Problem 2:
Astaro Security Linux uses the DES algorithm as standard hashing scheme. 
DES has turned very old and is known to be easily crackable with modern 
processing power.

Impact 2:
Arbitrary users who obtain encrypted passwords (see 1) could retreive a 
6 letter clear-text password within just some hours using modern 
processing power and use it to compromise the system.

Exploit 2: None provided



Category 3: Design flaw

Problem 3:
Astaro Security Linux runs most of its daemons with UID 0 privileges. 
Affected daemons are: named or snmpd. These daemons run in a chroot jail.

Impact 3:
Arbitrary users could remotely crack one of the affected daemons and use 
UID 0 powers to compromise the whole file system even if these daemons 
run in a chroot jail.

Additional note 3-1:
The main design flaw lies within that these daemons run UID 0 within a 
chroot jail. The daemons itself are not the design flaw (even though 
BIND 8.2.3 can be considered old).

Additional note 3-2:
Other daemons with UID 0 are syslogd, klogd, mdw_daemon.pl, cron, aua 
and sshd. VPN subsystem, SQUID and others haven't been checked by me.

Exploit 3: None provided



Category 4: Possible design flaw

Problem 4:
OpenSSL PRNG Internal State Disclosure Vulnerability

Impact 4:
Please see: http://www.securityfocus.com/bid/3004

Exploit 4: None provided

Additional note 4:
It was NOT tested if the version of OpenSSL (0.9.6) used in Astaro 
Security Linux is a security-patched version of OpenSSL 0.9.6 since no 
sources were provided (5)



Category 5: Licensing violation

Problem 5:
Astaro AG releases software packages without providing their sources and 
modifications to them as required in ╖3 of the GNU GPL and neither seems 
to offer distribution of GPL sources for free within a 3 year period in 
a written form.

Additional note 5:
I have not checked every available documentation for a written form of 
an offer as described in GNU GPL ╖3 b but only their license (which 
should normally contain just that) and CD-ROM contents.



Category 6: Design flaw

Problem 6:
Astaro Security Linux has a default limit for simultaneously processes 
of 8190 soft and 8912 hard and its default cpu-time is "unlimited".

Impact 6:
Arbitrary users with local access (loginuser) can easily launch fork 
bombs to consume 100% CPU power and stop the system from operating.

Exploit 6: None provided



Category 7: Completely theorised design flaw

Problem 7:
Astaro Security Linux uses a very old version of PAM (0.70 dated 
09.10.1999) which maybe contains vulnerabilities.



Category 8: Design flaw

Problem 8:
/proc/version indicates "Linux version 2.4.8-asl-0.010815.0", which 
indicates the 2.4.8 version of the Linux kernel that contains some 
security vulnerabilities. Additional information on possible 
vulnerabilities can be found here:

http://www.securityfocus.com/bid/3570
http://www.securityfocus.com/bid/3418
http://www.securityfocus.com/bid/3444
http://www.securityfocus.com/bid/3505

Impact 8: Various, see above URLs.

Exploit 8: None provided

Additional note 8:
Due to absence of source code it could not be proved if this kernel is 
patched against the security issues mentioned above.



Category 9: Completely theorised design flaw

Problem 9:
Astaro Security Linux seems to rely on an old version of glibc according 
to ls -l /lib/libc*.

Output: -rwxr-xr-x   1 root     root      1080268 Sep 15  2000 libc.so.6

If my assumption is correct and the version used was not patched, it 
could be possible that the system is vulnerable to a "glibc file 
globbing heap corruption vulnerability". For more information please 
see: http://www.securityfocus.com/bid/3707

Impact 9: See URL above

Exploit 9: None provided



Category 10: Software bug (OT for Bugtraq, still included ;)

Problem 10: During installation one can choose to install OpenSource 
software only or OpenSource software and the so called Astaro Security 
Enterprise Toolkit. When only "OpenSource" was chosen, the installer 
locks up after entry of the last password (I think this was for lilo). 
If my assumption is right (that a lilo password is asked for) then no 
lilo password will be set even though the Enterprise Toolkit was 
selected and the installation finished successfully.

Additional note 10:
System tested on was 800MHZ Duron, 128MB RAM, 20GB Maxtor HD, 52X 
CD-ROM, 3X RTL 8139.



Final words:

Conclusion, a final word to the Astaro AG:
So much about a "Security Linux"... You may have done the firewalling and 
the configuration interface of your product real good... but you should 
also read some articles on what could be considered more internal 
security and work on your products some more.

Disclaimer:
None of the information provided are meant to aid any destructive 
purposes. I will furthermore take no responsibility for that anyone will 
use the information provided for his or her own malicious purposes. This 
information is intended to aid in improving the current state of Astaro 
Security Linux, warn companies and individuals who run Astaro Security 
Linux and should help other designers of Linux distributions to avoid 
flaws like the ones elaborated on above. Please also not that I am in no 
way affiliated with Astaro AG or any of their 3rd party affiliates or 
want to harm Astaro AG and/or their customers.



- JЖrg LЭbbert (aka Kaladis)

-- 
Kaladix Linux - The Secure Linux Distribution
URL: http://www.kaladix.org

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру