**************************************************************************
Security Bulletin 9519                   DISA Defense Communications System
April 28, 1995               Published by: DDN Security Coordination Center
                                         (SCC@NIC.DDN.MIL) 1-(800) 365-3642

                   DEFENSE DATA NETWORK SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and
"nn" is a bulletin number, e.g. scc/ddn-security-9428).
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Automated         !
!  Systems Security Incident Support Team (ASSIST) and is being         !
!  relayed unedited via the Defense Information Systems Agency's        !
!  Security Coordination Center distribution system as a means          !
!  of providing DDN subscribers with useful security information.       !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
          Automated Systems Security Incident Support Team
                  ASSIST  -  Integritas et Celeritas
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 95-16             Release date: 28 April, 1995 3:30 PM EDT (GMT -4)

SUBJECT: SATAN Vulnerability: Password Disclosure.

NOTE: ASSIST recommends against the use or possession of SATAN on any DoD
interest system.
ASSIST sponsors and supports the use of the Security Profile Inspector
(SPI), a much more comprehensive security tool for use by commanders and
system administrators concerned with the security of hosts within their
domain. If after consultation with ASSIST a commander finds compelling
reason for use of SATAN within his domain, then the following is VITAL
information concerning the security of this application.

SUMMARY:

This bulletin contains information about inaccuracies in ASSIST 95-12,
and provides information about SATAN 1.1.1.

BACKGROUND:

There was a potential vulnerability introduced into systems running
SATAN 1.0 which was corrected in versions 1.1 and later.

In SATAN version 1.0, access to the SATAN processes is protected by a
session key (also referred to as a "magic cookie" or "password"). SATAN
itself never sends this session key over the network. However, depending
on the configuration at your site, the supporting HTML browser, and how
you use SATAN, your session key may be disclosed through the network.
Local or remote users who obtain your session key can run perl scripts
that are on the system running SATAN.

If you use SATAN only through the command line interface, your system is
not vulnerable to the problem because there is no session key.

The following two statements from ASSIST 95-12 were not accurate.

This statement is incorrect:

   "Note that SATAN 1.1 is expected to check systems for this SATAN 1.0
   vulnerability as part of scanning other systems."

This statement is misleading:

   "This vulnerability affects all systems that support the use of SATAN
   with the HTML interface."

For SATAN 1.0 and earlier, whether a system is vulnerable depends on the
system configuration, the net browser supporting SATAN, and how SATAN is
used. The problem has been solved in later versions of SATAN.
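The session-key protection described above, as an added Python illustration that is not SATAN's own (Perl) code: it issues a key, embeds it in the links SATAN would write, gates incoming requests the way the 1.1-era defences in the appendix describe, and flags the browser-side disclosure. The URL layout, the set of "local" hosts, the path character rules and the use of the OS random generator in place of SATAN's quasi-random one are assumptions made for the example.

```python
import posixpath
import secrets
from urllib.parse import urlsplit

# Added illustration of the session-key gate the bulletin describes; it is
# not SATAN's own code.  Assumptions: the key is the first path component
# of every SATAN URL, only loopback clients count as local, and the OS CSPRNG
# stands in for SATAN's "quasi-random" generator.
KEY_BYTES = 32
LOCAL_HOSTS = {"localhost", "127.0.0.1"}
ACCEPT, REJECT, TERMINATE = "accept", "reject", "terminate"


def new_session_key() -> str:
    """A fresh secret each time SATAN starts: 32 random bytes as 64 hex chars."""
    return secrets.token_hex(KEY_BYTES)


def satan_link(key: str, page: str) -> str:
    """The kind of link SATAN writes into its own HTML files: the key rides in
    the URL, which is exactly why a browser that echoes URLs can leak it."""
    return f"http://localhost/{key}/{page}"


def _plain(seg: str) -> bool:
    """Path component made only of letters, digits and the characters . _ -"""
    return seg.replace(".", "").replace("_", "").replace("-", "").isalnum()


def classify_request(key: str, url: str, client_host: str) -> str:
    """Decide one request the way the 1.1 defences do: accept only local,
    in-tree, well-formed requests that carry the key; reject the rest; and
    shut down when a VALID key arrives in an illegal request, because the
    key must then already be in unauthorized hands."""
    parts = urlsplit(url)
    raw = [s for s in parts.path.split("/") if s]
    carries_key = any(seg == key for seg in raw)
    local = client_host in LOCAL_HOSTS and parts.hostname in LOCAL_HOSTS
    # normpath collapses "/../", so an escape from the key's subtree shows up
    in_tree = posixpath.normpath(parts.path).startswith(f"/{key}/")
    well_formed = not parts.query and not parts.fragment and all(map(_plain, raw))
    if local and in_tree and well_formed and carries_key:
        return ACCEPT
    if carries_key:
        return TERMINATE
    return REJECT


def referer_would_disclose(key: str, current_url: str, target_url: str) -> bool:
    """The warning SATAN 1.1 raises: following a link to an outside server from
    a keyed page lets a Referer-sending browser hand that server the key."""
    return urlsplit(target_url).hostname not in LOCAL_HOSTS and key in current_url
```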
IMPACT:

If the session key is disclosed while SATAN 1.0 is running, unauthorized
local or remote users can execute perl scripts as the user of the process
running SATAN (typically root).

RECOMMENDED SOLUTION:

SATAN versions later than 1.0 have this problem corrected; however, all
known and possibly additional unknown vulnerabilities in SATAN can be
avoided by not running the SATAN software in any form. ASSIST recommends
DoD sites take the steps detailed in ASSIST 95-11 to eliminate the system
security weaknesses scanned for by SATAN.

For sites that have made the decision to run SATAN, the following
recommendations are provided.

A. Obtain and install SATAN version 1.1.1, which addresses the problem.

B. There are reports that modified copies of SATAN are being distributed.
   Ensure that the copy that you obtain is authentic by checking the MD5
   checksum or SATAN author Wietse Venema's PGP signature. Wietse Venema's
   PGP Key follows:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCNAirDhV8AAAED/i4LrhQ/mwOgam8ZfQpEcxYoE9kru5oRDGtoVeKae/4bUver
aGX7qVtskD6vwPwr2FF6JW2c+z2oY4JGPGUArORiigoT82/q6vqT0Wm1jIPsXQSB
ZCkBoyvBcmXEi+J7eDBbWLPDxeDimgrORbAIQ4uikRafs8KlpNyA8qbVMny5AAUR
tCV3aWV0c2UgdmVuZW1hIDx3aWV0c2VAd3p2Lndpbi50dWUubmw+
=PQUu
-----END PGP PUBLIC KEY BLOCK-----

C. Read the complete SATAN documentation carefully before running SATAN.

D. Install all relevant security patches for the system on which SATAN
   is run.

E. Execute SATAN only from the console of the system on which it is
   installed (e.g., do not run SATAN from an X terminal, from a diskless
   workstation, or from a remote host).

F. Ensure that the SATAN directory tree is not NFS-mounted (or AFS, etc.)
   from a remote system.

G. Ensure that the SATAN directory tree cannot be read by users other
   than root.

H. Do not open any URLs outside your own system and site while running
   the browser started by SATAN. For example, do not use previously
   stored URLs such as those found in bookmarks and pull-down menus.
The SATAN documentation has information about protecting access; see the
"SATAN Password Disclosure" tutorial attached as an appendix to this
bulletin.

ASSIST would like to thank the CERT Coordination Center for information
contained in this bulletin.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency (DISA),
Center for Information Systems Security (CISS), that provides service to
the entire DoD community. Constituents of the DoD with questions about
ASSIST or computer security issues can contact ASSIST using one of the
methods listed below. Non-DoD organizations/institutions, contact the
Forum of Incident Response and Security Teams (FIRST) representative. To
obtain a list of FIRST member organizations and their constituencies send
an email to docserver@first.org with an empty "subject" line and a message
body containing the line "send first-contacts".

ASSIST Information Resources:

To be included in the distribution list for the ASSIST bulletins, send
your Milnet (Internet) e-mail address to assist-request@assist.mil. Back
issues of ASSIST bulletins, and other security related information, are
available from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154, and
through anonymous FTP from assist.mil (IP address 199.211.123.11). Note:
assist.mil will only accept anonymous FTP connections from Milnet
addresses that are registered with the NIC or DNS.

ASSIST Contact Information:

PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00 to
22:30 EDT (GMT -4) Monday through Friday. During off duty hours, weekends
and holidays, ASSIST can be reached via pager at 800-791-4857. The page
will be answered within 30 minutes; however, if a quicker response is
required, prefix the phone number with "999".

ELECTRONIC MAIL: Send to assist@assist.mil.

ASSIST BBS: Leave a message for the "sysop".
Reference herein to any specific commercial product, process, or service
by trade name, trademark, manufacturer, or otherwise, does not constitute
or imply its endorsement, recommendation, or favoring by ASSIST. The views
and opinions of authors expressed herein shall not be used for advertising
or product endorsement purposes.

Appendix: Tutorial - SATAN Password Disclosure

The following tutorial can be found in
satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html

SATAN Password Disclosure

SUMMARY

SATAN password disclosure via flawed HTML clients or environmental
problems

IMPACT

Unauthorized users may execute commands through SATAN

BACKGROUND

By default, SATAN runs as a custom HTML (hypertext markup language)
server, executing requests from a user-provided HTML browser, or client
program. Examples of common HTML clients are Netscape, NCSA Mosaic and
Lynx.

An HTML client request is nothing but a network message, and network
messages may be sent by any user on the network. To defend itself against
requests from unauthorized users, SATAN takes the following precautions:

* SATAN generates a session key, to be used as a secret password, each
  time it starts up an HTML client. The session key is in the form of a
  32-byte quasi-random number. The number is called quasi-random because
  it is impossible to generate real random numbers using only software.

* SATAN creates HTML files with the secret password embedded in URL
  (uniform resource locator) links. The HTML file access permissions are
  restricted to the owner of the SATAN process (and the superuser).

* SATAN rejects HTML requests whose URL does not contain the current
  SATAN password. This requirement prevents access by unauthorized
  clients, provided that the current SATAN password is kept secret.

The protection scheme used by SATAN is in essence the same as the scheme
used by many implementations of the X Window system: MIT magic cookies.
These secrets are normally kept in the user's home directory, in a file
called .Xauthority. Before it is granted access to the screen, keyboard
and mouse, an X client program needs to prove that it is authorized, by
handing over the correct magic cookie. This requirement prevents
unauthorized access, provided that the magic cookie information is kept
secret.

THE PROBLEM

It is important that the current SATAN password is kept secret. When the
password leaks out, unauthorized users can send commands to the SATAN
HTML server where the commands will be executed with the privileges of
the SATAN process. Note that SATAN generates a new password every time
you start it up under an HTML client, so if you are suspicious, simply
restart the program.

SATAN never sends its current password over the network. However, the
password, or parts of it, may be disclosed due to flaws in HTML clients
or due to weak protection of the environment that SATAN is running in.

One possible scenario for disclosure is:

* When the user selects other HTML servers from within a SATAN session,
  some HTML client programs (Netscape and Lynx) disclose the current
  SATAN URL, including SATAN password information. The intention of this
  feature is to help service providers find out the structure of the
  world-wide web. However, the feature can also reveal confidential
  information. With version 1.1 and later, SATAN displays a warning when
  the HTML client program exhibits this questionable (i.e. stupid)
  feature.

Other scenarios for SATAN password disclosure are discussed in the next
section, as part of a list of counter measures.

PREVENTING SATAN PASSWORD DISCLOSURE

The security of SATAN is highly dependent on the security of the
environment that it runs in. In the case of an X Window environment:

* Avoid using the xhost mechanism, but use xauth and MIT magic cookies or
  better. Otherwise, unauthorized users can see and manipulate everything
  that happens with the screen, keyboard and mouse.
  Of course, this can also be a problem when you are not running the
  SATAN program at all.

Steps that can help to keep the X magic cookie information secret:

* Avoid sharing your home directory, including .Xauthority file, with
  other hosts. Otherwise, X magic cookie information may be captured from
  the network while the X software accesses that file, so that
  unauthorized users can take over the screen, keyboard and mouse.

* Avoid running X applications with output to a remote display.
  Otherwise, X magic cookie information can be captured from the network
  while X clients connect to the remote display, so that unauthorized
  users can take over the screen, keyboard and mouse.

Finally, steps that can help to keep the current SATAN password secret:

* Avoid sharing the SATAN directories with other hosts. Otherwise, SATAN
  password information may be captured from the network while the HTML
  software accesses passworded files, so that unauthorized users can take
  over the SATAN HTML server.

* Avoid running SATAN with output to a remote display. Otherwise, SATAN
  password information can be captured from the network while URL
  information is shown on the remote display, so that unauthorized users
  can take over the SATAN HTML server.

ADDITIONAL SATAN DEFENSES

The SATAN software spends a lot of effort to protect your computer and
data against password disclosure. With version 1.1 and later, SATAN even
attempts to protect you after the password has fallen into the hands of
unauthorized users:

* SATAN displays a warning and advises the user to not contact other HTML
  servers from within a SATAN session, when it finds that the HTML client
  program reveals SATAN password information as part of parent URL
  information.

* SATAN rejects requests that appear to come from hosts other than the
  one it is running on, that refer to resources outside its own HTML
  tree, or that contain unexpected data.
* SATAN terminates with a warning when it finds a valid SATAN password in
  an illegal request: SATAN assumes the password has fallen into the
  hands of unauthorized users and assumes the worst.

****************************************************************************
*                                                                          *
*   The point of contact for MILNET security-related incidents is the      *
*   Security Coordination Center (SCC).                                    *
*                                                                          *
*   E-mail address: SCC@NIC.DDN.MIL                                        *
*                                                                          *
*   Telephone: 1-(800)-365-3642                                            *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DDN Security bulletins. If you are not part of the DOD community,
please contact your agency's incident response team to report incidents.
Your agency's team will coordinate with DOD. The Forum of Incident
Response and Security Teams (FIRST) is a world-wide organization. A list
of FIRST member organizations and their constituencies can be obtained by
sending email to docserver@first.org with an empty subject line and a
message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the
United States Government nor any of its employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or otherwise,
does not necessarily constitute or imply its endorsement, recommendation,
or favoring by the United States Government.
The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.