Re: rlinetd security

To: "Noah L. Meyerhans" <frodo@morgul.net>
Cc: Debian Security List <debian-security@lists.debian.org>
Subject: Re: rlinetd security
From: Tim Haynes <usenet@stirfried.vegetable.org.uk>
Date: 18 Jun 2001 20:11:19 +0100
Message-id: <[🔎] 867ky97gdk.fsf@potato.vegetable.org.uk>
Reply-to: usenet-reply@stirfried.vegetable.org.uk
In-reply-to: <[🔎] 20010618144829.J1282@morgul.net> ("Noah L. Meyerhans"'s message of "Mon, 18 Jun 2001 14:48:29 -0400")
References: <[🔎] 20010618134850.G1282@morgul.net> <[🔎] 20010618110849.A1200@doorstop.net> <[🔎] 20010618144829.J1282@morgul.net>

"Noah L. Meyerhans" <frodo@morgul.net> writes:

> On Mon, Jun 18, 2001 at 11:08:49AM -0700, Vineet Kumar wrote:
>
> > The argument below is pretty bad. Have you ever heard of anybody
> > actually getting impaled by holding a sword poised at his belly and
> > walking into grand central station at 5:00pm going "'scuse me, pardon
> > me, 'scuse me, pardon *GGUAGHGH!*"? I sure haven't. So why not do it? 
> > Our hypothetical late friend didn't need to be doing it, and he
> > shouldn't have been doing it.
> 
> Huh? You've acknowledged that there may be legitimate uses for the simple
> services that you may be ignorant of. I don't think there is any
> legitimate gain to be had be running around a crowded area with a blade
> against your belly.

The point is that these things can be used for good or evil. If you're not
going to use it for good, whether someone else can or not, a nasty chap can
still use it for evil.

You realise rpc.statd has its uses, as does ftpd? Is that some reason to
enable them `just in case somebody wants to use them for legitimate
reasons'?

> > "the standard inetd services including discard, echo, sysstat, netstat
> > et al all *have* *had* their known vulnerabilities before now. All
> > long-since patched, but that's not to say there won't be another
> > tomorrow."
> 
> Have you looked at their code?  I can assure you that there is no
> potential for remote exploit in 
> void
> discard_stream(int s, struct servtab *sep)
[snip]

> These services are so simple that any moderately knowledgeable coder can
> ensure that there is no risk to leaving the services turned on.

There isn't? What about in your choice of C-library, then, have you audited
that? 
While you're here, what tweaks are going to be made to these functions next
week?

The principle is still the same. It's not enough to ask whether you need it
or not and assume something can be left on if you don't know any better; if
another vulnerability comes out you have to check one more thing to see
whether it's relevant or not, which is a waste of time, at best, and an
omitted necessary update to an unused service (unused, until someone scans
you for it, that is) at worst.

Incidentally, in your dismissal of exploits for these things, you're
neglecting another scenario: black-hat *does* manage to crack another box
in the organization, and points multiple netcats from the exploited box at
someone with echo: you'll end up with enough network traffic & load to
cause a slow-down, and the traffic may possibly help him mask very nasty
activities in the noise.

~Tim
-- 
All I see, All I know                       |piglet@stirfried.vegetable.org.uk
Is touching the sacred earth                |http://spodzone.org.uk/
And warming the hallowed ground             |

Reply to:

References:
- Re: rlinetd security
  - From: Noah Meyerhans <noahm@debian.org>
- Re: rlinetd security
  - From: Vineet Kumar <vineet@doorstop.net>
- Re: rlinetd security
  - From: "Noah L. Meyerhans" <frodo@morgul.net>

Prev by Date: RE: rlinetd security
Next by Date: Re: gnupg problem
Previous by thread: Re: rlinetd security
Next by thread: Re: rlinetd security
Index(es):
- Date
- Thread