Convenience, Features, Disaster

“I got tipped-off that the parts of the MSD network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.

These locked-down kiosks are provided so you could look for jobs online, send off CVs etc. They’ve had some basic features disabled, which supposedly meant that you couldn’t just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file.”

via MSD's Leaky Servers • OnPoint • Public Address.

Well, it’s not exactly M$’s fault that they made their brand of networking so easy to set up, but they also made it easy to neglect to lock it down and similarly easy to exploit. TFA is a rather boring thing except that I have seen similar situations several times. In one place where I worked the client machines were locked down so tightly that I could not do the things I needed to do for my job. Since technical help was weeks away, I hooked another client machine to the LAN and fired away. No one had bothered to lock down the DHCP server nor to define unknown machines as unprivileged on the network. I could do what I wanted… Of course, I did no harm, just setting up some GNU/Linux clients in my classroom, but the methods, screens and simplicity of my “intrusion” were eerily similar to TFA. I was able to download Firefox onto the new client and then send it over to my “locked-down” XP machine, totally bypassing restrictions which prevented browsing to any site not on a white list.

That event was in ~2003 and here we are in 2012 with the same sorts of issues.

I prefer GNU/Linux. A distro usually ships with NFS not sharing anything and privileges are a high priority. With that other OS, one can just “share” and be done with it. I’ve even been places where the system administrator shared “C:” to all and sundry from every machine to every machine. It was no wonder malware thrived quite unopposed for several years. Imagine just sprinkling malware hither and yon and waiting for someone to click on an icon to unleash the hounds.

I have no idea how the situation in New Zealand evolved. Probably someone added the kiosks without realizing they could access files all over (sad that this was not checked…) or someone relaxed security without realizing the kiosks were around. Bad things happen when systems become more complex than one person knows. The right combination leads to disaster, major or minor. One cannot regulate stupidity or ignorance, but one can choose to use an OS like GNU/Linux where security is a higher priority than convenience.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

16 Responses to Convenience, Features, Disaster

  1. oiaohm says:

    That Exploit Guy, just to be a kick: with NFSv4 security fully enabled, it’s technically strong enough to be used on the Internet raw. Not that I would risk that.

    NFSv3 and NFSv2 should be disabled. The common reason they are not is people trying to connect Windows machines.

    OS X machines support NFSv4, the same as most other OSes out there. Windows is the oddball out.

    NFSv2 and NFSv3 authorise by machine, not user. So the machines you authorise have to be fully secure or you have very big spoofing problems.

    NFSv4 authorises by user and machine. So unless the user you are trying to write to the server as has logged in on the machine you are writing from with NFSv4, it’s not happening.

    NFS had its protocol rewritten to kill the problem.

    That Exploit Guy, NFS 4.1 from 2010 is cluster aware. Something SMB 3.0 is only just getting around to.

    The reality here is Microsoft is a long way behind on implementing NFS.

    The most annoying part is NFS 4.1 and 4.0 drivers for Windows are open source and their creation was funded by Microsoft.

    http://citi.umich.edu/projects/ Yet it doesn’t ship with Windows.

    It’s just like Windows Server still containing a telnet server and no ssh server.

    That Exploit Guy, exactly why should I not be pissed over this? Windows servers ship out of the box with out-of-date NFS servers and clients. There is at least an up-to-date client MS paid to be made.

    A slightly broken NFS 4.x client is better than forcing usage of NFS 3.x and before, which is security busted.

  2. oiaohm says:

    That Exploit Guy, PS: the bug with UID and GID being hacked over the wire with NFS was done in 1998. It was removed from the 2000 NFSv4 protocol due to the fact it could be spoofed.

    That is the reason why Windows, 12 years later, still only being able to provide NFSv3 properly is a problem.

  3. oiaohm says:

    That Exploit Guy
    http://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-15-sect-4.html

    nfs_portmon is not required on Linux default NFS servers. It’s a different option to enable the same security feature, done in the export options.

    –Tell me then, if you don’t have nfs_portmon enabled on your server, and the attacker is not seeking to mount the share in the local filesystem, how is your set-up going to stop him/her from doing anything?–

    NFSv4 is stateful. So it’s not stupid. So disabling NFSv3 and NFSv2 kills your attack even without Kerberos, since UID and GID don’t travel over the wire with NFSv4.

    —rpc.idmapd — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf must be configured. This service is required for use with NFSv4.—

    Notice something here: UID and GID don’t travel over the wire with NFSv4. A string does. A string requiring login to work. That string is checked against GSS methods. If the machine you are on is not approved, it’s not happening.

    GSS methods can include a RADIUS server check.

    NfSpy basically does not work at all on NFSv4, That Exploit Guy.

    Since UID/GID with NFSv4 don’t exist in the over-the-wire protocol.

    Next is that NFSv4 does check if the user is logged in and from where. So you cannot use some random UID/GID. You would have to fake a full IP packet with a fake source address at minimum to beat NFSv4 by packet injection. Yes, beating the password is most likely simpler. krb5i is designed to make doing a fully fake packet harder.

    NFSv4 removes synced UID/GID between machines. Each machine has its own mapping file from NFS users and groups to local UID/GID numbers. If you are dealing with many locations you can have a many-to-one mapping.

  4. TEG wrote, “how is your server going to deal with a rogue client that has gained access to the network?”

    We had DHCP deny IP addresses to unknown machines and we denied WiFi to unauthenticated machines. Visitors were given the key, so there was a weakness, but we never had a problem that way. Who cares if a M$-only virus visits when we were running GNU/Linux?

    I could also have tightened the firewall on each machine but did not bother. We were solid. Students rarely carried notebook PCs and we did not have any unused RJ-45 jacks… In six months the GNU/Linux system hummed along with zero problems.

  5. That Exploit Guy says:

    @dougman

    ‘No Windows computer should EVER be trusted!! PERIOD!’

    Is this one of your sales pitches or just an odd habit of yours that causes you to scream nonsense at random? I am confused.

    @oiaohm

    I think Kerberos had been mentioned in this discussion for quite a while even before you decided to chip in on the matter.

    Why not just shut up and let the grown men talk?

    @Robert Pogson

    Tell me then, if you don’t have nfs_portmon enabled on your server, and the attacker is not seeking to mount the share in the local filesystem, how is your set-up going to stop him/her from doing anything?

    What’s more – didn’t you mention you had also installed wifi access points in some of those schools? Tell me, then, how is your server going to deal with a rogue client that has gained access to the network?

    What I am afraid of is that you simply have no answer to any of these questions, but instead you are simply hoping that “GNU/Linux” is somehow the magic charm that solves all the problems all by itself. That just doesn’t appear to me to be very enlightened or even very bright.

  6. Chris Weig says:

    Again M$ shills blame the user!

    No, TEG blamed the administrators. And that was absolutely justified.

    And, just in case you forgot, blaming the user is a standard modus operandi on Linux discussion boards. The places you go to for support.

  7. oiaohm says:

    That Exploit Guy, have you read the security recommendations?

    http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-security.html

    Fairly much universally: use NFSv4. Using NFSv4 kills the defect.

    https://github.com/bonsaiviking/NfSpy

    That Exploit Guy, if you had read and not just googled, you would notice NfSpy is only for NFSv3 and before. The recommendation under Linux is run NFSv4.

    There are also 3 NFSv4 Kerberos modes.

    –1) krb5 Use Kerberos for authentication only.

    2) krb5i Use Kerberos for authentication, and include a hash with each transaction to ensure integrity. Traffic can still be intercepted and examined, but modifications to the traffic will be apparent.

    3) krb5p Use Kerberos for authentication, and encrypt all traffic between the client and server. This is the most secure, but also incurs the most load.–

    The problem here is once you are running in these modes, changing the UID and GID on the packet will not work. NFSv4 is designed to work in an incorrectly aligned UID/GID environment. You can only use the UID/GID that matches your authentication on NFSv4.

    NFSv4 was released in the year 2000. NFSv4 is stateful. So those dirty tricks of wrong GID/UID don’t work.

    That Exploit Guy, if you want to know a reason why a Linux server will be running NFSv3, that is a security flaw.

    http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread/6ca3ca0b-6ca2-4521-b225-cdf6e573cfd5

    Yep, Windows 2012, just released for testing 12 years later, still does not support NFSv4, so it has people running security-flawed NFSv3.

    Explains dougman’s response, right?

    That Exploit Guy, so you are pointing to a Windows server weakness, not a Linux one. Even better, id 0 in the MS default NFS server is SYSTEM. It’s one reason why it’s highly stupid to run a Microsoft NFS server from a Windows box.

    Your problem is you don’t know the topic, That Exploit Guy, and you don’t read enough.
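As an added example (not from the post or any commenter), the following script audits an /etc/exports file for the weaknesses argued over in oiaohm's comments 3 and 7 above: exports that rely on AUTH_SYS and so trust the UID/GID the client puts on the wire, exports to every host, no_root_squash, and the insecure option that disables the Linux privileged-port check oiaohm contrasts with Solaris nfs_portmon. The sample exports file is constructed, and the script assumes exportfs's documented default of sec=sys for entries that carry no sec= option.

```python
import re

# Constructed sample /etc/exports (not from the page): a wide-open NFSv3-style
# export beside one that requires NFSv4 Kerberos privacy (sec=krb5p).
SAMPLE_EXPORTS = """\
/srv/share      *(rw,no_root_squash,insecure)   # trusts the client's UID/GID
/srv/secure     10.0.0.0/24(rw,sec=krb5p,root_squash)
/srv/mixed      lab1(rw,sec=sys:krb5i)   # client may still pick plain AUTH_SYS
"""

CLIENT_RE = re.compile(r"(\S*)\(([^)]*)\)")  # host(opt,opt,...)

def audit_export_line(line):
    """Return a (path, client, findings) tuple for each client spec on a line."""
    line = line.split("#", 1)[0].strip()  # exports(5): '#' starts a comment
    if not line:
        return []
    parts = line.split(None, 1)
    # A bare path with no client list is exported to every host.
    specs = parts[1].split() if len(parts) > 1 else [""]
    results = []
    for spec in specs:
        m = CLIENT_RE.fullmatch(spec)
        client = m.group(1) if m else spec
        opts = [o.strip() for o in m.group(2).split(",") if o.strip()] if m else []
        findings = []
        if client in ("", "*"):
            findings.append("exported to every host")
        sec = [o[len("sec="):] for o in opts if o.startswith("sec=")]
        flavors = sec[0].split(":") if sec else ["sys"]  # exportfs default: sec=sys
        if "sys" in flavors:
            findings.append("AUTH_SYS: server trusts client-supplied UID/GID")
        if "no_root_squash" in opts:
            findings.append("no_root_squash: remote root is root on the server")
        if "insecure" in opts:
            findings.append("insecure: privileged-port check disabled")
        results.append((parts[0], client or "*", findings))
    return results

def audit_exports(text):
    results = []
    for line in text.splitlines():
        results.extend(audit_export_line(line))
    return results

if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:14} {'; '.join(issues) or 'ok'}")
```

Only the krb5p export comes back clean; the sec=sys:krb5i line is flagged because listing sys among the flavours still lets a client negotiate the UID/GID-trusting mode.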

  8. TEG wrote, “With a client that can spoof UID and GID?”

    The ordinary user does not have root access to run that application.

  9. dougman says:

    No Windows computer should EVER be trusted!! PERIOD!

  10. That Exploit Guy says:

    ‘and just how is an ordinary user going to fudge packets?’

    With a client that can spoof UID and GID? I have even linked to one in my previous comment, so what exactly is your excuse?

    ‘that doesn’t happen on any GNU/Linux system I have seen’

    That’s quite a limited subset of what’s really happening in the real world, isn’t it?

  11. TEG wrote, “If you think locking down /etc/passwd will somehow prevent a malicious attacker from spoofing UID or GID at the packet level, then you are sorely mistaken.”

    And just how is an ordinary user going to fudge packets? Of course, if they become root, all bets are off, but that doesn’t happen on any GNU/Linux system I have seen. I don’t run Ubuntu on my machines these days.

  12. That Exploit Guy says:

    @dougman

    ‘Again M$ shills blame the user!’

    So are you advocating that both trusted and untrusted machines should be on the same network where sensitive services are run? How astounding!

    @Robert Pogson

    ‘Normal users cannot fudge their user/host id without root access.’

    Chuckle. If you think locking down /etc/passwd will somehow prevent a malicious attacker from spoofing UID or GID at the packet level, then you are sorely mistaken. People wouldn’t advise you to use Kerberos if the problem could simply solve itself with what you did there in that particular school.

    Actually, never mind that. You don’t even seem to be able to tell the difference between a browser feature and a firewall, so what on earth would you possibly know about “packets”?

    Just spare me from your meaningless gobbledygook, already.

  13. TEG wrote, “Little does he know that NFS, by design, has no built-in credential verification mechanism and anyone with the right Unix UID can access a NFS share without the entire system asking a single question about your identity.”

    NFS relies on host identification and user identification. I would use SSHFS if I wanted better security. Normally host identification and user identification are assigned by the OS and can be centralized with LDAP to make sure that security works system-wide. I used LDAP at Easterville. It was solid. Normal users cannot fudge their user/host id without root access. One can use whatever authentication one wants, such as Kerberos or fingerprints, too.

  14. dougman says:

    Again M$ shills blame the user!

  15. That Exploit Guy says:

    From article:

    ‘There were similar files for other “special” clients as well. There are probably a lot of personally identifying details in there, but I didn’t spend much time going through them, because then I got tipped-off about the invoice server. It contains what appears to be all of MSD invoices for this year.’

    As Windows shares are not exposable across routers without a WINS proxy, it appears to me that the kiosks and the more sensitive machines are simply co-inhabiting the same network as opposed to being assigned separate ones, as anyone with the faintest idea about establishing proper levels of trust would find necessary under such circumstances. Of course, such blatant disregard for proper implementation practices had also no doubt evaded Robert Pogson, as any long-time reader here would recall his clumsy attempts to secure public shares and Internet access on a school network only to blame MS for his own sheer incompetence thereafter (a trait that is also evident in his excuse of using Firefox to bypass IE parental control without explaining how he has somehow installed Firefox without administrative privileges to begin with, or why he thinks a browser feature should be effective outside of the browser itself). Little does he know that NFS, by design, has no built-in credential verification mechanism and anyone with the right Unix UID can access a NFS share without the entire system asking a single question about your identity. Of course, this won’t stop a fanatic/liar such as Mr. Pogson himself from saying something as idiotic as ‘a distro usually ships with NFS not sharing anything and privileges are a high priority’ and then mumbling something about Kerberos afterwards.

    I guess it’s just another typical day at mrpogson.com.

  16. dougman says:

    The new features and innovations are now your latest exploits and security problems!

    Microsoft. No rules just headaches.
