Bugtraq mailing list archives
Security issues with S&P ComStock multiCSP (Linux)
From: kadokev-bugtraq () MSG NET (Kevin Kadow)
Date: Tue, 1 Feb 2000 07:27:30 -0800
Standard & Poor's ComStock (http://www.spcomstock.com/) provides stock quotes and news as a real-time data feed on dedicated circuits. ComStock offers a 'Client Site Processor' as a means of receiving their data feed, the MultiCSP I tested against is shipped as a PC running Red Hat Linux 5.1, with version 4.2.x.x of 'mcsp', the MultiCSP application software. On January 12th, Standard & Poor, Mcgraw-Hill and ComStock were contacted about the issues detailed below. We have yet to receive any response. The MultiCSP system I examined was a textbook example of how NOT to ship a Linux-based 'appliance', with numerous extraneous services enabled, several UN-passworded accounts (including a root-equivalent account), world-writable files, and multiple root holes. It does not appear that there is any effort to update the OS after the machine is deployed at a client site, or to train clients (Most of whom are only familiar with MS-Windows) to update the system. The network connection for the stock quote service is a leased line or other dedicated data feed. The Linux client at customer sites use reserved (private) address space, however clients are connected to Bay routers on the Concentric network which are Internet accessible. I see no evidence of IP filters anywhere within the network, there is nothing on the Concentric network to prevent leaking of 172.23.*.* traffic to the public Internet, or to prevent clients from within the ComStock network forging source IPs on outbound packets. The most obvious root hole on the MultiCSP host is the 'netconfig' account, an unpassworded UID 0 login that runs a menu program. This account displays a menu allowing for changing the IP addresses, and the ability to edit the MCSP startup script, using the 'vi' editor. The implications are obvious. The system ships with very weak default passwords for the root account as well as 'support' and 'isdnconfig'. Root can be logged into via telnet. If you have the misfortune of having a MultiCSP on your network, you have my sympathy. If you can't live without their stock information, It is possible to use the root holes to lock down the box as best you can, then put it behind a firewall with just the CSP TCP port open _inbound_ to the MCSP system from your hosts, or at least a router with equivalent traffic filters. Then pray for the best. Kevin Kadow MSG.Net, Inc. bugtraq () msg net Copyright 2000 by MSG.Net, Inc, No restriction on redistribution in complete and unmodified form.
Current thread:
- Security issues with S&P ComStock multiCSP (Linux) Kevin Kadow (Feb 01)