Security issues with S&P ComStock multiCSP (Linux)

[kadokev () MSG NET (kadokev () MSG NET)]

Standard & Poor's ComStock (http://www.spcomstock.com/) provides stock quotes
and news as a real-time feed on dedicated circuits (ISDN, 56K, T1). ComStock
offers a 'Client Site Processor' as a means of receiving their data feed,
the MultiCSP I tested against is shipped as a PC running Red Hat Linux 5.1,
with version 4.2.4 of 'mcsp', the MultiCSP application software.

On January 12th, Standard & Poor, Mcgraw-Hill and ComStock were contacted
about the issues detailed below. We have yet to receive any response. I
was given access to a brand new MultiCSP unit in early March, and found all
of the same issues, with only minor, cosmetic, changes.

The MultiCSP system I examined was a textbook example of how NOT to ship a
Linux-based 'appliance', with numerous extraneous services enabled, several
UN-passworded accounts (including a root-equivalent account), world-writable
files, and multiple root holes. It does not appear that there is any effort
to update the OS after the machine is deployed at a client site, or to train
clients (Most of whom are only familiar with MS-Windows) to update the system.

The network connection for the stock quote service is a leased line or other
dedicated data feed. The Linux client at customer sites use reserved
(private) address space, however the private address space goes through Bay
routers on the Concentric network, these routers are Internet accessible.

I see no evidence of IP filters anywhere within the network, there is nothing
on the Concentric network to prevent leaking of traffic from the 172.23.*.*
address space out to the public Internet, or to prevent clients from within
the ComStock network forging source IPs on outbound packets, to other clients
or to the Internet.

The system ships with very weak default passwords for the root account as well
as 'support' and 'isdnconfig'. Root can be logged into via telnet.

The most obvious root hole on the MultiCSP host is the 'netconfig' account,
a UID 0 login with the same password as 'support'. This login goes directly
to a menu program. The menu allows for changing the IP addresses, and the
ability to edit the MCSP startup script, using the 'vi' editor.
The implications are obvious.

In March I had access to a newly deployed CSP, and found that the accounts
with blank passwords had them set to the (guessable) 'support' password. The
new version does not have the menu item for editing the startup script, but
has other, equally trivial, opportunities to get a root shell.

If you have the misfortune of having a MultiCSP on your network, you have
my sympathy.  If you can't live without their stock information, It is
possible to use the root holes to lock down the box as best you can, then
put it behind a firewall with just the CSP TCP port open _inbound_ to the MCSP
system from your hosts, or at least a router with equivalent traffic filters.

Then pray for the best.

Kevin Kadow
MSG.Net, Inc.
bugtraq () msg net

Copyright 2000 by MSG.Net, Inc,
No restriction on redistribution in complete and unmodified form.