Bugtraq mailing list archives
Re: TCP Timestamping and Remotely gathering uptime information
From: arivanov () SIGSEGV CX
Date: Fri, 16 Mar 2001 20:56:41 -0000
-----BEGIN PGP SIGNED MESSAGE----- On 15-Mar-2001 Darren Reed wrote:
So when do we change things like "uname" such that they no longer report the system "identity" (OS, OS rev) to anyone but root ? Why do you think all timestamps should not reveal uptime information ? What do you think is at risk here ? Are script kiddies going to say "ooh, he's been up for 500 days and he's not linux, lets flood him to death" ? Or is there something more fundamental ? One potential use of uptime information to an attackers advantage is in attacking things which use the current time (seconds, microseconds, whatever) as a seed for some sort of thing when the start up at boot time. An server which has a week PRNG or similar might be at risk, where it otherwise would not, do you think ?
Just two examples of the top of my head. 1. Detecting subversion of an operating system that are vulnerable but not distinguishable by normal fingerprinting. Example: Linux 2.2.x that has an uptime of more than 500 days is guaranteed to be a pre-2.2.8 and vulnerable to the specific IP stack issue reported on bugtraq for 2.2.7. A more recent is quite likely to be something that has been patched. Similar examples can be made with BSD. 2. Some OSes require reboot for fixes that are expected to be userland. There you have a sure indication that a fix has not been applied. I would say that this is a very good and almost undetectable method of collecting vulnerable IIS installations ;-) You can even use third parties (netcraft) for some of them. List of course can be extended. - ---------------------------------- Anton R. Ivanov ARI2-RIPE Today's deliverables will have to be delayed because: Recursive traversal of loopback mount points - ---------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iQEVAwUBOrJ+CSlWAw/bM84zAQEZlwf/YKVBSLmFhfWSAYraRG+wzYu9MEK7I+yD bAVUicuHwVzznRAKPiqUF0eEOa6cISXpH6LmUd6tU9ngXEDdNVFmn0WSsqVaPJ9r d5NmIgIvCIiKrFKKGkqF1QfwYo0/BMhjQRreFUU0Lz0rC0852OpejPOiosvt0Bvs nLVdA3zvBNz1nEQWd/cwcPF5t5VJ3dmg2xBOvjalPitQLmZ7GGrmnryRPrQS+QeK jZXD7nxofDdnexsLQJS4d2N8L0tsrwIkDeyaiNxXNqFRk4ubKAkmuRsvJmKsgnjD CKdMjX7OmT980rL1jU4EInvSBLGMfDPnDXR/BbA3L+NgK/2Qw8ZifA== =hZh4 -----END PGP SIGNATURE-----
Current thread:
- TCP Timestamping and Remotely gathering uptime information Bret (Mar 13)
- Re: TCP Timestamping and Remotely gathering uptime information Fyodor (Mar 14)
- <Possible follow-ups>
- Re: TCP Timestamping and Remotely gathering uptime information Bret (Mar 15)
- Re: TCP Timestamping and Remotely gathering uptime information Ted U (Mar 16)
- Re: TCP Timestamping and Remotely gathering uptime information Darren Reed (Mar 16)
- Re: TCP Timestamping and Remotely gathering uptime information Valdis Kletnieks (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Saint skullY the Dazed (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information arivanov (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Stephen White (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information bert hubert (Mar 20)
- Remote fingerprinting/uptime (was Re: TCP Timestamping ...) Darren Reed (Mar 20)
- Re: Remote fingerprinting/uptime (was Re: TCP Timestamping ...) Jason R Thorpe (Mar 22)
- Re: TCP Timestamping and Remotely gathering uptime information Chris Tobkin (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Ted U (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Matt Lewis (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Theo de Raadt (Mar 20)
- Re: TCP Timestamping and Remotely gathering uptime information Darren Reed (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information van der Kooij, Hugo (Mar 20)