Bugtraq mailing list archives

Re: TCP Timestamping and Remotely gathering uptime information

From: arivanov () SIGSEGV CX
Date: Fri, 16 Mar 2001 20:56:41 -0000

-----BEGIN PGP SIGNED MESSAGE-----


On 15-Mar-2001 Darren Reed wrote:

So when do we change things like "uname" such that they no longer
report
the system "identity" (OS, OS rev) to anyone but root ?

Why do you think all timestamps should not reveal uptime
information ?

What do you think is at risk here ?

Are script kiddies going to say "ooh, he's been up for 500 days
and he's
not linux, lets flood him to death" ?

Or is there something more fundamental ?

One potential use of uptime information to an attackers advantage
is in
attacking things which use the current time (seconds,
microseconds,
whatever) as a seed for some sort of thing when the start up at
boot
time.  An server which has a week PRNG or similar might be at
risk,
where it otherwise would not, do you think ?


Just two examples of the top of my head.

1. Detecting subversion of an operating system that are vulnerable
but not distinguishable by normal fingerprinting. Example: Linux
2.2.x that has an uptime of more than 500 days is guaranteed to be a
pre-2.2.8 and vulnerable to the specific IP stack issue reported on
bugtraq for 2.2.7. A more recent is quite likely to be something
that has been patched.

Similar examples can be made with BSD.

2. Some OSes require reboot for fixes that are expected to
be userland. There you have a sure indication that a fix has not
been applied. I would say that this is a very good and almost
undetectable method of collecting vulnerable IIS installations ;-)
You can even use third parties (netcraft) for some of them.

List of course can be extended.

- ----------------------------------
Anton R. Ivanov
ARI2-RIPE
Today's deliverables will have to be delayed because:

Recursive traversal of loopback mount points

- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQEVAwUBOrJ+CSlWAw/bM84zAQEZlwf/YKVBSLmFhfWSAYraRG+wzYu9MEK7I+yD
bAVUicuHwVzznRAKPiqUF0eEOa6cISXpH6LmUd6tU9ngXEDdNVFmn0WSsqVaPJ9r
d5NmIgIvCIiKrFKKGkqF1QfwYo0/BMhjQRreFUU0Lz0rC0852OpejPOiosvt0Bvs
nLVdA3zvBNz1nEQWd/cwcPF5t5VJ3dmg2xBOvjalPitQLmZ7GGrmnryRPrQS+QeK
jZXD7nxofDdnexsLQJS4d2N8L0tsrwIkDeyaiNxXNqFRk4ubKAkmuRsvJmKsgnjD
CKdMjX7OmT980rL1jU4EInvSBLGMfDPnDXR/BbA3L+NgK/2Qw8ZifA==
=hZh4
-----END PGP SIGNATURE-----

Current thread:

TCP Timestamping and Remotely gathering uptime information Bret (Mar 13)
- Re: TCP Timestamping and Remotely gathering uptime information Fyodor (Mar 14)
- <Possible follow-ups>
- Re: TCP Timestamping and Remotely gathering uptime information Bret (Mar 15)
  - Re: TCP Timestamping and Remotely gathering uptime information Ted U (Mar 16)
  - Re: TCP Timestamping and Remotely gathering uptime information Darren Reed (Mar 16)
    - Re: TCP Timestamping and Remotely gathering uptime information Valdis Kletnieks (Mar 19)
    - Re: TCP Timestamping and Remotely gathering uptime information Saint skullY the Dazed (Mar 19)
    - Re: TCP Timestamping and Remotely gathering uptime information arivanov (Mar 19)
  - Re: TCP Timestamping and Remotely gathering uptime information Stephen White (Mar 19)
    - Re: TCP Timestamping and Remotely gathering uptime information bert hubert (Mar 20)
    - Remote fingerprinting/uptime (was Re: TCP Timestamping ...) Darren Reed (Mar 20)
    - Re: Remote fingerprinting/uptime (was Re: TCP Timestamping ...) Jason R Thorpe (Mar 22)
- Re: TCP Timestamping and Remotely gathering uptime information Chris Tobkin (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Ted U (Mar 19)
- Re: TCP Timestamping and Remotely gathering uptime information Matt Lewis (Mar 19)
  - Re: TCP Timestamping and Remotely gathering uptime information Theo de Raadt (Mar 20)
- Re: TCP Timestamping and Remotely gathering uptime information Darren Reed (Mar 19)
  - Re: TCP Timestamping and Remotely gathering uptime information van der Kooij, Hugo (Mar 20)