-----BEGIN ASSIST BULLETIN-----

Automated Systems Security Incident Support Team
"Integritas et Celeritas"

Bulletin 93-27
Release date: 7 Oct 93, 15:45 EDT
Subject: Internet Security Scanner (ISS)

BACKGROUND:

Software that allows automated scanning of TCP/IP networked computers for security vulnerabilities has been posted to the comp.sources.misc Usenet newsgroup. The software package, known as ISS or Internet Security Scanner, will interrogate all computers within a specified IP address range, determining the security posture of each with respect to several common system vulnerabilities.

The software was designed as a security tool for system and network administrators, and ISS does not attempt to gain access to a system being tested. However, given its wide distribution and its ability to scan remote networks, it is likely that ISS will also be used to locate vulnerable hosts for malicious reasons. While none of the vulnerabilities ISS checks for are new, the aggregation of these tests into a widely available automated tool represents a significant threat to networked machines.

ASSIST recommends that administrators take this opportunity to examine their systems for the vulnerabilities described below. Also described are available security tools that may assist in the detection and prevention of malicious use of ISS. Finally, the common symptoms of an ISS scan are outlined so that malicious use can be detected.

Vulnerabilities probed by ISS
-----------------------------

The following vulnerabilities are currently tested for by the ISS tool. Administrators should verify the state of their systems and perform corrective actions as indicated.
Default Accounts

The accounts "guest" and "bbs", if they exist, should have non-trivial passwords. If login access to these accounts is not needed, they should be removed, or disabled by placing a "*" in the password field and the string "/bin/false" in the shell field of /etc/passwd. See the system manual entry for "passwd(1)" for more information on changing passwords and disabling accounts. For example, the /etc/passwd entry for a disabled guest account should resemble the following:

    guest:*:2311:50:Guest User:/home/guest:/bin/false

Both changes are needed: the "*" in the password field stops password logins, and /bin/false denies a usable shell to any session that authenticates another way (for example via .rhosts or su).

lp Account

The account "lp", if it exists, should not allow logins. It should be disabled by placing a "*" in the password field and the string "/bin/false" in the shell field of /etc/passwd.

Decode Alias

Mail aliases for decode and uudecode should be disabled on UNIX systems. If the file /etc/aliases contains entries for these programs, they should be removed, or disabled by placing a "#" at the beginning of the line and then executing the command "newaliases". Consult the manual page for "aliases(5)" for more information on UNIX mail aliases. A disabled decode alias should appear as follows:

    # decode: "|/usr/bin/uudecode"

Sendmail

The sendmail commands "wiz" and "debug" should be disabled. This may be verified by connecting to the SMTP port and issuing each command by hand:

    % telnet hostname 25
    220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 EDT
    wiz
    You wascal wabbit! Wandering wizards won't win!  (or: 500 Command unrecognized)
    quit

    % telnet hostname 25
    220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 EDT
    debug
    500 Command unrecognized
    quit

If the "wiz" command returns "Please pass, oh mighty wizard", your system is vulnerable to attack. The command should be disabled by adding a line containing the string "OW*" to the sendmail.cf configuration file:

    OW*

For this change to take effect, kill the sendmail process, refreeze the sendmail.cf file (on versions that use a frozen configuration, "sendmail -bz"), and restart the sendmail process.
If the "debug" command instead returns "200 Debug set", you should immediately obtain a newer version of the sendmail software from your vendor.

Anonymous ftp

Anonymous ftp allows users without accounts to have restricted access to certain directories on the system. The availability of anonymous ftp on a given system may be determined by executing the following commands:

    % ftp hostname
    Connected to hostname.
    220 Host ftp server ready.
    Name (localhost:jdoe): anonymous
    530 user anonymous unknown.
    Login failed.

The above results indicate that anonymous ftp is not enabled. If the system instead replies with the string "331 guest login ok" and then prompts for a password, anonymous ftp access is enabled. The configuration of systems allowing anonymous ftp should be checked carefully, as improperly configured ftp servers are frequently attacked. Refer to ASSIST bulletins 93-12 and 93-20 for more information.

NIS

ISS attempts to guess the NIS domainname and, using it, to grab the password file from ypserv. See ASSIST bulletin 92-39 for more information regarding SunOS 4.X machines using NIS, and ASSIST bulletin 93-01 for more information regarding HP machines using NIS.

NFS

Filesystems exported under NFS should be mountable only by a restricted set of hosts. The UNIX "showmount" command will display the filesystems currently exported by a given host:

    % /usr/etc/showmount -e hostname
    export list for hostname:
    /usr        hosta:hostb:hostc
    /usr/local  (everyone)

The above output indicates that this NFS server is exporting two partitions: /usr, which can be mounted by hosta, hostb, and hostc; and /usr/local, which can be mounted by anyone. In this case, access to the /usr/local partition should be restricted.
Consult the system manual entry for "exports(5)" or "NFS(4P)" for more information.

rusers

The UNIX rusers command displays information about accounts currently active on a remote system. This may provide an attacker with account names or other information useful in mounting an attack. To check for the availability of rusers information on a particular machine, execute the following command:

    % rusers -l hostname
    hostname: RPC: Program not registered

If the above example had instead generated a list of user names and login information, a rusers server is running on the host. The server may be disabled by placing a "#" at the beginning of the appropriate line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process (for example, "kill -HUP <pid of inetd>"). A disabled rusers entry might appear as follows:

    #rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd

rexd

The UNIX remote execution server rexd provides only minimal authentication and is easily subverted. It should be disabled by placing a "#" at the beginning of the rexd line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process. The disabled entry should resemble the following:

    #rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd

See CERT Advisory CA-92:05 for more information regarding IBM AIX machines using rexd.

Available Tools
---------------

There are several available security tools that may be used to prevent or detect malicious use of ISS. ASSIST can provide additional information about these and other tools and procedures that can be used to evaluate a system's security posture.

SPI

The Security Profile Inspector (SPI) is a security tool distributed within the DoD by ASSIST that will detect the vulnerabilities described above. ASSIST will also provide technical support to sites that require help installing and running SPI.

TCP Wrappers

Access to most UNIX network services can be more closely controlled using software known as a TCP wrapper.
The wrapper provides additional access control and flexible logging features that may assist in both the prevention and detection of network attacks. This software is available via anonymous FTP from cert.org (IP 192.88.209.5) in the directory pub/tools/tcp_wrappers.

Detecting an ISS Attack
-----------------------

Given the wide distribution of the ISS tool, it is likely that remote attacks are going to occur. Such attacks can cause system warnings to be generated that may prove useful in tracking down the source of the attack. The most probable indicator of an ISS attack is a mail message sent to "postmaster" on a scanned system similar to the following:

    From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
    Subject: Returned mail: Unable to deliver mail
    Message-Id: <9309291633.AB04591@>
    To: Postmaster@hostname

       ----- Transcript of session follows -----
    <<< VRFY guest
    550 guest... User unknown
    <<< VRFY decode
    550 decode... User unknown
    <<< VRFY bbs
    550 bbs... User unknown
    <<< VRFY lp
    550 lp... User unknown
    <<< VRFY uudecode
    550 uudecode... User unknown
    <<< wiz
    500 Command unrecognized
    <<< debug
    500 Command unrecognized
    421 Lost input channel to remote.machine

       ----- No message was collected -----

The host named in the "421 Lost input channel" line is the system that opened the SMTP connection. A run of VRFY commands for exactly the accounts listed above, followed by "wiz" and "debug" and then a dropped connection, is characteristic of ISS rather than of ordinary mail delivery.

ASSIST would like to thank the CERT Coordination Center and the Department of Energy's CIAC Team for the information provided in this advisory.

ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins are available on the ASSIST BBS (see below) and through anonymous ftp from assist.ims.disa.mil.
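The checklist in "Vulnerabilities probed by ISS" and the bounce signature above can both be applied mechanically. The script below is an added example, not code from this bulletin, from ASSIST or from the ISS package. It reads the same files and command output the bulletin quotes (/etc/passwd, /etc/aliases, the output of "showmount -e", /etc/inetd.conf) and a postmaster bounce, and reports what still needs fixing. The inputs are constructed samples embedded in the file so that it runs offline; every function name and sample value is an assumption of the example rather than anything the bulletin specifies.

```python
"""Added example, not code from the ASSIST bulletin or from the ISS package.
Applies the bulletin's checklist to a host's configuration files and recognises
the ISS probe signature in a sendmail bounce. All inputs are constructed samples."""
import re

DISABLED_PASSWORD = "*"          # password field that blocks password logins
DISABLED_SHELL = "/bin/false"    # shell field that refuses an interactive session
RISKY_ACCOUNTS = ("guest", "bbs", "lp")
RISKY_ALIASES = ("decode", "uudecode")
RISKY_INETD_SERVICES = ("rexd", "rusersd")
ISS_VRFY_TARGETS = frozenset(("guest", "decode", "bbs", "lp", "uudecode"))
ISS_COMMANDS = frozenset(("wiz", "debug"))


def check_passwd(passwd_text):
    """Risky /etc/passwd accounts that are not fully disabled (both fields)."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[0] not in RISKY_ACCOUNTS:
            continue
        if fields[1] != DISABLED_PASSWORD or fields[6] != DISABLED_SHELL:
            findings.append(fields[0])
    return findings


def check_aliases(aliases_text):
    """decode/uudecode entries in /etc/aliases that are still active."""
    active = []
    for line in aliases_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # commented out: newaliases skips it
        name = line.split(":", 1)[0].strip()
        if name in RISKY_ALIASES:
            active.append(name)
    return active


def check_exports(showmount_text):
    """Filesystems that 'showmount -e' reports as mountable by everyone."""
    rows = (line.split() for line in showmount_text.splitlines())
    return [r[0] for r in rows if len(r) >= 2 and r[1] == "(everyone)"]


def check_inetd(inetd_text):
    """rexd/rusersd services that /etc/inetd.conf would still start."""
    active = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0].split("/")[0]   # "rusersd/2" -> "rusersd"
        if service in RISKY_INETD_SERVICES:
            active.append(service)
    return active


def is_iss_probe(bounce_text):
    """True when a bounce transcript shows ISS's VRFY list plus wiz and debug."""
    vrfy = set(re.findall(r"^<<< VRFY (\S+)$", bounce_text, re.M))
    cmds = set(re.findall(r"^<<< (wiz|debug)$", bounce_text, re.M))
    return ISS_VRFY_TARGETS <= vrfy and ISS_COMMANDS <= cmds


def probe_source(bounce_text):
    """Peer named in sendmail's '421 Lost input channel' line, or None."""
    m = re.search(r"^421 Lost input channel to (\S+)$", bounce_text, re.M)
    return m.group(1) if m else None


# Constructed samples in the formats the bulletin quotes (not real hosts).
SAMPLE_PASSWD = """guest:*:2311:50:Guest User:/home/guest:/bin/false
bbs:Gx7k1Qm.2FpXU:2312:50:BBS:/home/bbs:/bin/sh
lp:*:71:8:Line Printer:/usr/spool/lp:/bin/sh
"""
SAMPLE_ALIASES = """postmaster: root
# decode: "|/usr/bin/uudecode"
uudecode: "|/usr/bin/uudecode"
"""
SAMPLE_SHOWMOUNT = """export list for hostname:
/usr hosta:hostb:hostc
/usr/local (everyone)
"""
SAMPLE_INETD = """#rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd
rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd
"""
SAMPLE_BOUNCE = (
    "----- Transcript of session follows -----\n"
    + "".join("<<< VRFY %s\n550 %s... User unknown\n" % (u, u)
              for u in ("guest", "decode", "bbs", "lp", "uudecode"))
    + "<<< wiz\n500 Command unrecognized\n<<< debug\n500 Command unrecognized\n"
    + "421 Lost input channel to remote.machine\n"
)

if __name__ == "__main__":
    print(check_passwd(SAMPLE_PASSWD), check_aliases(SAMPLE_ALIASES),
          check_exports(SAMPLE_SHOWMOUNT), check_inetd(SAMPLE_INETD))
    print(is_iss_probe(SAMPLE_BOUNCE), probe_source(SAMPLE_BOUNCE))
```

To use it on a real host, replace the SAMPLE_* strings with the contents of the real files, the output of "showmount -e", and the body of the postmaster bounce; an empty list means that check passed. Note what it does not cover: the items that need a live network probe (the sendmail "wiz" and "debug" responses, NIS, rusers) still have to be checked by hand as described above, and the script is no substitute for SPI. The lp sample is flagged on purpose: its password field is "*" but its shell is still /bin/sh, which is exactly the half-disabled state the bulletin warns against.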
ASSIST contact information:

PHONE: 703-756-7974, DSN 289. Duty hours are 06:30 to 17:00 Monday through Friday. During off-duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243), PIN 2133937. Your page will be answered within 30 minutes; if a quicker response is required, prefix your phone number with "999" and ASSIST will return your call within 5 minutes.

Electronic mail: assist@assist.ims.disa.mil

ASSIST BBS: 703-756-7993/4, DSN 289; leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" lines contains machine-readable digital signature information generated by PEM, not corrupted data. Recipients of ASSIST bulletins who use PEM will be able to verify with a very high level of assurance that the information originated from ASSIST. PEM is compatible with all e-mail implementations available on the Milnet, and sites not using PEM will still be able to read bulletins that carry PEM digital signatures.

Information about PEM can be obtained via anonymous ftp from nic.ddn.mil (IP 192.112.36.5) in the /rfc directory, files rfc1421.txt, rfc1422.txt, rfc1423.txt, and rfc1424.txt. These files can also be downloaded from the ASSIST BBS. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100).

Note: The TIS software is just one of several implementations of PEM currently available, and additional versions are likely to be offered from other sources in the near future.