Application: Dragon Fire 3.1 IDS for Unices
Developer: Network Security Wizards
Urgency: VERY HIGH
Symptoms: Web users can run arbitrary commands *remotely*.

Storyline:
----------

        In the middle of development of a Linux IDS, I wanted to take a short glimpse
at some similar products on the net. Seems like the most impressive (and commercial,
yuck) is NSW's (Network Security Wizards') Dragon Fire 3.1, just released. I followed the
nice link there (Live demo) and chose Database telnet1, Forensic tool mkchart,
sensor ALL and as 'IP one' | ls -lsa / . I was unpleasantly surprised when I saw
my command executed very well, with a nice output. Too bad it doesn't run as root (maybe
other tools in that package do). Anyhow, they don't run that system on a Linux station
(try as 'IP one' | echo `uname -a` and vote for SunOS!?). I guess many customers run it on
other buggy Unices (Irix etc.) so watch your asses and claim your support, or switch to a
local tool implemented by your system administrator (wow, my company is lucky, don't you
think so? :)) Go there if you don't believe me, and try as many commands as possible,
maybe that IDS is smart enough to log them too! :)

Fix:
----

        The sources are not public (and they are buggy too) so I recommend IMMEDIATE
protection of the web pages (.htaccess if you use Apache). You may also keep your mouth
shut unless NSW releases an *elementary* secure wrapper, and don't make your DragonFire
URLs public. There is an enterprise version too :>
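The bug above is the 'IP one' form field being pasted straight into a shell command line. As an added example (not NSW's code, whose sources are closed), here is that pattern next to a validated, shell-free invocation; the tool path and the -ip flag are placeholders, since the page does not give the real ones:

```python
import ipaddress
import subprocess
from typing import List

# Placeholder for the forensic tool the CGI front end invokes; the real
# binary name and its flags are not given in the advisory.
TOOL = "/usr/local/dragon/bin/forensic-tool"


def vulnerable_command(ip_one: str) -> str:
    """The pattern the advisory describes: the user's field is interpolated
    into a command string that is then handed to a shell. Returned as a
    string (never executed here) so the reader can see why a value like
    '| ls -lsa /' turns into a second command."""
    return f"{TOOL} -ip {ip_one}"


def validate_ipv4(value: str) -> str:
    """Allow-list check: accept only a dotted-quad IPv4 address.

    ipaddress rejects anything that is not exactly an address, so shell
    metacharacters, spaces, extra tokens and hostnames all fail closed."""
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv4 address: {value!r}") from exc


def safe_argv(ip_one: str) -> List[str]:
    """Validate first, then build an argument vector for an execve-style
    call. No shell ever parses the user's bytes, so there is nothing for
    a pipe or semicolon to split."""
    return [TOOL, "-ip", validate_ipv4(ip_one)]


def run_tool(ip_one: str) -> subprocess.CompletedProcess:
    """Invoke the tool with shell=False; any injection attempt is rejected
    by validate_ipv4 before subprocess is reached."""
    return subprocess.run(safe_argv(ip_one), shell=False,
                          check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed inputs: one legitimate address, one of the advisory's payloads.
    print(vulnerable_command("| ls -lsa /"))   # shows the injected pipeline
    print(safe_argv("10.0.0.1"))               # clean argv, no shell involved
    try:
        safe_argv("| ls -lsa /")
    except ValueError as e:
        print("rejected:", e)
```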


Funstuff:
--------

        Well, if you read http://www.securitywizards.com/wsj1.html, I guess Mr Gula
will not forget to invite me to his next DefCon, near all the feds and US crackers
(= kiddies, for me) there to penetrate newer versions of 'DragonFire'. I guess the feds
will have to focus their attention on some other IDSes.

--

Stefan Laudat
Data Networks Analyst
ASIT SA
-------------

!07/11 PDP a ni deppart m'I  !pleH
