can you provide the output of: lsof -i | grep LISTEN and post what SMTP is listening to?
On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <[email protected]> wrote:

> This is my problem:
>
> You are arguing with me when you don't understand how SSH port forwarding works.
>
> In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's an OOTB security flaw.
>
> I have not made changes to the smtp config.
>
> ~Noah
>
> On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <[email protected]> wrote:
>
> There is that too. I keep bringing it up but he skips over it.
>
> In a default sipx installation, the output shows:
>
> sendmail TCP localhost.localdomain:smtp (LISTEN)
>
> and there are no other entries related to SMTP. So again, something is different here than in all the others (remember that kids game?). Why is your installation different? Why is SMTP open to begin with? Why is SMTP open on your system and no one else's?
>
> I still don't agree with your assessment. It is the way your firewall and/or sendmail is configured to begin with that is not consistent with the way the system is used. Security is the admin's and certainly port SSH forward can be turned off and the user can be denied. I don't think it very helpful to make changes to secure a system if someone keeps opening holes or changing smtp configs and then opening another case that the system is not secure enough... I'm just saying. You still have neglected to explain why SMTP is open from waaaayyyy back in this thread.
>
> Realize the developers list are some of the same people here (I won't dissuade you from posting to it to that list, or opening a JIRA) but realize it can be discussed and decided there is no problem and a change is not warranted, only an implementation decision gone awry. On the other hand, if enough people agree those are two things that can be done by default "in the event someone decides to open SMTP". I'm not a fortune teller.
>
> I think it took a lot of your time to find it and to bring it up, and I think it's worthy of consideration though.
>
> On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <[email protected]> wrote:
>
>> Hey! FINALLY, I got some information that's actually useful to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for Sipxecs dev?
>>
>> No, my argument is that two users are created by the SipXecs install: PlcmSIp and lvp2890. These users have passwords set in the /etc/shadow from the install script.
>>
>> I do not believe that this is a Redhat/Centos problem, because they DO NOT ship system users with passwords in /etc/shadow. Or any user with a password in /etc/shadow except for the password one sets for root during install, and the password for the first user during install.
>>
>> Since SipXecs install creates these users, and thereby creates the security issue, part of the user creation should deny those users access to ssh in the sshd_config. That's the only part of this scenario that isn't secure. I will be happy to submit a bug, etc...
>>
>> As it happens, I'm not the first person to be hacked because of this: http://www.mail-archive.com/[email protected]/msg04471.html And it's highly likely that many people have been bitten by this, and no one knew what the cause was.
>>
>> This serves as a warning to ALL SipXecs 4.4.x users:
>>
>> 1. If you have SipXecs 4.4.x
>> 2. You still have the PlcmSIp and lvp2890 users, with unchanged password (which you would by default, not knowing they had been added to your server)
>> 3. Anyone has SSH port access to the server
>> 4. Then you are wide open
>>
>> I don't care how one solves the issue, we have 3 solutions so far:
>>
>> 1. Disable or heavily restrict all ssh access to the machine
>> 2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
>> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>>
>> I prefer method 2 because I don't want to remove a useful tool in my arsenal (ssh port forwarding), and I don't want to change the default passwords (because of provision stock phones). But I HIGHLY suggest everyone takes a quick look at their settings, because I bet a lot of people are susceptible to this. Thanks.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 5:37 PM, Tony Graziano <[email protected]> wrote:
>>
>> You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system.
>>
>> I think the place for you to ask for a change is submitting a JIRA and posting a link on the users and dev groups so people can comment and/or vote for this change...
>>
>> add in /etc/ssh/sshd_config by default:
>>
>> AllowTcpForwarding no
>> DenyUsers PlcmSpIp
>>
>> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <[email protected]> wrote:
>>
>>> Shall I make a screencast to explain?
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 5:20 PM, Noah Mehl <[email protected]> wrote:
>>>
>>> Gerald.
>>>
>>> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSIp, utilizing ssh port forwarding.
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <[email protected]> wrote:
>>>
>>> On 11/16/2012 1:57 PM, Noah Mehl wrote:
>>>
>>> Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run locally on the remote machine. This exploit gives the remote machine access to port 25 on the SipXecs box even if all other ports are blocked. This could be used for any port that is blocked by firewall, ids, etc, if the remote machine has ssh access to the sipxecs box.
>>>
>>> ~Noah
>>>
>>> Do you understand that if your sipx smtp server is only running on localhost that you will not be able to connect to it via telnet/ssh/whatever?
>>>
>>> --
>>> Regards
>>> --------------------------------------
>>> Gerald Drouillard
>>> Technology Architect
>>> Drouillard & Associates, Inc. http://www.Drouillard.biz
>>>
>>> _______________________________________________
>>> sipx-users mailing list
>>> [email protected]
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: [email protected]
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013! <http://sipxcolab2013.eventbrite.com/?discount=tony2013>
>>
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: [email protected]
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
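A defender-side audit for the sshd_config fixes in Noah's list (DenyUsers, AllowTcpForwarding no) and for the install-created accounts still holding a usable password hash, added here as an example; it is not code from the thread or from the sipXecs project. It assumes the account names PlcmSIp and lvp2890 as Noah spells them (passed as arguments, so they can be changed), that sshd honours the first AllowTcpForwarding directive it reads (Match blocks are not parsed), and the sample config and shadow lines below are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks sshd_config for the two
# settings in Noah's list (DenyUsers, AllowTcpForwarding no) and a shadow
# file for sipXecs-created accounts that still carry a usable password hash.
# Paths are arguments; the sample files below are constructed.

# 0 if the first uncommented AllowTcpForwarding directive is "no"
# (sshd uses the first value it reads; Match blocks are ignored here).
tcp_forwarding_disabled() {
    grep -iE '^[[:space:]]*AllowTcpForwarding[[:space:]]' "$1" \
        | head -n 1 | grep -qiE '[[:space:]]no[[:space:]]*$'
}

# 0 if every user named after the config path appears on a DenyUsers line.
users_denied() {
    cfg=$1; shift
    for u in "$@"; do
        grep -iE '^[[:space:]]*DenyUsers[[:space:]]' "$cfg" | grep -qw "$u" || return 1
    done
}

# Print those of the named users whose shadow password field is a real
# hash rather than empty or a locked marker ("!", "!!", "*").
users_with_password() {
    shadow=$1; shift
    for u in "$@"; do
        awk -F: -v u="$u" '$1==u && $2!="" && $2!="!" && $2!="!!" && $2!="*" {print $1}' "$shadow"
    done
}

# Run every check: one WARN line per finding, exit status 1 if any.
audit() {
    cfg=$1; shadow=$2; rc=0
    tcp_forwarding_disabled "$cfg" || { echo "WARN: AllowTcpForwarding is not 'no' in $cfg"; rc=1; }
    users_denied "$cfg" PlcmSIp lvp2890 || { echo "WARN: PlcmSIp/lvp2890 missing from DenyUsers in $cfg"; rc=1; }
    for u in $(users_with_password "$shadow" PlcmSIp lvp2890); do
        echo "WARN: $u still has a password hash in $shadow"; rc=1
    done
    return $rc
}

# Constructed samples: a stock-looking config, a hardened one, and a shadow
# excerpt in which PlcmSIp has a hash (vulnerable) and lvp2890 is locked.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '#AllowTcpForwarding yes\nPasswordAuthentication yes\n' > "$TMP/sshd_config.stock"
printf 'AllowTcpForwarding no\nDenyUsers PlcmSIp lvp2890\n' > "$TMP/sshd_config.hardened"
printf 'root:$6$salt$hash:15600:0:99999:7:::\nPlcmSIp:$1$salt$hash:15600:0:99999:7:::\nlvp2890:!!:15600:0:99999:7:::\n' > "$TMP/shadow.sample"

audit "$TMP/sshd_config.stock" "$TMP/shadow.sample" || true   # stock: three WARN lines
audit "$TMP/sshd_config.hardened" "$TMP/shadow.sample" || true # hardened: only the PlcmSIp hash
```

Run it as root with `/etc/ssh/sshd_config` and `/etc/shadow` in place of the sample paths; a clean result needs both config settings present and no hash on either account (or the hash changed, if the phones are re-provisioned).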
