That is with ssh open or available from the outside. I still suggest a
JIRA...

On Nov 16, 2012 6:41 PM, "Noah Mehl" <[email protected]> wrote:

> I would also like to mention:
>
> This works for any port, including SIP. There might be huge amounts of
> SIP piracy across people's servers.
>
> ~Noah
>
> On Nov 16, 2012, at 6:27 PM, Alan Worstell <[email protected]>
> wrote:
>
> What Noah is posting about is correct. SMTP is listening on 127.0.0.1.
> However, if you use SSH port redirection, from an outside host you can
> forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested
> this with a development 4.6 server we have, from a system completely
> off-network:
>
> ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
>
> After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and
> send mail. I would consider that to be a pretty large security flaw, as
> every sipx server out there that has SSH password logins allowed to the
> world can be used as a spam relay.
>
> Regards,
>
> Alan Worstell
> A1 Networks - Systems Administrator
> VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
> (707)570-2021 x204
> For support issues please email [email protected] or call 707-703-1050
>
> On 11/16/12 3:17 PM, Tony Graziano wrote:
>
> can you provide the output of: lsof -i | grep LISTEN
>
> and post what SMTP is listening to?
>
> On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <[email protected]> wrote:
>
>> This is my problem:
>>
>> You are arguing with me when you don't understand how SSH port
>> forwarding works.
>>
>> In the exploit I've illustrated, the port is tunneled via SSH. Then on
>> the remote machine (the sipxecs server) the traffic originates as
>> LOCALHOST. That's why it's an OOTB security flaw.
>>
>> I have not made changes to the smtp config.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 6:02 PM, "Tony Graziano"
>> <[email protected]> wrote:
>>
>> There is that too. I keep bringing it up but he skips over it.
>>
>> In a default sipx installation, the output shows:
>>
>> sendmail TCP localhost.localdomain:smtp (LISTEN)
>>
>> and there are no other entries related to SMTP. So again, something is
>> different here than in all the others (remember that kids' game?). Why
>> is your installation different? Why is SMTP open to begin with? Why is
>> SMTP open on your system and no one else's?
>>
>> I still don't agree with your assessment. It is the way your firewall
>> and/or sendmail is configured to begin with that is not consistent with
>> the way the system is used. Security is the admin's, and certainly SSH
>> port forwarding can be turned off and the user can be denied. I don't
>> think it very helpful to make changes to secure a system if someone
>> keeps opening holes or changing smtp configs and then opening another
>> case that the system is not secure enough... I'm just saying. You still
>> have neglected to explain why SMTP is open from waaaayyyy back in this
>> thread.
>>
>> Realize the developers list are some of the same people here (I won't
>> dissuade you from posting to that list, or opening a JIRA) but realize
>> it can be discussed and decided there is no problem and a change is not
>> warranted, only an implementation decision gone awry. On the other
>> hand, if enough people agree those are two things that can be done by
>> default "in the event someone decides to open SMTP". I'm not a fortune
>> teller.
>>
>> I think it took a lot of your time to find it and to bring it up, and I
>> think it's worthy of consideration though.
>>
>> On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <[email protected]> wrote:
>>
>>> Hey! FINALLY, I got some information that's actually useful to me!!!
>>> Where is the JIRA link where I can post a bug? Is there a different
>>> mailing list for Sipxecs dev?
>>>
>>> No, my argument is that two users are created by the SipXecs install:
>>> PlcmSpIp and lvp2890. These users have passwords set in /etc/shadow
>>> from the install script.
>>>
>>> I do not believe that this is a Redhat/Centos problem, because they DO
>>> NOT ship system users with passwords in /etc/shadow. Or any user with
>>> a password in /etc/shadow except for the password one sets for root
>>> during install, and the password for the first user during install.
>>>
>>> Since the SipXecs install creates these users, and thereby creates the
>>> security issue, part of the user creation should deny those users
>>> access to ssh in the sshd_config. That's the only part of this
>>> scenario that isn't secure. I will be happy to submit a bug, etc...
>>>
>>> As it happens, I'm not the first person to be hacked because of this:
>>> http://www.mail-archive.com/[email protected]/msg04471.html
>>> And it's highly likely that many people have been bitten by this, and
>>> no one knew what the cause was.
>>>
>>> This serves as a warning to ALL SipXecs 4.4.x users:
>>>
>>> 1. If you have SipXecs 4.4.x
>>> 2. You still have the PlcmSpIp and lvp2890 users, with unchanged
>>>    passwords (which you would by default, not knowing they had been
>>>    added to your server)
>>> 3. Anyone has SSH port access to the server
>>> 4. Then you are wide open
>>>
>>> I don't care how one solves the issue, we have 3 solutions so far:
>>>
>>> 1. Disable or heavily restrict all ssh access to the machine
>>> 2. DenyUsers PlcmSpIp lvp2890 in /etc/ssh/sshd_config
>>> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>>>
>>> I prefer method 2 because I don't want to remove a useful tool in my
>>> arsenal (ssh port forwarding), and I don't want to change the default
>>> passwords (because of provisioning stock phones). But I HIGHLY suggest
>>> everyone takes a quick look at their settings, because I bet a lot of
>>> people are susceptible to this. Thanks.
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 5:37 PM, Tony Graziano
>>> <[email protected]> wrote:
>>>
>>> You do realize the other side of this argument is that SSH forwarding
>>> is enabled by default on Redhat/Centos and that since you have SSH
>>> available to the public at large it also makes this an effective use
>>> of your system.
>>>
>>> I think the place for you to ask for a change is submitting a JIRA and
>>> posting a link on the users and dev groups so people can comment
>>> and/or vote for this change...
>>>
>>> add in /etc/ssh/sshd_config by default:
>>>
>>> AllowTcpForwarding no
>>> DenyUsers PlcmSpIp
>>>
>>> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <[email protected]> wrote:
>>>
>>>> Shall I make a screencast to explain?
>>>>
>>>> ~Noah
>>>>
>>>> On Nov 16, 2012, at 5:20 PM, Noah Mehl <[email protected]> wrote:
>>>>
>>>> Gerald.
>>>>
>>>> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP
>>>> SERVICE ON THE SIPXECS SERVER via SSH remotely using the default
>>>> user/pass of PlcmSpIp, utilizing ssh port forwarding.
>>>>
>>>> ~Noah
>>>>
>>>> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard
>>>> <[email protected]> wrote:
>>>>
>>>> On 11/16/2012 1:57 PM, Noah Mehl wrote:
>>>>
>>>> Does nobody on the list know what SSH port forwarding is? I am
>>>> running the first two commands from a remote machine (connecting to
>>>> the sipxecs machine) in separate terminals to forward my local 25
>>>> port to the sipxecs box, and the 25 port on the sipxecs box locally.
>>>> The third command is run locally on the remote machine. This exploit
>>>> gives the remote machine access to port 25 on the SipXecs box even if
>>>> all other ports are blocked. This could be used for any port that is
>>>> blocked by firewall, ids, etc, if the remote machine has ssh access
>>>> to the sipxecs box.
>>>>
>>>> ~Noah
>>>>
>>>> Do you understand that if your sipx smtp server is only running on
>>>> localhost that you will not be able to connect to it via
>>>> telnet/ssh/whatever?
>>>>
>>>> --
>>>> Regards
>>>> --------------------------------------
>>>> Gerald Drouillard
>>>> Technology Architect
>>>> Drouillard & Associates, Inc.
>>>> http://www.Drouillard.biz
>>>
>>> --
>>> ~~~~~~~~~~~~~~~~~~
>>> Tony Graziano, Manager
>>> Telephone: 434.984.8430
>>> sip: [email protected]
>>> Fax: 434.465.6833
>>> ~~~~~~~~~~~~~~~~~~
>>> Linked-In Profile:
>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> Ask about our Internet Fax services!
>>> ~~~~~~~~~~~~~~~~~~
>>>
>>> Using or developing for sipXecs from SIPFoundry? Ask me about
>>> sipX-CoLab 2013!
>>> <http://sipxcolab2013.eventbrite.com/?discount=tony2013>
>>>
>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> Telephone: 434.984.8426
>>> sip: [email protected]
>>>
>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>> Blog: http://blog.myitdepartment.net

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net

_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
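The thread above settles on two sshd_config mitigations (DenyUsers for the provisioning accounts, AllowTcpForwarding no) and on the observation that the install leaves those accounts with a password in /etc/shadow. The following POSIX shell audit is an added example, not code from the thread or from the sipXecs project: it reads the effective value of those keywords from an sshd_config (first occurrence wins, Match blocks are skipped, which is a limitation of the checker), reports whether an "ssh -L" tunnel to 127.0.0.1 would still work and whether each named user is denied, and lists the accounts in a shadow file that still carry a usable hash. The file paths and user names are parameters; the config and shadow lines in demo() are constructed, not taken from any server.

```shell
#!/bin/sh
# Added example (not part of the thread or of sipXecs): audit the two
# sshd_config mitigations discussed above and list accounts that can
# still log in with a password. Run as root against the real files:
#   audit_sshd_config /etc/ssh/sshd_config PlcmSpIp lvp2890
#   accounts_with_password /etc/shadow

# Effective value of one sshd_config keyword: keywords are case-insensitive,
# '#' starts a comment, the FIRST occurrence wins, and "Key=value" is
# accepted as well as "Key value". Directives inside Match blocks are
# conditional, so scanning stops at the first Match line (a limitation of
# this checker, not of sshd).
sshd_effective() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*\([A-Za-z]*\)[[:space:]]*=/\1 /' "$1" |
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Returns 0 only when "ssh -L" cannot reach 127.0.0.1 services through this
# host (AllowTcpForwarding no or remote) AND every named user is denied.
# Exact-name matching only: DenyUsers patterns (*, ?, user@host) are not
# expanded here.
audit_sshd_config() {
    cfg=$1; shift
    rc=0
    fwd=$(sshd_effective "$cfg" AllowTcpForwarding)
    # OpenSSH defaults to "yes" when the keyword is absent; "local" still
    # permits the -L tunnel used in the thread.
    case "${fwd:-yes}" in
        no|remote) echo "OK   AllowTcpForwarding $fwd" ;;
        *) echo "WARN AllowTcpForwarding ${fwd:-yes (default)}: -L tunnels to 127.0.0.1 work"
           rc=1 ;;
    esac
    deny=$(sshd_effective "$cfg" DenyUsers)
    for u in "$@"; do
        denied=0
        for d in $deny; do [ "$d" = "$u" ] && denied=1; done
        if [ "$denied" -eq 1 ]; then
            echo "OK   $u is in DenyUsers"
        else
            echo "WARN $u can still log in over SSH (not in DenyUsers)"
            rc=1
        fi
    done
    return "$rc"
}

# Accounts whose shadow entry holds a real hash: field 2 is non-empty and
# does not start with '!' or '*' (locked / no password). Provisioning
# users created with a known password show up here.
accounts_with_password() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Stand-alone demo on constructed files (NOT real server data).
demo() {
    t=$(mktemp -d) || return 1
    printf '%s\n' '# stock config: forwarding on, nobody denied' \
        'PasswordAuthentication yes' > "$t/weak"
    printf '%s\n' 'AllowTcpForwarding no' 'DenyUsers PlcmSpIp lvp2890' \
        'Match User admin' 'AllowTcpForwarding yes' > "$t/hard"
    printf '%s\n' 'root:$6$salt$hash:15660:0:99999:7:::' \
        'PlcmSpIp:$1$salt$hash:15660:0:99999:7:::' \
        'bin:*:15660:0:99999:7:::' 'sshd:!!:15660:0:99999:7:::' > "$t/shadow"
    for f in weak hard; do
        echo "== $f sshd_config"
        if audit_sshd_config "$t/$f" PlcmSpIp lvp2890; then echo "PASS"; else echo "FAIL"; fi
    done
    echo "== accounts with a password hash"
    accounts_with_password "$t/shadow"
    rm -rf "$t"
}

demo
```

The two checks map onto the thread's options 2 and 3: DenyUsers removes the accounts from SSH entirely, while AllowTcpForwarding no keeps them usable for phone provisioning but closes the tunnel; the shadow listing shows which install-created accounts would matter if neither is set. Pair it with the `lsof -i | grep LISTEN` check from the thread to confirm what a tunnel could reach.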
