Thanks for the JIRA.

On Nov 16, 2012 9:16 PM, "Noah Mehl" <[email protected]> wrote:

> Tony,
>
> You know what? I think everyone is clear on *YOUR* opinion on the matter.
>
> In *MY* opinion, this is a serious bug. I have created a Jira story:
>
> http://track.sipfoundry.org/browse/XX-10529
>
> Next time, I would appreciate constructive comments instead of: "This is only a problem for you... You must be doing something wrong… You're not setting a firewall/ids up correctly…." I know I am not the only person who thinks this is a serious issue.
>
> ~Noah
>
> On Nov 16, 2012, at 7:30 PM, Tony Graziano <[email protected]> wrote:
>
> That is with ssh open or available from the outside.
>
> I still suggest a JIRA...
>
> On Nov 16, 2012 6:41 PM, "Noah Mehl" <[email protected]> wrote:
>
>> I would also like to mention:
>>
>> This works for any port, including SIP. There might be huge amounts of SIP piracy across people's servers.
>>
>> ~Noah
>>
>> On Nov 16, 2012, at 6:27 PM, Alan Worstell <[email protected]> wrote:
>>
>> What Noah is posting about is correct. SMTP is listening on 127.0.0.1. However, if you use SSH port redirection, from an outside host you can forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested this with a development 4.6 server we have, from a system completely off-network:
>>
>> ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
>>
>> After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and send mail. I would consider that to be a pretty large security flaw, as every sipx server out there that has SSH password logins allowed to the world can be used as a spam relay.
>>
>> Regards,
>>
>> Alan Worstell
>> A1 Networks - Systems Administrator
>> VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
>> (707)570-2021 x204
>> For support issues please email [email protected] or call 707-703-1050
>>
>> On 11/16/12 3:17 PM, Tony Graziano wrote:
>>
>> can you provide the output of: lsof -i | grep LISTEN
>>
>> and post what SMTP is listening to?
>>
>> On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <[email protected]> wrote:
>>
>>> This is my problem:
>>>
>>> You are arguing with me when you don't understand how SSH port forwarding works.
>>>
>>> In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's an OOTB security flaw.
>>>
>>> I have not made changes to the smtp config.
>>>
>>> ~Noah
>>>
>>> On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <[email protected]> wrote:
>>>
>>> There is that too. I keep bringing it up but he skips over it.
>>>
>>> In a default sipx installation, the output shows:
>>>
>>> sendmail TCP localhost.localdomain:smtp (LISTEN)
>>>
>>> and there are no other entries related to SMTP. So again, something is different here than in all the others (remember that kids' game?). Why is your installation different? Why is SMTP open to begin with? Why is SMTP open on your system and no one else's?
>>>
>>> I still don't agree with your assessment. It is the way your firewall and/or sendmail is configured to begin with that is not consistent with the way the system is used. Security is the admin's, and certainly SSH port forwarding can be turned off and the user can be denied. I don't think it's very helpful to make changes to secure a system if someone keeps opening holes or changing smtp configs and then opening another case that the system is not secure enough... I'm just saying. You still have neglected to explain why SMTP is open from waaaayyyy back in this thread.
>>>
>>> Realize the developers list are some of the same people here (I won't dissuade you from posting to that list, or opening a JIRA) but realize it can be discussed and decided there is no problem and a change is not warranted, only an implementation decision gone awry. On the other hand, if enough people agree, those are two things that can be done by default "in the event someone decides to open SMTP". I'm not a fortune teller.
>>>
>>> I think it took a lot of your time to find it and to bring it up, and I think it's worthy of consideration though.
>>>
>>> On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <[email protected]> wrote:
>>>
>>>> Hey! FINALLY, I got some information that's actually useful to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for Sipxecs dev?
>>>>
>>>> No, my argument is that two users are created by the SipXecs install: PlcmSIp and lvp2890. These users have passwords set in the /etc/shadow from the install script.
>>>>
>>>> I do not believe that this is a Redhat/Centos problem, because they DO NOT ship system users with passwords in /etc/shadow. Or any user with a password in /etc/shadow except for the password one sets for root during install, and the password for the first user during install.
>>>>
>>>> Since the SipXecs install creates these users, and thereby creates the security issue, part of the user creation should deny those users access to ssh in the sshd_config. That's the only part of this scenario that isn't secure. I will be happy to submit a bug, etc...
>>>>
>>>> As it happens, I'm not the first person to be hacked because of this:
>>>> http://www.mail-archive.com/[email protected]/msg04471.html
>>>> And it's highly likely that many people have been bitten by this, and no one knew what the cause was.
>>>>
>>>> This serves as a warning to ALL SipXecs 4.4.x users:
>>>>
>>>> 1. If you have SipXecs 4.4.x
>>>> 2. You still have the PlcmSIp and lvp2890 users, with unchanged password (which you would by default, not knowing they had been added to your server)
>>>> 3. Anyone has SSH port access to the server
>>>> 4. Then you are wide open
>>>>
>>>> I don't care how one solves the issue, we have 3 solutions so far:
>>>>
>>>> 1. Disable or heavily restrict all ssh access to the machine
>>>> 2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
>>>> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>>>>
>>>> I prefer method 2 because I don't want to remove a useful tool in my arsenal (ssh port forwarding), and I don't want to change the default passwords (because of provisioning stock phones). But I HIGHLY suggest everyone takes a quick look at their settings, because I bet a lot of people are susceptible to this. Thanks.
>>>>
>>>> ~Noah
>>>>
>>>> On Nov 16, 2012, at 5:37 PM, Tony Graziano <[email protected]> wrote:
>>>>
>>>> You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system.
>>>>
>>>> I think the place for you to ask for a change is submitting a JIRA and posting a link on the users and dev groups so people can comment and/or vote for this change...
>>>>
>>>> add in /etc/ssh/sshd_config by default:
>>>>
>>>> AllowTcpForwarding no
>>>> DenyUsers PlcmSpIp
>>>>
>>>> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <[email protected]> wrote:
>>>>
>>>>> Shall I make a screencast to explain?
>>>>>
>>>>> ~Noah
>>>>>
>>>>> On Nov 16, 2012, at 5:20 PM, Noah Mehl <[email protected]> wrote:
>>>>>
>>>>> Gerald.
>>>>>
>>>>> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSIp, utilizing ssh port forwarding.
>>>>>
>>>>> ~Noah
>>>>>
>>>>> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <[email protected]> wrote:
>>>>>
>>>>> On 11/16/2012 1:57 PM, Noah Mehl wrote:
>>>>>
>>>>> Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run locally on the remote machine. This exploit gives the remote machine access to port 25 on the SipXecs box even if all other ports are blocked. This could be used for any port that is blocked by firewall, ids, etc, if the remote machine has ssh access to the sipxecs box.
>>>>>
>>>>> ~Noah
>>>>>
>>>>> Do you understand that if your sipx smtp server is only running on localhost that you will not be able to connect to it via telnet/ssh/whatever?
>>>>>
>>>>> --
>>>>> Regards
>>>>> --------------------------------------
>>>>> Gerald Drouillard
>>>>> Technology Architect
>>>>> Drouillard & Associates, Inc. http://www.Drouillard.biz
>>>>>
>>>>> _______________________________________________
>>>>> sipx-users mailing list
>>>>> [email protected]
>>>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>>>
>>>> --
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Tony Graziano, Manager
>>>> Telephone: 434.984.8430
>>>> sip: [email protected]
>>>> Fax: 434.465.6833
>>>> ~~~~~~~~~~~~~~~~~~
>>>> Linked-In Profile:
>>>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>>> Ask about our Internet Fax services!
>>>> ~~~~~~~~~~~~~~~~~~
>>>>
>>>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>>> <http://sipxcolab2013.eventbrite.com/?discount=tony2013>
>>>>
>>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>>> Telephone: 434.984.8426
>>>> sip: [email protected]
>>>>
>>>> Helpdesk Customers: http://myhelp.myitdepartment.net
>>>> Blog: http://blog.myitdepartment.net
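The two sshd_config mitigations the thread converges on (DenyUsers for the default accounts, or AllowTcpForwarding no) can be audited in a few lines of shell; this is an added example, not code from the thread or from sipXecs. It assumes POSIX sh and awk, uses the account spelling from Alan's ssh command and Tony's DenyUsers line (PlcmSpIp, lvp2890), and the two sample configs it runs on are constructed here.

```shell
# Added example, not code from the thread: audit an sshd_config for the
# mitigations discussed there. Assumes POSIX sh/awk and the plain
# "Keyword value" syntax (Keyword=value and Match blocks are not handled).

# First occurrence of a keyword wins in sshd; keywords are case-insensitive.
sshd_effective() {  # $1 = config file, $2 = keyword; empty output = not set
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }   # stop before conditional blocks
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# DenyUsers differs: sshd accumulates entries across repeated directives.
sshd_deny_users() {  # $1 = config file; prints space-separated user list
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}
# Exit 0 when the hole from the thread is closed for every listed account:
# -L forwarding disabled ("no" or "remote"), or the account denied SSH login.
audit_sshd_config() {  # $1 = config file, $2.. = default account names
    cfg="$1"; shift
    fwd=$(sshd_effective "$cfg" AllowTcpForwarding)
    [ -n "$fwd" ] || fwd="yes"            # sshd's built-in default
    fwd_lc=$(printf '%s' "$fwd" | tr 'A-Z' 'a-z')
    denied=" $(sshd_deny_users "$cfg") "
    exposed=0
    echo "AllowTcpForwarding is '$fwd'"
    for u in "$@"; do
        case "$denied" in
            *" $u "*) echo "ok: $u is in DenyUsers" ;;
            *) echo "note: $u is NOT in DenyUsers"
               case "$fwd_lc" in no|remote) ;; *) exposed=1 ;; esac ;;
        esac
    done
    [ "$exposed" -eq 0 ] && echo "result: mitigated" || echo "result: EXPOSED"
    return $exposed
}
# Constructed sample configs (not from any real server) for a stand-alone run.
write_sample() {  # $1 = path, $2 = default | hardened
    case "$2" in
        hardened) printf 'Port 22\nAllowTcpForwarding yes\nDenyUsers PlcmSpIp\nDenyUsers lvp2890\n' > "$1" ;;
        *)        printf 'Port 22\n#AllowTcpForwarding yes\nPasswordAuthentication yes\n' > "$1" ;;
    esac
}
# Usage: sh audit.sh /etc/ssh/sshd_config; with no argument, run on the samples.
if [ "$#" -gt 0 ]; then audit_sshd_config "$1" PlcmSpIp lvp2890; else
    tmp=$(mktemp -d); for f in default hardened; do write_sample "$tmp/$f" "$f"
    echo "== $f =="; audit_sshd_config "$tmp/$f" PlcmSpIp lvp2890 || true; done; rm -rf "$tmp"; fi
```

The "default" sample leaves AllowTcpForwarding commented out, which is the case Noah describes: sshd's default of yes applies, so the audit reports EXPOSED until the accounts are denied or forwarding is turned off.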
