ch29.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,136 行 · 第 1/4 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 29 -- Telnet-Based Attacks</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch28/ch28.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch30/ch30.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">29</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Telnet-Based Attacks</FONT></H1>
</CENTER>
<P>This chapter examines attacks developed over the years using the Telnet service.
That examination begins with a bit of history. The Telnet protocol was first comprehensively
defined by Postel in 1980. In RFC 764, Postel wrote:

<DL>
	<DD>The purpose of the Telnet protocol is to provide a fairly general, bi-directional,
	eight-bit byte oriented communications facility. Its primary goal is to allow a standard
	method of interfacing terminal devices and terminal-oriented processes to each other.
	It is envisioned that the protocol may also be used for terminal-terminal communication
	(&quot;linking&quot;) and process-process communication (distributed computation).
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>RFC 764 can be found
	on the Web at <A HREF="http://sunsite.auc.dk/RFC/rfc/rfc764.html"><TT>http://sunsite.auc.dk/RFC/rfc/rfc764.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Telnet</B></FONT></H2>
<P>As I mentioned in Chapter 6, &quot;A Brief Primer on TCP/IP,&quot; Telnet is unique
in its design with the notable exception of rlogin. Telnet is designed to allow a
user to log in to a foreign machine and execute commands there. Telnet (like rlogin)
works as though you are at the console of the remote machine, as if you physically
approached the remote machine, turned it on, and began working.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>PC users can get a feel for this
	by thinking in terms of PCAnywhere or CloseUp. These programs allow you to remotely
	log in to another PC and execute commands at the remote machine's <TT>C:</TT> prompt
	(or even execute commands in Windows, providing you have a very high-speed connection
	to transmit those graphics over the wire). 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Virtual Terminal</B></FONT></H3>
<P>The magic behind Telnet is that it imitates an ASCII terminal connection between
two machines located great distances from each other. This is accomplished through
the use of a <I>virtual terminal</I>, as described by Postel in this excerpt from
RFC 854:

<DL>
	<DD>When a Telnet connection is first established, each end is assumed to originate
	and terminate at a &quot;Network Virtual Terminal,&quot; or NVT. An NVT is an imaginary
	device which provides a standard, network-wide, intermediate representation of a
	canonical terminal...The Network Virtual Terminal (NVT) is a bi-directional character
	device. The NVT has a printer and a keyboard. The printer responds to incoming data
	and the keyboard produces outgoing data which is sent over the Telnet connection
	and, if &quot;echoes&quot; are desired, to the NVT's printer as well. &quot;Echoes&quot;
	will not be expected to traverse the network (although options exist to enable a
	&quot;remote&quot; echoing mode of operation, no host is required to implement this
	option). The code set is seven-bit USASCII in an eight-bit field, except as modified
	herein. Any code conversion and timing considerations are local problems and do not
	affect the NVT.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Read RFC 854 in its entirety
	at <A HREF="http://sunsite.auc.dk/RFC/rfc/rfc854.html"><TT>http://sunsite.auc.dk/RFC/rfc/rfc854.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>A virtual terminal is the equivalent (at least in appearance) of a hard-wired
serial connection between the two machines. For example, you can simulate something
very similar to a Telnet session by uncommenting the <TT>respawn</TT> instructions
in the <TT>inittab</TT> file on a Linux box (and most other UNIX boxes) or by disconnecting
both the monitor and keyboard on a SPARC and plugging a VT200 terminal into serial
A or B. In the first instance, a <TT>login:</TT> prompt is issued. In the second,
all boot process messages are echoed to the connected terminal and eventually, a
<TT>boot</TT> prompt is issued (or perhaps, if the right SCSI disk drive is specified
as the boot device in the PROM, the machine will boot and issue a <TT>login:</TT>
prompt).</P>
<P>Therefore, Telnet-based connections are what are called <I>bare bones connections</I>.
You will notice that if you use a VT220 terminal as a head for your SPARC that, when
the boot occurs, the cool Sun logo is not printed in color, nor do the cool graphics
associated with it appear. Telnet and terminal sessions are completely text based.
In addition, Telnet connections do not have facilities to interpret display-oriented
languages such as HTML without the assistance of a text-based browser such as Lynx.
Therefore, retrieving a Web page through Telnet will reveal no pictures or nicely
formatted text; it will reveal only the source of the document (unless, of course,
you have logged in via Telnet and are now using Lynx).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Lynx is a completely terminal-based
	HTML browser for use with shell-account or even DOS-based TCP/IP connections. It
	is a no-frills way to access the World Wide Web. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Telnet Security History</B></FONT></H3>
<P>Telnet has cropped up in security advisories many times. Telnet security problems
vary considerably, with a large number of vulnerabilities surfacing due to programming
errors. However, programming errors are not the only reasons Telnet has appeared
on advisories. In August of 1989, for example, the problem was a trojan, as the CERT
advisory &quot;Telnet Break-in Warning&quot; explains:

<DL>
	<DD>Many computers connected to the Internet have recently experienced unauthorized
	system activity. Investigation shows that the activity has occurred for several months
	and is spreading. Several UNIX computers have had their &quot;Telnet&quot; programs
	illicitly replaced with versions of &quot;Telnet&quot; which log outgoing login sessions
	(including user names and passwords to remote systems). It appears that access has
	been gained to many of the machines which have appeared in some of these session
	logs.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To view this CERT advisory
	in its entirety, visit <A HREF="ftp://ftp.uwsg.indiana.edu/pub/security/cert/cert_advisories/CA-89:03.telnet.breakin.warning."><TT>ftp://ftp.uwsg.indiana.edu/pub/security/cert/cert_advisories/CA-89:03.telnet.breakin.warning</TT>.</A>
	
<HR>


</BLOCKQUOTE>

<P>That attack occurred just prior to the establishment of the DDN Security Coordination
Center (September 1989), so there is little documentation about whether it affected
government computers. Also, although the efforts of CERT are appreciated and vital
to Internet security, DDN advisories sometimes contain a more technical analysis
of the problem at hand.</P>
<P>In March, 1991, the telnetd daemon on certain Sun distributions was found to be
flawed. As the CERT advisory &quot;SunOS<TT> </TT>in.telnetd Vulnerability&quot;
notes:

<DL>
	<DD>The Computer Emergency Response Team/Coordination Center (CERT/CC) has obtained
	information from Sun Microsystems, Inc. regarding a vulnerability affecting SunOS
	4.1 and 4.1.1 versions of in.telnetd on all Sun 3 and Sun 4 architectures. This vulnerability
	also affects SunOS 4.0.3 versions of both in.telnetd and in.rlogind on all Sun3 and
	Sun 4 architectures. To our knowledge, a vulnerability does not exist in the SunOS
	4.1 and 4.1.1 versions of in.rlogind. The vulnerability has been fixed by Sun Microsystems,
	Inc.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To view this CERT advisory
	in its entirety, visit <A HREF="ftp://info.cert.org/pub/cert_advisories/CA-91%3A02a.SunOS.telnetd.vulnerability"><TT>ftp://info.cert.org/pub/cert_advisories/CA-91%3A02a.SunOS.telnetd.vulnerability</TT></A>.
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>If you buy an old Sun 3/60 over the
	Net, you will want to get the patches, which are included in the previous advisory.
	
<HR>


</BLOCKQUOTE>

<P>Months later, it was determined that a specialized LAT/Telnet application developed
by Digital Corporation was flawed. As the CERT advisory &quot;ULTRIX LAT/Telnet Gateway
Vulnerability&quot; explains:

<DL>
	<DD>A vulnerability exists such that ULTRIX 4.1 and 4.2 systems running the LAT/Telnet
	gateway software can allow unauthorized privileged access...Anyone who can access
	a terminal or modem connected to the LAT server running the LAT/Telnet service can
	gain unauthorized root privileges.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To view this CERT advisory
	in its entirety, visit <A HREF="ftp://info.cert.org/pub/cert_advisories/CA-91%3A11.Ultrix.LAT-Telnet.gateway.vulnerability"><TT>ftp://info.cert.org/pub/cert_advisories/CA-91%3A11.Ultrix.LAT-Telnet.gateway.vulnerability</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The first Telnet problem that rocked the average man on the street was related
to a distribution of the NCSA Telnet client for PC and Macintosh machines. So that
there is no misunderstanding here, this was a <I>client</I> Telnet application that
included an FTP <I>server</I> within it. The hole was fostered primarily from users'
poor understanding of how the application worked. As articulated by the folks at
DDN:

<DL>
	<DD>The default configuration of NCSA Telnet for both the Macintosh and the PC has
	a serious vulnerability in its implementation of an FTP server...Any Internet user
	can connect via FTP to a PC or Macintosh running the default configuration of NCSA
	Telnet and gain unauthorized read and write access to any of its files, including
	system files.
</DL>

<P>The problem was related to a configuration option file in which one could enable
or disable the FTP server. Most users assumed that if the statement enabling the
server was not present, the server would not work. This was erroneous. By omitting
the line (or adding the line option <TT>ftp=yes</TT>), one allowed unauthorized individuals
read and write access to the files on your hard drive.</P>
<P>I hope this will settle the argument regarding whether a PC user could be attacked
from the outside. So many discussions on Usenet become heated over this issue. The
NCSA Telnet mishap was only one of many situations in which a PC or Mac user could
be attacked from the void. So depending on the circumstances, the average user at
home on his or her PC can be the victim of an attack from the outside. People may
be able to read your files, delete them, and so forth.</P>
<P>What is more interesting is that even today, those using the NCSA Telnet application
are at some risk, even if they only allow access to the FTP server by so-called authorized
individuals. If a cracker manages to obtain from the target a valid username and
password (and the cracker is therefore an authorized user), the cracker may then
obtain the file <TT>FTPPASS</TT>. This is an authentication file where the usernames
and passwords of users are stored. The encrypted passwords in this file are easily
cracked.</P>
<P>The username in this file is not stored in encrypted form (in reality, few programs
encrypt usernames). The password is encrypted, but the encryption scheme is very
poorly implemented. For example, if the password is fewer than six characters, it
will take only seconds to crack. In fact, it is so trivial to crack such passwords
that one can do so with a 14-line BASIC program.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The BASIC program that
	cracks passwords can be found at <A HREF="http://www.musa.it/gorgo/txt/NCSATelnetHack.txt"><TT>http://www.musa.it/gorgo/txt/NCSATelnetHack.txt</TT></A>.
	
<HR>