_____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
            _____________________________________________________

                             INFORMATION BULLETIN

                           SATAN password disclosure 


April 13, 1995 1100 PDT                                           Number F-22
_____________________________________________________________________________

PROBLEM:      Unauthorized users may execute commands through SATAN.
PLATFORMS:    Any system running SATAN.
DAMAGE:       Commands can be sent to the SATAN HTML server where the commands
              will be executed with the privileges of the SATAN process.
SOLUTION:     Upgrade to SATAN 1.1.1 and follow the steps outlined in this
              bulletin to keep SATAN's password secret.
_____________________________________________________________________________

VULNERABILITY Disclosure of SATAN's password along with descriptions
ASSESSMENT:   in the current release of SATAN provided adequate
              information that knowledgable users could execute
              commands through SATAN.

_____________________________________________________________________________

                 Information about SATAN password disclosure

Earlier releases of SATAN, prior to version 1.1, use a 32-bit
"quasi-random" number for the password. If the password is disclosed,
unauthorized users can send commands to the SATAN HTML server where
the commands will be executed with the privileges of the SATAN process
which typically runs as root.

Some of the ways SATAN's password can be disclosed are:

  1) Visiting another web site from the SATAN client, either by
     directly entering the URL or by going to a site on their local
     hotlist. Some clients send the last document visited in the
     Referer field that may include SATAN's password.

  2) Systems running SATAN that also have their filesystem containing
     SATAN's directory exported. Unauthorized users can then read
     files within SATAN's directory and obtain SATAN's password.

  3) Permitting unauthorized users to connect to the X server when
     running SATAN. In addition to capturing the screen contents, some
     HTML clients display the current URL, which in SATAN's case
     contains the password.

Steps to protect SATAN password require that X Windows and NFS be used in
a secure manner. CIAC recommends that users of SATAN: 

  Avoid using the xhost mechanism.
  - Any user from the authorized host can connect to the X server.

  Avoid running X applications with output to a remote display.  
  - X magic cookie information can be captured from the network while
    X clients connect to the remote display.

  Avoid running SATAN with output to a remote display.
  - SATAN password information can be captured from the network while
    URL information is shown on the remote display.

  Avoid sharing your home directory.
  - X magic cookie information (e.g., .Xauthority) may be captured
    from the network while the X software accesses that file.

  Avoid sharing the SATAN directories with other hosts.
  - SATAN password information may be captured from the network.

  Use a browser that does not send the Referer field (Netscape and
  Lynx send the Referer field) and/or do not connect to other Web
  servers from SATAN's client.  
  - Web servers can be modified to log Referer fields which contain
    SATAN's password.

Additional checks have been added to SATAN version 1.1.1 in the event
SATAN's password has been compromised. These new features include:

  1) SATAN displays a warning and advises the user to not contact
     other HTML servers from within a SATAN session.

  2) SATAN rejects requests that appear to come from hosts other than
     the one it is running on, that refer to resources outside its own
     HTML tree, or that contain unexpected data.

     example: SATAN password from unauthorized client: 128.115.19.53

  3) SATAN terminates with a warning when it finds a valid SATAN
     password in an illegal request.

     example: 
     Illegal URL: /7a1e696b41ecb710936dbc317b9122f7/ \
                  /home/satan-1.1.1/bad.html  \
                  received from: 128.115.19.53


The current vulnerabilities that SATAN version 1.1.1 checks for are:

  1)  FTP vulnerabilities
      - Root access via the wuarchive FTPD server
  2)  NFS export to unprivileged programs 
      - NFS server executes requests from unprivileged user programs.
  3)  NFS export via portmapper 
      - NFS file exports via the portmapper
  4)  NIS password file access 
      - NIS password file access by arbitrary hosts
  5)  REXD access 
      - REXD remote access from arbitrary hosts
  6)  SATAN password disclosure 
      - SATAN password disclosure via flawed HTML clients or environmental 
        problems
  7)  Sendmail vulnerabilities 
      - Assorted sendmail vulnerabilities
  8)  TFTP file access 
      - File access via the TFTP service
  9)  remote shell access 
      - Remote shell/remote login access from arbitrary hosts
  10) unrestricted NFS export 
      - File systems exported via NFS to arbitrary hosts
  11) unrestricted X server access 
      - X server access from arbitrary hosts
  12) unrestricted modem 
      - A live and potentially unrestricted modem has been detected
  13) writable FTP home directory 
      - FTP home directory is writable for anonymous users

------------------------------------------------------------------------------
CIAC would like to thank CERT/CC, Matthew Gray, Dan Farmer and Wietse
Venema for the information contained in this bulletin.
------------------------------------------------------------------------------
CIAC is the computer security incident response team for the U.S.
Department of Energy.  Services are available free of charge to DOE and DOE
contractors.
 
DOE and DOE contractor sites can contact CIAC at:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov
 
For DOE and DOE contract site emergencies only, call 1-800-SKYPAGE
(1-800-759-7243) and enter PIN number 8550070 (primary) or 8550074
(secondary).
 
Previous CIAC notices, anti-virus software, and other information are
available via WWW (http://ciac.llnl.gov/) and anonymous FTP from
ciac.llnl.gov (IP address 128.115.19.53).
 
CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.
 
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:
 
subscribe list-name LastName, FirstName PhoneNumber
 
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber."  Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov
 
e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36
 
You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________
 
 
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.
 
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
 
_____________________________________________________________________________