A complete revision history is at the end of this file.
There was a potential vulnerability introduced into systems running SATAN 1.0 and earlier, as described below. The problem has been addressed in version 1.1 and later. The CERT/CC team recommends that you take the precautions described in Section III below before you run SATAN and that you upgrade to the latest version of SATAN--currently 1.1.1.
The following two statements from CA-95.07 are inaccurate.
This statement is misleading: "This vulnerability affects all systems that support the use of SATAN with the HTML interface." For SATAN 1.0 and earlier, whether a system is vulnerable depends on the system configuration, the net browser supporting SATAN, and how SATAN is used. The problem has been solved in later versions of SATAN.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
For an overview of a beta version of SATAN, see CERT advisory CA-95.06.
If you use SATAN only through the command line interface, your system is not vulnerable to the problem because there is no session key.
Additional details are in the "SATAN Password Disclosure" tutorial provided with SATAN. We have included the tutorial as Appendix B of this advisory.
MD5 (satan-1.1.1.tar.Z) = de2d3d38196ba6638b5d7f37ca8c54d7
MD5 (satan-1.1.1.README) = 3f935e595ab85ee28b327237f1d55287
MD5 (satan-1.1.1.tar.Z.asc) = a9261070885560ec11e6cc1fe0622243
and put in the body of the message (not the subject line):
get satan mirror-sites
There are reports of modified copies of SATAN, so ensure that the copy that you obtain is authentic by checking the MD5 checksum or SATAN author Wietse Venema's PGP signature. Appendix A of this advisory contains his PGP key.
We urge you to read the SATAN documentation carefully before running SATAN.
Execute SATAN only from the console of the system on which it is installed (e.g., do not run SATAN from an X terminal, from a diskless workstation, or from a remote host).
Ensure that the SATAN directory tree is not NFS-mounted (or AFS, etc.) from a remote system.
Ensure that the SATAN directory tree cannot be read by users other than root.
Do not open any URLs outside your own system and site while running the browser started by SATAN. For example, do not use previously stored URLs such as those found in bookmarks and pull-down menus.
Do not link to any URLs outside your own system and site while running the browser started by SATAN. If you use external links while SATAN is running from the SATAN browser, security can be compromised on the system from which you are executing SATAN. So, for example, do not use previously stored links such as those found in bookmarks and pull-down menus.
SATAN password disclosure via flawed HTML clients or environmental problems
IMPACT
Unauthorized users may execute commands through SATAN
BACKGROUND
By default, SATAN runs as a custom HTML (hypertext markup language) server, executing requests from a user-provided HTML browser, or client program. Examples of common HTML clients are Netscape, NCSA Mosaic and Lynx.
An HTML client request is nothing but a network message, and network messages may be sent by any user on the network. To defend itself against requests from unauthorized users, SATAN takes the following precautions:
SATAN creates HTML files with the secret password embedded in URL (uniform resource locator) links. The HTML file access permissions are restricted to the owner of the SATAN process (and the superuser).
SATAN rejects HTML requests whose URL does not contain the current SATAN password. This requirement prevents access by unauthorized clients, provided that the current SATAN password is kept secret.
The protection scheme used by SATAN is in essence the same as the scheme used by many implementations of the X Window system: MIT magic cookies. These secrets are normally kept in the user's home directory, in a file called .Xauthority. Before it is granted access to the screen, keyboard and mouse, an X client program needs to prove that it is authorized, by handing over the correct magic cookie. This requirement prevents unauthorized access, provided that the magic cookie information is kept secret.
THE PROBLEM
It is important that the current SATAN password is kept secret. When the password leaks out, unauthorized users can send commands to the SATAN HTML server where the commands will be executed with the privileges of the SATAN process.
Note that SATAN generates a new password every time you start it up under an HTML client, so if you are suspicious, simply restart the program.
SATAN never sends its current password over the network. However, the password, or parts of it, may be disclosed due to flaws in HTML clients or due to weak protection of the environment that SATAN is running in. One possible scenario for disclosure is:
Other scenarios for SATAN password disclosure are discussed in the next section, as part of a list of countermeasures.
PREVENTING SATAN PASSWORD DISCLOSURE
The security of SATAN is highly dependent on the security of the environment that it runs in. In the case of an X Window environment:
Steps that can help to keep the X magic cookie information secret:
Avoid running X applications with output to a remote display. Otherwise, X magic cookie information can be captured from the network while X clients connect to the remote display, so that unauthorized users can take over the screen, keyboard and mouse.
Finally, steps that can help to keep the current SATAN password secret:
Avoid running SATAN with output to a remote display. Otherwise, SATAN password information can be captured from the network while URL information is shown on the remote display, so that unauthorized users can take over the SATAN HTML server.
ADDITIONAL SATAN DEFENSES
The SATAN software spends a lot of effort to protect your computer and data against password disclosure. With version 1.1 and later, SATAN even attempts to protect you after the password has fallen into the hands of unauthorized users:
SATAN rejects requests that appear to come from hosts other than the one it is running on, that refer to resources outside its own HTML tree, or that contain unexpected data.
SATAN terminates with a warning when it finds a valid SATAN password in an illegal request: SATAN assumes the password has fallen into the hands of unauthorized users and assumes the worst.
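The following is an added illustration, not SATAN's own code, of the request checks described in the BACKGROUND section (password embedded in every URL, requests without it rejected) together with the version 1.1 defenses listed above (reject foreign hosts, paths outside the HTML tree and unexpected data; terminate when a valid password shows up in an illegal request). It assumes a link layout of the form http://localhost:<port>/<password>/<resource>, a local-host address and a character set for "expected" paths; all three are assumptions for the example.

```python
import hmac
import posixpath
import re
import secrets
from enum import Enum
from urllib.parse import urlsplit

class Verdict(Enum):
    ALLOW = "allow"          # local client, inside the tree, correct password
    REJECT = "reject"        # wrong or missing password, or illegal request
    TERMINATE = "terminate"  # valid password in an illegal request: assume it leaked

# Characters the generated links are assumed to use; anything else is "unexpected data".
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]*$")

class PasswordGuard:
    """Illustrative model of the checks the tutorial describes (not SATAN's code).
    Assumed link layout: http://localhost:<port>/<password>/<resource>."""

    def __init__(self, local_host="127.0.0.1", port=1234):
        self.local_host = local_host
        self.port = port
        self.password = secrets.token_hex(16)  # new secret on every start-up
        self.running = True

    def link(self, resource: str) -> str:
        """Build a link the way the HTML files embed the secret in every URL."""
        return f"http://localhost:{self.port}/{self.password}/{resource}"

    def check(self, client_host: str, url: str) -> Verdict:
        if not self.running:
            return Verdict.REJECT  # server already shut itself down
        parts = urlsplit(url)
        first, _, resource = parts.path.lstrip("/").partition("/")
        # Constant-time comparison of the first path component with the secret.
        has_password = first.isascii() and hmac.compare_digest(first, self.password)
        norm = posixpath.normpath(resource) if resource else "."
        escapes_tree = norm == ".." or norm.startswith("../")  # outside the HTML tree
        unexpected = bool(parts.query or parts.fragment) or not SAFE_PATH.match(parts.path)
        illegal = client_host != self.local_host or escapes_tree or unexpected
        if illegal:
            if has_password:
                self.running = False  # 1.1 behaviour: warn and terminate
                return Verdict.TERMINATE
            return Verdict.REJECT
        return Verdict.ALLOW if has_password else Verdict.REJECT
```

Once a guard has terminated, every later request is rejected until the program is restarted, which also issues a fresh password.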
Copyright 1995, 1996 Carnegie Mellon University.
Sep. 23, 1997 - Updated copyright statement
Aug. 30, 1996 - Information previously in the CA-95.07 and CA-95.07a README files was inserted into the advisory.