Full Disclosure: Re: Sony: No firewall and no patches

[Bruno Cesar Moreira de Souza <bcmsouza () yahoo com br>]

--- On May 10, 2011, Dobbins, Roland <rdobbins () arbor net> escreveu:

> On May 10, 2011, at 10:56 PM, Bruno
> Cesar Moreira de Souza wrote:
>
> > If the compromised server is not behind a stateful
> firewall, it will be easier to create a tunnel to access
> unauthorised ports (such as database network services) and
> attack other servers. 
>
>
> That's untrue if even the most basic BCPs for crafting and
> enforcing network access policies have been followed. 
> Plus, the moment the httpd stops working, that should ring
> alarm bells via even the most basic NMS/OSS monitoring.
How would you block an ACK tunnel using only a packet filter? (http://ntsecurity.nu/papers/acktunneling/) You don't 
need to stop the httpd service to create this kind of tunnel, as the packets from the attacker would just be ignored by 
the httpd service, but could be intercepted by the malicious code executed on the compromised server (using the same 
approach employed by network sniffers). 

> > Even if the exploited vulnerability is fixed in a
> short time, the attacker will still be able to easily
> control the compromised server.
>
> Not if it's taken offline and scrubbed down to the bare
> metal, as should be routine after a compromise.
This is true IF the compromise was detected. I'm talking about the common case when the compromise is not detected, but 
after some time the vulnerability is fixed (for example, through patching).  If the attacker installed a backdoor in 
the compromised server, which uses a convert channel through your packet filter, then you may not detect the problem 
for a long time.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/