COMMAND

    Breeze Network Server

SYSTEMS AFFECTED

    Breeze Network Server

PROBLEM

    Stany found following.  A Breeze Network Server is a NetBSD  1.3.2
    based system produced  by WindDance Networks  Corporation.  It  is
    marketed as an email,  fax, printer, internet/intranet web  server
    and a firewall.  Physically it is an AMD K6/300 AFR system with 64
    megs of RAM and  6 Gig IDE hard  drive.  It includes  a LS120 disk
    drive  as  the  primary  floppy   drive,  and  according  to   the
    documentation that drive is  used for distributing updates  to the
    system.  The system  is marketed to be  easy in use ("so  even the
    secretary  would  not  have  any  problems  to set up Breeze in 15
    minutes") and upon receiving it  one has to connect up  a keyboard
    and  a  monitor  to  it,  power  it on, answer a few configuration
    questions  (What  is  my  ip?   What  is  my  gateway?  What is my
    subnet?) and  then one  should be  able to  access it  with a  web
    browser and be  able to modify  all sorts of  things - add  users,
    back up the system, set  up filesharing etc.  Following  that, the
    keyboard and a screen are no longer needed.

    After booted it into single user mode, it will provide you with a
    root shell, so you may remount / read-write and look around.  gcc
    is installed.  This seems to be a first mistake - one doesn't
    install a compiler on a production system, especially on a secure
    one, as it makes it so much easier to compile a sniffer and cause
    more harm.

    First thing you'll notice once the system is running in  multiuser
    mode is that apache is runing as root.  The CGI scripts do not use
    any range checking nor sanity  checks what so ever.   A particular
    script should attracted you attention:

        root@wdbreeze:/usr/local/breeze/cgi-bin[24]# tail -3 configbreeze

        &rebootnow;
        exit 0;
        root@wdbreeze:/usr/local/breeze/cgi-bin[25]#

    Ugh.  Is that not beautiful?  That's right, *anyone* accessing

        http://BreezenetworkserverIP/start/configbreeze

    is greeted with "Internal Server Error" message, while the  system
    reboots  itself.   It  is  interesting  how  the reboot is done as
    well:  the script creates a file /tmp/reboot.now, and writes "Rest
    in Peace\n" into it.  A daemon /usr/local/breeze/bin/rebootwrapper
    checks (a cursory strings  on rebootwrapper shows that  the daemon
    is also  checking for  /tmp/halt.now).   If that  file exists, the
    contents of the file are checked against an internal lookup table,
    and then the system  reboots itself through calling  /sbin/reboot.
    Stany has done  a few tests  and another beautiful  peecularity of
    the  system  came  to  light  as  well:  if  one  creates an empty
    /tmp/reboot.now:

        root@wdbreeze:/[1]# cd /tmp
        root@wdbreeze:/tmp[2]# touch reboot.now

    the system doesn't reboot.  No,  it just locks up, and closes  all
    network  ports,  which  is  deadly  for  a system that should be a
    primary  network  gateway/firewall  for  a  small  business.   The
    behavior is  very similar  to halting  the system,  but the screen
    doesn't show the typical shutdown notices, and the last shows that
    the system was rebooted and not  crashed.  Oh, and the hard  drive
    gets  fscked  on  startup.   So,  if  you  were a malicious script
    kiddie,  who  have  managed  to  obtain  any  sort of login on the
    system, all you  had to do  is set up  a simple cron  job to touch
    /tmp/reboot.now every five  or so minutes  and laughing.   It will
    take  a  good  long  while  for  someone  to  think about checking
    crontab on a system that  all of a sudden started  malfunctioning.
    With the amount  of ports running  on that system  some exploit is
    bound to appear at some point that will allow you to get a  remote
    login, or just add another line to root crontab.

SOLUTION

    Update expected.  Beta release image is available.