JIMSUN UUCP-Over-TCP: Security and Abuse Issues

Copyright, License, and Disclaimer

Configuring UUCP-over-TCP: A Practical, Skeletal "How To"
Copyright (C) 1999-2004 James S. Seymour 

This information is free; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This work is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You may have received a copy of the GNU General Public License
along with this work; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

An on-line copy of the GNU General Public License can be found
here.

UUCP-Over-TCP: Security and Exploits


This is by no means an exhaustive treatment of the subject.  What I did was
to pose a question about known security exploits to a couple of UseNet
newsgroups (see the reference at the bottom of this page) and do a little
searching in the most common security-related resources that I knew of.
What follows is my own common-sense assessments and the results of those
searches.  And I must note that it's quite possible that I missed something.
In other words: buyer beware!

The most obvious security issue is that UUCP passes login names and
passwords in clear text.  The same can be said of POP3, but there is a
difference.  Where a customer has multiple mailboxes, all of the email for
all of that customer's users could only be snatched by discovering multiple
passwords.  With UUCP-over-TCP, only one password need be discovered.

There are also security implications for the client.  For example, a site
masquerading as the customer's ISP's mail server is likely to be far more
effective against an automated service polling "in the background", where
nobody is watching the session, than against an "interactive" scenario like
POP3.  The customer needs to be aware of these issues.

    Note: I wonder if these services can be "wrapped" in SSL?
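One way to answer the note above, added here as an example and not part of the original page: wrap the UUCP TCP session in stunnel, so the login name and password cross the network encrypted and the customer's end refuses to hand them to any server that cannot present a certificate signed by the expected CA (the masquerading-server case above).  The option names are stunnel's own; the host name, the file paths and the 5540 listening port are assumptions, and uucpd is assumed to listen on port 540 on the loopback address only.

```ini
; File 1, ISP host: /etc/stunnel/uucp-server.conf   (paths are placeholders)
; Accept TLS from customers on 5540 and hand the decrypted session to the
; local uucpd, which listens on 127.0.0.1:540 only (plaintext never leaves
; the host).
[uucp-server]
accept  = 5540
connect = 127.0.0.1:540
cert    = /etc/stunnel/isp-uucp.pem       ; server certificate and key
verify  = 2                               ; require a client certificate ...
CAfile  = /etc/stunnel/customer-ca.pem    ; ... issued by the customer CA

; File 2, customer host: /etc/stunnel/uucp-client.conf
; uucico is configured to dial 127.0.0.1 port 540; stunnel encrypts the
; session and checks who is on the other end before uucico sends the login.
[uucp-client]
client  = yes
accept  = 127.0.0.1:540
connect = isp.example.net:5540            ; assumed ISP host name
cert    = /etc/stunnel/customer-uucp.pem  ; client certificate and key
; Weak setting: "verify = 0" (or omitting CAfile) makes stunnel accept any
; server certificate, so a masquerading server would still collect the
; password.  Level 2 refuses to connect unless the server's certificate is
; signed by the CA in CAfile.
verify  = 2
CAfile  = /etc/stunnel/isp-ca.pem
```

With both sides in place, port 540 on the ISP host need not be reachable from the network at all; only 5540 is exposed.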


The bugtraq archives list four (4) items relevant to "uucpd" security
exploits:

    Bugtraq archives for 2nd quarter (Apr-Jun) 1998: RSI.0002.05-18-98.BNU.UUCPD

    Bugtraq archives for 3rd quarter (Jul-Sep) 1998: RSI.0007.05-26-98.SUN.LIBAUTH

    [RSI's home page is at http://www.repsec.com/]

    Bugtraq archives for 2nd quarter (Apr-Jun) 1996: Re: brute force

    Bugtraq archives for 2nd quarter (Apr-Jun) 1996: Re: brute force

    [The bugtraq mailing list archive can be found at
    http://www.geek-girl.com/bugtraq/]


Of the four items above, the first two, from RSI, indicate that both
Solaris 2.5.1 and 2.6 are vulnerable (amongst other systems).

Checking Sun's public patch listings, security-oriented patches were noted
for "in.uucpd" for Solaris 2.4 and 2.5.1 (both Sparc and x86), but none
for 2.6 or 2.7 (aka "Solaris 7").  Security-oriented patches for
"libauth" were found for Solaris 2.5.1 and 2.6 (both Sparc and x86).  The
relevant URLs are:

    [in.uucpd only]

    ftp://sunsolve.Sun.COM/pub/patches/Solaris2.4.PatchReport

    ftp://sunsolve.Sun.COM/pub/patches/Solaris2.4_x86.PatchReport

    [in.uucpd and libauth]

    ftp://sunsolve.Sun.COM/pub/patches/Solaris2.5.1.PatchReport

    ftp://sunsolve.Sun.COM/pub/patches/Solaris2.5.1_x86.PatchReport

    [libauth only]

    ftp://sunsolve.Sun.COM/pub/patches/Solaris2.6.PatchReport

    ftp://sunsolve.Sun.COM/pub/patches/Solaris2.6_x86.PatchReport


    [The SunSolve Online Public Patch Access page is at
     http://sunsolve.Sun.COM/pub-cgi/us/pubpatchpage.pl]


No relevant entries for "uucico" were found in the bugtraq archives nor in
Sun's public patch listings.

No matches for the keywords "uucp", "uucico" or "libauth" were found at
CERT, AusCERT, CIAC, L0pht or AntiOnLine.


You should also check the various comments posted to a thread I started (on
Usenet news) relevant to the security issues surrounding the use of
UUCP-over-TCP.  An archive of that thread can be found at Deja News.  The
question was originally posted to both "comp.mail.uucp" and
"comp.security.misc", but the thread in the comp.mail.uucp newsgroup is the
most complete.  The best way to track it down is probably to go to the
Deja News Power Search Page, enter "UUCP-over-TCP vs. Security" for the
"Search Keywords" and "comp.mail.uucp" for the "Forum".

UUCP-Over-TCP: Abuse

As with POP3 or IMAP email accounts, UUCP accounts can certainly be abused
by a client site (think "spam").  But UUCP accounts offer additional
opportunities for abuse: mail relaying and mailing lists.  These are not
insurmountable problems, but they do need to be taken into consideration.

Created: 31 Jan, 1999 / Last updated: 12 Oct, 1999