|UUCP-Over-TCP: Security and Abuse Issues|
Configuring UUCP-over-TCP: A Practical, Skeletal "How To" Copyright (C) 1999-2004 James S. Seymour
This information is free; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This work is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You may have received a copy of the GNU General Public License along with this work; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. An on-line copy of the GNU General Public License can be found here.
This is by no means an exhaustive treatment of the subject. What I did was to pose a question about known security exploits to a couple of UseNet newsgroups (see the reference at the bottom of this page) and do a little searching in the most common security-related resources that I knew of. What follows is my own common-sense assessments and the results of those searches. And I must note that it's quite possible that I missed something. In other words: buyer beware! The most obvious security issue is that UUCP passes login names and passwords in clear text. While the same can be said of POP3, there is a difference. In the case of multiple mailboxes, for a customer to have all of their email for all of their users snatched, multiple passwords would have to be discovered. With UUCP-over-TCP, only one. There are also security implications for the client. For example: a site masquerading as their ISP's mail server might have a tendency to be far more effective against an automated service running "in the background" than an "interactive" scenario like POP3. The customer needs to be aware of these issues. Note: I wonder if these services can be "wrapped" in SSL? The bugtraq archives list four (4) items relevant to "bootpd" security exploits: Bugtraq archives for 2nd quarter (Apr-Jun) 1998: RSI.0002.05-18-98.BNU.UUCPD Bugtraq archives for 3rd quarter (Jul-Sep) 1998: RSI.0007.05-26-98.SUN.LIBAUTH [RSI's home page is at http://www.repsec.com/] Bugtraq archives for 2nd quarter (Apr-Jun) 1996: Re: brute force Bugtraq archives for 2nd quarter (Apr-Jun) 1996: Re: brute force [The bugtraq mailing list archive can be found at http://www.geek-girl.com/bugtraq/ Of the four items above, the first two, from RSI, indicate that both Solaris 2.5.1 and 2.6 are vulnerable (amongst other systems). Checking Sun's public patch listings, security-oriented patches were noted for "in.bootpd" for Solaris 2.4 and 2.5.1 (both Sparc and x86), but none for 2.6 or 2.7 (aka: "Solaris 7"). Security-oriented patches for "libauth" were found for Solaris 2.5.1 and 2.6 (both Sparc and x86). The relevant URLs are: [in.uucpd only] ftp://sunsolve.Sun.COM/pub/patches/Solaris2.4.PatchReport ftp://sunsolve.Sun.COM/pub/patches/Solaris2.4_x86.PatchReport [in.uucpd and libauth] ftp://sunsolve.Sun.COM/pub/patches/Solaris2.5.1.PatchReport ftp://sunsolve.Sun.COM/pub/patches/Solaris2.5.1_x86.PatchReport [libauth only] ftp://sunsolve.Sun.COM/pub/patches/Solaris2.6.PatchReport ftp://sunsolve.Sun.COM/pub/patches/Solaris2.6_x86.PatchReport [The SunSolve Online Public Patch Access page is at http://sunsolve.Sun.COM/pub-cgi/us/pubpatchpage.pl] No relevant entries for "uucico" were found in the bugtraq archives nor in Sun's public patch listings. No matches for the keywords "uucp", "uucico" or "libauth" were found at CERT, AusCERT, CIAC, L0pht or AntiOnLine. You should also check the various comments posted to a thread I started (on Usenet news) relevant to the security issues surrounding the use of UUCP- over-TCP. An archive of that thread can be found at Deja News. The question was originally posted to both "comp.mail.uucp" and "comp.security.misc", but the thread in the comp.mail.uucp newsgroup is the most complete. The best way to track it down is probably to go to the Deja News Power Search Page, enter "UUCP-over-TCP vs. Security" for the "Search Keywords" and "comp.mail.uucp" for the "Forum".
As with POP3 or IMAP email accounts, UUCP accounts can certainly be abused by a client site. (Think "SPAM") But UUCP accounts offer additional opportunities for abuse: mail relaying and mailing lists. These are not insurmountable obstacles, but they do need to be taken into consideration.
|Comments or Questions?||Created: 31 Jan, 1999 / Last updated: 12 Oct, 1999|