[linux-elitists] Re: Robert Graham's SQL Slammer analysis

Karsten M. Self kmself@ix.netcom.com
Fri Jan 31 14:15:14 PST 2003

on Fri, Jan 31, 2003 at 04:20:58PM -0500, Aaron Sherman (ajs@ajs.com) wrote:
> On Fri, 2003-01-31 at 16:08, Karsten M. Self wrote:
> > Other examples.  SAS software's help system is now available as
> > web-based content.  Rather than serve this over :80, it's run from an
> > arbitrary port above 3126.  This behavior was (as of September, 2000)
> > undocumented.  I commented on this in Usenet at the time, there's a
> > footnote at the bottom of:
> > 
> >     http://twiki.iwethey.org/twiki/bin/view/Main/SlapperWorm
> Let me get this straight... they have a Web interface on a random port
> (not *so* bad), 

Needling their R&D dude, I was told "arbitrary".  Which appears to mean
it starts at 3126 and climbs if the port's occupied.  I've never found
it at another address.

> which is undocumented (then why is it there?) and on by default?!


The alternatives IMO would have been to present the data through an
existing webserver on the system, or *to offer to install* a webserver,
at port 80 (or other user-specified port).  Remote access (other than
localhost) should be disabled by default.

For an example of doing this *right*, take a look at Debian's dwww.

> This is, though, not as bad as what MS has done. MS has created a tool
> that sits in desktop applications -- not server software -- 

SAS is effectively a "desktop application".  That is, typical operation
utilizes it largely as an interpreter -- similar to Perl or Python
(there's more to it than this).  The application doesn't typically run
as a service (though there are service-type versions for shared data

> and opens listening ports to the net for API-level access. 

SAS appears to limit its web interface to just serving pages, though
it's not clear whether there's dynamic generation going on within the
pages (I don't recall such).  Testing this with lsof & netstat, I did
note that it was the primary SAS executable which was listening at the
port.  This is definitely a nontrivial application.

So the similarity between MSDE and SAS is closer than you might think.

> While I may protect my server via a firewall, MS knows damn well that
> a huge number of folk run their Windows boxes behind nothing more than
> a cable modem.  

Not unknown in the the case of SAS either, though installs are arguably
far less common.

> This is, IM--IANAL--HO, criminally negligent on MS' part, and they
> should be taken to court for it BEFORE being publicly beaten with a
> rotten zucchini.

As my post to SAS-L / comp.soft-sys.sas indicates, I feel the same
indictment applies to SAS Inc.  The issue *has* been brought to their
attention and *is* independently documented.

Other similar examples include 3Ware's 3dm utility, which allows access
to the RAID card configuration of a server.  The port selected is one
reserved in /etc/services for antoher service (which I forget at the
moment).  The port is by default globally accessible, and the
documentation *doesn't* recommend filtering such traffic.   This is
among the reasons I recommend *against* 3Ware products.


Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   The Amazon "one-click" patent boycott -- yes, it continues:

More information about the linux-elitists mailing list