Article delegate-en/3549 of [1-5169] on the server localhost:119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Antwort: Re: [DeleGate-En:3553] delegate security flaw [Virus checked]
18 Oct 2006 12:26:05 GMT p3igqbdyi-c2jtqbf7abvr.ml@ml.delegate.org


Hello Yutaka,

even with stls this is not the case ! the permission is denied after an 
initial relay has been made to an arbitrary server.
therefore the delegate master process still is vulnerable to ddos ! :-(

greetz martin papadopoulos



feedback@delegate.org (Yutaka Sato) 
18.10.2006 13:46
Bitte antworten an
feedback@delegate.org


An
feedback@delegate.org
Kopie
p3igqbdyi-c2jtqbf7abvr.ml@ml.delegate.org, feedback@delegate.org
Thema
Re: [DeleGate-En:3553] delegate security flaw [Virus checked]






Hi,

In message 
<_A3546@delegate-en.ML_> 
on 10/18/06(18:36:53)
you p3igqbdyi-c2jtqbf7abvr.ml@ml.delegate.org wrote:
 |i recently discovered a security flaw which is related to the delegate 
 |permission control
 |
 |allthough using a filter like FCL="sslway ..... -Vrfy" , when running in 

 |master mode , clients which are rejected by the ssl-layer, still
 |cause delegate to open a connection to a destination server , this can 
and 
 |has been used to accomplish ddos . the FCL should reject the connection
 |establishment to an arbitrary server , before rejecting the ssl 
handshake 
 |. in case you need log files for forensik analysis, i will post them. 
for 
 |now, i strongly 
 |recommend everyone to shut down delegate master services until this one 
is 
 |fixed :-)

Maybe you are using a version of DeleGate older than DeleGate/9.2.5-pre7.
As written in <URL:http://www.delegate.org/delegate/tls/> after 
DeleGate/9.0
I'm shifting to STLS=fcl,fsv instead obsoleted FCL,FSV=sslway in the 
recent
versions.  In fact, FCL,FSV=sslway for MASTER is disabled in 9.2.5-pre7.

With STLS=fcl, the whole communication between DeleGates is encrypted with
SSL, so if the SSL-layer is not established, no father action will be 
taken. 
Chaining DeleGates with MASTER and STLS can be done as follows.

  a% delegated -Pa:8888 STLS=fcl
  b% delegated -Pb:8023 STLS=fsv MASTER=a:8888 SERVER=telnet

You can use authentication by client-side certificate as follows:

  a% delegated -Pa:8888 STLS="fcl,sslway -Vrfy"
  b% delegated -Pb:8023 STLS="fsv,sslway -cert file" MASTER=a:8888 
SERVER=telnet

Now the latest pre-release version of DeleGate has become 9.2.5-pre19 
which
is almost ready to be released as an official version DeleGate/9.2.5
to be released tomorrow <URL:http://delegate.org/mail-lists/delegate/13534
>
So you are strongly recommended to use the latest version of DeleGate with
STLS=fcl,fsv.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller



  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V