On Mon, 12 Apr 1999, Nick Themopolis wrote:

> I was searching on the Yahoo! stock boards, and found 
> this message about NFR.  Has anyone heard about this security flaw in
> NFR?  

The message refers to a NAI security advisory concerning a stack overflow
in the Web server's handling of HTTP POST commands in NFR version
2.0.2-research.

Gr. Arjan 

>  
> -Nicky
> 
> ---
> http://messages.yahoo.com/bbs?action=m&board=8729209&tid=issx&mid=702&sid=8729209
> 
> 702 A Correction to one of MJR's Points
> 04/05/99, 11:54AM EDT, tptacek 
> 
> Hi. I used to work for Network Associates, where
> I discovered the recently publicized security
> flaw in NFR and brought it to MJR's attention. I'd
> like to clarify what happened with this.
> 
> The problem my team found in NFR allowed an arbitrary
> person on the Internet to gain complete, remote,
> supervisory access to a machine running certain versions
> of NFR in its default configuration. It's
> probably not possible to overstate the 
> severity of this problem. NFR is currently the only network
> IDS known to have had such a problem. 
> It was some time after we notified MJR of the problem that
> a patch was published. The controversy that ensued
> between my team and MJR is probably not important to
> discuss here, but suffice it to say, there certainly
> was not a "24 hour turnaround" on this problem for
> the overwhelming vast majority of people
> who downloaded vulnerable versions of this software.
> 
> ISS RealSecure has never been known to have a similar problem.
> Neither, to my knowledge, was any other "competing" I-D
> system. To some extent this may be due to the published
> source code in NFR. 
> 
> NFR is not an "open source" package. It is a commercial package
> that happens to allow users to see the source code. The
> actual definition of "open source" software, as readers of this
> board have heard it used, is located at
> http://www.opensource.org.
> 
> It is hard to feel sorry for MJR about being
> harangued by anonymous posters on this board; not
> because he deserves it, but because EVERY ONE of his
> competitors deals with exactly the same behavior
> (<cough><cough>fastnet101<cough>) and doesn't
> see the need to have representatives of the company address 
> the cranks.
> 
> I don't think it's embarrassing to let consumers know that
> products they are using to enhance the security of their
> network can actually be leveraged against them. It takes
> significant amounts of effort to find such problems, and I
> think it's honorable to disclose them to vendors, wait
> for patches, and post unbiased advisories about them
> as soon as is reasonably possible. This is what my
> team did. It's sad that MJR has fallen into the
> "slighted vendor" behavior patterns (see
> http://www.pobox.com/~tqbf/bug-reports.html).
> 
> Hopefully, pointing out that NFR currently has the worst
> public operational security track record of any network
> intrusion detection system will motivate him to disclose
> holes in ISS, Cisco, NAI, and Axent software, so that the
> goals of full-disclosure security can be further realized.
> 
> 

----
Eat hard
Sleep hard
Wear glasses if you need them


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
