USR Netserver Security


Post by Vik Baj » Wed, 21 Aug 1996 04:00:00



I thought I'd ask if anyone is familiar with any security problems with
the US Robotics Netserver line of terminal servers or their
implementation of RADIUS.  I haven't come across anything so far (good or
bad), as the product is somewhat new.  I'd appreciate any comments.

Truly,

Vik

 
 
 


Post by David-Michael Linc » Thu, 22 Aug 1996 04:00:00


: I thought I'd ask if anyone is familiar with any security problems with
: the US Robotics Netserver line of terminal servers or their
: implementation of RADIUS.  I haven't come across anything so far (good or
: bad), as the product is somewhat new.  I'd appreciate any comments.
:
: Truly,
:
: Vik

US Robotics Netservers are virtually identical to Livingston Portmaster
communications servers running ComOS 3.1.4 (later revisions aren't being
licensed to US Robotics anymore). They are quite popular with many ISPs and
I haven't heard about any security problems relating to ComOS or their
implementation of Radius ever.

dave

--
David-Michael Lincke
Research Assistant
Institute for Information Management IWI-HSG, University of St. Gallen

URL:    http://www-iwi.unisg.ch/about/team/dal.html

 
 
 


Post by Lance Caven » Thu, 22 Aug 1996 04:00:00





>: I thought I'd ask if anyone is familiar with any security problems with
>: the US Robotics Netserver line of terminal servers or their
>: implementation of RADIUS.  I haven't come across anything so far (good or
>: bad), as the product is somewhat new.  I'd appreciate any comments.
>:
>: Truly,
>:
>: Vik
>US Robotics Netservers are virtually identical to Livingston Portmaster
>communications servers running ComOS 3.1.4 (later revisions aren't being
>licensed to US Robotics anymore). They are quite popular with many ISPs and
>I haven't heard about any security problems relating to ComOS or their
>implementation of Radius ever.

They ARE identical to PM's because that's what they are :) Oh, did I
mention they are higher priced? Anyway, ComOS 3.1.4 is buggy. So
don't waste your time buying the USR Netserver, and go to
www.livingston.com.

--
,..............................................,
|               Lance Cavener                  |


`----------------------------------------------'
|  "The Apple Macintosh is for people who get  |
|   confused with more than 1 mouse button"    |
|               Former lead programmer of OS/2 |
`----------------------------------------------'

 
 
 


Post by Thomas H. Ptac » Fri, 23 Aug 1996 04:00:00



>licensed to US Robotics anymore). They are quite popular with many ISPs and
>I haven't heard about any security problems relating to ComOS or their
>implementation of Radius ever.

You're not listening closely enough.

The RADIUS server, as distributed by Livingston, has serious
bounds-checking problems. The server runs with root creds, meaning that as
soon as someone releases a slick DNS-overflow exploit for Linux or
FreeBSD, it'll be modified within a day to a "get root quick through
radiusd" exploit.

On top of that, the "shared secrets" between the terminal servers and the
authentication server are stored in cleartext.

Finally, within the last quarter, there was a row about a ComOS
denial-of-service problem which allowed arbitrary people to crash their
Portmaster products.

-----------------------------------------------------------------------------
Tom Ptacek at The rdist Organization / exit(main(kfp->kargc, argv, environ));

"If you're so special, why aren't you dead?"

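Added example, not part of the post above and not Livingston's code: the post does not say where radiusd's bounds-checking problems lie, so this C example only shows what bounds-checked handling of a RADIUS packet looks like, using the header and attribute layout from RFC 2865. The function name `rad_get_attr`, its return codes and the two sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAD_HDR_LEN 20    /* code, id, 2-byte length, 16-byte authenticator */
#define RAD_MAX_LEN 4096  /* RFC 2865 maximum packet length */
#define RAD_USER_NAME 1   /* User-Name attribute type */

/* Constructed samples: Access-Request with User-Name "alice"; BAD claims a 255-byte attribute. */
static const uint8_t GOOD[27] = {1, 7, 0, 27, [20] = 1, 7, 'a', 'l', 'i', 'c', 'e'};
static const uint8_t BAD[27]  = {1, 8, 0, 27, [20] = 1, 0xFF, 'a', 'l', 'i', 'c', 'e'};
static char name[64];

/* Copy the first attribute of type `want` into out, NUL-terminated.
 * Returns the value length, -1 malformed packet, -2 attribute absent,
 * -3 value does not fit in out. (Hypothetical helper for this example.) */
int rad_get_attr(const uint8_t *pkt, size_t recvd, uint8_t want, char *out, size_t outsz)
{
    if (!pkt || !out || outsz == 0 || recvd < RAD_HDR_LEN)
        return -1;
    /* The declared length comes off the wire: check it against the
     * protocol limits and against the bytes actually received. */
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RAD_HDR_LEN || declared > RAD_MAX_LEN || declared > recvd)
        return -1;
    for (size_t off = RAD_HDR_LEN; off < declared; ) {
        if (declared - off < 2)          /* no room for type + length */
            return -1;
        size_t alen = pkt[off + 1];      /* counts the 2 header bytes too */
        if (alen < 2 || alen > declared - off)
            return -1;                   /* attribute would run past the packet */
        if (pkt[off] == want) {
            size_t vlen = alen - 2;
            if (vlen >= outsz)           /* keep one byte for the NUL */
                return -3;
            memcpy(out, pkt + off + 2, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        off += alen;
    }
    return -2;
}

int main(void)
{
    printf("good=%d\n", rad_get_attr(GOOD, sizeof GOOD, RAD_USER_NAME, name, sizeof name));
    printf("bad=%d\n", rad_get_attr(BAD, sizeof BAD, RAD_USER_NAME, name, sizeof name));
    return 0;
}
```

Every length the function trusts is either a compile-time constant or has been compared against the number of bytes actually received, which is the property a daemon running as root needs before it copies anything out of a network packet.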
 
 
 


Post by Lance Caven » Fri, 23 Aug 1996 04:00:00





>>licensed to US Robotics anymore). They are quite popular with many ISPs and
>>I haven't heard about any security problems relating to ComOS or their
>>implementation of Radius ever.
>You're not listening closely enough.
>The RADIUS server, as distributed by Livingston, has serious
>bounds-checking problems. The server runs with root creds, meaning that as
>soon as someone releases a slick DNS-overflow exploit for Linux or
>FreeBSD, it'll be modified within a day to a "get root quick through
>radiusd" exploit.
>On top of that, the "shared secrets" between the terminal servers and the
>authentication server are stored in cleartext.
>Finally, within the last quarter, there was a row about a ComOS
>denial-of-service problem which allowed arbitrary people to crash their
>Portmaster products.

Ok so explain what RADIUS has to do with his question?

Then explain how to fix all those exploits.

--
,..............................................,
|               Lance Cavener                  |


`----------------------------------------------'
|  "The Apple Macintosh is for people who get  |
|   confused with more than 1 mouse button"    |
|               Former lead programmer of OS/2 |
`----------------------------------------------'

 
 
 
