Network security on AmigaOS with MiamiDx or any other stack

[tormedhammaren]

I want to address this subject because I don't see it
discussed often in Amiga newsgroups, amiga.org, ann.lu or
any other. Does few  Amiga users have concerns about
security on theire systems?

Some things I would like to know:

- Where can I find information about expolits in AmigaOS tcp/ip stacks and networking apps?
(Edit: Asked it in a confusing sense)

- Which firewall solutions exist on AmigaOS? I allready
know about MiamiIPFW. Are there any open source
solutions? Have anyone ported more modern solutions than
IPFW?

- Does anyone have any thoughts on which AmigaOS stack
is overall most secure?

- Is AmiTCP (the version geekgadgets distributes) still
updated and fixed?

My own discoveries: MiamiDx is very easy to flood . Just:

ping -l (from unix system) 100000 |amiga ip|.

ping -l 10000 |amiga ip| sends 100000 echo request packets
without waiting for echo replys. It doesn't have to be
100000, but it should do.This surpasses the Flood-protection
in MiamiDx, and MiamiDx crashes because of some buffer
overrun. MiamiPFW is by the way helpless when this
occurs.

My system is btw. immune to ping -f floods and ping of
death packets. My version of MiamiDx is 1.0c, and it's a
legal version.

Have anyone brought up solutions to this problem? ;-)

Regards
Tor

[mikeymike]

I'm not sure you fully understand what you're asking.

AmigaOS by default has no network stack.  Therefore by default it has no network services.

Once you add a stack, you can have vulnerabilities in the stack.  Once you add software/services to use the stack, you can have vulnerabilities in those too, including the IP filter or firewall software.  None of these say anything about the security of the operating system.  The only fault of AmigaOS in this context therefore is that it has no memory protection*.  However if any operating system has a vulnerability in the stack that is remotely exploitable, the operating system is almost certainly going to be fully exploitable.

- Where can I find information about expolits in AmigaOS and apps?

Try searching the bugtraq archives?  I doubt AmigaOS software get many mentions, but that's the only central place I can think of.

- Does anyone have any thoughts on which AmigaOS stack is overall most secure?

I doubt any of the available stacks have a bad reputation.  I think I've heard of a single vulnerability in each of them.

My own discoveries: MiamiDx is very easy to flood . Just:
ping -l (from unix system) 100000 |amiga ip|.

I did a bit of testing myself once, I wasn't able to make Miami 3.2b crash.  I did however slow my Amiga to a virtual halt when I had it logging and displaying traffic during a complete port scan.  Poor little 040 and PIO0.  :-)

* - WARNING everyone.  Do not start an argument about memory protection.

[KennyR]

- Which firewall solutions exist on AmigaOS?

(Edit: pasted wrong question, D'oh!)

There are none that I know of, apart from MiamiDX's. If you want a secure Amiga, use a linux, BSD or hardware router (not Windows - ICS is incredibly unsafe).

- Is AmiTCP (the version geekgadgets distributes) still updated and fixed?

AmiTCP v5 will be available eventually, but only for MorphOS.

[tormedhammaren]

@mikeymike:

I'm not sure you fully understand what you're asking.

AmigaOS by default has no network stack. Therefore by default it has no network services.

I'm fully aware of what I'm asking. Maybe my question was
a bit clumsy in that I asked about exploits in AmigaOS and
apps. I really mean exploits in tcp/ip stacks and networking
apps. I'm addressing the securiy of these software
components.

* - WARNING everyone. Do not start an argument about memory protection.

?

@KennyR:

There are none that I know of, apart from MiamiDX's. If you
want a secure Amiga, use a linux, BSD or hardware router
(not Windows - ICS is incredibly unsafe).

Yes, I know that's an option. But I would really like to make
the system safe from inside. At least not exploitable. I
know it's far to easy to DOS it. That's why your option
counts as important.

There is an Amiga security page that is pretty good. The
address is www.geocities.com/SiliconValley/Bridge/5737/Main/sw/security.html
But it hasn't been updated since january 2002.

[T_Bone]

> But it hasn't been updated since january 2002.

Neither has any of the software or stacks!!
That's downright right off the press in these circles! :-P

[lempkee]

t_bone:why are u saying such? , please check before you state such.

tor: the ping issue you are talking about , you can protect it from it and the system wont crash but it will slow the system down alot (even on a 060 66mhz.)


for stacks in development , roadshow  , this is 68k and ppc .. it will be released as a buyable program for os3.x and will be included in os4 (full).

Amitcp is the morphos way , and its still beeing toot'd and that one is also looking to be great.


but i must add that none of theese are iinside the OS! .


tor: which tools do you use ? , have you tried the port nabber's on aminet ? , sure its free but it doesnt mean it stinks, been too long since i installed snooptools so i can't really help you on that right away,but i will look into it asap zulu.

cheers

[KennyR]

If it helps, here are my recommendations on getting the most secure Amiga system. You'll probably know them, though.

· Don't put your Amiga on a direct connection to the net if possible. Their TCP/IP stacks are just too old and not updated.

· If you use AmIRC, never accept CTCP requests from users you don't know. AmIRC can be pushed over by flooding by CTCP.

· Use the most up to date MUI applications. Older internet MUI apps had a control string exploit which could be used to execute AmigaDOS commands.

· Try not to use FTP or telnet. An open port is an easy target for a nuke.

· Set your firewall not to reply to ICMP pings. Nobody is immune to DoS attacks, but at least this way it'll take powerful attack to saturate your whole bandwidth.

· Scan outgoing ports on a regular basis for trojan activity. Make sure there are no suspicious processes.

[tormedhammaren]

@lempkee:

tor: the ping issue you are talking about , you can protect it from it and the system wont crash but it will slow the system down alot (even on a 060 66mhz.)

Since my system run on a 040@40, I probably won't do it.
But how can I? Will it slow down my system only when
beeing flooded. Or - else to?

tor: which tools do you use ? , have you tried the port nabber's on aminet ? , sure its free but it doesnt mean it stinks, been too long since i installed snooptools so i can't really help you on that right away,but i will look into it asap zulu.

What's the port nabber's? Network security tools I've been
using on my Amiga includes nmap, netcat, icmpwatch,
MiamiIPFW, GoPortscan!, FWControl and openssh 3.6.

Cool avatar btw!

@KennyR:
Good advices! No, not anyone should run ftp/telnet on theire
systems anymore.  Neither deamons or clients. We should really get
sshd to work on AmigaOS.

Do you know how can I test if a MUI app is vulnerable?

[KennyR]

ping -l (from unix system) 100000 |amiga ip|.

ping -l 10000 |amiga ip| sends 100000 echo request packets without waiting for echo replys. It doesn't have to be 100000, but it should do.This surpasses the Flood-protection in MiamiDx, and MiamiDx crashes because of some buffer overrun. MiamiPFW is by the way helpless when this occurs.

I did actually try this on someone, with their permission. MiamiDX's flood protection kicked in after the first packet and they did not crash. The only difference is I pinged from MOS and not from UNIX.

Do you know how can I test if a MUI app is vulnerable?

I'm sorry, I don't know. It was something to do with sending control characters via internet. YAM, Voyager, SimpleMail, FreeCiv, IBrowse and AmIRC at least were made immune to this exploit.

Oh, and one more thing - never accept amigaguide files from users you don't know. It's extremely easy to imbed commands inside it and quick format your hard drive the moment you open it or click on a link.

[platon42]

> > Do you know how can I test if a MUI app is vulnerable?
>
> I'm sorry, I don't know. It was something to do with sending control characters via internet. YAM, Voyager, SimpleMail, FreeCiv, IBrowse and AmIRC at least were made immune to this exploit.

You should be a bit more precise. It is not a MUI problem per se. It is, a very dangerous file handler is installed by default on OS3.5/3.9 systems, namely the AWNPIPE:. This "thing" allows to *execute programs* using a *filepath*.

The "vulnerability" of MUI is, that it allows to load images through text strings. Now if you would try to display a text through MUI that contained a AWNPIPE: filepath with some nasty command, it would be executed without user control.

BUT the problem is not MUI. It is AWNPIPE! Because it is broken by design. It is the security hole! Any program that would use filenames from an external source (e.g. internet) then is a potential key to your machine. Let it be a browser (e.g. an image). Let it be an E-Mail. DCC request, Sound requests, etc. But also, let it just be some *configuration file* with external paths. The possibilities are endless, and no one application programmer has to take care of such a mess in a system.

Just take care that you don't use (mount) the AWNPIPE and you're safe.

[tormedhammaren]

@KennyR:

I did actually try this on someone with their permission. MiamiDX's flood protection kicked in after the first packt and they did not crash. The only difference is I pinged from MOS and not from UNIX.

Hmm. Am I the only one with this problem? I've
pinged my Amiga from bought a FreeBSD 5.1 box and
a linux 2.4.20 box. MiamiDx's flood protection
kicks in, but is surpassed. If I do a normal ping
flood, the flood protection works. What is ping
-l in MOS? If it's the same as in UNIX it's
preloading packets, not altering the lenght of
them.

I found the full security advisory about the MUI
security issue by searching for "MUI exploit" on
google.

@platon42:
Sounds like something not even M$ could have
created... When programmers want to add some
fancy functionallity that other programms don't
have, this is what often happens.

[Piru]

Just take care that you don't use (mount) the AWNPIPE and you're safe.

APIPE: has similar problem, so take care you don't mount either AWNPIPE or APIPE:.

[Piru]

MiamiDx's flood protection kicks in, but is surpassed.

ping flood protection is pretty much useless, as the packets get processed until they enter the filter part. It takes considerable resources to process the packets before they "flow down" to part where the filtering is made. Enough fragmented packets with packet reassembly, and the rate of packet I/O, packet reassembly and filtering will consume all CPU time and internal buffer memory.

Also, if you are unlucky enough to piss up some scriptkiddie with a botnet, you could be in real trouble. With his flood the incoming traffic will be so enormous that it will prevent any other legit traffic from reaching the system anyway, and all incoming traffic will stop (including TCP streams, that will disconnect if the flood stays persistent). Usually this is caused by DDOS attack using a botnet (network of hundreds to thousands of hacked zombie windows machines controlled by the scriptkiddie).

Only way to stop such flood is to have 100mbit pipe to internet and serious networking hardware filtering the traffic at that point, or by having your ISP block the flood earlier.

[Piru]

Is AmiTCP (the version geekgadgets distributes) still updated and fixed?

Free version of AmiTCP is not updated, and never really was.

Even latest commercial AmiTCP included with AmigaOS 3.9 has some grave issues:

- TCP ISN generator is a simple 64k ruler. It is child's play to predict. (spoofing TCP connections)

- ftpd 1.2 (Oct  3 1994) has a crash bug in STAT command:

What happen is that ftpd STAT command blindly assume fopen() succeed, that is, it doesn't check against NULL result from the call. If NULL is returned ftpd will happily peek & poke zeropage, eventually causing trashing of execbase pointer (absolute address 4). This problem is exploitable as anonymous user.

I won't provide an example on this public forum, for obvious reasons.

[mikeymike]

   * - WARNING everyone. Do not start an argument about memory protection.

?

The next bone-headed discussion I hear on the lines of 'whether AmigaOS needs memory protection or not' is going to result in casualties.  Some people appear to just want to kick off another discussion on the subject.

I would put a smiley here but I'm not really joking.