[wpkg-users] security issues

Marco Gaiarin gaio at sv.lnf.it
Tue Jun 5 11:52:34 CEST 2007 

Mandi! Tomasz Chmielewski
  In chel di` si favelave...

> As in 99% cases wpkg.js sits on the remote server, it is by definition 
> insecure, isn't it?

It's a pint of view...

> Handling security by something which is hosted on a potentially not 
> secure machine isn't the best idea - you would never know if it's your 
> or attacker's wpkg.js.

Indeed ther's some different problems to take care.

What i'm speaking about is a:

a) an attacker have no access to the server (indeed, done that we have
 no more things to speak about... ;), no access to the clients apart
one/two to get some knowledge on the system

b) the attacker want to take control of all clients (that use WPKG, of
 course).

In a scenario like that, currently, and if not using a domain account
to access WPKG shares, to the attacker suffices to do a DOS against the
server, tear it down, start their hacked server *and* restart clients
to be able to install whatever on client machine.
I think this is a simple attack, but it costs so much because you have
to shut down server *and* all client to force WPKG execution on all
cient, and doing so without that sysadmin or users note that it is
really hard...

If domain password are used to access the server, this indeed make the
things harder and costly, probably so costly that does not worth,
because we have to crack a password, probably choosen to be very hard
to crack.

... mumble ...

Thinking about all the stuff works. Indeed you're right.

wpkg.js run client side, so access share with client rights; if a
'secret' have to be checked someway, they have to be read client side
and server side by the same wpkg.js instance.
So, indeed, simple auth schema does not offer more security than
without it, because the 'secrets file' have to be placed somewhere in
the shares, accessible.

To have mode security it is needed to setup some challenge from client
to server, no shares, and indeed this is out of wpkg.js scope.


> > Exactly this. I Admit that i'm a bit lazy in my domain to use guest
> > access to WPKG and %SOFTWARE% shares, but indeed a 'minimal'
> > client/server authentication have to be implemented.
> OK, but how? :)

No way, sorry. ;)


-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797


wpkg-users mailing list
wpkg-users at lists.wpkg.org
http://lists.wpkg.org/mailman/listinfo/wpkg-users

More information about the wpkg-users mailing list