[wpkg-users] security issues
Tomasz Chmielewski
mangoo at wpkg.org
Tue Jun 5 12:38:44 CEST 2007
Marco Gaiarin wrote:
> Hello! Tomasz Chmielewski
> On that day it was said...
>
>> As in 99% cases wpkg.js sits on the remote server, it is by definition
>> insecure, isn't it?
>
> It's a point of view...
>
>> Handling security by something which is hosted on a potentially not
>> secure machine isn't the best idea - you would never know if it's your
>> or attacker's wpkg.js.
>
> Indeed there are some different problems to take care of.
>
> What I'm speaking about is:
>
> a) an attacker has no access to the server (indeed, if they had that, we would have
> nothing more to speak about... ;), and no access to the clients apart from
> one/two to get some knowledge of the system
Just bring a laptop with an evil server installed, and connect the
workstation's cable to it.
> b) the attacker wants to take control of all clients (that use WPKG, of
> course).
>
> In a scenario like that, currently, and if not using a domain account
> to access WPKG shares, it suffices for the attacker to do a DoS against the
> server, tear it down, start their hacked server *and* restart the clients
> to be able to install whatever they want on the client machines.
> I think this is a simple attack, but it costs so much because you have
> to shut down the server *and* all clients to force WPKG execution on all
> clients, and doing so without the sysadmin or users noticing is
> really hard...
What we should care about is the way to make sure we connect to the
right server. Nothing more, nothing less.
Which can be a little hard to do - for example, here with my setup, the
clients connect to a server called "branchserver" - which is just a DNS
entry to ease the management - it's easier to do so with multiple
servers around the country.
So, in the above scenario, I don't connect to the real name of the server,
but to some DNS alias instead.
The question - how does the Windows client know it's connecting to the
legitimate domain server when the user logs on?
--
Tomasz Chmielewski
http://wpkg.org
wpkg-users mailing list
wpkg-users at lists.wpkg.org
http://lists.wpkg.org/mailman/listinfo/wpkg-users