Thursday, January 29, 2009

You say features, I say (possible) vulnerabilities

I was listening to a recent MindOfRoot podcast (good podcast BTW if you are interested in IT type topics) which included an interview with a Microsoftie about WS-MAN (sorry for not recalling the exact name of the person). If you don't know (I didn't) WS-MAN stands for (drum roll please): web services management. That's right boys and girls, getting SOA in your switches and routers. I thought SOA was soo over - grin :). Getting (somewhat) serious, the value proposal makes almost no sense and is (IMHO) an other example of Microsoft showing the Not Invented Here syndrome. Points:

  • He admits that we already have SNMP but criticizes it for being quirky. The example that he gives is that the method to reboot some equipment is to set uptime to zero. WS-MAN, he says (I really should look up this chaps name, shouldn't I?) will have "real methods". Well, no standard has been ever implemented the same way by all vendors. Unless you have a single vendor (*cough* Microsoft *cough*) delivering all the software, there will be differences, just as there are differences in SNMP and management software will have to adjust for them (just the way it does for SNMP today).
  • An other argument is "security". He says that by using SSL (TLS) you just double encrypt the data, since it is already encrypted, but then admits that passwords go in the clear unless you do use TLS. First of all, web services but no mention of WS-Security? Second of all, are you really telling me that vendors will put all that extra processing power in their equipments to support TLS? And if not (if this is an optional feature), we're back to SNMP (cleartext passwords - cool). Also, given how less than 1% of the websites on the Internet correctly supports SSL, what exactly makes you think that admins will configure this infrastructure correctly with server and client certificates? (BTW, they didn't mention client certificates, but I really hope they support them)
  • An other argument: it has the option to enumerate all the parameters! How is this substantially different from the SNMP MIB's?
  • Yet an other argument: it will run trought port 80 (ok, this definitely seems to indicate a cleartext protocol), so you won't have problems passing trough your corporate firewall / proxy. BTW, did I mention that this friggin thing will run over HTTP? (WS is defined for multiple transports - including email and FTP - but HTTP is the most popular one which always gets associated). So now you want to shove an HTTP server in the network equipments and just assume that it won't have any vulnerabilities because the HTTP and XML standards are soo simple - not! Getting back to the "bypassing firewall" argument:
    • First of all - you are IT! WTF are you trying to do bypassing yourself? If your organization is f***'d up at that level that you can't open ports for legitimate reasons, you have bigger problems. And if it isn't a legitimate business reason, it is very good that they are blocking your ass!
    • Putting everything over the same port makes it very hard to categorize traffic. Of course this is not the first time MS has done that: open up filesharing and congratultions - now others can use DCOM, WMI, etc on your system. Talk about a large attack surface and a complete disregard for the "one port - one service" principle!
    • Incidentally you can use HTTP proxies to tunnel arbitrary TCP connections (if they are so configured) with the CONNECT method (this is how HTTPS trough a proxy works if the proxy doesn't MITM's it).
  • And finally: an other proclaimed advantage is its integration with PowerShell. Yes, PowerShell seems really cool, but wouldn't it have been much simpler (and more compatible and more useful - because we have SNMP capable hardware now) to just add SNMP capabilities to PowerShell? IMHO, it would.

So there you have it, an other thing which isn't needed. Looking forward to exploit bugs and improperly configured services of these types in 5 years.

PS. Maybe Google will index these and we can Google hack switches and routers! :-)

No comments:

Post a Comment