Bugtraq mailing list archives
Tyger Team Security Advisory: Privacy Issues with QuickBooks 200
From: Steve Birnbaum <sbirn () SECURITY ORG IL>
Date: Tue, 24 Oct 2000 19:52:37 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Tyger Team Security Advisory
www.tygerteam.com
============================================================
Intuit Collects information from QuickBooks 2000 users
Found: 03/01/00
Published: 10/19/00
Author: Steve Birnbaum <sbirn () security org il>
URL: http://www.tygerteam.com/advisories.html
Status: Vendor contacted. Update available, though some
issues are still outstanding.
============================================================
- ------------------------------------------------------------
Overview:
- ------------------------------------------------------------
Intuit is collecting information ranging from system configuration to
usage from users of its new QuickBooks 2000 and QuickBooks Pro 2000 software.
Intuit uses Marimba Castanet, an automated software update technology, to
update the QuickBooks 2000 software on their customers' computers
automatically. The client does not allow the user to restrict what
information is sent to Intuit upon request by the Intuit server. Intuit
is able to collect private user information without the user's knowledge.
Intuit has also implemented this software in an insecure manner that
allows malicious users to hijack it and either obtain information
about the user, or install their own files or programs on the
user's computer.
Intuit provides WWW integration by providing links to web sites.
When going to such a link, Intuit is sent both the user's
unique serial number and their registration number. This allows
the monitoring of software installation and user's usage patterns.
- ------------------------------------------------------------
Tested Configuration:
- ------------------------------------------------------------
QuickBooks 2000 (Canadian version) running on a dedicated test platform
Windows NT 4.0 with service pack 6. No other software, other than
Microsoft Internet Explorer 5.0, which Quicken both provides and
requires, was installed.
Some basic tests were conducted with QuickBooks Pro 2000 and it
is confirmed to have the same problems. QuickBooks and QuickBooks Pro
are the same program. The mode in which it runs depends on the
serial number.
- ------------------------------------------------------------
Description:
- ------------------------------------------------------------
Using two different methods, QuickBooks reports user information back to
Intuit.
Issue 1
- -------
QuickBooks has integrated the Marimba Castanet (http://www.marimba.com)
product into their software. Immediately upon first execution, QuickBooks
displays the license agreement. However, before QuickBooks completes its
launch and presents the user with the interface, it connects to Intuit's
Castanet server (qbmarimbaqw.quicken.com) on port 80.
Below is the start of the first http session. It shows the initial
connection to the Castanet server and the sending of information
regarding the configuration of the host running QuickBooks, such as
the operating system version.
The meaning of the other strings that are seen below, such as the
reference to "properties.txt" and "any/any" are currently unknown.
- -----------------------------------------------------------------
qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
POST /UpdateDirChanQB HTTP/1.0.
User-Agent: null.
Connection: Keep-Alive.
Content-length: 391.
Pragma: no-cache.
Content-type: application/marimba.
Request-type: update/13.
.
- -----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
<No data>
- -----------------------------------------------------------------
qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
........%.......qbmarimbaqw.quicken.com...P.....(..
update.sdk....1..L_L....US..L_C....en..
Windows NT..x86..4.0..en_US....UpdateDirChanQB........DATA=AUC01QFN00000
21911004000011501002 0000000000
0000000005200000057010300000000000000000 05701n
ewfeatures 00000000 0000................
- -----------------------------------------------------------------
- -----------------------------------------------------------------
qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
<No data>
- -----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
HTTP/1.0 200 Reply follows.
Server: Marimba-Transmitter/4.0.3.
Content-type: application/marimba.
Expires: 0.
Pragma: no-cache.
Connection: Keep-Alive.
Content-length: 140.
.
.........%...B....B..A....A..segment....any/any....T..........UpdateDirC
han.QFNz...0..kE. () 6 f D properties txt.X+.X.<.....7......p..
- -----------------------------------------------------------------
Next, QuickBooks connects again to the Castanet server and initiates a
request for updated information. The following capture gives an
indication of the control that the server holds over the client. It
includes the receipt of various configuration instructions. The
commands "desktop.shortcut" and "install.inactive=ignore" raised our
suspicions considerably. The explanation we were later given by
Marimba via Intuit is that these options are part of the full version
of Castanet which were not removed from the more limited SDK software
that Intuit uses. We were told that while the server has not had
this code removed and it still sends it as part of the handshaking,
the SDK client has had the code to process them removed. Therefore, we
were told by Intuit that these specific commands are ignored.
- -----------------------------------------------------------------
qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
POST /UpdateDirChanQB HTTP/1.0.
User-Agent: null.
Connection: Keep-Alive.
Content-length: 113.
Pragma: no-cache.
Content-type: application/marimba.
Request-type: getfiles/3.
.
- -----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
HTTP/1.0 200 Reply follows.
Server: Marimba-Transmitter/4.0.3.
Content-type: application/marimba.
Expires: 0.
Pragma: no-cache.
.
.......... ...........z...0..kE.@.6.f........DAUS000000000000000000
00QFN0000030111004010011501002 0000000000
0000000005200000139010301000000000000000
11801newfeatures n .edition 000000213dff621c4a11b6c0
2b10fe8c8394cd92..0000000000000000000000002000_01_14_17_21_25.
....X+.X.<.....7..........pcapabilities=none
desktop.shortcut=false
extension=channel
install.inactive=ignore
locale=any
macresourceforks=false
mimetype=application/x-castanet-channel
name=UpdateDirChanQB
platform=any
publish.time=944543763933
title=UpdateDirChanQB
type=Data
update.action=ignore
update.active=never
update.inactive=weekly
update.schedule=every 1 weeks on sun update at 04:00AM
- -----------------------------------------------------------------
There are further exchanges between QuickBooks 2000 and the Castanet
server. During these exchanges files are sent and installed without
user approval. In fact, the user isn't even aware that this entire exchange
is taking place.
We contacted Marimba to find out what their software is capable of.
They informed us that the full version of Castanet is able to retrieve
information such as, but not limited to IP addresses, user names and host
names. The exact information that is obtained depends on what their
customer configures the server to request. Marimba explicitly stated that
there is no way for the user to prevent certain types of information from
being sent if the server requests it. We were informed that there is an
additional module (which Intuit has not purchased) that will perform a
full disk scan of the computer running the client software and send the
output to the Castanet server. We were told that Intuit uses the much
more limited SDK version, which cannot perform this full disk scan.
According to Marimba, the SDK version is limited in the host information
it can retrieve. It is also limited in its ability to download only to
one specific directory within the QuickBooks directory tree. The
information it has access to includes the IP address, OS name, version
and architecture, the locale and time zone. Even though the list of
information retrieved is smaller than the full version, users still
have no ability to control what is sent within that set.
On the other hand, Marimba has also stated that their software is capable
of working with an SSL encrypted session. The client software can store
the server's key and would reject any attempt from someone to represent
himself as the real Castanet server. This would also prevent hijacking of
an already established session. Furthermore, they
support the ability to digitally sign each file being sent.
Castanet seems like a very nice product for an enterprise network. However,
we question Intuit's use of Castanet in this environment. Regardless, Intuit
has not activated the most basic security features in the Castanet software.
This results in the user being at risk of session hijacking.
If someone is able to hijack a session, they could install programs that
create back doors to allow an intruder to take full control of the computer.
These sessions raise a list of issues:
1) Intuit knows the identity of the user connecting. They can theoretically
target specific files to specific users, such as a program to
monitor the user's computer or network, even behind a firewall.
2) Since the sessions are not secured, the session can be hijacked and
a malicious user can insert their own files or backdoors onto the
user's system. Intuit has chosen not to encrypt the sessions, thereby
creating this risk.
3) The user has no control over what information is retrieved from their
system. They must simply hope that Intuit won't do something to violate
their privacy, and that no malicious users will hijack a legitimate session.
4) Users are unaware of what information is being collected and for
what purpose it is being used.
Issue 2
- -------
QuickBooks 2000 is integrated with Microsoft Internet Explorer 5. Many
of the windows in QuickBooks are HTML generated on the fly. With
the seamless web integration, Intuit has created certain text items within
the GUI that are in fact links to web sites, and not buttons, to perform
local program functions. These links are not labeled as such and appear
no different than HTML links that open other local windows. This in itself
is not such a security problem.
The issue lies in the method with which Intuit directs the user to a web
site. The following is the URL that is accessed when the user clicks on
the text of a reminder that the program refers to as an "alert". The
example is linked to by a warning with regard to a periodic tax payment
due to the government.
http://redirect.quickbooks.com/redirect/reg=****-****-****/serial=####-###-####-####/?http://www.ccra-adrc.gc.ca/menu-e.html
The '*' replace the registration number provided by Intuit. If you have
not registered, the value in the URL is "Unregistered". This is a unique
number identifying a particular customer of Intuit.
The '#' replace the serial number found on the back of the manual. This
is a unique number identifying a specific copy of the software.
When you register your purchased copy of QuickBooks with Intuit after
supplying them with your detailed information, you receive a registration
number in return. Even if you buy the software, you can only run it a
certain number of times without entering a registration number. So
unless you provide them with false information when registering,
Intuit knows exactly what actions their users are performing that take
them to Internet sites.
- ------------------------------------------------------------
Vendor Response:
- ------------------------------------------------------------
Once we were able to make contact with the appropriate people within
Intuit, they seemed quite receptive to our concerns.
Since first contacting Intuit on March 14, 2000, they have implemented
the following changes with the US R5 and Canadian R6 updates to
QuickBooks 2000:
1) Users installing the R5 and R6 updates are presented with an html
window the next time they run the application explaining the use
of the Automatic Update feature but also including information on
how to disable it.
2) Added a top-level item on the help menu "About Automatic Update,"
which displays a secondary page used for the previously described html
window, and also provides detail about the Automatic Update
feature. This is more complete than in the previous help index.
3) All, rather than most, html links to Internet sites are now marked
with a lightning bolt. However, users are not told clearly what this
means unless they click on the relevant help link. We've suggested
putting this information in a splash screen on startup, or a one-time
notification on clicking such a link, and Intuit has said it will
include information about the html links in the welcome pages in its
next version of QuickBooks.
4) Instead of sending serial numbers in readable text to their
redirect server, they now perform a two-way hash of the information
using a proprietary algorithm. This is basic obfuscation. This is
not optimum, but Intuit acted to protect against transient sniffing
and will use an MD5 one-way hash in the next version of QuickBooks.
5) We found that when running the installer for the update, a
connection to Intuit's Castanet server was made if that option was
enabled in QuickBooks 2000. This appears to be an unintentional side
effect of installing the Automatic Update software itself. As the
software installs itself into Windows, it starts itself up the default
way; i.e., to check for available updates. However, after installing
itself, the software quits, which will terminate any connection it may
have initiated. Intuit believes that it's unlikely that, even on a
slow computer, any such connection would remain open long enough for
any content to actually be downloaded to the computer.
6) Intuit is planning to switch to the industry standard, highest
security level SSL for all Castanet updates beginning with the next
version of QuickBooks. The Castanet SDK software embedded in
QuickBooks 2000 currently supports SSL enablement and provides other
security features. However, Intuit believes that updating
QuickBooks 2000 to enable SSL would risk key functionality in the
product and risks adversely affecting existing users.
7) We're still not happy with the auto-update feature, although
Intuit has taken steps to inform users of it and gives them the option
to turn it off. Initially, we believed there was too much power in the
Castanet client that can be turned on by the server. Based upon
information provided by Intuit, this was found to be inaccurate.
QuickBooks 2000 does not install any software to customers' PCs that
would allow their hard drives to be scanned or their hard drive file
listings to be hijacked by a rogue server. In addition, Intuit was told
by Marimba that the hard drive scanning capability in the full feature
Castanet product (i.e., not the Castanet SDK used in QuickBooks 2000) is
of limited scope. Since this does not affect QuickBooks, which uses
only the Castanet SDK, we did not pursue this avenue to find out what
scanning is available in the full version. We assume that such a
version would be used by an enterprise network administrator for whom
full drive scanning capabilities for client machines would be acceptable.
We found that while Intuit is ultimately responsible for
what their software does, they seemed genuinely concerned about user
privacy and security. For more information on Intuit's fixes, and for
upgrade information, refer to http://www.quickbooks.com/support/updates.html
- -----------------------------------------------------------
Quick Solution/Workaround:
- ------------------------------------------------------------
Turn off the Automatic Update feature. Information about
how to do this is found in the help menu of QuickBooks 2000.
Or, use Intuit's QuickBooks 2000/QuickBooks Pro 2000 on a
computer that is a dedicated, standalone computer with no modem or
network interface. The computer should not have Internet connectivity
capability at any time.
Paul English of Intuit says that Intuit feels that they offer a
number of beneficial services via the web such as payroll and online
banking and ask that users read their response document to make an
informed decision.
- ------------------------------------------------------------
Long-term Solution:
- ------------------------------------------------------------
Customers should contact Intuit through their web site
at http://www.intuit.com/corporate/quickbooks2000privacy/
and request that this issue be resolved immediately.
The customer service or pay-per-use support representative you speak
with may try to tell you that no method other than the Castanet
automated updates is available for software updates, or that they are
not sure. We received such a response from both departments. However,
an additional phone call to their customer service department
led to the confirmation that the updates are available via FTP on the
Internet and they do indeed mail software updates via diskette to
customers if requested.
The quick solution of using QuickBooks on a dedicated computer with
no Internet capability is also sufficient for the long-term. Intuit
will also be introducing additional security and privacy enhancements
in the next version of the software.
- ------------------------------------------------------------
Additional Information:
- ------------------------------------------------------------
Contacting Tyger Team:
E-Mail: Steve Birnbaum <sbirn () security org il>
Patrick Naubert <patrickn () tygerteam com>
Phone: +1 613 294-2390
Postal address: 4130 Baseline Road RR2
Gloucester, Ontario
K0A 2Y0
Canada
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQEVAwUBOfYVXANowu66bCy5AQHB9gf/ecovAErbo74DHxhThjO748T1kY40w4LO
tQ88IxZf8qpCk+ykUs90kKFwwSnPL+qKBvkpylKE4/Pfk+vOLXoRmMLTcLgoFfbP
N06VYUVkxb74K6awgc8iGwIK+qEmhsY9zdMUU5s4IIwuG5kHJ1WwmSg+0/OoAW/z
C6yOmz50Ahpak8X1liCRN5MLqVElNuY8WczC6J1UjtH7gCGEPQpNW/Co1kuA0v4l
XjKXOK1DbD0xxVkpH97aiEcMWTWkbPTI40rSJvft3i6tHz6Z82upA79jhFUoC1yk
3T9FuOPyQVJHPWqBwdoT49Nw78B2bNqyExBYiCIq9MsVg6warHqyVA==
=BE0O
-----END PGP SIGNATURE-----
Current thread:
- Tyger Team Security Advisory: Privacy Issues with QuickBooks 200 Steve Birnbaum (Oct 26)