Information Security News mailing list archives

Close The Door


From: William Knowles <wk () C4I ORG>
Date: Fri, 11 Aug 2000 04:38:10 -0500

*********************************************************************
Back Door Mania
by Rik Farrow

The first two weeks in April 2000 brought with them a bit of spring
fever in the form of hype and media confusion over two back doors in
Web server software. In each case, the back doors were put there
deliberately by the vendors, although it was not their intention that
either would be used for malicious purposes.

Back doors have an illustrious history, with perhaps the most famous
example being the code engineered by Ken Thompson. Thompson could log
into any Unix system as any user by entering a magic password. The
code for the back door was hidden inside the compiler used to build
the trojaned login program, making it almost impossible to discover
what he had done. Thompson carefully explained his cleverness during his
acceptance speech for the Turing Award in 1984.

Others have included back doors in their code. Eric Allman put back
doors in the sendmail program, but the source code has always been
available, making it relatively easy to uncover and remove them. AT&T
field engineers used a bug in the Unix expreserve program to get root
access while working on customers' systems.

The most recent furor is over code included in Web server software.
The first hint of trouble appeared on a newsgroup devoted to Perl
programming for CGI (Common Gateway Interface) scripts. Kasey Johns
was checking over some code his company had licensed, looking for
security problems. The code in question was version 3.0.4 of the
Dansie Shopping Cart. Johns reported that it was not easy checking
this Perl script, as it was compressed from 7,000 lines into only 250
by removing newline characters.

In the script, Johns discovered code that had been deliberately
obscured by encrypting the command, email address, and subject line.
The code sent email to tech () dansie net when the cart software was
used. Another section of code accepted commands from a hidden variable
that changed permissions on a data file required by the program and
then overwrote it.

Through this back door, Dansie received notification whenever someone
began using the code, and could remotely delete a file and so disable
the script. According to emails from Dansie representatives to the
Bugtraq mailing list, these mechanisms were used only as defenses
against software pirates. But another posting to Bugtraq pointed out
that the value associated with the hidden variable was not checked,
permitting anyone who knew about it to execute arbitrary commands on
the Web server.

Dansie responded by removing the offending code in the next release,
which was made available almost immediately, and providing a patch to
existing releases.
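The Bugtraq point about the unchecked value is easy to see in code. What follows is an added illustration written for this page, not Dansie's script and not a reconstruction of it: a vendor "kill switch" driven by a hidden form field, first in the unchecked form (the value is spliced into a shell command, as an unchecked Perl system() call would do), then with the check it lacked. The field name vendor_disable and the file name cart.dat are assumed placeholders; the crafted input is constructed here. The demo runs both handlers in scratch directories so the difference is observable rather than asserted.

```python
"""Added illustration, not Dansie's code: a vendor kill switch driven by a
hidden form field, unchecked and then checked. Names are placeholders."""
import os
import subprocess
import tempfile

KILL_FIELD = "vendor_disable"   # hypothetical hidden form variable
DATA_FILE = "cart.dat"          # hypothetical data file the cart needs


def vulnerable_kill_switch(params, workdir):
    """Unchecked: the field's value is spliced straight into a shell command,
    the same shape as an unchecked Perl system() call. Anything after a ';'
    in the value runs as a second command with the web server's privileges."""
    target = params.get(KILL_FIELD)
    if not target:
        return False
    subprocess.run(f"chmod 0666 {target} && : > {target}",
                   shell=True, cwd=workdir, check=False)
    return True


def hardened_kill_switch(params, workdir):
    """Same effect, but the value may only name the one expected file and no
    shell is involved, so a crafted value cannot run anything."""
    target = params.get(KILL_FIELD)
    if not target:
        return False
    if target != DATA_FILE:
        raise ValueError(f"unexpected value for {KILL_FIELD}: {target!r}")
    path = os.path.join(workdir, DATA_FILE)
    os.chmod(path, 0o666)
    with open(path, "w"):      # truncate, as the original overwrite did
        pass
    return True


def _seed(workdir):
    """Create the data file the cart would depend on (constructed sample)."""
    with open(os.path.join(workdir, DATA_FILE), "w") as fh:
        fh.write("order data\n")


def demo():
    """Run both handlers against a crafted value in scratch directories and
    report what each actually did."""
    crafted = {KILL_FIELD: f"{DATA_FILE}; touch injected"}
    out = {}
    with tempfile.TemporaryDirectory() as d:
        _seed(d)
        vulnerable_kill_switch(crafted, d)
        out["vulnerable_ran_injected_command"] = os.path.exists(os.path.join(d, "injected"))
        out["vulnerable_emptied_data_file"] = os.path.getsize(os.path.join(d, DATA_FILE)) == 0
    with tempfile.TemporaryDirectory() as d:
        _seed(d)
        try:
            hardened_kill_switch(crafted, d)
            out["hardened_refused"] = False
        except ValueError:
            out["hardened_refused"] = True
        out["hardened_ran_injected_command"] = os.path.exists(os.path.join(d, "injected"))
        hardened_kill_switch({KILL_FIELD: DATA_FILE}, d)
        out["hardened_emptied_data_file"] = os.path.getsize(os.path.join(d, DATA_FILE)) == 0
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version is there to show what a check looks like, not to recommend keeping a remote kill switch: the fix Dansie actually shipped was to remove the code, which is the right answer for a licensee as well.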

Another issue became an overnight sensation largely because of the
words used as the encryption key: "Netscape engineers are weenies!"
Rain Forest Puppy, or rfp, posted his second advisory of the year,
explaining that DVWSSR.DLL, installed either with Option Pack 4 or
with the Microsoft FrontPage extensions, permitted reading any file on
the Web server. Rfp mentioned that the encryption key must be used to
encrypt the filename first, and that only users who had access to
DVWSSR.DLL, who are generally administrators and those who manage
several virtual hosts on the same Web server, could take advantage of
this back door.

CORE SDI explored the same DLL and discovered that it was possible to
overflow its buffer by sending it at least 5,000 characters as a
value, causing IIS to stop functioning. (This would constitute a
denial of service attack.) Again, the attacker would have to have
access to the DLL for this to work: someone would have had to change
the access control list protecting the DLL to expose it to remote
attackers, or a remote attacker would have needed an administrator's
password. Unfortunately, the press went
wild with this, leading to some interesting self-contradictory remarks
from the media.

Microsoft put out several versions of security bulletin MS00-025, with
a final suggestion that the offending DLL simply be removed.

Including sneaky back doors in software may be appealing to
programmers, but it is a certain way to stir up customer unrest when
discovered. If you are running a Web server, I suggest you remove any
software that you do not need on the server, shut down any network
services that are not absolutely necessary, and use proper permissions
and ownership on all files and directories.
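As an added example, not part of the article, here is a first pass at those three recommendations on a Unix Web server: an audit of the document root for world-writable, setuid/setgid and wrongly owned files and for CGI scripts you may not need, plus a list of listening sockets beyond the ports the server is meant to serve. The document root, the owning account and the expected ports (80 and 443) are assumed placeholders; adjust them for your host.

```sh
#!/bin/sh
# Added example (not from the article). Docroot, owner and the expected
# ports are assumed placeholders for illustration.

# Files under the document root that are world-writable, setuid/setgid, or
# not owned by the account that should own the site, and CGI/Perl scripts
# that others can execute (candidates for "do you really need this?").
# Prints one "TAG path" line per finding.
audit_webroot() {
    docroot=$1
    owner=$2
    find "$docroot" -type f -perm -002 -exec printf 'WORLD_WRITABLE %s\n' {} \;
    find "$docroot" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SETID %s\n' {} \;
    find "$docroot" ! -user "$owner" -exec printf 'WRONG_OWNER %s\n' {} \;
    find "$docroot" -type f -perm -001 \( -name '*.cgi' -o -name '*.pl' \) \
        -exec printf 'CGI_SCRIPT %s\n' {} \;
}

# Listening sockets other than the ports the server is meant to serve
# (assumed: 80 and 443), read from ss or, failing that, netstat. Each
# line is the local address:port of a service you should be able to justify.
unexpected_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -Hltnu 2>/dev/null | awk '{print $5}'
    else
        netstat -an 2>/dev/null | awk '/LISTEN/ {print $4}'
    fi | awk -F'[:.]' '{port=$NF} port != "80" && port != "443" {print}'
}
```

Typical use is `audit_webroot /var/www/html www-data` followed by `unexpected_listeners`; every line the two print is either something to fix (permissions, ownership) or something to remove (a script or a service nobody can account for).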

Web servers make attractive targets. Back doors, whether intentional
or not, make them even more tempting. Shut your doors.


Resources

Creating a basic padded cell
A tutorial with sample scripts
http://www.sunworld.com/swol-01-1999/swol-01-security.html

Web server wiles, Part one
Secure your Solaris Web server from the perils of the Void
http://www.sunworld.com/sunworldonline/swol-04-1996/swol-04-security.html

Securing your Web server
Stop the wrong people from accessing your site!
Make sure your site is secure from prying eyes and malicious intent
http://www.sunworld.com/sunworldonline/swol-06-1996/swol-06-webmaster.html

************************************************************************
About the author
----------------
Rik provides UNIX and Internet security consulting and training. He
has been working with UNIX system security since 1984, and with TCP/IP
networks since 1988. He has taught for the IRS, Department of Justice,
NSA, US West, Royal Canadian Mounted Police, Swedish Navy, and for
many US and European user groups. Farrow also consults with firms in
the design and implementation of security applications.
*********************************************************************
http://www.itworld.com

ISN is hosted by SecurityFocus.com