? Backdoor in Microsoft web server ?
Ichinin
security news from CNN and Wall ST Journal :o)
Francois Grieu
According to <http://cbs.marketwatch.com>, citing The Wall Street
Journal, Microsoft has acknowledged the existence of a "backdoor" in one
of it's consumer web server software. Knowledge of a global password
would grant [?read-all?] privileges on thousands of deployed web servers.
The backdoor is said to be in "dvwssr.dll", containing text [?related to
the password?] "Netscape engineers are weenies!".
Anyone can confirm this story ?
Francois Grieu
sources (these URL may be short-lived):
<http://cbs.marketwatch.com/news/current/msft.htx?source=htx/http2_mw>
<http://aolpf.marketwatch.com/source/blq/aolpf/news/current/press_briefin
g.asp>
<http://www.marketwatch.newsalert.com/bin/story?StoryId=CopAxWdicvJa2mtC&
FQ=Microsoft&ED=04/14/2000&Title=Headlines%20for%3A%20Microsoft%0A#Hilite
>
JPeschel
>Disclaimer: I have NOT verified this story, which may be bogus.
>
Why do you think it might be bogus?.
>According to <http://cbs.marketwatch.com>, citing The Wall Street
>Journal, Microsoft has acknowledged the existence of a "backdoor" in one
>of it's consumer web server software. Knowledge of a global password
>would grant [?read-all?] privileges on thousands of deployed web servers.
>
>The backdoor is said to be in "dvwssr.dll", containing text [?related to
>the password?] "Netscape engineers are weenies!".
>
>Anyone can confirm this story ?
Read the WSJ story.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
Francois Grieu
> fgr...@micronet.fr writes:
>> Disclaimer: I have NOT verified this story, which may be bogus.
> Why do you think it might be bogus ?
No particular reason, except my only source is web press,
and I found no mention on the web site of Microsoft (allegedly
aware of the problem since yesterday) or ClientLogic
(allegedly involved in the backdoor's discovery).
> Read the WSJ story
does not appear to be online for free, and the paper
was unavailable at my (French) newspaper agent.
Who said: doubt until you have a proof, then doubt frequently ?
Francois Grieu
An additional reference:
<http://news.cnet.com/news/0-1003-200-1696137.html>
Tim Tyler
: According to <http://cbs.marketwatch.com>, citing The Wall Street
: Journal, Microsoft has acknowledged the existence of a "backdoor" in one
: of it's consumer web server software. Knowledge of a global password
: would grant [?read-all?] privileges on thousands of deployed web servers.
: The backdoor is said to be in "dvwssr.dll", containing text [?related to
: the password?] "Netscape engineers are weenies!".
See also:
http://news.cnet.com/news/0-1003-200-1696137.html?tag=st.ne.1002.thed.1003-200-1696137
--
__________ Lotus Artificial Life http://alife.co.uk/ t...@cryogen.com
|im |yler The Mandala Centre http://mandala.co.uk/ Be good, do good.
Francois Grieu
Disclaimer: I have NOT verified this story, which may be bogus.
According to CBS marketwatch and CNET, both citing The Wall Street
Journal, Steve Lipner (Microsoft's lead program manager on security
issues) has acknowledged the existence of a "backdoor" in one of the
company's web server software. Knowledge of a global password would
grant [?read-all?] privileges on thousands of web servers that use the
Microsoft software.
The backdoor is said to be in "dvwssr.dll", containing text [?related to
the password?] "Netscape engineers are weenies".
I'm seeking first-hand confirmation of the story. I did NOT find it in
the Friday 14th EUROPEAN paper edition of The Wall Street Journal.
Please advise if it is found in the US or electronic edition.
Francois Grieu
Links working at time of writing (some may be short-lived):
<http://news.cnet.com/news/0-1003-200-1696137.html>
<http://cbs.marketwatch.com/news/current/msft.htx>
<http://aolpf.marketwatch.com/source/blq/aolpf/archive/20000414/news/curr
ent/press_briefing.asp>
<http://www.marketwatch.newsalert.com/bin/story?StoryId=CopAxWdicvJa2mtC&
FQ=Microsoft&ED=04/14/2000&Title=Headlines%20for%3A%20Microsoft%0A#Hilite
>
Robert J. Clark
It also has code to test the backdoor.
- Rob
Francois Grieu wrote:
>
> Disclaimer: I have NOT verified this story, which may be bogus.
>
> According to <http://cbs.marketwatch.com>, citing The Wall Street
> Journal, Microsoft has acknowledged the existence of a "backdoor" in one
> of it's consumer web server software. Knowledge of a global password
> would grant [?read-all?] privileges on thousands of deployed web servers.
>
> The backdoor is said to be in "dvwssr.dll", containing text [?related to
> the password?] "Netscape engineers are weenies!".
>
> Anyone can confirm this story ?
>
Adam Durana
wtshaw
Grieu <fgr...@micronet.fr> wrote:
> pes...@aol.commune.org (JPeschel) wrote:
> > fgr...@micronet.fr writes:
> >> Disclaimer: I have NOT verified this story, which may be bogus.
> > Why do you think it might be bogus ?
It has been reported today on CNN. I figure that they tend to check their
stories, but wanting to maintain control and advantage for themselves is
classic Microsoft.
>
> Who said: doubt until you have a proof, then doubt frequently ?
> Francois Grieu
You rang?
--
Doubt until you have proof, then doubt frequently. Descartes
%/^): [|]"! ?=)@~ ;)[]* :@\@} *#~}> ,=+)! .($`\
Jim Gillogly
> I'm seeking first-hand confirmation of the story. I did NOT find it in
> the Friday 14th EUROPEAN paper edition of The Wall Street Journal.
> Please advise if it is found in the US or electronic edition.
OK, here's first-hand confirmation. I did a Web search of dvwssr.dll
and found somebody in France who had a copy of that library on their
Web page. It was last modified 11 Mar 99, over a year ago, so it wasn't
put up there in response to the current flap. I did a "strings" on it,
and among other things it says:
/global.asa
.asp
!seineew era sreenigne epacsteN
HTTP/1.0 404 Object Not Found
XWebScope Source Retriever
Check the third line -- I think this adds any necessary credibility
to the story.
--
Jim Gillogly
24 Astron S.R. 2000, 21:05
12.19.7.2.4, 9 Kan 7 Pop, Eighth Lord of Night
Tim Tyler
: I did a "strings" on [dvwssr.dll], and among other things it says:
: !seineew era sreenigne epacsteN
Check out the subtle method that was used to make sure the string was
not human-readable! ;-)
--
__________ Lotus Artificial Life http://alife.co.uk/ t...@cryogen.com
|im |yler The Mandala Centre http://mandala.co.uk/ UART what UEAT.
David C. Oshel
> Jim Gillogly <j...@acm.org> wrote:
>
> : I did a "strings" on [dvwssr.dll], and among other things it says:
>
> : !seineew era sreenigne epacsteN
>
> Check out the subtle method that was used to make sure the string was
> not human-readable! ;-)
Depends. If the code is assembler sometimes you store a string backwards
for efficiency. Extremely old technique -- you pop the characters off the
stack from just below your return address, so first out is N, last out is !
--
David C. Oshel mailto:dco...@pobox.com
Cedar Rapids, Iowa http://pobox.com/~dcoshel
``Tension, apprehension, and dissension have begun!" - Duffy Wyg&, in Alfred
Bester's _The Demolished Man_
Mok-Kong Shen
>
> Disclaimer: I have NOT verified this story, which may be bogus.
>
> Journal, Microsoft has acknowledged the existence of a "backdoor" in one
> of it's consumer web server software. Knowledge of a global password
> would grant [?read-all?] privileges on thousands of deployed web servers.
I remember that a couple of months back there was an article in
the Computerzeitung claiming the existence of backdoors in
software of Microsoft and a few other manufacturers, albeit
without supporting details. From the fact backdoor was embedded
in the original UNIX code (cf. ACM award lecture) without being
detected, it shouldn't surprise that software not written by
oneself may have backdoors.
M. K. Shen
David A Molnar
> in the original UNIX code (cf. ACM award lecture) without being
> detected, it shouldn't surprise that software not written by
> oneself may have backdoors.
He never actually admitted to placing the backdoor in login...he simply
described in great detail how one would go about doing it.
Thanks, -Dvid
Francois Grieu
> OK, here's first-hand confirmation. I did a Web search of
> !seineew era sreenigne epacsteN
Thanks; we can now take for granted the sentence "Nescape
engineers are weenies!" is embeded in Microsoft's dvwssr.dll
I found Microsoft's statement on the issue at
<http://www.microsoft.com/technet/security/bulletin/ms00-025.asp>
and
<http://www.microsoft.com/technet/security/bulletin/fq00-025.asp>
Microsoft does acknowledge that dvwssr.dll
" uses an obfuscation key to obscure the names of files being
requested by the client from the server "
My understanding is that "Nescape engineers are weenies!" is this
obfuscation key (now the thread starts to be crypto-related :-)
According to a former version (*) of Microsoft's statement
" The vulnerability could allow a user who has privileges
on a web server to read certain files from other web sites
hosted on the same computer "
This qualifies as a backdoor to me, although not the well known
"universal password" (**) kind of backdoor.
Microsoft now documents the issue with dvwssr.dll as a potential
buffer overrun. The report attempts to justify this focus shift:
the buffer overrun issue (found after the original problem)
could allow arbitrary code to be run, which is more dangerous.
IMHO it's a convenient way to no longer describe a security
override introduced by some programmer _deliberately_, which
makes it quite embarrassing.
Francois Grieu
Various related link are at
<http://www.securityfocus.com/templates/archive.pike?list=1>
discussion on the backdoor
<http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.
4.10.10004140728...@eight.wiretrip.net>
problem report on the buffer overrun
<http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-
8&msg=38F7AD47...@core-sdi.com>
(*) first version of Microsoft's statement on the issue
<http://www.securityfocus.com/templates/archive.pike?list=1&msg=D1A11CCE7
8ADD111A35500805FD43F5867C2E3@RED-MSG-04>
(**) for example, circa 1985 the company I then worked for was
selling the "ASCII Express" BBS for the Apple ][, customised for
our 1200/75 bps modem. To our great embarassement, it turned out
the author had put a backdoor in the login code, allowing him
to connect with the highest privileges by supplying some special
login/password.
Lincoln Yeoh
wrote:
>Disclaimer: I have NOT verified this story, which may be bogus.
>
>According to <http://cbs.marketwatch.com>, citing The Wall Street
>Journal, Microsoft has acknowledged the existence of a "backdoor" in one
>of it's consumer web server software. Knowledge of a global password
>would grant [?read-all?] privileges on thousands of deployed web servers.
Apparently the backdoor may affect you if you run a large website which is
shared by lots of independent people. Should not affect you if you're the
only website developer on your own server unless you've misconfigured stuff
;).
http://packetstorm.securify.com/0004-exploits/RFP2K02.txt
http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1108
http://news.cnet.com/news/0-1003-200-1696137.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2543490,00.html
Microsoft is of course trying to deflect things as usual :). They're saying
it's lies all lies. But please delete that file because there's another
problem with it <grin>.
http://www.microsoft.com/misc/data/servervulnerability.htm
Microsoft has been known to present a rather different perspective of
reality.
Go Open Source. It's easier to get the truth from Open Source software
developers. They have nothing to gain from intentionally hiding flaws, and
everything to lose.
Cheerio,
Link.
****************************
Reply to: @Spam to
lyeoh at @peo...@uu.net
pop.jaring.my @
*******************************
Jim Gillogly
You're both mistaken. Thompson's paper described placing the back door
to login in a separate version of the Unix C compiler, not in the original
code nor in any shipping version of it. Thompson confirmed later that he
did indeed perform this experiment, and it spread to another in-house lab
before he blew the gaffe -- it was not merely theoretical. His exposition
has been posted here before.
--
Jim Gillogly
Trewesday, 25 Astron S.R. 2000, 17:14
12.19.7.2.5, 10 Chicchan 8 Pop, Ninth Lord of Night
Roger
> You're both mistaken. Thompson's paper described placing the back door
> to login in a separate version of the Unix C compiler, not in the original
> code nor in any shipping version of it. Thompson confirmed later that he
> did indeed perform this experiment, and it spread to another in-house lab
> before he blew the gaffe -- it was not merely theoretical. His exposition
> has been posted here before.
Here is Thompson's paper.
http://www.cs.umsl.edu/~sanjiv/sys_sec/security/thompson/hack.html
Francois Grieu
> OK, here's first-hand confirmation. I did a Web search of
> dvwssr.dll and [..it contains..]
> !seineew era sreenigne epacsteN
Thanks to this report and a few others, we can now take for
granted the sentence "Nescape engineers are weenies!" is
embedded in Microsoft's dvwssr.dll
I found Microsoft's statement on the issue at
<http://www.microsoft.com/technet/security/bulletin/ms00-025.asp>
and
<http://www.microsoft.com/technet/security/bulletin/fq00-025.asp>
Microsoft does acknowledge that dvwssr.dll
" uses an obfuscation key to obscure the names of files being
requested by the client from the server "
My understanding is that "Nescape engineers are weenies!" is this
obfuscation key (now the thread starts to be crypto-related :-)
It is not entirely clear to me what is allowed by knowing the
obfuscation algorithm and the key, especially since there are
interactions with other file permission mechanisms.
According to a former version (*) of Microsoft's statement
" The vulnerability could allow a user who has privileges
on a web server to read certain files from other web sites
hosted on the same computer "
My best _GUESS_ is that, in order to implement a "link view"
[site map] feature in the web server, a read-all security bypass
was deemed useful, and was implemented with this "security
through obscurity" scheme. This qualifies as a backdoor to me,
although one with limited scope, and not the deliberate
"universal password" (**) kind of backdoor.
Microsoft now documents the issue with dvwssr.dll as a potential
buffer overrun. The report attempts to justify this focus shift:
the buffer overrun issue (found after the original problem)
could allow arbitrary code to be run, which is more dangerous.
IMHO it is a convenient way to no longer describe a security
override introduced by some programmer _deliberately_, which
makes it quite embarrassing.
Francois Grieu
Various related messages are at
<http://www.securityfocus.com/templates/archive.pike?list=1>
Discussion on the backdoor
<http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.
4.10.10004140728...@eight.wiretrip.net>
problem report on the buffer overrun
<http://www.securityfocus.com/templates/archive.pike?list=1&msg=38F7AD47.
6429...@core-sdi.com>
(*) first version of Microsoft's statement on the issue
<http://www.securityfocus.com/templates/archive.pike?list=1&msg=D1A11CCE7
8ADD111A35500805FD43F5867C2E3@RED-MSG-04>
Various related messages [including of the list owner, who admits
he misguided the press with unfounded speculations]
<http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A1=ind0004&L=ntbugtraq
>
(**) for example, circa 1985 the company I then worked for was
selling the "ASCII Express" BBS for the Apple ][, customized for
our 1200/75 bps modem. To our great embarrassment, it turned out
Francois Grieu
The text "Nescape engineers are weenies!" is indeed embedded
[reversed] in the file dvwssr.dll coming with some Microsoft
web server software for Windows 95/98 and NT 4 [not Windows
2000], and reportedly in file mtd2lv.dll coming with some
corresponding web authoring tool.
But contrary to some early press reports, evidence is this
string is NOT a universal password, nor part of such a
deliberate mechanism.
My analysis of Microsoft's statements is
- this string is "an obfuscation key to obscure the names
of files being requested by the client from the server"
while gathering information used to draw a site map.
- knowledge of this algorithm and key only "allows a user
who has privileges on a web server to read certain files
from other web sites hosted on the same computer", and
therefore the vulnerability only affects "customers who
host more than one web site on a server".
Still, it looks like Microsoft has distributed a product
[reportedly acquired from another company] relying
deliberately on obscurity for some of it's security features,
a bad professional practice.
Microsoft statements on dvwssr.dll issues are at
<http://www.microsoft.com/technet/security/bulletin/ms00-025.asp>
and
<http://www.microsoft.com/technet/security/bulletin/fq00-025.asp>
Understandably, the focus is on another vulnerability:
a subsequently discovered potential for a buffer overrun,
which can lead to a denial of service attack, or conceivably
[IMHO assuming the attacker is immensely clever and lucky]
to arbitrary code being run.
Francois Grieu
Jim Gillogly
> The text "Nescape engineers are weenies!" is indeed embedded
> [reversed] in the file dvwssr.dll coming with some Microsoft
> web server software for Windows 95/98 and NT 4 [not Windows
> 2000], and reportedly in file mtd2lv.dll coming with some
> corresponding web authoring tool.
> But contrary to some early press reports, evidence is this
> string is NOT a universal password, nor part of such a
> deliberate mechanism.
The analyst who reported the problem (Rain Forest Puppy) did
not say it was a universal password, if by that you mean something
like the trojanized FTP of a few years ago that had a root access
password built in. However, it was obviously deliberate. See
http://packetstorm.securify.com/0004-exploits/RFP2K02.txt for
the actual claims of the analysts who investigated this back door.
> My analysis of Microsoft's statements is
> - this string is "an obfuscation key to obscure the names
> of files being requested by the client from the server"
> while gathering information used to draw a site map.
> - knowledge of this algorithm and key only "allows a user
> who has privileges on a web server to read certain files
> from other web sites hosted on the same computer", and
> therefore the vulnerability only affects "customers who
> host more than one web site on a server".
>
> Still, it looks like Microsoft has distributed a product
> [reportedly acquired from another company] relying
> deliberately on obscurity for some of it's security features,
> a bad professional practice.
More than that: it fits the classical definition of a back door.
The insiders who placed this back door can access more information
than they're entitled to by using the password they left in there.
To bring back a little sci.crypt relevance, the URL above describes
the weak encryption algorithm used to obscure passwords (which he
calls the "weenie" algorithm).
> Microsoft statements on dvwssr.dll issues are at
> <http://www.microsoft.com/technet/security/bulletin/ms00-025.asp>
> and
> <http://www.microsoft.com/technet/security/bulletin/fq00-025.asp>
> Understandably, the focus is on another vulnerability:
> a subsequently discovered potential for a buffer overrun,
> which can lead to a denial of service attack, or conceivably
> [IMHO assuming the attacker is immensely clever and lucky]
> to arbitrary code being run.
Regardless of precisely which magical powers the back door gives,
it <is> a back door put into offical Microsoft code by official
Microsoft (weenie) engineers.
--
Jim Gillogly
Hevensday, 26 Astron S.R. 2000, 18:07
12.19.7.2.6, 11 Cimi 9 Pop, First Lord of Night
Roger
> Regardless of precisely which magical powers the back door gives,
> it <is> a back door put into offical Microsoft code by official
> Microsoft (weenie) engineers.
And presumably MS will use source code control logs to find
the guilty party, and fire him.
No doubt this incident will be used to support the thesis
that open source software is the only way to get security.
Jim Gillogly
> No doubt this incident will be used to support the thesis
> that open source software is the only way to get security.
It demonstrates yet again that you can't trust closed source
software even if it's from a large company. You can't trust
open source software blindly either, but at least you have an
opportunity to try to verify pieces of it.
However, even if Win2K were open source <I> wouldn't be very
interested in doing a thorough code review on even the 63,000
bugs they've admitted in a leaked internal memo, much less the
entire bloated 29 million lines of code. Heck, I wouldn't even
read through the one or two million lines of code in Linux (or
whatever the number is)... but I certainly do pull out the
Linux code and study whatever portion of it is important to
what I'm doing at the time.
You have a different take on this? Do you claim closed source
software is inherently as secure as, or more secure than open
source?
We see this in sci.crypt and the rest of the crypto world all
the time: a company develops a cryptosystem or protocol in
private, and as soon as it's exposed to the air it crumbles.
This stuff is difficult, and doing it in a vacuum is foolish.
--
Jim Gillogly
Hevensday, 26 Astron S.R. 2000, 20:13
Mok-Kong Shen
>
> It demonstrates yet again that you can't trust closed source
> software even if it's from a large company. You can't trust
> open source software blindly either, but at least you have an
> opportunity to try to verify pieces of it.
>
> However, even if Win2K were open source <I> wouldn't be very
> interested in doing a thorough code review on even the 63,000
> bugs they've admitted in a leaked internal memo, much less the
> entire bloated 29 million lines of code. Heck, I wouldn't even
> read through the one or two million lines of code in Linux (or
> whatever the number is)... but I certainly do pull out the
> Linux code and study whatever portion of it is important to
> what I'm doing at the time.
How about having software certification by some official bodies?
To my knowledge, compilers of some programming languages could be
certified at some centres.
M. K. Shen
Francois Grieu
> More than that: it fits the classical definition of a back door.
> The insiders who placed this back door can access more information
> than they're entitled to
Yes. Despite Microsoft denials (*), the word "backdoor" does
applies IMHO.
> by using the password they left in there.
It's not really a "password" I believe. It is the key of an
encryption scheme, which makes some difference. The intend was
apparently to rush a feature to the market quickly, rather than
leave an open access to a selected few.
BTW: how would you define "weenies" ? It is not in my dictionary.
Francois Grieu
(*) from
<http://www.microsoft.com/technet/security/bulletin/fq00-025.asp>
Q: I heard that Dvwssr.dll provides a "back door" into a web site.
Is this true?
A: No. A "back door" is a means by which a user who knows a
password or some other secret information can bypass access
control checking. Dvwssr.dll does not provide a way to do this.
Francois Grieu
> More than that: it fits the classical definition of a back door.
> The insiders who placed this back door can access more information
> than they're entitled to
Yes. Despite Microsoft denials (*), the word "backdoor" does
apply IMHO.
> by using the password they left in there.
It is not really a "password" I believe. It is the key of an
encryption scheme, which makes some difference. The intend was
apparently to rush a feature to the market, rather than leave
Trevor L. Jackson, III
Perhaps we should characterize this as a zero-length key.
Jerry Coffin
says...
[ ... ]
> How about having software certification by some official bodies?
> To my knowledge, compilers of some programming languages could be
> certified at some centres.
I doubt this would work nearly as well with security products as with
compilers. The difference is fairly fundamental: with a compiler you
have a well defined set of inputs that should be accepted, another
(usually somewhat less defined) set that should be rejected, a
reasonable definition of what a particular program should do, and so
on.
With security, things are a lot more wide-open. If you start with a
VERY small part of it that's well-defined, you can at least get
somewhere. For example, certifying that a particular product has a
correct implementation of SSL 3.0 or L2TP is probably possible.
Likewise, it would be quite easy to certify that a particular
implementation of an algorithm correctly encrypted/decrypted some set
of test vectors.
By itself those doesn't mean much though: if you can bypass the
encryption, it doesn't make much difference whether it was
implemented correctly. A spec like SSL defines a framework within
which it might be possible to produce a secure product, but a correct
implementation doesn't gurantee anything of the sort -- e.g. see the
Counterpane writeup on their cryptanalysis of MS's VPN code. The
code met the spec. The spec is good enough that a product CAN
implement it and (at least AFAIK) be reasonably secure. For better
or worse, it's quite apparently also possible to implement the spec,
and still have a terribly insecure product.
I doubt this is going to change anytime soon either: it's simply
impossible for anybody writing a spec to foresee all the says in
which a weenie might screw things up.
--
Later,
Jerry.
The universe is a figment of its own imagination.
Mike Rosing
>
> BTW: how would you define "weenies" ? It is not in my dictionary.
weak, small, wimpy and just a general "disrepectful" term, but mild.
Mostly used by children aged 9-12. But obviously, not alwasy :-)
Patience, persistence, truth,
Dr. mike
Mok-Kong Shen
>
> I doubt this is going to change anytime soon either: it's simply
> impossible for anybody writing a spec to foresee all the says in
> which a weenie might screw things up.
I have less concrete information than about compilers, but to
my knowledge there are operating systems that have acquired
certificates of attaining certain security levels. I mean, if
some software has been similarly certified to be o.k. and later
found to contain backdoors, then the official body examining that
would be responsible.
M. K. Shen
Mok-Kong Shen
>
> Understandably, the focus is on another vulnerability:
> a subsequently discovered potential for a buffer overrun,
> which can lead to a denial of service attack, or conceivably
> [IMHO assuming the attacker is immensely clever and lucky]
> to arbitrary code being run.
I have never studied the details of any hacks that exploit
buffer overflows, but I remember that more than a decade
ago the problem was already known to be one of the security
holes of some components of the UNIX system of that time.
Can buffer overflow remain today an excusable software flaw
in security relavant software? Where are the scientific
advances in software quality control during all these years?
M. K. Shen
Pred.
Files\Common Files\Microsoft Shared\MSDesigners98\MDT2LV.DLL containing
the "weenies" text in reverse. Looking at the exports, it contains a
function called VSetActiveSite. I wonder what it does...
Has anybody tried to search the string in Unicode format? That could be
rather interesting!
In article <fgrieu-F4DA0F....@news.wanadoo.fr>,
Francois Grieu <fgr...@micronet.fr> wrote:
> I'm glad I started the thread with a disclaimer.
>
> The text "Nescape engineers are weenies!" is indeed embedded
> [reversed] in the file dvwssr.dll coming with some Microsoft
> web server software for Windows 95/98 and NT 4 [not Windows
> 2000], and reportedly in file mtd2lv.dll coming with some
> corresponding web authoring tool.
> But contrary to some early press reports, evidence is this
> string is NOT a universal password, nor part of such a
> deliberate mechanism.
> My analysis of Microsoft's statements is
> - this string is "an obfuscation key to obscure the names
> of files being requested by the client from the server"
> while gathering information used to draw a site map.
> - knowledge of this algorithm and key only "allows a user
> who has privileges on a web server to read certain files
> from other web sites hosted on the same computer", and
> therefore the vulnerability only affects "customers who
> host more than one web site on a server".
>
> Still, it looks like Microsoft has distributed a product
> [reportedly acquired from another company] relying
> deliberately on obscurity for some of it's security features,
> a bad professional practice.
>
> Microsoft statements on dvwssr.dll issues are at
> <http://www.microsoft.com/technet/security/bulletin/ms00-025.asp>
> and
> <http://www.microsoft.com/technet/security/bulletin/fq00-025.asp>
> Understandably, the focus is on another vulnerability:
> a subsequently discovered potential for a buffer overrun,
> which can lead to a denial of service attack, or conceivably
> [IMHO assuming the attacker is immensely clever and lucky]
> to arbitrary code being run.
>
> Francois Grieu
>
--
Thanks,
- Pred.
Sent via Deja.com http://www.deja.com/
Before you buy.
Jerry Coffin
says...
[ ... ]
> I have less concrete information than about compilers, but to
> my knowledge there are operating systems that have acquired
> certificates of attaining certain security levels. I mean, if
> some software has been similarly certified to be o.k. and later
> found to contain backdoors, then the official body examining that
> would be responsible.
Yes, there are certifications of security levels, but you need to
read what they're certifying before you put too much faith in them.
At least the normal Orange Book classifications don't guarantee much:
they're more about the fundamental design than the real security of
the system.
Just for example, here's what the NSA says it will do when testing a
system for C2 level security:
2.2.3.2.1 Security Testing
The security mechanisms of the ADP system shall be tested
and found to work as claimed in the system documentation.
Testing shall be done to assure that there are no obvious
ways for an unauthorized user to bypass or otherwise
defeat the security protection mechanisms of the TCB.
Testing shall also include a search for obvious flaws that
would allow violation of resource isolation, or that
would permit unauthorized access to the audit or
authentication data. (See the Security Testing
guidelines.)
Take particular note of the fact that all of this is looking only for
_obvious_ flaws.
As the security level goes up, there are greater requirements placed
on the architecture and the testing becomes more stringent as well.
For example at the B1 level, testing is described as follows:
3.1.3.2.1 Security Testing
The security mechanisms of the ADP system shall be tested
and found to work as claimed in the system documentation.
A team of individuals who thoroughly understand the
specific implementation of the TCB shall subject its
design documentation, source code, and object code to
thorough analysis and testing. Their objectives shall
be: to uncover all design and implementation flaws that
would permit a subject external to the TCB to read,
change, or delete data normally denied under the
mandatory or discretionary security policy enforced by
the TCB; as well as to assure that no subject (without
authorization to do so) is able to cause the TCB to enter
a state such that it is unable to respond to
communications initiated by other users. All
discovered flaws shall be removed or neutralized and
the TCB retested to demonstrate that they
have been eliminated and that new flaws have not been
introduced. (See the Security Testing Guidelines.)
This is clearly a MUCH more serious level of testing than at the C2
level. The wording is still such that I doubt you could hold anybody
responsible if it fails in some area though -- it says "their
objective shall be" to disover all the problems, but doesn't say they
will necessarily achieve that objective. In fairness, I don't think
there's any way you can really expect anybody to completely achieve
such an objective.
As the security level goes still higher, the requirements go up even
more. Even though I've said I don't think absolute assurances of
security are possible, I have to admit that I'd be somewhat surprised
to see a major break in an A1 system. At the same time I feel
obliged to point that out that a system that even TRIES to meet the
criteria for B1 or above not only can be, but in fact WILL be a major
pain to use for most purposes.
NIST has initiated a different set of tests and such that try to be
oriented more toward commercial use rather than the primarily
military orientation of the NSA orange book. I haven't had a chance
to look through that too carefully, but my guess is that it might at
least come closer to what you're thinking about.
Even with that, system administration is still almost certainly going
to be the single most important thing involved in achieving any kind
of security though.
Jim Gillogly
> I have never studied the details of any hacks that exploit
> buffer overflows, but I remember that more than a decade
> ago the problem was already known to be one of the security
> holes of some components of the UNIX system of that time.
Quite right -- and also of other operating systems and applications.
> Can buffer overflow remain today an excusable software flaw
> in security relavant software? Where are the scientific
> advances in software quality control during all these years?
Sacrificed to the expediencies of marketing. You don't make sales
by fixing bugs: you make sales by adding features. Customers
forgive all the problems immediately, if they even pay attention
to the news reports on them -- the weak password encryption, back
doors, buffer overruns in browsers and active mail, etc. If the
customers are satisfied to reboot their systems after the daily
blue-screen, fixing bugs is not a high priority. The priority
becomes half-supporting the latest whiz-bang graphics card or
sound card. If the customers are satisfied to be told to reboot
as the first item on the list from tech support, they deserve
what they've bought -- and they deserve it doubly if they buy the
upgrade.
--
Jim Gillogly
Mersday, 27 Astron S.R. 2000, 21:12
12.19.7.2.7, 12 Manik 10 Pop, Second Lord of Night
Jonathan Thornburg
David A Molnar <dmo...@fas.harvard.edu> wrote
(about Ken Thompson's infamous login.c self-replicating backdoor):
>He never actually admitted to placing the backdoor in login...he simply
>described in great detail how one would go about doing it.
First of all, for anyone who hasn't read it, Ken Thompson's Turing
Award lecture "Reflections on Trusting Trust" (which describes this
(in)famous episode) is a "must read" for computer security people.
It appeared in Communications of the ACM for September 1995, and is
online at both
http://www.acm.org/classics/sep95/
and
http://www.cs.umsl.edu/~sanjiv/sys_sec/security/thompson/hack.html
Second, let's get the historical facts straight: He did indeed place
the backdoor, and it successfully caught another Bell Labs group. But
the compiler was never released outside. See message
From: j...@news.IntNet.net (Jay Ashworth)
Newsgroups: alt.sys.pdp10,alt.folklore.computers,comp.lang.lisp,alt.os.multics
Subject: The Thompson Login Trojan: The REAL Story
Date: 30 Apr 1995 01:11:47 -0400
Organization: Intelligence Network Online, Inc.
Lines: 84
Message-ID: <3nv66j$b...@xcalibur.IntNet.net>
also reposted in message
From: k...@linux.stevens-tech.edu (Kurt M. Hockenbury)
Newsgroups: comp.security.unix
Subject: Re: UNIX Download Policy?
Date: 19 Jun 1996 23:45:49 GMT
Organization: Stevens Institute of Technology
Lines: 125
Message-ID: <4qa3fd$8...@apocalypse.dmi.stevens-tech.edu>
Quoting from the former posting (by Jay Ashworth):
It occured to me last week that k...@research.att.com is _still_ a valid
address, 25 years later... so I asked. Here, from Ken himself, is the
Real Story<tm>:
) From k...@plan9.att.com Sun Apr 23 14:42 EDT 1995
) Received: from plan9.att.com by IntNet.net (5.x/SMI-SVR4)
) id AA19375; Sun, 23 Apr 1995 14:42:51 -0400
) Message-Id: <9504231842.AA19375@ IntNet.net>
) From: k...@plan9.att.com
) To: j...@IntNet.net
) Date: Sun, 23 Apr 1995 14:39:39 EDT
) Content-Type: text
) Content-Length: 928
) Status: RO
)
) thanks for the info. i had not seen
) that newsgroup. after you pointed it
) out, i looked up the discussion.
)
) writing to news just causes more
) misunderstandings in the future. there
) is no way to win.
[ note: I asked him if he minded my posting the reply, he had no objection ]
) fyi: the self reproducing cpp was
) installed on OUR machine and we
) enticed the "unix support group"
) (precursor to usl) to pick it up
) from us by advertising some
) non-backward compatible feature.
) that meant they had to get the
) binary and source since the source
) would not compile on their binaries.
)
) they installed it and in a month or
) so, the login command got the trojan
) hourse. later someone there noticed
) something funny in the symbol table
) of cpp and were digging into the
) object to find out what it was. at
) some point, they compiled -S and
) assembled the output. that broke
) the self-reproducer since it was
) disabled on -S. some months later
) the login trojan hourse also went
) away.
)
) the compiler was never released
) outside.
)
) ken
Everyone: please save this post, so the next time the question comes up,
you can just go look. :-)
--
-- Jonathan Thornburg <jth...@galileo.thp.univie.ac.at>
http://www.thp.univie.ac.at/~jthorn/home.html
Universitaet Wien (Vienna, Austria) / Institut fuer Theoretische Physik
"Stock prices have reached what looks like a permanently high plateau"
-- noted economist Irving Fisher, 15 October 1929
Diet NSA
In article <fgrieu-
F95A2F.133...@news.cybercab
le.fr>, Francois Grieu <
fgr...@micronet.fr> wrote:
>Jim Gillogly <j...@acm.org> wrote:
>> More than that: it fits the classical definition of a back
door.
>> The insiders who placed this back door can access more
information
>> than they're entitled to
>
>Yes. Despite Microsoft denials (*), the word "backdoor" does
>apply IMHO.
>
>
>> by using the password they left in there.
>
>It is not really a "password" I believe. It is the key of an
>encryption scheme, which makes some difference. The intend was
>apparently to rush a feature to the market, rather than leave
>an open access to a selected few.
>
>
Y'all might want to take a look at this
recent & brief news article entitled
"Gates and Gerstner Helped NSA Snoop"
which discusses the _NSAKEY, etc. The
article is near the bottom of this page:
"I feel like there's a constant Cuban Missile Crisis in my pants."
- President Clinton commenting on the Elian Gonzalez situation
-----------------------------------------------------------------------
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
Diet NSA
In article <004baf42.360c0b25@usw-
ex0102-014.remarq.com>, Diet NSA <
Sorry, I meant to say that the article is
near the bottom of the initial hyperlinked
entries, i.e., in the "offsite" section.
Douglas A. Gwyn
> Y'all might want to take a look at this
> recent & brief news article entitled
> "Gates and Gerstner Helped NSA Snoop"
> which discusses the _NSAKEY, etc.
We already thoroughly discussed and debunked that.
Diet NSA
In article <38FD157C...@null.net>,
"Douglas A. Gwyn" <DAG...@null.net>
wrote:
Actually, this forum has *never*
discussed the comments made by
Congressman Curt Weldon. You seem to be
in an awful hurry to "debunk" certain
kinds of claims. *If* you are helping the
Feds or Military as some type of
disinformer (even voluntarily on your own
time) you might not want to be too
obvious about it.
"Weldon disclosed that high level deal-
making on access to encrypted data had
taken place between the NSA and IBM and
Microsoft".
(Like the above string in dvwssr.dll, I
personally don't see any important
evidence that the NSAKEY is any kind of a
significant backdoor.)
There are some Europeans who want to
form a committee to investigate these
type of claims and also how Echelon may
have been used. The CIA and NSA are
opposed to the formation of this
committee and the Europeans involved
seem naive to believe that they can
uncover anything significant
through official channels. Anyways, the
above article I mentioned is now
available at:
http://www.theregister.co.uk/000412-
000020.html
Tim Tyler
: Can buffer overflow remain today an excusable software flaw
: in security relavant software? Where are the scientific
: advances in software quality control during all these years?
Buffer over-runs are *much* harder to shoot yourself in the foot with
when using modern languages with bounds checking on array and string
access, and constraints on use of pointers, i.e. languages such as Java.
--
__________ Lotus Artificial Life http://alife.co.uk/ t...@cryogen.com
|im |yler The Mandala Centre http://mandala.co.uk/ Be good, do good.
Douglas A. Gwyn
> Buffer over-runs are *much* harder to shoot yourself in the foot with
> when using modern languages with bounds checking on array and string
> access, and constraints on use of pointers, i.e. languages such as Java.
Relying on the language itself to solve quality problems has proven
to be foolish. Sloppy programming in Java can produce the same kinds
of security holes as sloppy programming in C or any other language.
For example, consider a UTF-8 input acceptor, such as might be used
on text streams sent over the Internet. A naive implementation
might check for / path delimiters and 0-byte terminators directly in
the UTF-8 encoding, which in theory works fine, but if conversion to
internal (e.g. Unicode) values is done the "obvious" way, /s and 0s
can be snuck into the stream by a malicious transmitter, using a
subset of UTF-8 codes that were intended only for values outside the
ASCII range. Hackers think of these things and know how to exploit
such oversights to perform unauthorized actions.
Reliability and security have to be built into software by *thinking*
carefully about the issues *as the software is designed and written*.
Automation plays a relatively small role in this.