Backdoor In Microsoft Web Software? 445
Here are the basic details from the article (expensive reg. req.), because I can't find this story anywhere else. Strange that the WSJ should have the scoop on a security issue.
Microsoft Acknowledges Its Engineers Placed Security Flaw in Some Software
By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNALMicrosoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide. [...]
The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft urged customers to delete the computer file-called "dvwssr.dll"-containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions.
While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files [...]
Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." [...]
And, Black Parrot passed along this link to a CBS Marketwatch story, which is free but short on detail.
Re:Actual report - not as bad as it looked (Score:2)
Much better to go have a look at RFP's post to BugTraq [securityfocus.com].
One other comment is that M$ products frequently have reports of security holes at least as serious as this, and sometimes a lot more so. I guess this just gets the attention because it was engineered in. But, it is certainly not the only backdoor found in software. Here is a nice one here [securityfocus.com].
Parting thought, is anyone going to read this?
Re:haha.. (Score:2)
The crap you omitted was "XWebScope Source Retriever". Maybe it is a string which a client needs to send to microsoft's server to be able to retrieve files? Maybe in combination with the Netscape-weenies string?
I have a feeling that the entire dll is just a tiny "webserver plugin".
The system functions the dll uses are stuff like strcmp, ReadFile, CloseHandle, strlen and so on. Just enough to check for the secret passphrase and send some files. :-)
Re:So what does the file do then? (Score:2)
On the other hand, knowing Microsoft I wouldn't be surprised if the manner in which Visual Interdev support is broken is by the server crashing when a Visual Interdev 1.0 client makes a request for ASP info. This would replace the security hole with a denial of service attack.
----
Re:Don't any of us check these things? (Score:2)
I'm astonished at how big of a deal this seems (Score:2)
This is why I am NOT SURPRISED that Microsoft would put in a really _dumb_ and arrogant backdoor key to their software and maintain it through ALL LEVELS of code checking, on purpose- presumably not because they were really actively planning to be able to break into their own customers' computers anytime they wanted, but 'just in case' they might want or need to do that sometime! I fail to see any other possible reason for this. Conceding that they are not the Illuminati or competing with the NSA- the only possible conclusion is that right to the highest levels, Microsoft wanted to leave their options open about someday _becoming_ like that, and so hubris leads them to stick really _stupid_ backdoors in, correctly assuming that their customers would not figure even this out (it's been how many years to figure this one out?)
The thing is, I am not surprised, so I am startled and astonished when this is suddenly getting so much attention. To me it's just another Bugtraq 'issue' because I already _thought_ Microsoft wanted to supplant the government and lay the groundwork for surveilllance and remote control of its own customers. It's old news to me- though this feeling of mine was based on intuition, as I'll happily admit, so there was no real evidence, as I would also admit.
Now there is- it's a 'smoking gun' type of revelation- and while for me it's an 'Ah, I thought so', for many people it's like waking up and realising their mother is not their mother, like she is a bloodsucking Arcturan weasel in a cheap mask. I can sympathise with their shock to some extent even though I never had much patience with their pathetic trustingness in the first place. Sorry guys. New rules.
Re:If it were open source ... (Score:2)
...phil
Re:What took so long? (Score:2)
...phil
Re:Backdoors in "secure software" (Score:2)
If you want to create a second way in, man, go ahead. Write a CGI script to exec sshd or something. But you don't need the maintainers of Apache to do that for you; you don't need that capability hidden from you; and you sure as hell don't need that capability being discovered in someone else's system on the other side of the globe and then exploited in yours while you are taking your first holiday in 2 years...
Backdoors, done properly, have their place. That place is not implemented unknowingly in thousands and thousands of installations worldwide where such a backdoor would be wholly unsuitable anyway.
Make no mistake. Whatever this is, it's not a feature.
Dave
(Still using mozilla 2000041316)
--
"affects almost every web-hosting provider" (Score:2)
Re:Heaven's Gift? -- Nope (Score:2)
Re:Heaven's Gift? (Score:2)
I run Linux at home, several co workers do, the head of ops runs it. I have personally seen linux boxes cracked in 3 seconds. Net BSD seems quite possible though.
Any box that isn't set up properly can be cracked in 3 seconds. Unfortunatly, many distros are not set up correctly. NetBSD is a good choice though.
Re:Backdoors in "secure software" (Score:2)
If, for some reason, the ssh daemon dies, I'm fucked.
If at all possable, I would set the web server up with a serial console to a second system on the site. The second system should also have a relay to trigger the reset line on the server. Nearly all problems that don't require a hardware ficx can then be handled remotely.
There's also the Weasel card that was a story here a while back.
As far as a backdoor goes, A private one that you put there yourself may be a good thing, but a global one that many people know how to access, the odds that you'll have to take a trip to the server increase rather than decrease.
Re:Heaven's Gift? (Score:2)
Which one is going to be cheaper in the long run?
I'd say that Linux/*BSD with Apache is cheaper in the long run. Once set up, Apache is not at all difficult or time intensive to maintain. The same is true of Linux and *BSD. In the real world, I have found that with the same hardware, a Linux system will handle at least 1.5 times the load of an NT system. I don't have much experiance with *BSD, but I understand that it will similarly outperform NT.
The real issue is Frontpage. It is possable to set up Apache with Frontpage, but you are then open to any security flaws it may introduce in it's binary only parts.
As for justifying the money spent on MS licensing: To put it plainly, I cannot think of a justification for that unless some of your customers insist on an NT based server or on features unique to the MS 'solution'.
No, Apache _not_ affected. (Score:2)
Re:Heaven's Gift? -- Nope (Score:2)
I am not assuming this. I specifically stated that people assume this. I have a very good idea how QA general software goes through, but the mass market does not (since they still believe that the product they get is the final, highest quality version). You can mouth off all you want about how much you know, but the fact that Microsoft sells so much product and that everyone uses it tells people in general that they make a good product that everyone can use, thus when they have a screwup, it raises doubts on all of software in general
Re:What took so long? (Score:2)
Unless they're claiming they wrote IIS from scratch now too.
Re:So what does the file do then? (Score:2)
Anyone wanna try strings on FrontPage 2000? (Score:2)
5.01 128 bit english - doesn't work (Score:2)
--
Associated Press (AP) article on this (Score:2)
http:// wire.ap.org/APnews/main.html?FRONTID=TECHNOLOGY&S
Sorry to weasel into a reply to the first comment here...
--
WSJ: Microsoft Acknowledges Security Flaw (Score:2)
Microsoft Corp. acknowledged yesterday that its engineers included in some of its Internet software a secret password ... that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide.
The manager of Microsoft's security-response center, Steve Lipner ... described such a backdoor password as "absolutely against our policy" and a firing offense for the as yet unidentified employees.
Re: (Score:2)
Whoops, forgot some (Score:2)
----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
----------
ironic (Score:2)
Re:Actual report - not as bad as it looked (Score:2)
http://www.wiretrip.net/rfp/p/doc.asp?id=45&ifa
Try it yourself....
See link below -- explanation of the vulnerability (Score:2)
This post (http://slashdot.org/comments.pl?sid=00/04/14/0619 206&cid=540) [slashdot.org] has the information on the vulnerability for those curious to know what the deal is. I shoulda posted it as a reply here to begin with, but am posting this link to it because there probably aren't too many people who will make it down to the 540th post where it got buried. Sorry!
Cheers,
ZicoKnows@hotmail.com
Re:Looks like there never was a backdoor (read bel (Score:2)
"This is a vulnerability because it allows an author on one Web site on a shared server to see anything on another server," said Steve Lipner, manager of Microsoft's Security Response Center. "That's the extent of the vulnerability."
Skepticism is always a healthy thing, but I don't think it's unreasonable to believe that a security hole exists in a Microsoft product when Microsoft says that there is a hole! I mean, do we all have to go install IIS and verify the existence of the hole ourselves to avoid acting "foolish"?
Re:Backdoors in "secure software" as MARKETING (Score:2)
Say due to some "bug" in the software, you get locked out of your mission critical system...
Yup, and if your users don't upgrade as quickly as your marketing plan demands (They lose an entire cycle of revenue and a chink of marketing numbers if you skip from v.1 to v.3)...
and in a couple of year the backdoor might be leaked^h^h^h^h^h^h^h discovered, and many users of your existing products will upgrade. After all, it is the fastest and simplest way to quick-fix this problem (and others that may come later)
Pretty soon, you'll have them trained: BUY THE NEW VERSION ON RELEASE. True, they may not want to install it yet (until the 'gamma testing' is over -- v2.1 or 2.2), but at least they'll have it on hand when v1.x goes up in smoke.
In this case, InterDev 1.0 *requires* the affected DLL (so the MS official fix won't work for InterDev users) and a lot of people will move to Frontpage 2000, when FP 98 (or 97) met their needs quite well until now.
If a licit and deliberate 'front door' password and verification scheme were compromised, MS would clearly be legally liable for failing to protect the password (just as you are liable if you let your corporate password get into the wrong hands) -- but if a "back door" is discovered, then they can blame it on 'evil hackers', even if their own service engineers use it routinely.
BTW, a legal front door would demand that they do more work -- e.g. verify EngineerID by modem to MS HQ or time-varying encryption -- while a back door can be a simple password, since it is never acknowledged. Any company that deliberately uses a password backdoor is guilty of negligence in today's corporate/legal environment. Do they think no service engineer will ever quit or be fired?.
__________
It's in more than one dll (Score:2)
Does anyone know how to exploit it yet, though?
WTF??? (Score:2)
--Shoeboy
Re:Now that's professional... (Score:2)
All code should have code reviews. Where were their code reviews? Who missed this? Did somebody let it go buy?
I'm not surprised so many IIS sites have been hacked. I'm wondering what other gems are in their web server.
Before you think that this problem dosen't effect you, consider the web sites you frequent and buy from.
Re:Down right criminal... (Score:2)
Some fast and lose numbers...
Data from the Netcraft Web Server Survey [netcraft.com]. Of a total of 13,106,190 servers surveyed about 21% are Microsoft based, or 2,742,931 servers (actual March count). Figuring an average of 2 minutes to login and delete each file at an average pay+overhead rate of $50 an hour for the web admins deleting the .dll you get a cost of about $4,571,552 just to delete the files.
Down right criminal... (Score:2)
The more I think about this the more I feel it is down right criminal to stick a backdoor like this into code. This can lead to massive problems for both individuals and businesses that have data stollen. Look at the trouble that was caused to the credit card companies with the stollen credit card number lists from web servers. Add on top of that the fraudlent charges to peoples credit cards. Deliberate backdoors like this and others make it all that much easier for a cracker or script kiddy to break into a system. Who knows if this was the exploit used in any of the previous security breaches. I'd bet that some used it. maby not all, but some.
Ponder this: Would you accept a security system for your house if you knew it could be bypassed by anybody with a standard code?
And here's the rest (Score:2)
skunk:~$
skunk:~$
skunk:~$ wget http://www.sivertsen.com/_vti_bin/_vti_aut/dvwssr
--12:06:28-- http://www.sivertsen.com:80/_vti_bin/_vti_aut/dvw
=> `dvwssr.dll'
Connecting to www.sivertsen.com:80... connected!
HTTP request sent, fetching headers... done.
Length: 6,416 [text/html]
0K ->
12:06:28 (59.11 KB/s) - `dvwssr.dll' saved [6416/6416]
skunk:~$ file dvwssr.dll
dvwssr.dll: MS Windows PE 32-bit Intel 80386 GUI DLL
skunk:~$ strings dvwssr.dll
!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.idata
.rsrc
@.reloc
>%u:
D$4h
D$4j
]_^[
t*;5
D$4j
D$<"
DVWSSR.DLL
DllMain
GetExtensionVersion
HttpExtensionProc
/global.asa
.asp
!seineew era sreenigne epacsteN
HTTP/1.0 404 Object Not Found
XWebScope Source Retriever
_refresh_acls_
Content-type: text/html
KERNEL32.dll
lstrcmpiA
lstrcpynA
CloseHandle
ReadFile
CreateFileA
lstrlenA
lstrcpyA
GetModuleFileNameA
lstrcmpA
1!1-141H1O1
2q2}2
`0d0
dvwssr.dbg
ssr.dll
skunk:~$
Re:Taking a bomb on a plane (Score:2)
Pope
Re:What took so long? (Score:2)
there is a difference. MS portrays itself as professsional, and Linux is seen as a grand experiment. No one expects Linux not to have some rough edges. Being a work in progress is what Linux is all about. But when you pay several hundred dollars for software, it better work. If a Disc from some guy making Linux copies is a flaky, no big thing, but if some MS bug factory software turns your computer into a paper weight, it is a big thing.
It is expectations.
Backdoors go *way* back. (Score:2)
Heck, I used that same sentence as the backdoor into a system I wrote -- but the customers got source and new it was there. (Further and more, you had to be already logged in at a certain privilege level before it'd be recognized.)
There are some occasions where a system needs to provide some way for a "maintenance worker" (or sysadmin) to expose certain inner workings to manipulation -- that's what the root password is all about, right?
Mind, in this case it doesn't apply: you don't keep such a hook secret from the customer, you do give them the option of changing it (with suitable warnings), and Front Page is hardly anything mission critical enough as to require that sort of access to a running system. (Plenty of other ways to access it if so.)
Running 'strings' on that DLL (buried deep within the FrontPage directories) did indeed turn up "!seineew era sreenigne epacsteN". I've found other interesting strings in MS software (eg, a copyright notice from the Regents at UCB in 'ftp.exe'). Might be interesting to run strings on all the W2K stuff, although perhaps they're more careful now about hiding such things (may they rot13'd it.)
Re:Ye gods. (Score:2)
Best case it's just a tease and not really a password at all.
But with MS's recent PR track record, who is going to believe there's not a backdoor even if there isn't? The "NSA key" has been in the news again lately. There's a long flamewar going on in the newsgroups right now.
This could hardly come at a worse time for Microsoft.
--
Re:Heaven's Gift? -- Nope (Score:2)
But no, time and time again they seek to buy something just because it's produced by another company with a facade of competency (and it's not just Microsoft we are talking about here).
Re:Related: A Bug in IIS exposes ASP Source-Code! (Score:2)
I'll try pasting in the fixed URL:
http://www.yoursite.com/null.htw?CiWebHitsFile=/y
Nope,
Spelling.... (Score:2)
There was a space in the URL given - the end should read CiHiliteType=Full
Not "Fill"!!!
Yeah, but... (Score:2)
Ok, sure there's a backdoor in this dll, but what can you do with it? Is it something that can only be accessed from the console? From a webpage somehow? and what rights does the backdoor give you? As funny as I think this is (come on, the fix is "delete the file"?), it remains to be seen just how dangerous the hole really is.
Most persuasive argument for open source (Score:2)
And that's why I'd never trust a piece of Microsoft server software over Apache [apache.org] or Qmail [qmail.org] for example. A lot of Microsoft software is relatively stable now (my win2k install hasnt needed rebooting in a month), but so closed and opaque that there's no way whatsoever to audit or confirm that a million backdoors aren't present. One has been found, how many others?!
Interesting - I wonder if there's more. (Score:2)
No wonder MS doesn't want DOJ to open-source Windows. It would take them years to clear out all the inside-jokes, bad hacks, broken code, and cleartext backdoors. Yeesh.
My thoughts on what I've seen... (Score:2)
Er. Yeah, right. Next?
~Tim
--
You forgot to read the next paragraph (Score:2)
FrontPage does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories that contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FrontPage manipulates content file ACLs to manage run-time security, which is the topic of the next section.
This file can only be reached and executed if you have -AUTHOR- rights to the web. If you are a smart admin, you would be hosting your sites on NTFS partitions and therefore this is not the big risk that they say it is.
The 'password' is probably visible in a sniff, or even encoded in the HTTP POST request to the extensions however you CANNOT execute the dll call it without the permissions.
Re:So what does the file do then? (Score:2)
In this case, you could probably make as many changes as you wanted. Just don't change the length of the string unless you're really really good at changing offsets and entry points. :)
Re:haha.. (Score:2)
Wow. Thankfully, I didn't find the same in the Linux Frontpage extensions. I looked in both version 3.0 for Frontpage 98 and version 4.0 for Frontpage 2000.
I can't tell you how much it drives me nuts to have to load Microsoft software on my Linux web servers. So much so that I don't even trust their setuid wrapper. Each site runs as a dummy user, which owns their files.
Closed code sux. Now, how were DES S boxes picked? (Score:3)
Re:Heaven's Gift? -- Nope (Score:3)
There are scary implications here. When you cannot trust software made by one of the world's largest software companies, what do you do when if[sic] comes to all the little homebrew progams that are available?
This is exactly the mentality that keeps open-source from advancing. As strange as it may seem, the corporate world does not see open-source software go through the same sort of rigorous QA that (they assume) corporate products go through. An event such as this is only going to serve to make people doubt more software in general and that has a negative effect on open-source software which already has to face the FUD about its quality.
No, this isn't Heaven's Gift, it's Satan's Blessing. Too many people see Microsoft as the sort of God of software and when your God fails you, where do you turn? Certainly not to the meek.
AP article on this (Score:3)
http:// wire.ap.org/APnews/main.html?FRONTID=TECHNOLOGY&S
Sorry to weasel into a reply to the first comment here with this...
--
Audio Interview with Rain Forest Puppy (Score:3)
has an audio interview (April 14, 2000) with Rain Forest Puppy who discovered and was able to exploit the backdoor.
Note: Available as an MP3!
Re:actually... (Score:3)
Absolutely. And don't forget to further fortify it by XOR'ing it a few times with a long string of zeroes.
Security through marketing (Score:3)
One of the biggest endightments of proprietary commercial software is the fact that when a problem is doscovered the first people to move into action from the the company concerned are the marketing department, usually in full denial mode.
What users need is an immediate alert that a problem exists, followed by a fulfilled promise to get a technical team on it until its resolved, after which a release will be made ASAP. What they get is 'There is no problem' then 'Ok, theres a problem, but its not that bad' followed belatedly by 'Alright, it was a major issue, but look the fix is here now. Just pay for the upgrade'
With open source the answer might be 'We'll work on it as soon as we can' but at least theres no denial phase.
Usually there are all sorts of get out clauses in software licenses to excuse a company from any liability for problems that bugs might cause, but what about the case where a problem is discovered by the company that could be potentially fincancially damaging to its clients but it refuses to issue notice of the problem in a timely fashion?
ZamZ
Re:Backdoors in "secure software" (Score:3)
Secrets get leaked at a rate proportional to both the number of people who know it and the value of the secret. In the MS case, the secret is potentially known by several thousand MS employees with source code access, and the value of the secret is incredible, since it allows access to thousands if not millions of Web servers. In contrast, passwords rarely leak because they are known by only one person and can only be used to attack one site.
To handle the case of getting locked out of your own system, you use a well-documented, well-protected service entrance. A perfect example is the OS itself, be it NT, Unix, or whatever.
If you lock yourself out of your OS (lost the root password or something), the service entrance is to boot from CD or floppy, which gives you superuser priveleges and allows you to change the superuser password(s). The security of the service entrance is due to teh fact that said devices are physically connected to the machine. That is, you need physical control of the machine, the ability to touch the case, before you can exploit this. And if such a machine needs to be secure, the competent admin will put it under lock and key. We can't protect you against incompetent admins.
If the system you are locked out of is an application rather than an OS, you can build a service entrance that requires superuser priveleges. Since you can always gain superuser priveleges with physical access (see above), no back door is needed.
Don't be too complacent. (Score:3)
On the other hand, I don't think open source is completely immune to this either -- after all, don't they have code reviews at Microsoft? Nothing really prevents a Red Hat engineer from doing something equally stupid. For that matter, the backdoor in question is not necessarily in the official source, is it? It could have been slipped in in binary form.
You can't be absolutely complacent, unless you both compile everything on your system from source and review all the source code before compiling. Even then you can't really be sure without dumping the object code (remember the old Unix password hack built into the C compiler?).
If you consider most root exploits such as the one that came out in bind last year, most of them are bugs. It wouldn't be too hard to deliberately introduce such bugs so they would pass casual inspection. Another proof that whoever did this was an idiot.
Open source's advantages over closed source for security are relative, not absolute. As in bug fixes, things can be disocvered faster and fixed faster.
Just found another story... (Score:3)
Odd? (Score:3)
Questions arise: 1) Why was it there? 2) What will removing it break? and 3) What the heck kind of bugfix is deleting a file in the first place?
"My kernel is panicking on boot!" "Delete
I will never fully understand Microsoft Corp., its methods, or its software.
Microsoft: bringing you yesterday's technology tomorrow.
Could this "discovery" be deliberate? (Score:3)
According to the stories [theregister.co.uk], Frontpage 2000 on Windows 2000 isn't affected.
As The Register puts it, per the link above:
The problem isn't there in Win2k servers with FrontPage 2000 extensions, so an upgrade might be a good idea. But not necessarily to Win2k.
Hrm.
Ok, Windows 2000 isn't jumping off the shelves. Problems are grounding it. So... maybe its time to "leak" a old backdoor, so that people would upgrade to 2000 ASAP?
Granted, those who thought would be saying "What problems will we have there" - but by and large - the people who think aren't running NT (especially for webserving).
(Not an NT bash, BTW. I'm talking about the vast majority of tossed-up NT servers who fill needs, and then massive effort is spent _fixing_ problems, performance, etc, rather than sitting down, building a good solution, and doing it right. (Personal opinion, NT shouldn't be there, but in those cases, some valid cases can be made for NT).
I just... Surely not. Surely this is just a coincidence. But... I've *got* to wonder..
Addison
Uh ... (Score:3)
Not MS policy (Score:3)
Okay, this is a truly bad hole in Microsoft's server software, and one which should never have been there in the first place. And while many people here may scream conspiracy, I don't think that it was. Rather I think this was a case of coders doing something without the knowledge of the designers / policy makers or whatever.
Think about it. Why would Microsoft want this put into their software, when if it was found out, which would be likely, would lead to a massive publicity scandal, and possible legal action? This wouldn't be in their best interests at all, especially given the current events.
Rather, this sounds like the sort of thing coders would do, especially the part about Netscape employees being "weenies". Given that MS employees are loyal to MS, this kind of thing sounds like something they would choose on their own, just because they thought no-one would notice it.
spectacular (Score:3)
!seineew era sreenigne epacsteN
You think they could've, I dunno, ENCRYPTED IT? I mean, its one thing (unscrupulous as it is) to put a backdoor in software, but its just plain stupid to store the p/w in cleartext on every machine that runs frontpage in the world.
Re:If it were open source ... (Score:3)
Re:Down right criminal... (Score:3)
I see stories like this, the NSA scandal, and reading bugtraq, and I just shake my head as to why these people use MS products and smile, feeling all warm and gooshy inside, when they pay enormous amounts of money for something that is proven not to work and is insecure. WTF is going on?
Re:What took so long? (Score:3)
Why was it discovered now? Maybe the recent release of Win 2000 has something to do with it. If I ran a business with NT or '98 this would sure be an incentive for me to buy their new backdoor-free software! Yessire Bob!
What I find odd is that the article says the perpetrator is as yet unknown. Does MS allow anonymous submissions to its core products? That is truely astonishing.
First time for nothing. (Score:3)
Re:Affects "almost every Web-hosting provider." (Score:3)
It is, in fact, this blindness that makes corporatism (a) so evil and (b) so futile in the long run. There are values that are not economic values, and they do have the strength to compete.
If it were open source ... (Score:3)
Can we get a backdoor for Apache? (Score:3)
When the user types "Bill Gates is a fungus covering the streets of the cyber village" to a logged site, the server immediately spawns new processes which scour the Web looking for vulnerable IIS servers.
Upon finding these sites, it does nothing. Why would you need to do anything to a machine that runs (Af)front Page Extensions?! It already suffers from enough code-bloat to make any amount of bandwidth nearly useless.
-L
Actual report - not as bad as it looked (Score:4)
Russ Cooper just posted a more educated summary of the problem to NTBUGTRAQ. It's in the archives at this location [ntbugtraq.com].
It's NOT as bad as first reported. Russ says that his comment that it affects "almost every web hosting provider" was based on the info that it was some sort of Front Page issue. It's not that simple, and it seems that it's only exploitable by users who have already been granted web authoring permissions on the box.
Have fun,
Dave
--
Re:Backdoors in "secure software" (Score:4)
You send a tech to let you back in through a well known and documented procedure that allows full access from the console, a feature you knew about and chose not to disable.
The fact that backdoors can be useful does not excuse one being placed silently in a piece of software that is then marketed as secure. You may approve of having a remote back door; you may believe that the risk is sufficiently small to justify the potential cost savings. That's great. But that is a decision for each customer to make, and not every customer will agree.
Separately, it's my opinion that a common remote backdoor, no matter how well hidden, will turn round and bite you on the arse eventually. This software is too well deployed; too many people are auditing it and probing it. If an engineer puts 100 hours of work into hiding it, it only takes 100 people 1 hour of searching to equal that effort. How before someone makes that discovery? And how long after that before it is widely reported anywhere other than IRC?
Dave
(posted with Mozilla 2000041316 [mozilla.org])
--
Russ Cooper says "NO VULNERABILITY" (Score:4)
From: Windows NTBugtraq Mailing List [NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]
on behalf of Russ [Russ.Cooper@RC.ON.CA]
Sent: Friday, April 14, 2000 12:33 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: DVWSSR.dll Vulnerability in Microsoft IIS 4.0 Web Servers
Ok, here's a breaking update.
Latest reports say that there is
NO VULNERABILITY IN DVWSSR.DLL
Yup, that's right, different again from what I said earlier, and even more
different than what I said yesterday to WSJ.
Please accept that I have followed the story published elsewhere and tried
to keep you abreast of everything I knew. Also appreciate that the amount of
time given to verify and research the claims made by others has been
extremely short. I've had probably 30 interviews today by orgs pressing for
information on the story as the feeding frenzy occurs after the first one
goes to press (WSJ in this case).
MS have had people working on this thing like madmen, trying to verify the
claims and investigate all of the possible pieces of code that may be
affected. As that research progressed, different observations were made and
so the story came out in various stages (with varying levels of
"correctness"). Had they been given a reasonable amount of time to respond,
nobody would have been in a tizzy about anything (i.e. the press would not
have cared to run this story anywhere).
Decide for yourself whether we were better served by (more) immediate
disclosure or not. I've stood where I stand for a reason, despite the
loathing of others for my stance...
In the end, it turns out that unless you actually have permissions for the
file you are requesting, you'll get an error message when you follow the
procedures outlined by RFP in his RFP2K02 advisory.
That said, understand that sites that allow connections by Front Page may
very well provide you with source asp if you request it. BUT THAT WILL
HAPPEN with or without the
across virtual servers on a given box, site leakage or manipulation by
others will always be possible in myriad ways.
>From what I've heard/seen/been told, permissions on the test servers must
have either been non-existent, incorrectly applied, or permissioned the user
across multiple virtual sites (i.e. incorrectly applied).
I had someone claim that they could get into an FP98 site using
"Netscapeengineersareweenies!" as a userID and no password...making them
think it was a backdoor userID. Fact is they could get into the same sites
using "TomDickandHarry" as a userID too. If the permissions aren't set
correctly, anything is possible.
This info may change again before its finalized. It may well be that there
is some way to use this
appear to be this one. On a box where multiple sites have not been
individually permissions, or permissions are lax or non-existent...anyone
permissioned to execute the
to simply open the other sites and manipulate them directly (i.e. no need to
do this junk with the dvwssr.dll)
Finally, to my point out the string not being a password. Elias Levy of
SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly
pointed out that using the term password to apply to that string is not
beyond the realm of understanding. The client component mtd2lv.dll and the
server component dvwssr.dll both need to know this value, and use it
correctly, for communications to work. If you try and talk directly to
dvwssr.dll and don't obfuscate your communication with the correct "key", it
won't understand you. Of course if you don't already have permissions,
knowing this value gets you nothing...hence my observation that its not a
password. Whatever it is, it appears to be meaningless junk text used as
data.
Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)
--
Here's the dealio. (Score:4)
Microsoft has a Security Bulletin [microsoft.com] and a FAQ [microsoft.com] about the problem. Although it's limited, there is a vulnerability -- nothing like those password scenerios that have been bandied about, however.
Quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.
Soooo, this looks like a tremendously smaller problem than everyone originally thought, although there definitely is a vulnerability for the scenario I mentioned above. Corrections welcomed if I munged any of that explanation.
Cheers,
ZicoKnows@hotmail.com
Looks like there never was a backdoor (read below) (Score:4)
This was posted to the NTbugtraq list by Russ, the owner. If true, there are a whole damn lot of Slashdotters who made fools of themselves jumping to conclusions today. That's all I'll say about that, so, on with the post (sorry for the bold, and the entire repost, but it needs to be seen):
======= BEGIN MESSAGE =========
Ok, here's a breaking update.
Latest reports say that there is
NO VULNERABILITY IN DVWSSR.DLL
Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.
Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).
MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).
Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...
In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.
That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the .dll. Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways.
From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).
I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.
This info may change again before its finalized. It may well be that there is some way to use this .dll in a way that's not intended...it just doesn't appear to be this one. On a box where multiple sites have not been individually permissions, or permissions are lax or non-existent...anyone permissioned to execute the .dll in the first place would have the ability to simply open the other sites and manipulate them directly (i.e. no need to do this junk with the dvwssr.dll)
Finally, to my point out the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that its not a password. Whatever it is, it appears to be meaningless junk text used as data.
===== END MESSAGE ======
Cheers,
ZicoKnows@hotmail.com
Re:haha.. (Score:4)
Microsoft Design Tool - Link View
It's installed by Front Page Server Extensions 3.0. 'The FrontPage Extensions manage design-time Web permissions using the underlying security model of the host operating system on the server.'
From MSDN [microsoft.com]
Presumably the magic phrase can override permissions to expose the source code. It's
actually... (Score:4)
And really, it wasn't JUST encrypted backwards, it had a full double-ROT13 encryption applied before that, so even after de-backwardsing it, you still would have to take it through two rounds of ROT13 before it was readable.
Re:actually... (Score:4)
Two rounds of ROT13 is still incredibly weak, though. All the crypto experts recommend at least 16 rounds, and with processors being so fast these says, I usually do 64 rounds.
---
Two Points... (Score:4)
I think this discovery may have much farther-reaching implications that anybody presently realizes.
__________________________________________________ ___
Thus proving... (Score:4)
--
Re:So what does the file do then? (Score:4)
dvwssr.dll is described as a "gatekeeper" for browsing, which would make sense if it is where the backdoor code lies. It is apparently part of the "FrontPage Server Extensions". The table at the link gives the
Oh, and I can't resist this quote from the linked page: One more level and one more way than it was supposed to, eh?
--
(OT) how were DES S boxes picked? (Score:4)
"Not cracked yet" happens to be the acid test for cryptosystems. Anything which has been open to public scrutiny and attack for years without being cracked is more trustworthy than something which has not. DES is losing usefulness because hardware is now fast enough to do brute-force attacks at reasonable cost, but that's something we knew would happen. If you have secrets you need to protect for the ages, you don't use DES anyway. The tradtional way of protecting these things is to use bullets, though the US government is a little bit more sophisticated; to protect some secrets known by a dying CIA director, he was scheduled for neurosurgery which destroyed his speech centers before his scheduled Congressional subcommittee appearance. Not exactly subtle, but clever.
(Is there anyone who doesn't shiver when they think of the stuff like this that spooks do?)
--
Re:Jkatzman (Score:4)
Update: here's another re-run, this time from The Register [theregister.co.uk].
They include an attribution of identification to .rain.forest.puppy, who has, as they state, successfully indentified other NT hacks (most recently problems with RDS). So it seems this problem is probably real.
Shit.
However the code got there... if this didn't get spotted my QA, I am flabbergasted at the incompetence. If this did get spotted and was let through, I am flabbergasted at the unprofessionalism. Either way, MS are going to receive a whole bowlful of flabbergast.
I'd just like to make this point again: what I want from a web server is the ability to read HTTP requests and either read a file or call a CGI script. It should support SSL, and chunked transfer-encoding, and be fast. That is all I need.
I do not want a web server to:
Bloat begets bugs. I just want a simple web server.
--
This comment was brought to you by And Clover.
Heaven's Gift? (Score:4)
This seems as a heaven's gift to me for all those "security through obscurity doesn't work" advocates. We know they're right, but this event - if it is entirely true, and gets headlined in many media - would certainly help management understand that something might be wrong with their perception of how to handle security.
Surely, this event won't mean that suddenly every company will switch to an open source solution, but i firmly believe that this event is one of the many steps that happen in the evolution of perception of software and its uses.
This won't result in a sudden increase in the usage of Linux, FreeBSD or any other open source solution... It's just all matter of evolution...
... If it is solid... I mean, this sounds too good to be true, not?
Anyway, i'm on my way telling my manager "told you so!" :)
So what does the file do then? (Score:4)
Re:First time for nothing. (Score:4)
No way, we'd catch on once we see a Linux box with a blue screen!
Well done (Score:4)
Here's my theory: Not everyone at MS is happy working there, and some may even be friendly to Open Source. Instead of (or just before) leaving the Evil Empire they decide to leave a small present. Once safely out, they tip off a journalist in one of the papers that can hurt MS the most.
If nothing else, this shows a clear hole in MS quality control procedures. If this sort of feelings are common inside MS, they may well be running into more serious problems than anything DOJ can give them...
Re:Backdoors in "secure software" (Score:4)
Re:Now that's professional... (Score:4)
Believe it or not, using Visual Interdev is a pretty standard thing with not UNIX web-dev shops... and to come along and say - "oh yeah, we screwed this up because it was funny" is just insane. I cannot fathom what the programmers at MS are thinking.
And to say that "well, it doesn't affect 2000" is no better. I have to ask at that point, "Why? Did you come up with something even funnier for 2000?"
Eric S. Raymond said just this week that the open source model has one strength that closed source truly lacks, and can never have - peer review. All other "professional" endeavours of this magnitude have it (civil engineering was his example) and those professions are all the better for it.
If there was even one iota of external peer review, this "feature" (and you can't call something that was placed there on purpose a bug) would never have seen the light of day.
Re:I know the phrase... (Score:5)
Risk, Accountability, and Interstate Commerce (Score:5)
Looks like Microsoft solved *that* problem for me, eh?
They'll try to spin it, but there's really no good way to announce that there's a mission critical backdoor distributed in what appears to be an otherwise useless file. Assume the normal best case scenario: Some temp checked in the code on a lark.
So, that basically means some temp that checks in code on a lark can insert a mission critical security hole that will affect hundreds of thousands of businesses and millions of consumers.
Move up the chain. If it was a low grade employee who did it...if it was a small group of humorists angry about their easter egg being quelled...if Bill Gates himself did it and only he knew...worst case scenario, if Microsoft itself has no idea where this came from, but it got there...
Then anyone sufficiently powerful can insert a globally available backdoor.
The only defense? Microsoft was merely building in functionality allowing it to exercise its rights under UCITA to deny service to EULA violating customers(like websites that provide benchmarking statistics!).
Now, I'm no Congressman, but when a company in Washington State is backing state bills that let it shut down a company in New York State, that sure sounds to me like a rather inappropriate regulation of Interstate Commerce. Say what you will about the abuse of federal powers vs. state rights; UCITA's one scheme that would have been used to hold Microsoft's portion of the Internet Economy hostage to a humorously named but cryptographically bare passphrase that any 14 year old with half a brain could find.
If they've got a right to shut down software remotely, they've got a right to put in the backdoor that does it. That's how they were planning to get out of this disaster, which I'm sure they've known about for quite some time.
We need federal protection against those who would sell us malicious code by pushing corrupt state laws through the legislatures. UCITA was born when it failed to pass congressional muster; it failed to pass for a very good reason. In an age when the Interstate Commerce clause has been abused to no end, millions of Americans must now worry about billions of dollars of their money being stolen by anyone running a Microsoft server. The company will put on a valiant show, but while one face is talking customer protection, the other is lobbying as hard as it can to eliminate any rights customers might have against such attacks.
Microsoft is no longer invincible; fighting its legislative agenda is no death sentence. This intentionally released security hole clearly illustrates just what kinds of dangers UCITA opens up to the American consumer, for beyond even the simple analysis that Microsoft could claim this to be their legally protected implementation of a granted right...UCITA also bolsters Microsoft's right to sue whoever even looks for such a security hole, on the basis of a signed away right to reverse engineer.
You can't find the bugs. You can't demand the bugs be removed. You can't even tell anyone about the bugs. If this isn't a restriction of Interstate Commerce--among several other well cherished rights--I don't know what is.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
haha.. (Score:5)
... bunch of crap..
/global.asa
.asp
!seineew era sreenigne epacsteN
HTTP/1.0 404 Object Not Found
.. more crap
see the hidden message? hint.. its backwards.
Re:Windows 98 (Score:5)
"You think that's bad, if you play it forwards it installs Windows NT!"
orlando...
Re:So what does the file do then? (Score:5)
The FrontPage Extensions manage design-time web permissions using the underlying security model of the host operating system on the server. Here we consider only the case where this operating system is Windows NT 4.0 with the NTFS file system.
FP manages administer and author access to a web using the same technique. In the web's root directory, FP creates a directory named _vti_bin. Within this directory it creates two sub-directories, _vti_adm and _vti_aut. Within _vti_adm FP places a file, admin.dll, and within _vti_aut it places two files, author.dll and dvwssr.dll. These DLLs are ISAPI extensions. During design-time, client requests arrive over HTTP at the server and are routed to one of these ISAPI DLLs.
A request to perform an administrative function, for example, change permissions on a web, is handled by that web's admin.dll.
A request to perform an authoring function, for example, open a web, is handled by that web's author.dll.
A request to fetch the source code for an ASP file without processing, for example, to view the links in that file, is handled by that web's dvwssr.dll.
In the request, the client provides credentials that identify the user who is logged in to the client workstation. This user must have read permission (equivalent to read and execute individual permissions) for the DLL handling the request, otherwise the request is denied. Thus FP restricts who may perform a given request by controlling read permission on the directories in _vti_bin. Whenever a change is made to a web's permissions via the Web Permissions dialog box, the FP Extensions on the server modify the ACLs on the directories _vti_adm and _vti_aut in that web's _vti_bin directory accordingly. Note: FP does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories which contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FP manipulates content file ACLs to manage run-time security.
----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
----------
Re:Not MS policy (Score:5)
Perhaps so. But does that make MS look better, or worse?
The MS web documentation (see link in my top-level post) indicates that this file is the "gateway" that decides what incoming HTTP connects are allowed to look at. If a rogue programmer can slip a backdoor into a security module, what else is going on in other parts of the system?
With this landing in the middle of the investigations/accusations of spyware that are now going on in France, the EU, and elsewhere, I suspect that history will refer to this as the Easter Revelation that killed closed source software.
To a French diplomat, it does not matter whether a backdoor was planted by the NSA, Microsoft, or a rogue employee. What matters is whether there are any backdoors in his software at all.
--
Affects "almost every Web-hosting provider." (Score:5)
--
ESR is wrong?? (Score:5)
Closed source development where quality is a focus does have quite a lot of review, by peers, and others. And the whole process (architecture, design, code and test) is fully reviewed in a structured method that ensures that everything is covered, not just the 'gee wizz' bits.
HOWEVER, this is not how Micro$oft and most other 'software houses' work.. It is used by places that truely care about software quality (NASA for instance). I used to work for Motorola developing for safety-critical systems, and peer review was very strong. I was a sysadmin and I was subject to review!
Check out the CMM [cmu.edu] (Capability Maturity Model) from the SEI [cmu.edu]. Compare it with the list of things that most of us consider open source strengths, you might be surprised. If done right, it allows bug free (and I do mean free, as in no signifigent bugs at all!) development.
Just because the likes of Micro$oft cannot be bothered to use this stuff, does not mean that closed source can -never- deliver quality or security. It just costs more.
EZ
-'Press Ctrl + Alt + Delete to log on..'
Windows 98 (Score:5)
--
Ye gods. (Score:5)
The CBS article makes this clearer: it is the IIS FrontPage extensions.
I'm really, really having trouble believeing this.
That Microsoft's developers could be so recklessly dumb as to add a backdoor that will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!), thus playing right into the hands of the open-source-is-good-for-security argument, and no-one at MS noticed it... the mind boggles.
There's nothing up on microsoft.com about it yet either, which also strikes me as strange. Is this really true? If so, it must be the security howler of the year.
I personally can't check if it works as a backdoor, since on the NT web server here I deliberately de-installed all the crap IIS wants you to have (unnecessary script mappings, example sites, web admin, FrontPage extensions...). Contrary to what some sysadmins seem to think, security does not lie in keeping all the Microsoft default settings.
Jesus wept. Prepare for a lot of defaced web sites.
--
This comment was brought to you by And Clover.
Put down the mouse and step away from the keyboard (Score:5)
The plaintext is encrypted by writing it backwards in the
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Heres the offending dll (Score:5)