Date:      Wed, 12 Aug 98 12:46:42 -0500
From:      Pat Parrinello <pparri@crossfields.com>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: UDP port 31337 
Message-ID:  <199808121753.MAA01337@anne.crossfields.com>

Larry Kink Live!

  Good morning Mr. Gates.

Bill:  "Microsoft takes security seriously!"

Larry Kink: Is that why you rip off every programmer you can?

Bill:  Of course, once I've... uh.. we, Microsoft has control
of every piece of software in the universe our only
concern will be package design.

Larry Kink: You did see Elvis then. I knew he was alive,
but why did he change his name to Steve Jobs?

(Commercial): Your network is safe with NT servers.
====================================================

On July 21, a self-described hacker group known as the Cult of
the Dead Cow released a tool called BackOrifice, and suggested that
Windows users were at risk from unauthorized attacks.

Actually, we released it on August 3rd.
Incidentally, it's been downloaded at least 35,000 times as of
11:55pm, August 7th.

Microsoft takes security seriously, and has issued this bulletin to
advise customers that Windows95 and Windows98 users following safe
computing practices are not at risk...

This is simply false.  Our view is no degree of "safe computing
practices" can compensate for the security bugs and lack of functionality
in Windows95 & 98.

...and WindowsNT users are not threatened in any way by this tool.

For the present.  But remember that the tool has been around for less
than a week.

The Claims About BackOrifice

According to its creators, BackOrifice is "a self-contained,
self-installing utility which allows the user to control and
monitor computers running the Windows operating system over a network".
The authors claim that the program can be used to remotely control a
Windows computer, read everything that the user types at the
keyboard, capture images that are displayed on the monitor, upload and
download files remotely, and redirect information to a remote internet
site.

Back Orifice does not do anything that the Windows95/98 operating
system was not intended to do.  It does not take advantage of any
bugs in the operating system or use any undocumented or internal APIs.
It uses documented calls built into Windows to do such things as:

- Reveal all cached passwords.  This includes passwords for web
  sites, dialup connections, network drives and printers, and the
  passwords of any application that stores user passwords in the
  operating system.
  (This Windows feature was implemented apparently so the user
  won't be inconvenienced by having to remember his
  passwords every time he uses his computer.)

- Create shares hidden to the user and list the passwords of existing
  shares.

- Make itself mostly invisible.  Back Orifice does not appear in
  the control-alt-delete list of running programs, and can only be
  killed by a low level process viewer which Windows95 does not ship with.
  To their credit, Windows98 does ship with a process viewer, but it
  is not installed by default.

The Truth About BackOrifice

BackOrifice does not expose or exploit any security issue with
the Windows platform or the BackOffice suite of products.

Back Orifice has nothing to do, at all, with the Back Office
suite.  In fact, the Back Office suite only runs on NT, which isn't even
supported by Back Orifice yet.  Apples and Oranges.

BackOrifice does not compromise the security of a Windows
network.

cDc would like to know where exactly Microsoft is getting its
definition of 'compromise the security'.

Instead, it relies on the user to install it...

Back Orifice does not rely on the user to install it.  To install
it, it simply needs to be run.  Thanks to some actual exploits, there
are several ways a program could be run on a windows computer, not
only without the user's approval, but without the user's
knowledge.

...and, once installed, has only the rights and
privileges that the user has on the computer.

This is correct.  Once installed, Back Orifice can only do what
the user sitting at the computer could do, if he has programs that do
everything that Back Orifice does.  This includes:

- seeing what's on the screen
- seeing what's typed into the keyboard
- installing software
- uninstalling software
- rebooting the computer
- viewing stored passwords
- viewing and editing the system registry
- connecting and disconnecting the machine to other network hosts
- using anyone's username & password
- running arbitrary plugins or programs, which of course could
  employ any manner of exploit or attack

For a BackOrifice attack to succeed, a chain of very specific
events must happen:

The user must deliberately install, or be tricked
into installing the program.

Not at all.  Thanks to various security bugs and common
system misconfigurations, there are often ways
to deliver and execute arbitrary code on a Windows machine.
Even lacking such an exploit, it's easy enough to provide the average
Windows user a reason for downloading & installing programs
from untrusted sources.  It happens all the time.

The attacker must know the user's IP address.

Untrue.  Back Orifice can sweep a range of IP addresses and network
blocks to hunt for installations of its server software.

The attacker must be able to directly address the user's
computer; e.g., there must not be a firewall between the attacker
and the user.

Incorrect.  The mere presence of a firewall or proxy server is not in
itself a complete solution.

For good, reliable protection for Windows machines on the
internet, the cDc can recommend nothing better than a good, properly
configured firewall.  However, a firewall that permits ANY traffic is
still a potential risk.  Back Orifice can communicate over any available
port.  Therefore, if the firewall lets through any UDP packets at all,
two-way communication can be established.  As for file transfers
originating at the remote machine, Back Orifice can use TCP to send
data out through the firewall.

Not to mention the hundreds of thousands of Windows95 and 98 boxes
connected to the internet via a dialed connection through their local
or national ISP.  For mass IP vendors like those, a firewall simply
isn't reasonable.  Most of the internet simply wouldn't be accessible
anymore.
What Does This Mean for Customers Running Windows95 and Windows98?

BackOrifice is unlikely to pose a threat to the vast majority of
Windows95 or Windows98 users, especially those who follow safe
internet computing practices.  Windows95 and Windows98 offer a set of
security features that will in general allow users to safely use
their computers at home or on the Internet.  Like any other program,
BackOrifice must be installed before it can run.  Clearly, users
should prevent this installation by following good practices like not
downloading unsigned executables, and by insulating themselves from
direct connection to the Internet with Proxy Servers and/or firewalls
wherever possible.

cDc remembers a day when PC software was written by anyone who had a
creative idea for a cute, useful, interesting, or even just plain
silly program and being able to share that program with friends who
might also enjoy the program.  It is unfortunate that the only software
we're allowed to run now is written by large companies.  It's a good
thing we can still trust them not to do something unwanted to our
computer!

Generally, computers running Windows95 and Windows98 are not
vulnerable if:

The computer is not connected to the outside world.

Unless someone on the inside wants control of your machine.
Perhaps your employer is using B.O. to keep track of its human
resources.  (As a matter of fact, in most states this would be entirely
legal.)  Or suppose one of your coworkers is just plain nosy.
In these circumstances, it doesn't matter if your computer is on the
internet.

The computer is connected to the Internet through an Internet
service provider that dynamically assigns IP addresses - as the vast
majority of ISPs already do.

Unless the dynamic address assigned is always in the same subnet (as
the vast majority of ISPs do).  In which case, B.O. can scan a range of
IP addresses to find your machine at its new address.

The computer is on a network with a firewall or proxy server between
it and the attacker.

See above ("firewalls").

What Does This Mean For Customers Running WindowsNT?

There is no threat to WindowsNT Workstation or WindowsNT Server
customers; the program does not run on the WindowsNT platform.
BackOrifice's authors don't claim that their product poses any threat
to WindowsNT.  WindowsNT Workstation and Server offer a
comprehensive set of security features that make it the best choice for
business users' mission-critical applications.

Don't go upgrade to WindowsNT just yet.  We will be releasing a
WindowsNT version as soon as we get around to installing that OS.
What Customers Should Do

Customers do not need to take any special precautions against this
program.  However, all of the normal precautions regarding safe
computing apply: Customers should keep their software up to date and
should never install or run software from unknown sources -- this
applies to both software available on the Internet and sent via e-mail.
Reputable software vendors digitally sign their software to verify its
authenticity and safety.  Companies should use the security features
provided by Microsoft products, to prevent the introduction of this and
other malicious software, and should monitor network usage to prevent
insider attacks.

Rather than having to abstain from using non-big company "Reputable
Vendor" software, how about providing some protection?  How about the
ability to monitor and even prevent disk and registry access so people
can run software with confidence, so that even if the author has
malicious intent, the software has become infected with an unknown
virus or trojan, or there is a bug or malfunction, there is no damage it
can do.

Incidentally, Microsoft is also falsely claiming that they tried to
contact us regarding BO.  On the contrary, Microsoft has repeatedly
shown little interest when contacted about security holes in their
products in the past.  In general, they have needed to have their noses
rubbed in it before acknowledging any problems.  cDc issued a
preliminary press release about Back Orifice more than a month before
releasing the software.  A wider-distribution Press Release was issued
on July 21st, more than a week before the demonstration at DefCon VI...
and again, nothing from Microsoft.  Other than issuing silly statements
to the press, among other things calling us irresponsible and comparing
BO to Satan (again, apples and oranges), they have never contacted us.
For over 3 days at Defcon, no one from Microsoft introduced or
identified themselves to us.  Immediately following our presentation,
we were swarmed by the media and the curious... but no one from
Microsoft.
It wasn't until August 4 that Scott Culp, Security Product Manager
for WindowsNT Server contacted us in e-mail:

Date: Tue, 4 Aug 1998 11:41:53 -0700
From: Scott Culp <scottcu@microsoft.com>
To: "'veggie@cultdeadcow.com'" <veggie@cultdeadcow.com>
Subject: BackOrifice

I recently received report of your BackOrifice tool, and would
welcome an opportunity to talk with you about the tool and the
security vulnerabilities you believe it exploits.  Microsoft is
interested in making our products as secure as possible for our
customers, and I'd look forward to talking with you about this issue.

We immediately called him back.  He was interested in learning about
every vulnerability we knew of.  "The biggest one we know of is
Windows95/98 itself," to which he agreed.

Later that same day, Microsoft issued another statement -- this
time mentioning that they had tried to contact us and had gotten
no response.

The goliath doth protest too much, methinks.

The fact remains that Back Orifice is only as dangerous as Microsoft's
security is deficient.
How about a for-instance?  Win95/98 caches frequently-used passwords
in clear-text, which BO has access to.  This often includes passwords
users use for their ISPs.  But if one is to believe the missives which
issue from the Microsoft Marketing Department, ISPs have nothing to
worry about.  Either that or ISPs across the globe should encourage all
their customers to upgrade to NT?

Is Windows95/98 the platform on which you perform 'secure'
transactions?  Is a Windows95/98 platform an endpoint of your corporate
VPN?  If so, maybe you should be worried.

Back Orifice is a Rorschach for Microsoft credibility.  Microsoft's
own official response to us was issued as a marketing bulletin!  Does
anybody else besides cDc find it disturbing that the Marketing
Department is running the show over there?

Oh, never mind.  Forget we ever mentioned it.  Listen to
Microsoft; don't worry, be happy.  Everything will be all right.
Move along, there's nothing to see here.
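Two points in the forwarded response are directly actionable for whoever runs the firewall: Back Orifice can talk over whatever UDP port the firewall lets through (its default is the port in this thread's subject), and it can sweep address ranges to find its servers. The following is an added example, not code from the original post or from cDc, that checks constructed firewall log lines for both patterns; the log layout, the addresses and the sweep thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Log line layout and all addresses below are constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
BO_DEFAULT_PORT = 31337        # the UDP port named in the thread subject
SWEEP_HOST_THRESHOLD = 5       # distinct hosts hit from one source, same port
SWEEP_WINDOW_SECONDS = 60

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # ignore lines in any other layout
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def find_bo_port_hits(lines):
    """(src, dst) pairs for UDP datagrams aimed at the default BO port."""
    return [(r["src"], r["dst"]) for r in map(parse, lines)
            if r and r["proto"] == "UDP" and r["dport"] == BO_DEFAULT_PORT]

def find_udp_sweeps(lines):
    """{src: dport} for sources reaching >= SWEEP_HOST_THRESHOLD distinct hosts
    on one UDP port inside the window; the port itself does not matter."""
    events = defaultdict(list)           # (src, dport) -> [(ts, dst)]
    for r in filter(None, map(parse, lines)):
        if r["proto"] == "UDP":
            events[(r["src"], r["dport"])].append((r["ts"], r["dst"]))
    sweeps = {}
    for (src, dport), evs in events.items():
        evs.sort()                       # sliding window over time order
        for i, (t0, _) in enumerate(evs):
            hosts = {d for t, d in evs[i:] if (t - t0).total_seconds() <= SWEEP_WINDOW_SECONDS}
            if len(hosts) >= SWEEP_HOST_THRESHOLD:
                sweeps[src] = dport
                break
    return sweeps

# Constructed sample: one source sweeps six hosts on 31337, another sweeps five hosts on an arbitrary port, then benign noise.
SAMPLE_LOG = (
    [f"1998-08-12 12:00:{i:02d} DENY UDP 198.51.100.7:1055 -> 192.0.2.{10 + i}:31337" for i in range(6)]
    + [f"1998-08-12 12:01:{i:02d} DENY UDP 203.0.113.5:2001 -> 192.0.2.{30 + i}:4444" for i in range(5)]
    + ["1998-08-12 12:02:00 ACCEPT UDP 192.0.2.50:1400 -> 192.0.2.1:53", "1998-08-12 12:02:05 ACCEPT TCP 192.0.2.50:1401 -> 192.0.2.1:80"]
)
```

The second source is flagged even though it never touches port 31337, which is the response's point that a firewall passing any UDP at all leaves a channel open.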
