Slashdot Mirror
Red Hat 'Piranha' Security Risk - And Fix
patrixmyth writes "A default password of "Q" in the standard Red Hat 6.2 installation of the Piranha module opens a Web server to intrusion, according to Internet Security Systems. The problem was discovered during a review of Open Source code, and the fix is already available. Another victory for Open Source!
The MSNBC article is here.
The fix is here, or you could just reset the password yourself for the Piranha module."
Everyone who knows the least bit about computer security knows that default passwords are very bad ideas. They are simply dangerous. I'd like to think that software authors would take that into account and avoid using them. I think it says a lot about how security conscious the folks who wrote Piranha are that they left one in their software (although I know absolutely nothing about these people, so this is not a fair judgement on my part).
I have no idea how Piranha is installed, never having done it myself, but I'd be willing to bet that it's either done with RPM or you compile it from scratch. Either way, I think it would be a much better idea if the program had an actual installation program. It would be nice to have an actual program that asks the users what the password should be and forces them to choose one. RPM is great and all, but it's not the most user friendly of beasts and it encourages people to do stupid things like leave default passwords in their software and assume that the user will change them at a later date. Why don't we address the larger problem and do something to improve program installation under Linux?
People were bashing MS for their so-called security hole. Gee, I wonder why you can't apply the same standard here? Oh, that's right, some /. posters are hypocrites. These same people weren't smart enough to read the various bugtraq and MS alerts about the "peacsteN" hole to realize how minor it was. Heck most machines didn't even have the .dll installed.
/. is stating that a default password issue is a "victory" for Open Source due to how fast it was fixed? HAH! Double-standard. How about fixing the problem, which is having EXPERIENCED AUDITORS check the code, something both MS and Redhat FAILED to do sufficiently. Heck, MS had a fix out just as fast.
Now
Forget Perens and the OSS folks who are simply a bunch of spin doctors and FUD generators as bad as MS is. They aren't doing you favors. Ignore stock prices, because they aren't indicators of quality code. Forget the hype, because it's hurting you, overlooking or making you indifferent to obvious weaknesses in your OS's quality.
Oh, and thank you for supporting security through obscurity Redhat through your lack of auditing abilities. MS's product has been out far longer than yours, yet was discovered later. Both shouldn't have happened, but open source makes it easier to spot and exploit.
Take a clue factor from the BSDs, esp. Open and Free, and review your code, train your coders, and keep your nose clean.
Commercial code is usually tested by the programmer then peer reviewed then formally tested by internal testers and then opened for a beta test to catch hardware specific bugs.
Open source is supposed to make up for the lack of formal internal testing by a really, really good peer review. Looks like that only happens sometimes if at all.
MAN, I wish I had moderator points today.
+1, Insightful-intelligent-well-spoken.
It's nice to see more and more people realizing (and speaking up) that Open Source itself is just a better means to an end, but not itself the better end -- just because code is Open Source doesn't mean it IS superior (except arguably in the political/philosophical sense), just that it's easier to get there.
--
I don't see how a large vulnerability in a very popular piece of software that gets fixed counts as a victory for OSS. A victory is when the problem never arises, and is fixed before the source code is released. "Found during a review of Open Source code"? Security auditing should come as the code is being written - not as an afterthought. It's easier to secure a system up front than to have to duct tape barbed wire all over the outside of it later and hope no one figures out how to get in.
If you want *real* security, check out OpenBSD. OpenBSD's code is always being audited and problems are fixed before the code makes it out the door. If I remember correctly, OpenBSD has not had a security vulnerability posted to BUGTRAQ in over 2 years -- but every day I see a new eMail for a security problem in some GNU software or OS. OpenBSD, as with most of the other free BSD's, has a combined code-base -- all the software for the base system is integrated into one big release, so that it can all be checked for proper interoperability and security. GNU/Linux, however, seems to spread farther apart every day. The kernel, each piece of software, each driver, everything - all of them are 'Open Source' but none of them play nicely with eachother. The distribution vendors then download the software and try to wedge it all into the software box without anything getting out...
Another victory for Open Source?
Try 'Another stumbling block for Open Source'
(note - I've got nothing against GNU/Linux systems. but I know that this will be moderated and I'll have linux lovers eMailing me for a week because the views in here are not those shared by most Slashdot readers...)
-- jason
Don't give them this info - comment out the line in rc.local that reads "cp -f /etc/issue /etc/issue.net" and put some uninformative welcome text into /etc/issue.net.
After reading the su manpage (again!) it does make sense. My apologies for the dumb post.
However, This is the actual output on my slack 3.4 box:
# su -c "/usr/bin/id" nobodyuid=65534(nobody) gid=100(users) groups=100(users)
And on my slack7 box:
# su -c "/usr/bin/id" nobodyuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(d
So it appears that the older versions of su worked a little different. And again, after comparing the two man pages, they are indeed different. *grumble*
# su --versionsu (GNU sh-utils) 1.16
... allows the su -c "command" username, and
# su --versionGNU bash, version 2.03.0(1)-release (i386-slackware-linux-gnu)
Copyright 1998 Free Software Foundation, Inc.
... doesn't. Seems like it is part of bash now, even though it is running as /bin/su. Curious. Thank you for the reply though, at least now I know why I'm an idiot. :-)
Slackware 7 does something even weirder. As root, do this on a slack version (anything but 7):
# su -c "/usr/bin/id" nobodyYou should get an id string for nobody. On slack7, you get root's. No man page explains why, only that the -c should work as shown. And it does on other systems.
For some reason, you must use the shell:
# su - nobody -c "/usr/bin/id"Can anyone explain this??
Wouldn't it be easier to have each of the boxes just use NFS? It seems like an enourmous waste to give them a hard drive anyway, since they're all going to have presumably the same data on them. NFS does have client-side caching you know (well maybe not on Linux, but no one uses Linux for anything serious anyway).
From the MSNBC.com artice - "Rouland said "X-force" researcher Wilson discovered the backdoor during a standard review of Red Hat's Linux source code, which is freely available. The user name and password were embedded in the code."
It appears from this article that having the source was most definitely relevant in this case.
Moderators don't have to browse at any particular level, but they aren't doing the job properly unless they browse at -1.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Anyone running a dictionary attack would probably not be expecting the password to be left as default, but when the attack revealed that it had been, they would no doubt consider the installer of the software clue-impaired and assume that they were attacking a site with almost no security whatsoever and hit it with everything they've got.
I'd think that even worse than being cracked would be being cracked by somebody who stays to do as much damage as possible.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Don't know if anything worthwhile was said in the thread, but the duplicate of this story is here.
/. crew could both be a little more aware of each others' postings AND admit to their mistakes whenever they do mess up (and perhaps express a desire to avoid doing it again, but this would purely be PR to me).
I do think that the
...nobody trusts their security to RedHat.
I'm sure you'll go far with an attitude like that...
BTW, how do you know they "took it aprat"? A thorough security audit of a large application is not something that Redhat does regularly (join the Linux Security mailing list for that sort of thing), so I suspect that someone doing a quick check found it. I mean, anything like a default password is going to scream "security hole!!!!" to even the most cursory examination, while buffer overruns can be much more subtle (many of which are fencepost errors - very hard to catch unless you're looking for them).
Hello? Did you read my post? I was talking about how if the password check section of Piranha has a similar buffer overrun, then it doesn't matter whether or not you've changed the default password - the very act of authentification (whether successful or not) could be a security hole.
Companies do charge for bug fixes on occasion.
DOS 6.2->6.21 $10 (for an upgrade that removed disk compression) (or was it 6.2->6.22?) (I think this update might have been made freely available at one point)
OS/2 2.1 Service Pack $20 (granted very few people actually needed it). I think with this one you could download it (even though at the time you would probably pay more for the time online downloading it)
Win98 -> Win98SE $80 IIRC (and it seemed to cause more bugs than it fixed).
-matt
Up until recently most software had a default superuser password (or even no password...)
Anyone that does not set administrator and superuser passwords is a security risk himself, not the software itself. Now, recognizing that a majority of users are inept at best it is a smart thing if the software forces setting passwords.
Lemme see... the fact that people are not setting a administrator or superuser password is a software problem???
No, it is not a software problem. The problem is that the default password was left in place.
I agree that it is a nice feature when the software will not let me go on without setting a new password. However, far from every software does that so the security risk is in fact the user.
The day that all and every program requires password setting on install it becomes a software problem.
Out of those 5 bazillion software packages approximately 1.88495556 bazillion are installed with default passwords and 0.31415926 bazillion are installed with no password at all the rest require you to set a password.
I agree that the day when most programs require setting of passwords, one not doing so is a software defect. Until that day, it is a nice feature if the package requires password setting, but not doing so is not a bug.
What? Not ship beta with a distro?
But then you would be with out Linux wouldnt you?
Definition of Distro: Unstable beta software bundled in a package.
www.atacomm.com - The Leader in VoIP Product Distributi
The person who put the bug in the code in the first place... shame on you...
The person who made the call to include a prototype in a distrobution.... ohhh bad call dude..
Thies two people will not hear the end of it for a very long time to come...
While Slashdot IS spinning the positive with "Everything is ok we found the bugs" the people who made thies mistakes will be suffering for a long time to come...
"Oh yeah your the Piranha bug person..."
I don't actually exist.
RedHat missed it and someone else cought it.
Dangerous defaults are insidous bugs. For one they don't look like bugs at all. There is no accual defect of code the program preforms exactly as expected. The danger is the default setting not the code and most people don't even consider this when writing code as they think the user will change it for his/her own benifit.
This isn't automaticly the case. Any given user isn't going to be aware of all the options and may not be aware of a default set to "Let the crackers storm the gates.. send out a becon pulse to let them know your open and even post how valuable your information is"
How can it be a bug? I mean you can change it with out recompiling the code.. what bug?
Thats the addatude of many...
Thats why a bug like this is very likely to go unchecked. But in open source that's not a problem for very long.
RedHat made a mistake that is very easy to make.
So lets blame RedHat for doing what happends every day at every software company and software project.
In fact.. now that I think about it..... ohhh $#!+... I think I may have this bug in ZenToe...
Bugs happen... we can reduce them to a very small amount but they still exist. In the mean time we are fixing them with breakneck speed....
Why make a fuss over this? With closed source companys trying to clame open source is buggy they themselfs have known issues that have yet to be addressed.. Defects that will be with us for years to come. With open source even the insidiosly deceptive dangerous defaults are cought and fixed.
Yes there is very good reason to prase open source for catching a bug that would otherwise be an issue for our childrens children...
I don't actually exist.
If this were a closed source project eventually the bug would be found published become known and remain cement.
This means the bug will be know to cracker and admin alike.
This being a default setting could be fixed just by changing the default. However that dose not remove the bug...
Many closed source companys wouldn't see a need to issue a bugfix...
I don't actually exist.
Well known commercial software has them too, I know for sure many companies are running Oracle servers with the SYS/CHANGE_ON_INSTALL user/passwd duo...
core dumped.
Oy!
/password combos like "system/manager","sys/change_on_install" and "scott/tiger". Of course, it's not networked or attached to the Internet in any way ( though I should probably change it anyway) so for me it doesn't matter. But If I were running a production system, there is NO WAY any of these would be on my system!
For the hundreth time this morning:
This IS a victory in a sense for OSS because:
1) The hole/bug/problem was found, publicized and a fix/patch for it was put out immediately. Elapse time - a few hours to a few days. The MS bug was around for 4 years! 4 YEARS! Conclusion - software isn't perfect but OSS flaws are found and fixed much quicker than CSS, often before the "Black Hats" find out about it. How many other MS/CSS exploits are out there have we NOT heard of that have been known by the Black Hats for 4 years?
2) This was mainly a problem of adminstration and configuration rather than a deliberate, secret backdoor or bug. The installation left a modules password at a default. Technically, this is not a problem if you are a good sys admin and secure your box properly by changing all the default passwords when you set software up. If you don't, why are you hooked up to the Internet (or any other network for that matter since most "cracking" is an inside job)? Why are you employed as or acting as a sys admin? My Oracle has username
Is this bad PR? Sure it is but not nearly as bad as having a security hole around for 4 years!
My guess is that you and the other negative posters have not read the story, work fro MS or both.
Try thinking before you post..
Never by hatred has hatred been appeased, only by kindness - the Buddha
Software isn't perfect. If you say you can program and make no bugs, you've got to be some kind of God. I've programmed many years, and the more lines of code that go into a program, the more bugs you'll end up having. Sometimes you lose perspective on some aspects of your program. But in a closed-source environment, the only peer-review is that -- your peers. And they don't always have more insight on what the program's doing.
OSS shines. Let the world review the code (I do look at the source, not exactly everything, but I do look for the obvious buffer problems and other bug-prone parts of code). This way everyone wins. and patches get released much faster.
I always thought of a backdoor as something that was intentionally left there by the developers to get in--as was the case with the "netscape engineers are weenies" backdoor that Microsoft developers put into their software.
Damn this ticks me off.
You didn't even follow the IIS security issue did you? The phrase you use is NOT A FREAKING BACKDOOR. It's a keyphrase used to encode file names as they are transferred betwen client and server.
I thought you meant checking the password to see if it's a dictionary word, or long enough, that type of thing... (not the authentication)
But anyway. In this case, I retract my last comment, and reply with 'duh'. You can "what if" every application in existence and say the same thing as you did (and not bring a whole lot to the conversation). Presumably the same people that took piranha apart to find any issues, only found the hard coded default.
... You can't GET to the tool unless you can log into Piranha - which you can't unless you know the password.
This is exactly like the "Hack Linux box" contest that was run a while ago. Everyone blamed Linux for it (an exploit in bind or named or one of those was exploited). Never mind the fact that the ONLY way the exploiter was able to get to it was to use a POORLY written THIRD PARTY/COMMERCIAL perl cgi script the people that run the contest had installed.
That being said, this is no excuse for this RedHat blunder. Just when everyone was giving microsoft a hard time for hard coding a password in one of their dlls, someone at RedHat did the same...
That "buffer overrun" should be fixed too, but RedHat's reply was correct: you should have changed the password on install and the problem would not even exist. That's a basic of sys admin (for any application! including oracle, etc.)
Honestly I think even the PHBs can see through this one unless the sysadmins are mis-leading them.
"Hrm, our massive e-commerce system has been taken down because the password is 'Q'? You never thought to change it from the default that everyone else knows? Here's a slip of paper, although it's white, think of it as pink."
As I understand it, the 'overrun' bug doesn't show until you've breached the password. In light of that, this isn't a case against Open Source, it a case against lax security measures. MS has the same type of problem with defaut passwords in SQL.
"MSNBC: Red Hat open to backdoor password"
From a technical perspective, Linux is great. Many programmers, many distro makers, all (mostly) independent. This mean much "natural selection" at both levels.
From a marketing perspective, though, this sucks (for us). Sure, only the Piranha package of the RedHat distro was broken. But what does the public hear: "Linux has security problems". Doh! (we got half-lucky with the above headline--only but all of RedHat is implicated
Two possible solutions:
1) Make the public understand how Linux development/distros work. This is unlikely to happen in the short term, especially while only Linux works this way. We properly blame "Microsoft" for FrontPage security problems and wonder about NT. This doesn't translate to blaming RedHat for Piranha, yet it will inevitably happen.
2) Have all the major Linux vendors get a security audit project started and keep it going (many have started, few have kept it up). Create this list as a public list anyone can consult. Then each distro maker can choose only from this list OR create a separate "server" or "secure server" distro chosen only from the list. Then (and this step, as ugly and painful as it is, is absolutely necessary) when a claimed-secure distro is found to have a security problem because it didn't follow the list denounce that distro in a very public way. They did a bad thing and they need to be punished.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Win98 -> Win98SE $80 IIRC (and it seemed to cause more bugs than it fixed).
That's not a bug patch. You could have downloaded the Windows 98 Service Pack which would have given you all of the fixes in Win98SE and none of the new features. FOR FREE.
Simon
Coming soon - pyrogyra
Incidentally, this also means that the remarks in the system(3) manpage are not visible enough (there is a warning about security issues), and that some explicit advice has to be put in the libc info page (there is none). Volunteers?
My 0.02 Euro.
There once was a poster name AC
This kinda rhymes with hack
Racist poetry he'd write
For which we all wish him blight
I hope someone give him a smack.
What the hell? What frickin' victory? MS has a bug, and they are shit....someone finds a bug in Linux and...."its a victory?!?!"
What a joke. You Linux fanatics are nothing but propaganda lovers.
The second reason is the reason why a company such as Microsoft isn't sued for security. It's not open-source so someone could not review the code themselves. It also doesn't have the kind of warning that distros have. It is especially such that Microsoft has been shown to know about such problems in their software and not done anything, sometimes before the software is even released. Consequently, from a legal standpoint (as opposed to how much money the sides have) Microsoft is much more vulnerable to a lawsuit than any little distro- or package-maker.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
This isn't a backdoor. It's a default password that people should change anyway. It was not attempted to be hidden. It also has a fix, a quick fix, as opposed to saying "delete this random file." Oh, and it wasn't even existant for a month.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
How dare you say my mushrooms are insecure! I've applied all the latest patches.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
Default passwords are always easier to remember. That's why I keep my root account passwd as "root" :-)
-
Ekapshi.
>How do they get away with this disclaimer?
Errr...nobody actually reads the disclaimer ya know:-)
-
Ekapshi
No. It's a defeat. To call this a victory is as disingenous as calling a shot-down pilot a hero solely for surviving being shot down, or to claim to be lucky for *surviving* a lightning strike. The pilot lived, but others did a better job by *not* getting shot down; being struck by lightning in the first place is hardly "lucky" unless you're a movie-monster zombie needing some energy to re-animate.
Frankly, RHAT dropped the ball. If one of the virtues of OSS is that more eyeballs can view the code, they _should have had more eyeballs_ viewing it before it was released. Clearly, they did not; their QA has failed before, failed this time, and will no doubt fail again. That other companies fail as well does NOT make this a victory, regardless of how many others there
If you really want to point at OSS security, think more about:
a) HAVING ongoing, rigorous code audits
b) NOT sacrificing security for usability, such as NOT making random programs SUID
c) NOT taking the attitude that security is unimportant enough to really even *mention* to the end user
d) NOT having such a rabid release cycle, but instead taking some time....
Only the dead have seen the end of war.
From what I've read on Slashdot here, the issue is whether their "default password" is a bug. A lot of software/OS have default passwords, and if you're concerned about the security of your system, you make sure you change it before you go live.
/. and it's nice to get kudos once in awhile.
There's things like that, and then there is the fact, that on my Win98 boxes you can boot it up and hit cancel on the password dialogue box, and do whatever you want.
Redhat is a good company... I have limited Linux experience, and Linux is NOT an easy install, especially if you run into some documented errors. I was having the problem where if it goes into the graphical install, the screen shows 1/4 of the actual screen you're supposed to get. You can't scroll the sides to see the rest, so it's pretty much worthless in terms of utility. Then, if you do a custom install (the default server install will boot directly into GNOME - which has the same problem as above) it gives the documented "anaconda" error. And on top of that, I can't get the IDE CD-ROM to be detected for the install (the CD-ROM I bought to permanently put in the box... I had to take my SCSI CD-RW from my other box).
So, I tore my house apart looking for the little card that comes in the box (to register for phone support), found everything BUT that little card. I called them at 8:30 PM EST, and talked to a technician almost immediately. He said that if I call the sales people the next day during 9-5 business hours, they'll be able to help me with the serial # problem.
So I called them today, and they managed to get me a serial # based on one of the numbers in one of the books that come in the package. No waiting on the phone for that. They then were supposed to transfer me to the tech support, but transferred me to a pre-sales guy instead.
This guy explained that I had to register online, and then offered/proceeded to do it for me. Then I called back a bit later as instructed (so my registration gets propogated in their system) and again with very little waiting (like 1 minute) talked to a foreign-sounding tech support guy. He gave me some instructions on solving some of the install problems, I've yet to test them and will find out later if I have to call them back for help again.
Now when you encounter a company where the people are friendly, there's no waiting to talk to someone, and they don't give you canned responses to questions... that's a good company. I know this is kind of off topic but I'm sure there are Redhat people who read
"[. . .]a good distro should protect users from themselves."
If you want to be protected from yourself, use round tipped sisors to cut, crayons to write, and NT as a server OS.
REAL tools are DANGEROUS. The operator must be an expert, and protect himself and those around him with this skill.
You can't make power saws, machine guns, or server OSes that are idiot proof.
That is not to say that this is not a bad mistake, but should Red Hat demand a note from your mommy before you can install beta software (bugs, holes and all) on your system?
Also, I would like to comment that this is NOT a backdoor, it is a wide open front door.
--
The shareholder is always right.
Too bad this was posted by an AC, but, rotflmdo!!!
Linux rocks!!! www.dedserius.com
www.dedserius.com
VB != VisualBasic
Would you even recognise a security hole if one got up and bit you? Don't kid yourself...
--
Cheers
Cheers
Jon
I disagree.
If I change the password then how can an external user use Pirhanna and change the password with the exploit code attached. Malicious users can only exploit this on an install of Pirhanna where the password wasn't changed. Any sysadmin who doesn't change a password to a tool like Pirhanna is being negligent.
Changing the password is something you need to do on install before anyone exploits it, once you do that you should be safe.
As I understand it, you can't use the exploi code unless you know the password.
Phil
I think the real question here is, did ISS, and others, start looking for security holes in bigname OpenSource packages in response to Elias Levy's recent article? I know ISS is continually looking into things like this but the timing is pretty good ;)
If this was an embedded password then I would tend to agree with you. Since this is just a lame default password I think we can attribute this more to a lazy user than a real backdoor in RedHat's code.
RedHat definitely should have had a better default password, or perhaps even force the user to change the password during install.
I'm glad to see that the Linux community doesn't pull any punches even when the best and brightest members screw up. Gives me a little more faith in the public stances that they take.
Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
Oh well, not that it really matters, this whole thing is MS FUD trying to make up for their holes in IIS
Shine on, you crazy diamond.
Not only did Red Hat screw up, but the media's interpretation of this is "Linux has a back door". This is how MSNBC reports it via their headline. Red Hat is not Linux, it is a distribution of linux*. How do we keep the media (who in turn influences investors and the general business community) from making blanket statements like this which are irresponsible.
Uh.. sorry, but before i'd ever start a dictionary attack, i'd check the default password. Just like you try "password" and "" before you start a dictionary attack.
True that. However, if it wasnt open source -- would the problem have been found and made public? Or would it have been another bug never found, never abused? Oh talk amungst yourselves.
The ultimate network admin tool needs HELP!
This is silly. Why would anyone just accept the default password on a networked machine? If you don't change the defaults you deserve what you get.
"Gee, we didn't lock our car doors. But be a security flaw with the car!"
G.H.
"....Ok what now?"
Just wait till some crappy band steals your nic.
I would bet that it would be relativly easy to put a backdoor in almost any large project. If the project in question were coded in the right language it wouldn't matter that the code was open source or not. Can you imagine looking for a backdoor in a huge c project with no comments and little documentation. Or worse yet an assembly language program. A few lines of code in thousands of lines makes it like looking for a needle in a haystack. The trick would be to put it in a program that has little hack value but is used often. A program that most people would not be interested in programming. Who knows there may already be a few around.
Open source makes this kind of thing less likely but not impossible. It would be even easier to include an intentional buffer overflow or an intentional hole in the security that would look like it was supposed to be there.
BTW did anyone think that the MSNBC article was a little gloating or was that my guilty conscience.
Environmentalists are their own worst enemy. ~tricklenews.com
In reply to your second paragraph..
info libc, File System Interface, Temporary Files: tmpfile(), mkstemp().
The docs for all the older, unsafe temp file functions all carry strong warnings. There's no good reason people should still be making mistakes with temp files.
It doesn't take a security expert to know that any default password is a bad idea. So it might be a victory for open source that it was fixed, but it's a big defeat for RedHat's quality control that the problem ever existed.
I use 'Q' as password really often, it is a FAR better password that 'E' or 'W'. Trust me, with 'Q' you are secure, don't be afraid.
Actually, the password is not 'Q' -- it's written backwards, like the MS back door, so it's really 'Q'.
I'm amazed most people didn't perceive this...
This space left intentionally blank.
The recent Microsoft hole generated a fair amount of vitriol. There is a distinct lack of it in this discussion. Perhaps some AC's would like to add some vicious slurs in the interests of fairness? /irony
/. community, Linux and OSS credibility. Unbalanced views do exactly the opposite.
I think that this highlights an important point. Balanced views and comments give the
I personally favour restraint when critisizing, and encourage others to think carefully about the tone of their posts before hitting the button. I think that this sends a much better message - that the community, Linux and OSS is reasonable - than hurling abuse does.
In the interests of transparency - I am a Windows user. I am a Linux user. I develop for Windows. I expect to develop for Linux. But I really don't care much about the platform so long as it provides the services and audience that I require.
Jeff
...is it truly impossible for OSS?
Sure is. Have a simple script that has to be run first. Ask the user for the new password, encrypt it, and set it in a relevent header file, along with a magic number. Make it so the code won't compile without the encrypted password and the magic number set; that way, the user _has_ to run the script first.
This doesn't stop the code being any less open source, although if the user really wants they can extract the magic number and bypass the setup script. But then, what benfit to the user is there in doing that?
Syllable : It's an Operating System
There is one very good reason: automated installation. If your install script prompts for a password for anything and everything that comes up, that's fine for installing the software on one machine. But if you're creating a web farm with 100 machines, entering "J0eB0b15c00L" 100 times can get a little annoying.
It brings up the question of who is ultimately responsible for the security of a system. I would hope it would be the system administrator, not the vendor who supplied the software, except in cases of an error in the actual code. Configuration issues such as a default password should be the responsibility of the sysadmin to make sure everything is good before deploying a system.
--
47% of all statistics are made up on the spot.
Just in case anyone here wants to write A Operating System Bug report to a News Agency, I figured This Post would help them out on the Proper Format to use
If It's a Linux operating System
--------------------------------
1) State the bug
2) State What The bug Does
3) State the Fix
4) Praise Linux and all it's Distro's
5) State how beneficial the OSS Community is because the Bug was Fixed in two Hours.
If it's a Microsoft Operating System
------------------------------------
1) State the bug
2) State What The bug Does
3) State the Seriouness of the bug, usually by some Security Firm.
4) State Why Microsoft Included the Bug in Their Operating System
5) Talk About the Microsoft Trial and an up to date record on how many people are suing them.
6) Talk about how they are competing with linux.
7) Have Interviews with Microsoft Competitors on how Crappy Windows is and How they destroyed our companies Profits
8) Call Microsoft to get a no comment or "we're working on it" Response.
9) State how Bad Microsoft Technicial Support is because the Bug took 2 Hours to fix.
10) State The fix
11) State how the Fix will not work, or will make another part of the Operating System not work.
12) Praise Linux and all it's Distro's
Hope this helps all of you news guys out there write better bug reports and report news objectively.
In Soviet Russia, Trojan exploits YOU!
Anyway, this behavior is perfectly understandable if you know how 'su' works. You're giving su the arguments in the wrong order. Let's look at it step-by-step...
su I want to become another user (root, by default)...
-c and run a command...
"/usr/bin/id" which is "/usr/bin/id"...
nobody and this is an extra argument.
So you just said that you want to run 'id' as root. And you got root's id string. Why are you surprised by this? You can't stick the username after the command string and expect it to work - this is documented in the 'su' manpage - so the only thing I can see as a problem here is that su doesn't gripe if you give it too many arguments.
I hate to agree with Black Parrot on anything, but he's right. There's no such thing as a safe default password.
However, I'd do a little further. Safety lies in writing the original code so that the password is guaranteed to be user-dependent. True security lies in requiring the password be set on install. You can blame the user for not changing the password, but systems administrators are busy people, and they aren't generally going to do so unless they're forced to. That being the case, a developer who merely says "do this" when it's important, and doesn't mandate that it happen, is acting negligently.
That, however, requires a genuine installation routine, so that the source can't be installed without the defaults being changed. That, in turn, makes it impossible to have a truly secure open source solution.
- That, however, requires a genuine installation routine, so that the source can't be installed without the defaults being changed. That, in turn, makes it impossible to have a truly secure open source solution.
Depends. Under the GPL, it is technically impossible. That portion of my code which enforces the user-defined password is subject to modification by any user, and the license gives people free rein to do just that. Since anything like that is considered a hassle by most developers, how long do you think it would remain in the code? Under BSD? Of course; the limits there are even lighter. Under some kind of Artistic license? (E.g. You may view the contents of this file, but the license is void if you modify them, or attempt to subvert their interface with the balance of this package...etc.) maybe -- but how would *you* personally feel if *I* tried to ship software with such a restriction, keeping in mind that I work for MS?I don't think that follows. Clearly, RH didn't do it here, but is it truly impossible for OSS?
I am not aware of any users who have modified the Red Hat installer to take out the offensive code requiring entry of a root password. I haven't even heard any complaints about it.
What about people who make a single image of their default install and then blast it out onto many computers in their installation? That's not quite the same thing, but everyone that I've ever asked about it says "Of course I don't change the root password after I install a new box. If I did, I'd have to enter it by hand!" (Let's have a moment of silence for these future victims of accelerated evolution, shall we?)
Every package the distro installs should default to being extremely secure and offer me options on how to make it less secure.
As a minimum a newly installed service should (a) not start until configured and (b) run a configure script (maybe on next reboot). Fiddling the RPM to make this happen is up to the distro maker (and will - hopefully - be adopted by the package producer).
This isn't rocket science.
Of course, you may feel the real burden here is on the application RPM-maker, not the distro maker... But (again), it's up to the distro maker to make up for deficiencies...
sigh
-- Peter
"At the end of the journey, all men think that their youth was Arcadia..." -Goethe
"Pick an A.C. sailor!.. We're cheaper than Karma Wh*res!" - A.C.
$HOME is where the
-- silver_p
man 3 tmpfile
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
The reason it was found within four years is because someone went through the source and checked it. This will never happen to M$ source.
Grtz, Jeroen
Secure messaging: http://quickmsg.vreeken.net/
The main thing that I haven't heard mentioned here is the benefit that holes like this have to other developers. Now I as Joe Developer am at least conscious of these holes so that in my next product, I can make sure no such holes exist. I read people discussing the common "; command" thing with system commands as though it were just common knowledge.
The truth is that this is common knowledge due to the open source process. How many such exploits have you heard for DOS-based developers? For every bug that M$ finds and "fixes" in its crap, how many countless other developers have created the same holes and are totally unaware of how to fix them?
People who use Windows just expect programs to crash occasionally and not ask questions. Not only is the OS buggy, but so is every application written for it because everyone is trying to reinvent the wheel on security issues. And according to M$, 100 different buggy incompatible security models are better than one solid one because people know how the solid one works.
Please.
A choice of masters is not freedom
The tone of the article is very biased. For those of you who didn't read it, the article's tone seemed to be accusing Red Hat in particular and Linux in general of having "serious security holes". They make it seem not as a triumph of the Open Source community, but a fatal flaw of the community that was luckily discovered before it could be horribly abused...but Red Hat is "downplaying" the impact of it. Maybe this is just me being a paranoid here, but I don't think you have to go much farther than this article for a great example of media bias against the open source community. Of course, it could just be the tendency for journalists to try to make everything sound like it's going to bring society to a screeching halt (Y2K anyone?). Of course, that's just my opinion, I could be wrong. -Loki Trickster
what new features? ie 5? it is a service pack, patch, whatever you want to call it, it isn't worth 80 bucks. that's why i have a pirated copy. god bless software piracy.
-----BEGIN GEEK CODE BLOCK-----
v.3.12
GCS d-(--) s+: a-- C+++$>++++$$ UL++$>++++$$ P+>++++$ L++>++++$ E--- W++$>++
Errors will be made. Coders are human too. The point is, this one was discovered, made public, and fixed quickly and for free. Closed-source denies the problem exists until there is so much bad publicity that they lose 10% in stock prices, then they release a service pack for 80 bucks that fixes one problem and causes 20 more.
-----BEGIN GEEK CODE BLOCK-----
v.3.12
GCS d-(--) s+: a-- C+++$>++++$$ UL++$>++++$$ P+>++++$ L++>++++$ E--- W++$>++
1) Q
2) password
3) xyzzy
4) supercalifragilisticexpialidocious
5) MS software engineers are weenies!
6) CowboyNeil
The slashdot review mammals did not call the fix a victory for Open Source. In fact, I did, me, namely Patrixmyth, of Patrixmyth writes "blah" fame. I own no stock in Red Hat, don't program for a living. I am a website developer, but then who isn't these days. I have also never criticized Microsoft, and am the first to admit to being nearly clueless about programming effective secure code. I use and enjoy many Microsoft products. I read the article, and considered it a good thing that the problem was found easily, and corrected without major damage. I submitted the article, thinking the /. masses had a right to know, and because I enjoy seeing Patrixmyth writes "blah", much more than I care about /.'s karma system for comments. As evidence of my lack of a clue and utterly unbiased opinion, the last article I submitted involved WinCE based "J.E.D.I." tools, being developed by the U.S. military, which I did not criticize a bit. Five words of opinion, added to a summary of a news article, and for this, over 200 posts! Seriously folks, slow down on the Caffeine!
Now back to your regularly scheduled madness...
"Don't you know you're going to shock the monkey?"- Peter Gabriel
After reading most of the messages there is a lot of great information as always... but I think I'm missing something about the whole thing. The Distributions thing has me confused ok m$ sells us there (wannabe)OS with apps that they steal/buy/claim to code. RH, Suse etc.. gather up OOS compile some/most of it and write an installer for them... how can any one expect them to completely review all the software that they include for BUGS/Security etc... they are just creating a "DISTRIBUTION" OOS programs for those people unable/unwilling to collect them from the net on there own... it's a convenience thing... (rant) I love it.. personally I use suse then I go online and download more current source for apps I play with X, Samba etc... I'm not at the skill level yet to install the base OS and add all the shells and apps that I want to use... (I'm working on it) my biggest complaint so far with the "distributions" is that they install two many apps I don't need three shells five mail readers etc ...(/rant)
As of 9:40 AM CDT, with netscape 4.7 on HPUX, the article's gone - the page containd the big header paragraph, a couple banner ads, then /html.
Anyone else (not) seeing this? Site issue? or browser issue?
A default password in a Linux distrobution found during an Open Source review? Horray for Open Source!
A default in Windows 2000 found? Shame on closed source?
You guys are hypocrites.
---------------------------------
---------------------------------
Visit
Ha-ha-ha-ha-ha. Agreed. They also don't understand anything about blackdoors and backeyes. (N@#$%! if I only could remember my own password to post here now ... bah, I have to post as Geronimo's Cowherd.)
Not everybody is or wants to be a security expert.
Gee.. I think my modem has more instructions per sec. than youll ever have... idiot..
"Theres alotta savages in this town.."
After I upgraded rh6.2 a few weeks ago, I didn't even bother looking in the apache directory. I was working on redoing my LAN at that point. Then I noticed it by addicedent. What really got me was the fact the password was addversied right there that it needs to be changed and it was still the default. I don't know why rh put it in there, I did not say to put anything with clusters in it. If you are going to it in there, fine, make the default password a random number or something.
until (succeed) try { again(); }
If you don't know how to keep a box secure (change the fscking default passwords), then
DON'T RUN A WEBSITE.
If you admin your box like a mushroom, expect to be owned by some packet monkey or script kiddie.
hmmm, but it's not the password for your slashdot account
For one very important Reason:
Homogeneity in the field leads to a _very_ large damage radius if anyone ever discovers the slightest hole in the "secure" way of doing things. If everyone implements it slightly differently, no single problem can expose the widest audience to risk. Remember the Windows "Ping of Death" problem? Homogeneity in the field made it worse than it might otherwise have been...
Although it seems like co-ordinated anarchy, it's important that there is no single point of failure.
Just ask the Death Star... =-)
Check my Go-related blog for beginners: DGD
Maybe large vendors/distributions should start some sort of certification/verification protocol to provide standard quality of at least part of the products.
Jeroen
Writing about music is like dancing about words - FZ
I don't anticipate many lawsuits against companies like Red Hat (at least not in response to things like this), and any lawsuits that do occur are not going to go very far.
The reasonably-sized print on a Mandrake 6.0 package:
Other distributors also tend to include disclaimers such as this.
How do they get away with this disclaimer? Why is this alright, but it'd be horrendous for Microsoft to disclaim any liability on their software, and put a back door in it?
Well, even if there is a back door put into a piece of free or open-source software, you can take it out.
-rozzin.
Don't bet on it. Buffer overflows are insidious lttle beasts, and they generally pop up because of bad coding habits, which means a program that has one buffer overflow found almost never has only one buffer overflow.
FOr example, in the case of Piranha, what if there's a buffer overflow not only in the password change portion of the code, but also the password check part? You then have a hole that anyone can utilize. Just think of the number of buffer overflows found in programs like Sendmail, and even ssh, and you get an idea of the scale of the problem.
Well, I'm cheering for Open Source for two reasons.
One, the bug was found within weeks of the release of the software in question, not years.
Two, the bug was nearly instantly fixed and a patch available that doesn't involve deleting things to reduce the functionality of Pirahna.
So yeah, Hurray for Open Source in both instances.
Yes, RedHat should've caught this one before it made it out the door, but they didn't. Stuff like that shouldn't happen, and you should do what you can to prevent it, but no matter what you do, it always will. It's very easy to prove software has a bug, very hard to prove that it doesn't.
Need a Python, C++, Unix, Linux develop
Gosh, a whole two months. Nothing like the four year old bugs in M$ products. We have the source, we use the source, we fix the source, we don't charge $80 for a lame service pack full of new "features".
Eric
> True security lies in requiring the password be set on install.
Good point.
> That, however, requires a genuine installation routine, so that the source can't be installed without the defaults being changed. That, in turn, makes it impossible to have a truly secure open source solution.
I don't think that follows. Clearly, RH didn't do it here, but is it truly impossible for OSS?
--
Sheesh, evil *and* a jerk. -- Jade
> how would *you* personally feel if *I* tried to ship software with such a restriction, keeping in mind that I work for MS?
If the restriction you have in mind is that privileged software that uses a password must be given a new password during the installation process, I would think it was only good sense, and appreciate you for looking after my interests.
VMS used to do this with system or application installations that create accounts. Even Red Hat does it for root, during a new installation. The only disappointment is that they did not also do it in this case.
As for your assertions about users hacking on offensive code, I am not aware of any users who have modified the Red Hat installer to take out the offensive code requiring entry of a root password. I haven't even heard any complaints about it.
--
Sheesh, evil *and* a jerk. -- Jade
> if the user really wants they can extract the magic number and bypass the setup script
I like to think of such cases as evolution in action.
--
Sheesh, evil *and* a jerk. -- Jade
> So how come this "good news" when it is Open Source software, but had it been a closed source application for which the vendor made a release we'd all be badmouthing them?
Like we've been saying all along... with OSS a white hat finds it pretty quickly; with CSS the black hats potentially know about it for years before the white hats stumble across it. This is an illustration of the first half of that claim.
--
Sheesh, evil *and* a jerk. -- Jade
Oh, come on, be realistic. We're talking about default passwords. Things that are mentioned in an installation guide. Some people manage to read English instead of C.
I used to be a Sybase DBA. When you install Sybase, by default there's no password for the SA. That isn't an obscure fact only known to black hats because Sybase is closed source. Anyone with the ability to read simple English words knows. And I've yet to hear someone argueing it's a backdoor.
-- Abigail
And no, this is not redundant, as this has not been posted on the Red Hat errata web site, or elsewhere on the web, yet as of this writing. I couldn't find it at least.
Begin letter. ;
----------------------------------------
Subject: SECURITY: [RHSA-2000:014-10] Updated piranha packages available
Resent-Date: 24 Apr 2000 20:33:43 -0000
Resent-From: redhat-watch-list@redhat.com
Resent-CC: recipient list not shown:
Date: Mon, 24 Apr 2000 16:33:32 -0400 (EDT)
From: Cristian Gafton (gafton@redhat.com)
Reply-To: redhat-watch-list@redhat.com
To: redhat-watch-list@redhat.com
CC: Linux Security , BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE----- - -------------------------------------------------- -------------------
Red Hat, Inc. Security Advisory
Synopsis: Piranha web GUI exposure
Advisory ID: RHSA-2000:014-10
Issue date: 2000-04-18
Updated on: 2000-04-24
Product: Red Hat Linux
Keywords: piranha remote CGI command
Cross references: php
-------------------------------------------------- -------------------
1. Topic:
The GUI portion of Piranha may allow any remote attacker to execute commands on the server. This may lead to remote compromise of the server, as well as exposure or defacement of the website.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386 alpha sparc
3. Problem description:
Piranha when it is installed generates a 'secure' web interface ID using the HTML .htaccess method. The information for the account is placed in /home/httpd/html/piranha/secure/passwords which was supposed to be
released with a blank password. In fact the password that is actually on
the CD is either 'q' or 'piranha'. It was intended that when the
administrator loaded the piranha package onto their box, that it was their
resonsibility to change that password. This is not a hidden account. It is
meerly used to protect the web pages from unauthorized access. The
security problem arises from the /home/httpd/html/piranha/secure/passwd.php3 file from which it is possible
to execute commands by inserting them into the change password option eg
entering 'blah;/bin/command to execute' into the field, and again to
verify, everything after the semicolon is executed with the same privilege
as the webserver. It is possible at this point to compromise the webserver
or do serious damage to the site.
4. Solution:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
Temporarily, you should set a password on the web pages as should be done when you first install the package for the sake of speed you can issue the following command htpasswd -c -b /home/httpd/html/piranha/secure/passwords
piranha 'password of choice' In theory, this means only you have access to
that area and you are hardly likely to try and exploit the problem
yourself.
When you install the update for the piranha-gui, please take a moment to login into the gui frontend and set a password on the account (http://localhost/piranha)
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
N/A
6. Obsoleted by:
N/A
7. Conflicts with:
N/A
8. RPMs required:
Red Hat Linux 6.2:
intel:1 .i386.rpm4 .13-1.i386.rpm. 13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4
alpha:
GNU/Linux. The Freshmaker.
The guys who uncovered the "Q" password are way off base in calling this a "back door".
It's really more of a badly thought out installation procedure. However discovering a "back door" is a bit more of a PR feather in the cap of a would be security honcho than discovering a way that brain dead admins can shoot themselves in the foot.
That said, it also appears that there is a buffer overrun problem, which is very serious, but again really a garden variety bug, serious, but common enough.
All in all this is nothing compared to the named bind hole that is still being exploited.
Red Hat needs to get their act together. Why do all these servers have to run as root? Of course, you end up with a proliferation of pseudouser accounts, but so what?
Aren't they going to add capabilities in ext3? Wouldn't this clear up a lot of the root access mess ups?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Firstly there is the issue of Red Hat's mistake in leaving a potential security hole in something that goes out to users. Ok, so it may well be the users fault if they install piranah by accident or install it on purpose and don't change the password, but a good distro should protect users from themselves.
Secondly, there is the way that the MSNBC article is worded. Basically seems to be saying, "forget about the IIS problem, look, look, Red Hat has it too! See! Red Hat has a huge, I mean really really really huge, big security hole!! And they don't care! They're downplaying it!"
That was what the big bold bit before the rest of the story said. Of course, the actual story with real facts in it makes a little more sense.
So how come this "good news" when it is Open Source software, but had it been a closed source application for which the vendor made a release we'd all be badmouthing them? I don't see how recovering from a stupid mistake is such "good news" or even that open-source specific.
It's 10 PM. Do you know if you're un-American?
Rouland said "X-force" researcher Wilson discovered the backdoor during a standard review of Red Hat's Linux source code, which is freely available. The user name and password were embedded in the code. "Anybody else who's viewed the source code could have found the vulnerability and been exploiting it all along," he said. "This one was so easy to find I would think people would have found it and exploited it.... I think people will figure it out very quickly."
I always thought of a backdoor as something that was intentionally left there by the developers to get in--as was the case with the "netscape engineers are weenies" backdoor that Microsoft developers put into their software.
It seems that there may have been a buffer overrun on piranha, but they make it sound like having a default password of 'Q' is Redhat's fault--It doesn't really matter what the default password is for something if the user doesn't set their own. That's pretty obvious.
And that last part sounds a bit like they are trying to make open source sound like an inherent flaw. Not like I'd expect them to compare and contrast with Microsoft's intentional backdoor that was there for months or years which no one except a few select Microsoft developers and friends knew about. That compared to a buffer overrun in a Redhat product discovered weeks later and quickly fixed doesn't make open source look like a security risk to me. Who'd be running an e-commerce site on a product that's only a couple weeks old anyway (earlier in the article the author alludes to the fact that the so-called backdoor would have allowed an intruder to "access customer databases.")
I wouldn't get too upset over this though. The spin gets more obvious everytime. Anyone with a clue about security won't be fooled. It'll just make Microsoft and the author of the article look more like idiots than they did last week.
numb
OK, good point, I guess, but I would say, "not very long". Malicious exploits found a a cracker dude are quickly shared.... Like I said, you have a point. I was really going off on the "$80 for a service pack" win98/SE thing. The fact is, if you're stupid enough to actually pay for it, that's your problem. The company is there to make money. If they can get you to fork over $80 for it, fine.
---
DO NOT DISTURB THE SE
Brave words: the commercial damage may well have been done already or, failing that, be done in the interlude between the news becoming available and sysadmins fixing their RH installations. The damage to RH and, by extension, open source is inestimable: even when closed-source companies have embedded backdoor passwords in their executables, they haven't concurrently published the source with the passwords embedded. This isn't going to play well with the PHBs for whom Open Source == Linux == Red Hat.
--
Cheers
Cheers
Jon
And Microsoft thought Netscape engineers were weenies... coming next, the Red Hat Shoot Yourself In The Foot awards
--
Cheers
Cheers
Jon
Piranha is a good name for this module.
I've yet to find a Linux distribution that doesn't just slap in any setuid program whose author felt it needed root privs without so much as a raised eyebrow. Of the ones I've tried, Debian seems to be the most secure right out of the box. I'd be surprised if the more expensive "Server" distributions of Linux were any better than most other distributions, security-wise.
Security is going to become more and more important as more people get connected. I expect that eventually some lawsuits will be filed. I wonder how long that will take and what the outcomes will be...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Thanks for pointing that out how, just a few days ago the backwards text about Netscape was called a backdoor.
(Its looking like the 'password' was not really a backdoor password in a classic sense. It is used, but not as orignally reported.)
And yes, declaring this black-eye for Red Hat a victory IS a total biasing. But remember this forum is Linux-biased.
If it was said on slashdot, it MUST be true!
No, you're wrong. "Netscape programmers are weenies!" is simply used to encrypt certain data travelling back and forth between two Microsoft components. Clearly, Microsoft did not intend for this security method to be foolproof; they simply wanted to keep the casual observer from seeing certain data. Here's what Russ cooper said:
While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users..
Sig goes here
A 'security' company that blasts that password around rather than saying 'there is a default password that can be cracked' is even more foolish.
Of course in general you are right, it would be best for ISS or any other company not to publish such passwords. But in this case, anyone who had enough knowledge to exploit the password could easily install Piranha and get the default password (considering that it's standard with RH6.2). Publishing the password didn't really put anyone at risk in this case.
-rt-
-rt-
** Evil Canadians are taking over the world. Learn about the conspiracy
I don't think this is such a glowing testimony to open source as it is a lukewarm observation of fact. They staple-gunned themselves in the foot and someone bandaged them. *applause*
/. and post "CmdrTaco and Hemos are a bunch of corporate shills!" then you're to blame when the masses flame you. But if you say it in the privacy of your home and a journalist puts it on the main page of the New York Times (and suspends mandatory login for the day), you'd be justified in blaming your infamy on the journalist.
You have a point. Open Source created the bug as well as fixed it. How much damage OSS itself deserves for the potential damage depends, to my mind, on where the backdoor was and how long it's been around.
I confess ignorance with respect to this. If the backdoor was part of some relatively new and experimental software, RedHat is to blame for putting it in a box and distributing it worldwide. If the it was in some code that's been around a long time and could also have propagated "naturally," then it is a problem for Open Sourcce that the insecurity was able to survive.
As an analogy, consider the difference between private and public speech. If you go on
I hope someone can clarify which situation pertains regarding this security hole.
- Michael Cohn
The bad do bad because the bad is rewarded. The good do good because the good is rewarded.
-----
Go ahead, blame me... I voted for Nader!
Very much agree.
... if you install it, be prepared to administer it. If you don't know how to administer it, then ... anyone installing an unknown application on a production machine is begging for trouble.
The MSNBC article starts off with in gonzo-type with the words:
A team of Internet security researchers say they've found a serious security hole in the most popular distribution of the Linux operating system. According to Internet Security Systems Inc., there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files on some computers running Red Hat's most recent version of Linux. But a spokesperson for Red Hat downplayed the flaw, saying few Red Hat users had been exposed to it.
This is absolutely sensationalist spin.
I agree with the views expressed elsewhere
The little guy just ain't getting it, is he?
blah!
portman grits ninja
Default passwords are a security hole. Users will forget to change them and when you are installing a system with 5 bazillion different software packages on them (not a good idea in it'self but people will do that) you'll never find all of the default passwords lieing around.
Blaming the user won't help. Like it or not not everyone using Linux is a expert. And the experts will still make mistakes anyway, why tempt fate?
Read the MSNBC artical. If want a look at MS spin-doctoring this is a perfect example of it! Many of MS's apps have default passwords too. Recently a bunch of ecommerce sites were found to have not reset the default passwords on all of their MS software. If a default password is called a backdoor then MS has 5 times as many!
Look at the source maybe?
Molog
So Linus, what are we doing tonight?
So Linus, what are we going to do tonight?
The same thing we do every night Tux. Try to take over the world!
Given that setting up MS SQL server 7.0 comes with a whole raft of default passwords for system administrator and related positions, I don't think that MS could even come close to complaining about the Piranha system having a default password. Like this excerpt from http://www.microsoft.com/t echnet/SQL/Technote/secure.asp
If the sa password is blank (as per a default installation), an intruder (or the Windows NT Administrator) would be able to gain access to the server. For information on ways to reduce the chance of such an attack, see "Registry."
I mean, it's not as if the database is an essential part of the Web E-commerce revolution... :-)
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
The default password issue is unimportant, although if people aren't informed that there is a default password and what that password is (in documentation), then there's something wrong. Also, anything with a default password should really change that password on installation (if it has an interactive install, great, change it then, otherwise there definitely should be something about it in the readme). Any good sysadmin should know what's on his machine, and change the default passwords, but that's no excuse for a lackadaisical attitude wrt security on the coder's part.
Nevertheless, I don't think this is an important aspect of the story. What worries me is that it is possible to run code at the webserver user level from the web. This is very NOT good. Even if you set the password, someone could still potentially guess it using a program.
Also, it is somewhat interesting how MSNBC has handled this story.
See, they should have picked a harder to guess default password, like "JSD3$@KJ". These people don't know anything about security.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
I browse at 0 because some very relevant and interesting points are made by AC (and sometimes some items are moderated down for bizarre reasons). I am however very glad that moderators are removing the particularly poor items. I do not browse at -1 to avoid what is down there. In fact it is interesting to reflect that the only people who can see your post are those who do browse at 0 and so defeat your argument as to why AC comments should not be moderated down.
I would be interested to know what the percentages are for the various default browsing levels. After that comment that most people browse at at least 1.
As I understand it the moderators themselves don't have to moderate at 0 (I've never moderated so don't know for sure). So only logged in users who normally browse at 0 (unless they set their browse level specifically down to 0 when moderating) are seeing these posts to moderate them.
I would say that your comment about how you meta moderate shows that you have a poor grasp of the function of the 0 and the -1 levels. After all if -1 weren't there to collect the dross it would always appear. Do you maybe not approve of the -1 level at all?
It's interesting that you posted this as AC because if you are posting at 0 simply to make a visiblity point then why didn't you include your ID?
Gamma Testing - Where testing is extended to the full user community (AKA Shipping the Program)
One of the biggest selling points of OSS is that "with enough eyes, all bugs are shallow". This strength is also a pretty big flaw in the OSS model.
As more and more software is released as Open Source, the ratio of eyes to SLOC will decrease.
Also, as the software that is released as Open Source becomes more complex and specialized, the odds of the eyes looking at the source code being knowledgable enough to identify bugs decreases as well.
What does this mean? At some point, for certain software packages, it will make more sense for a company to keep it closed source as the cons of releasing it as Open Source (basically, giving it away) will outway the pros (find bugs).
Please insert random Microsoft flame here. After all, we all know Redhat isn't a company buying every related company in sight to make their army grow... errr wait, they are. This isn't a troll, but people- come on. This kind of incident should be used to learn from for the Open Source community- not another chance to thumb our noses at yet another closed source company. Pardon all the cliches, but making fun of MS here is like shooting fish in a barrel and preaching to the choir at the same time. Is there a 'best way' to set up default passwords?
Pray tell, what default password would have been safe?
Even if it had been 2048 characters of line noise, the fact that it was the default password means that anyone else using the same software knows what it is.
Safety does not lie in more difficult default passwords; safety lies in changing default passwords after you install the software.
--
Sheesh, evil *and* a jerk. -- Jade
As far as I can understand that, "Piranha" is not installed by default and you have it only if you *want* it; and once you took the pain to install it, the least thing would be to change the default password.. is it really a backdoor or a lazy user? If s/he's got enough insight to install the thing in the first place, that seems quite unprobable to me that s/he would leave it at that.
God did not appoint us to suffer wrath but to receive salvation through our Lord Jesus Christ --1Thes5:9
There have been a few responses to this, which I'd like to draw together:
1) The victory is that the problem was found. It was found quickly, before any damage was done, and it was found expressly because a member of the community had free and easy access to the code.
The gentleman who found the flaw frets that "Anybody else who's viewed the source code could have found the vulnerability and been exploiting it all along," but this ignores the community-spiritedness of opensource as well as the loose lips of most crackers. Things like this go public. And. . .
2) The problem can be fixed, in a variety of ways, by anyone. No waiting for patches from The Source.
3) This reflects very well on open source. But it is a blow to Redhat.
If a Linux for serious hackers shipped with a few holes, the make-rs might reasonably claim that their product wasn't meant to be polished and perfect (they'd be asses not to abase themselves and offer a fix, though).
But Redhat,, which even more than other distros claims to make Linux easy and user-friendly, desperately needs to be just that. They're the ones who should be allowing users to trade up-to-the-minute kewlness for reliability and security. There's no shame in that, but there is shame in doing it badly.
Summary:
Redhat screwed up. Open source fixed it.
- Michael Cohn
The bad do bad because the bad is rewarded. The good do good because the good is rewarded.
-----
Go ahead, blame me... I voted for Nader!
Would any good sysadmin allow beta (0.4) code on a production box? ...
Which brings up another point ... If RedHat or any of the other distros want to avoid this type of hype, include only production-quality code in the distro.
Porco RossoSilpon Designs
Scented Paper Products
!seineew era sreenigne erawkcalS
Another victory maybe... but what stupid arse done that in the first place? Yes, I know, people make mistakes all the time. However, if we want open source to be taken seriously, we at least need to try. Look at how many people laughed at the Microsoft Web Server backdoor not long ago. Isn't this error just as idiotic?
Now weary traveller, rest your head. For just like me, you're utterly dead.
So what do we have now?
Instead of kicking Rhat's but for slack in Quality Control we sing praises to open source. This is getting fscking out of hand. Slashdot has to get some bias control after all.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Microsoft "backdoor": Hurray for open source!
Redhat backdoor: Hurray for open source!
Now the question is, will ESR write an article about the dangers of Open Source? Or will the open source community set another wonderful hypocritical example?
A great example of this is if an application needs to create a temporary file. Temp directories are publically accessible, they need to be. But this means more than one user has access to them (if your OS can handle multiple users :) and this provides a place where malicious users can interfere. There's a lot of bending over backwards you can do to detect or avoid the problem, but the so-called experts seem to think that everybody should learn every trick and apply it manually. Why not provide API calls that allow a programmer to SecureFileOpen() and get a secure open file?
So, I haven't read the source for this Piranha web admin package to see why the default password Q was in there, but I suspect the coder working on it put it in as a convenience to herself for development purposes, so she could test things without having to create accounts every time. But, every app with passwords needs to do this because it is just as tedious as for every programmer. So why not build pseudo test accounts into the platform just for this purpose, rather than into the app?
Anyone that doesnt change a non-unique, default password, that is documented 8 ways from sunday, deserves whatever he gets.
-=Bob
Okay, hands up anyone that's never used software that creates an account with a dumb password when it's intsalled?
:-)
:-)
Two notable examples are Oracle's database (I've been told that it's set to change_this by default - my apologies if that is no longer the case), and MS SQL Server (the admin account has no password set by default - we were using it like that for at least the first 6 months that I was at the company before someone thought to change it...)
There is absolutely no reason whatsoever for creating an account with either no password or a default one. To not prompt the user to enter a password smacks of laziness and/or thoughtlessness. Someone at RedHat needs to have a good, long talk to whoever there is responsible about good security practice. Unfortunately, the same can be said of a good few other companies, too.
As for the second flaw, that you can cause arbitrary commands to be executed by the user running the web server when using piranha to change the password, that is utterly inexcusable. Assuming that the server is not running as root, then it is not too serious, (as long as you don't mind your website being deleted/defaced), but it displays an almost breathtaking lack of thought on the part of the person responsible.
I assume that the password is changed by way of a call to passwd, and that the "hack" is to append a "; arbitrary commands go here" to the end of the password field. If this is the case, then why on earth isn't the string checked for that sort of thing?
This has to be the oldest way of attacking a web site in the book; ever since the concept of CGIs was invented, people have been trying to get arbitrary commands run on servers in this way. (Another common first attack is to do a similar thing to any input field that looks like it'll be used to construct an SQL query - just end the field with '; (single-quote semi-colon) and insert your own commands. A coleague and I very nearly had one of our SQL servers play ball when we did it to one of the sites that he'd developed using SiteServer Commerce edition - the code being executed was in a SiteServer module, not something that he'd written. IIRC it was only the max length being set on the field that stopped us, and we couldn't be bothered to write a perl script to bypass the html page...)
I know that everyone makes mistakes, but this really is very basic stuff indeed. I'm no security expert, and even I know about it
In this day and age of entire businesses depending on the security of machines that are open to attack 24/7 (and have to be up 24/7, too), people really do need to be more security conscious.
Okay, rant over - I just needed to get that off my chest
Cheers,
Tim
It's official. Most of you are morons.
Quote from the story: A second flaw, also discovered by Internet Security Systems, could then allow a user to gain full control of the computer. In this second flaw, an intruder working inside the Piranha console can select the "change password" option, then tack a line of computer instructions on the end of the new password. The code, which can do anything the Web server itself can do, will then be executed by the computer, according to researcher Allen Wilson, who discovered both flaws.
This is the serious part of the security issue, obviously. Just resetting the password, as is suggested above, is not going to solve the problem.
========
<sig>Guvf vf abg n frperg zrffntr
I just read the article on ZDNN, and knew that something like that would come up here at Slashdot. Oh man, this is a victory for open source??!?! Just a few days ago tons of people were bashing Microsoft for a very minor security hole. And I mean really bashing Microsoft.
So this "backdoor" comes up, minor also, but it would apppear quite a bit more serious then MS's. And what do we get? That's a victory! We found the bug! That's why open source is king! Jeez people, that's one big way of making open source look bad, and I mean really bad. Is it all just the hype and total biasing?
If we want to bring more respect to the Open Source initiative, then we have to treat these things the same way another OS is treated. If we don't, then it just helps to convince the world that it's just all hype.
You know, there should be a contest. I'd love to stick in a mischievious backdoor and see if people could find it in thousands/millions of lines of code.
I do not understand where the security hole is.
I use 'Q' as password really often, it is a FAR better password that 'E' or 'W'. Trust me, with 'Q' you are secure, don't be afraid.
Fetchez la vache !