Red Hat 'Piranha' Security Risk - And Fix
patrixmyth writes "A default password of "Q" in the standard Red Hat 6.2 installation of the Piranha module opens a Web server to intrusion, according to Internet Security Systems. The problem was discovered during a review of Open Source code, and the fix is already available. Another victory for Open Source!
The MSNBC article is here.
The fix is here, or you could just reset the password yourself for the Piranha module."
If you don't know how to keep a box secure (change the fscking default passwords), then
DON'T RUN A WEBSITE.
If you admin your box like a mushroom, expect to be owned by some packet monkey or script kiddie.
hmmm, but it's not the password for your slashdot account
--
For one very important Reason:
Homogeneity in the field leads to a _very_ large damage radius if anyone ever discovers the slightest hole in the "secure" way of doing things. If everyone implements it slightly differently, no single problem can expose the widest audience to risk. Remember the Windows "Ping of Death" problem? Homogeneity in the field made it worse than it might otherwise have been...
Although it seems like co-ordinated anarchy, it's important that there is no single point of failure.
Just ask the Death Star... =-)
Check my Go-related blog for beginners: DGD
Maybe large vendors/distributions should start some sort of certification/verification protocol to provide standard quality of at least part of the products.
Jeroen
Writing about music is like dancing about words - FZ
I don't anticipate many lawsuits against companies like Red Hat (at least not in response to things like this), and any lawsuits that do occur are not going to go very far.
The reasonably-sized print on a Mandrake 6.0 package:
Other distributors also tend to include disclaimers such as this.
How do they get away with this disclaimer? Why is this alright, but it'd be horrendous for Microsoft to disclaim any liability on their software, and put a back door in it?
Well, even if there is a back door put into a piece of free or open-source software, you can take it out.
-rozzin.
Don't bet on it. Buffer overflows are insidious little beasts, and they generally pop up because of bad coding habits, which means a program that has one buffer overflow found almost never has only one buffer overflow.
For example, in the case of Piranha, what if there's a buffer overflow not only in the password change portion of the code, but also the password check part? You then have a hole that anyone can utilize. Just think of the number of buffer overflows found in programs like Sendmail, and even ssh, and you get an idea of the scale of the problem.
Well, I'm cheering for Open Source for two reasons.
One, the bug was found within weeks of the release of the software in question, not years.
Two, the bug was nearly instantly fixed and a patch available that doesn't involve deleting things to reduce the functionality of Piranha.
So yeah, Hurray for Open Source in both instances.
Yes, RedHat should've caught this one before it made it out the door, but they didn't. Stuff like that shouldn't happen, and you should do what you can to prevent it, but no matter what you do, it always will. It's very easy to prove software has a bug, very hard to prove that it doesn't.
Need a Python, C++, Unix, Linux develop
Only it's not a backdoor, it's a default password. Therefore the source code is not at all relevant in this case. Anyone with a copy of the manual could find out that you must change the default password.
The security problem is not the software but the administrator of a WEB site that installs software without setting administrator passwords that only he knows.
Gosh, a whole two months. Nothing like the four year old bugs in M$ products. We have the source, we use the source, we fix the source, we don't charge $80 for a lame service pack full of new "features".
Eric
> True security lies in requiring the password be set on install.
Good point.
> That, however, requires a genuine installation routine, so that the source can't be installed without the defaults being changed. That, in turn, makes it impossible to have a truly secure open source solution.
I don't think that follows. Clearly, RH didn't do it here, but is it truly impossible for OSS?
--
Sheesh, evil *and* a jerk. -- Jade
> how would *you* personally feel if *I* tried to ship software with such a restriction, keeping in mind that I work for MS?
If the restriction you have in mind is that privileged software that uses a password must be given a new password during the installation process, I would think it was only good sense, and appreciate you for looking after my interests.
VMS used to do this with system or application installations that create accounts. Even Red Hat does it for root, during a new installation. The only disappointment is that they did not also do it in this case.
As for your assertions about users hacking on offensive code, I am not aware of any users who have modified the Red Hat installer to take out the offensive code requiring entry of a root password. I haven't even heard any complaints about it.
--
Sheesh, evil *and* a jerk. -- Jade
> if the user really wants they can extract the magic number and bypass the setup script
I like to think of such cases as evolution in action.
--
Sheesh, evil *and* a jerk. -- Jade
> So how come this "good news" when it is Open Source software, but had it been a closed source application for which the vendor made a release we'd all be badmouthing them?
Like we've been saying all along... with OSS a white hat finds it pretty quickly; with CSS the black hats potentially know about it for years before the white hats stumble across it. This is an illustration of the first half of that claim.
--
Sheesh, evil *and* a jerk. -- Jade
Try reading some comments below, pin head. This has been addressed ..oh, about 1000 times already.
All this proves to me that the "Open Source review" worked. How long was the RedHat bug around for? Now How long for the MS bug?
Now how many independent code reviews has MS had? Did their bug show up because of a careful QA review by peers? No, it was discovered through reverse engineering 4 years after the fact...
Could the MS bug be changed simply by having the admin alter the configuration? Now how about the RedHat "bug"?
Try answering these questions before you post silly, insulting comments.
No code is perfect, but OSS is much faster in the bug discovery bug fix patch cycle than any CSS could hope to be.
Never by hatred has hatred been appeased, only by kindness - the Buddha
Oh, come on, be realistic. We're talking about default passwords. Things that are mentioned in an installation guide. Some people manage to read English instead of C.
I used to be a Sybase DBA. When you install Sybase, by default there's no password for the SA. That isn't an obscure fact only known to black hats because Sybase is closed source. Anyone with the ability to read simple English words knows. And I've yet to hear someone arguing it's a backdoor.
-- Abigail
And no, this is not redundant, as this has not been posted on the Red Hat errata web site, or elsewhere on the web, yet as of this writing. I couldn't find it at least.
Begin letter. ;
----------------------------------------
Subject: SECURITY: [RHSA-2000:014-10] Updated piranha packages available
Resent-Date: 24 Apr 2000 20:33:43 -0000
Resent-From: redhat-watch-list@redhat.com
Resent-CC: recipient list not shown:
Date: Mon, 24 Apr 2000 16:33:32 -0400 (EDT)
From: Cristian Gafton (gafton@redhat.com)
Reply-To: redhat-watch-list@redhat.com
To: redhat-watch-list@redhat.com
CC: Linux Security , BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
-------------------------------------------------- -------------------
Red Hat, Inc. Security Advisory
Synopsis: Piranha web GUI exposure
Advisory ID: RHSA-2000:014-10
Issue date: 2000-04-18
Updated on: 2000-04-24
Product: Red Hat Linux
Keywords: piranha remote CGI command
Cross references: php
-------------------------------------------------- -------------------
1. Topic:
The GUI portion of Piranha may allow any remote attacker to execute commands on the server. This may lead to remote compromise of the server, as well as exposure or defacement of the website.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386 alpha sparc
3. Problem description:
Piranha when it is installed generates a 'secure' web interface ID using the HTML .htaccess method. The information for the account is placed in /home/httpd/html/piranha/secure/passwords which was supposed to be released with a blank password. In fact the password that is actually on the CD is either 'q' or 'piranha'. It was intended that when the administrator loaded the piranha package onto their box, that it was their responsibility to change that password. This is not a hidden account. It is merely used to protect the web pages from unauthorized access. The security problem arises from the /home/httpd/html/piranha/secure/passwd.php3 file from which it is possible to execute commands by inserting them into the change password option, e.g. entering 'blah;/bin/command to execute' into the field, and again to verify; everything after the semicolon is executed with the same privilege as the webserver. It is possible at this point to compromise the webserver or do serious damage to the site.
4. Solution:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
Temporarily, you should set a password on the web pages, as should be done when you first install the package. For the sake of speed you can issue the following command:
htpasswd -c -b /home/httpd/html/piranha/secure/passwords piranha 'password of choice'
In theory, this means only you have access to that area and you are hardly likely to try and exploit the problem yourself.
When you install the update for the piranha-gui, please take a moment to login into the gui frontend and set a password on the account (http://localhost/piranha)
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
N/A
6. Obsoleted by:
N/A
7. Conflicts with:
N/A
8. RPMs required:
Red Hat Linux 6.2:
intel:
ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm
alpha:
GNU/Linux. The Freshmaker.
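The advisory above describes two things an administrator needs to deal with: a GUI account whose htpasswd entry shipped with a known default, and a change-password page that spliced the submitted value into a shell command, so a ';' in the value ended the command. The following is an added example, not Red Hat's passwd.php3 or any Piranha code; it assumes the Apache '{SHA}' htpasswd scheme (the advisory does not say which scheme the shipped file uses), uses the file path the advisory names, and constructs its own sample file contents. It shows a defender's check for "is this account still on a shipped default", the tokenisation that makes the string-spliced command dangerous (nothing is executed), and two hardened alternatives: an argv list with no shell, and updating the htpasswd file directly so the password is only ever data.

```python
import base64
import hashlib
import hmac
import shlex

# Path named in the advisory; the file contents used below are constructed
# for this example rather than taken from a real installation.
PASSWORDS_FILE = "/home/httpd/html/piranha/secure/passwords"
ACCOUNT = "piranha"
# Defaults the advisory names: intended blank, actually shipped as 'q' or 'piranha'.
SHIPPED_DEFAULTS = ("", "q", "piranha")


def sha_entry(password: str) -> str:
    """Apache htpasswd '{SHA}' encoding: base64 of the raw SHA-1 digest.
    (An assumption for this example; the advisory does not name the scheme.)"""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> dict:
    """Parse 'user:hash' lines into a dict, skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        entries[user] = hashed
    return entries


def render_htpasswd(entries: dict) -> str:
    """Serialise the dict back into htpasswd lines."""
    return "".join(f"{user}:{hashed}\n" for user, hashed in entries.items())


def verify(entries: dict, user: str, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored {SHA} entry."""
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))


def still_on_default(entries: dict, user: str = ACCOUNT) -> bool:
    """Defender's check: does the GUI account still accept a shipped default?"""
    return any(verify(entries, user, d) for d in SHIPPED_DEFAULTS)


def unsafe_shell_tokens(user: str, new_password: str) -> list:
    """The pattern the advisory describes: the form value is spliced into a
    shell command line. Tokenising it the way a shell would shows that a ';'
    inside the value becomes a command separator. Nothing is executed here."""
    command = f"htpasswd -b {PASSWORDS_FILE} {user} {new_password}"
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(user: str, new_password: str) -> list:
    """If htpasswd must be called at all, pass an argv list (subprocess.run
    without shell=True): the value stays one argument whatever it contains."""
    return ["htpasswd", "-b", PASSWORDS_FILE, user, new_password]


def change_password(entries: dict, user: str, new_password: str) -> dict:
    """Hardened change-password handler: no shell, the value is only ever
    data, and a shipped default is refused rather than saved again."""
    if len(new_password) < 8:
        raise ValueError("password too short")
    if new_password.lower() in SHIPPED_DEFAULTS:
        raise ValueError("refusing to keep a shipped default password")
    updated = dict(entries)
    updated[user] = sha_entry(new_password)
    return updated


if __name__ == "__main__":
    # Constructed as-shipped file: the account with the 'q' default.
    shipped = parse_htpasswd(f"{ACCOUNT}:{sha_entry('q')}\n")
    print("still on default:", still_on_default(shipped))
    fixed = change_password(shipped, ACCOUNT, "correct horse battery")
    print("still on default:", still_on_default(fixed))
    print(render_htpasswd(fixed), end="")
```

The still_on_default check is the one to run across a fleet after reading an advisory like this: it verifies the live file against each named default instead of trusting that someone remembered to change it.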
The guys who uncovered the "Q" password are way off base in calling this a "back door".
It's really more of a badly thought out installation procedure. However discovering a "back door" is a bit more of a PR feather in the cap of a would be security honcho than discovering a way that brain dead admins can shoot themselves in the foot.
That said, it also appears that there is a buffer overrun problem, which is very serious, but again really a garden variety bug, serious, but common enough.
All in all this is nothing compared to the named bind hole that is still being exploited.
Red Hat needs to get their act together. Why do all these servers have to run as root? Of course, you end up with a proliferation of pseudouser accounts, but so what?
Aren't they going to add capabilities in ext3? Wouldn't this clear up a lot of the root access mess ups?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Firstly there is the issue of Red Hat's mistake in leaving a potential security hole in something that goes out to users. Ok, so it may well be the users fault if they install piranha by accident or install it on purpose and don't change the password, but a good distro should protect users from themselves.
Secondly, there is the way that the MSNBC article is worded. Basically seems to be saying, "forget about the IIS problem, look, look, Red Hat has it too! See! Red Hat has a huge, I mean really really really huge, big security hole!! And they don't care! They're downplaying it!"
That was what the big bold bit before the rest of the story said. Of course, the actual story with real facts in it makes a little more sense.
So how come this "good news" when it is Open Source software, but had it been a closed source application for which the vendor made a release we'd all be badmouthing them? I don't see how recovering from a stupid mistake is such "good news" or even that open-source specific.
It's 10 PM. Do you know if you're un-American?
Rouland said "X-force" researcher Wilson discovered the backdoor during a standard review of Red Hat's Linux source code, which is freely available. The user name and password were embedded in the code. "Anybody else who's viewed the source code could have found the vulnerability and been exploiting it all along," he said. "This one was so easy to find I would think people would have found it and exploited it.... I think people will figure it out very quickly."
I always thought of a backdoor as something that was intentionally left there by the developers to get in--as was the case with the "netscape engineers are weenies" backdoor that Microsoft developers put into their software.
It seems that there may have been a buffer overrun on piranha, but they make it sound like having a default password of 'Q' is Redhat's fault--It doesn't really matter what the default password is for something if the user doesn't set their own. That's pretty obvious.
And that last part sounds a bit like they are trying to make open source sound like an inherent flaw. Not like I'd expect them to compare and contrast with Microsoft's intentional backdoor that was there for months or years which no one except a few select Microsoft developers and friends knew about. That compared to a buffer overrun in a Redhat product discovered weeks later and quickly fixed doesn't make open source look like a security risk to me. Who'd be running an e-commerce site on a product that's only a couple weeks old anyway (earlier in the article the author alludes to the fact that the so-called backdoor would have allowed an intruder to "access customer databases.")
I wouldn't get too upset over this though. The spin gets more obvious every time. Anyone with a clue about security won't be fooled. It'll just make Microsoft and the author of the article look more like idiots than they did last week.
numb
OK, good point, I guess, but I would say, "not very long". Malicious exploits found by a cracker dude are quickly shared.... Like I said, you have a point. I was really going off on the "$80 for a service pack" win98/SE thing. The fact is, if you're stupid enough to actually pay for it, that's your problem. The company is there to make money. If they can get you to fork over $80 for it, fine.
---
DO NOT DISTURB THE SE
Brave words: the commercial damage may well have been done already or, failing that, be done in the interlude between the news becoming available and sysadmins fixing their RH installations. The damage to RH and, by extension, open source is inestimable: even when closed-source companies have embedded backdoor passwords in their executables, they haven't concurrently published the source with the passwords embedded. This isn't going to play well with the PHBs for whom Open Source == Linux == Red Hat.
--
Cheers
Jon
And Microsoft thought Netscape engineers were weenies... coming next, the Red Hat Shoot Yourself In The Foot awards
--
Cheers
Jon
Piranha is a good name for this module.
I've yet to find a Linux distribution that doesn't just slap in any setuid program whose author felt it needed root privs without so much as a raised eyebrow. Of the ones I've tried, Debian seems to be the most secure right out of the box. I'd be surprised if the more expensive "Server" distributions of Linux were any better than most other distributions, security-wise.
Security is going to become more and more important as more people get connected. I expect that eventually some lawsuits will be filed. I wonder how long that will take and what the outcomes will be...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Thanks for pointing that out how, just a few days ago the backwards text about Netscape was called a backdoor.
(It's looking like the 'password' was not really a backdoor password in a classic sense. It is used, but not as originally reported.)
And yes, declaring this black-eye for Red Hat a victory IS a total biasing. But remember this forum is Linux-biased.
If it was said on slashdot, it MUST be true!
No, you're wrong. "Netscape programmers are weenies!" is simply used to encrypt certain data travelling back and forth between two Microsoft components. Clearly, Microsoft did not intend for this security method to be foolproof; they simply wanted to keep the casual observer from seeing certain data. Here's what Russ Cooper said:
While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users.
Sig goes here
A 'security' company that blasts that password around rather than saying 'there is a default password that can be cracked' is even more foolish.
Of course in general you are right, it would be best for ISS or any other company not to publish such passwords. But in this case, anyone who had enough knowledge to exploit the password could easily install Piranha and get the default password (considering that it's standard with RH6.2). Publishing the password didn't really put anyone at risk in this case.
-rt-
** Evil Canadians are taking over the world. Learn about the conspiracy
I don't think this is such a glowing testimony to open source as it is a lukewarm observation of fact. They staple-gunned themselves in the foot and someone bandaged them. *applause*
You have a point. Open Source created the bug as well as fixed it. How much damage OSS itself deserves for the potential damage depends, to my mind, on where the backdoor was and how long it's been around.
I confess ignorance with respect to this. If the backdoor was part of some relatively new and experimental software, RedHat is to blame for putting it in a box and distributing it worldwide. If it was in some code that's been around a long time and could also have propagated "naturally," then it is a problem for Open Source that the insecurity was able to survive.
As an analogy, consider the difference between private and public speech. If you go on /. and post "CmdrTaco and Hemos are a bunch of corporate shills!" then you're to blame when the masses flame you. But if you say it in the privacy of your home and a journalist puts it on the main page of the New York Times (and suspends mandatory login for the day), you'd be justified in blaming your infamy on the journalist.
I hope someone can clarify which situation pertains regarding this security hole.
- Michael Cohn
The bad do bad because the bad is rewarded. The good do good because the good is rewarded.
-----
Go ahead, blame me... I voted for Nader!
Very much agree.
... if you install it, be prepared to administer it. If you don't know how to administer it, then ... anyone installing an unknown application on a production machine is begging for trouble.
The MSNBC article starts off, in gonzo type, with the words:
A team of Internet security researchers say they've found a serious security hole in the most popular distribution of the Linux operating system. According to Internet Security Systems Inc., there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files on some computers running Red Hat's most recent version of Linux. But a spokesperson for Red Hat downplayed the flaw, saying few Red Hat users had been exposed to it.
This is absolutely sensationalist spin.
I agree with the views expressed elsewhere
The little guy just ain't getting it, is he?
The spin I picked up from the M$NBC article seemed to suggest that because the source was freely available, anyone could have exploited this hole. It smelled to me like they were trying to make this out to be a bad thing. Oh well. Only a fool would use the default password anyways.
Never forget what the MS in MSNBC means.
Gah
blah!
portman grits ninja
Default passwords are a security hole. Users will forget to change them and when you are installing a system with 5 bazillion different software packages on them (not a good idea in itself but people will do that) you'll never find all of the default passwords lying around.
Blaming the user won't help. Like it or not, not everyone using Linux is an expert. And the experts will still make mistakes anyway, why tempt fate?
Read the MSNBC article. If you want a look at MS spin-doctoring this is a perfect example of it! Many of MS's apps have default passwords too. Recently a bunch of ecommerce sites were found to have not reset the default passwords on all of their MS software. If a default password is called a backdoor then MS has 5 times as many!
Look at the source maybe?
Molog
So Linus, what are we doing tonight?
So Linus, what are we going to do tonight?
The same thing we do every night Tux. Try to take over the world!
Given that setting up MS SQL server 7.0 comes with a whole raft of default passwords for system administrator and related positions, I don't think that MS could even come close to complaining about the Piranha system having a default password. Like this excerpt from http://www.microsoft.com/technet/SQL/Technote/secure.asp
If the sa password is blank (as per a default installation), an intruder (or the Windows NT Administrator) would be able to gain access to the server. For information on ways to reduce the chance of such an attack, see "Registry."
I mean, it's not as if the database is an essential part of the Web E-commerce revolution... :-)
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
The default password issue is unimportant, although if people aren't informed that there is a default password and what that password is (in documentation), then there's something wrong. Also, anything with a default password should really change that password on installation (if it has an interactive install, great, change it then, otherwise there definitely should be something about it in the readme). Any good sysadmin should know what's on his machine, and change the default passwords, but that's no excuse for a lackadaisical attitude wrt security on the coder's part.
Nevertheless, I don't think this is an important aspect of the story. What worries me is that it is possible to run code at the webserver user level from the web. This is very NOT good. Even if you set the password, someone could still potentially guess it using a program.
Also, it is somewhat interesting how MSNBC has handled this story.
See, they should have picked a harder to guess default password, like "JSD3$@KJ". These people don't know anything about security.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
I browse at 0 because some very relevant and interesting points are made by AC (and sometimes some items are moderated down for bizarre reasons). I am however very glad that moderators are removing the particularly poor items. I do not browse at -1 to avoid what is down there. In fact it is interesting to reflect that the only people who can see your post are those who do browse at 0 and so defeat your argument as to why AC comments should not be moderated down.
I would be interested to know what the percentages are for the various default browsing levels. After that comment that most people browse at at least 1.
As I understand it the moderators themselves don't have to moderate at 0 (I've never moderated so don't know for sure). So only logged in users who normally browse at 0 (unless they set their browse level specifically down to 0 when moderating) are seeing these posts to moderate them.
I would say that your comment about how you meta moderate shows that you have a poor grasp of the function of the 0 and the -1 levels. After all if -1 weren't there to collect the dross it would always appear. Do you maybe not approve of the -1 level at all?
It's interesting that you posted this as AC because if you are posting at 0 simply to make a visiblity point then why didn't you include your ID?
Gamma Testing - Where testing is extended to the full user community (AKA Shipping the Program)
One of the biggest selling points of OSS is that "with enough eyes, all bugs are shallow". This strength is also a pretty big flaw in the OSS model.
As more and more software is released as Open Source, the ratio of eyes to SLOC will decrease.
Also, as the software that is released as Open Source becomes more complex and specialized, the odds of the eyes looking at the source code being knowledgeable enough to identify bugs decreases as well.
What does this mean? At some point, for certain software packages, it will make more sense for a company to keep it closed source as the cons of releasing it as Open Source (basically, giving it away) will outweigh the pros (find bugs).
Please insert random Microsoft flame here. After all, we all know Redhat isn't a company buying every related company in sight to make their army grow... errr wait, they are. This isn't a troll, but people- come on. This kind of incident should be used to learn from for the Open Source community- not another chance to thumb our noses at yet another closed source company. Pardon all the cliches, but making fun of MS here is like shooting fish in a barrel and preaching to the choir at the same time. Is there a 'best way' to set up default passwords?
It is a software problem. The software was not written well. Shouldn't the software be designed to not work unless a new password is issued first? Shouldn't the documentation say that "the module [blah] will not work unless a new password is entered"? I've had lots of accounts that required me to change the password upon first usage. Why should this be any different?
Pray tell, what default password would have been safe?
Even if it had been 2048 characters of line noise, the fact that it was the default password means that anyone else using the same software knows what it is.
Safety does not lie in more difficult default passwords; safety lies in changing default passwords after you install the software.
--
Sheesh, evil *and* a jerk. -- Jade
As far as I can understand that, "Piranha" is not installed by default and you have it only if you *want* it; and once you took the pain to install it, the least thing would be to change the default password.. is it really a backdoor or a lazy user? If s/he's got enough insight to install the thing in the first place, that seems quite improbable to me that s/he would leave it at that.
God did not appoint us to suffer wrath but to receive salvation through our Lord Jesus Christ --1Thes5:9
There have been a few responses to this, which I'd like to draw together:
1) The victory is that the problem was found. It was found quickly, before any damage was done, and it was found expressly because a member of the community had free and easy access to the code.
The gentleman who found the flaw frets that "Anybody else who's viewed the source code could have found the vulnerability and been exploiting it all along," but this ignores the community-spiritedness of opensource as well as the loose lips of most crackers. Things like this go public. And. . .
2) The problem can be fixed, in a variety of ways, by anyone. No waiting for patches from The Source.
3) This reflects very well on open source. But it is a blow to Redhat.
If a Linux for serious hackers shipped with a few holes, the makers might reasonably claim that their product wasn't meant to be polished and perfect (they'd be asses not to abase themselves and offer a fix, though).
But Redhat, which even more than other distros claims to make Linux easy and user-friendly, desperately needs to be just that. They're the ones who should be allowing users to trade up-to-the-minute kewlness for reliability and security. There's no shame in that, but there is shame in doing it badly.
Summary:
Redhat screwed up. Open source fixed it.
- Michael Cohn
The bad do bad because the bad is rewarded. The good do good because the good is rewarded.
-----
Go ahead, blame me... I voted for Nader!
Would any good sysadmin allow beta (0.4) code on a production box? ...
Which brings up another point ... If RedHat or any of the other distros want to avoid this type of hype, include only production-quality code in the distro.
Porco RossoSilpon Designs
Scented Paper Products
!seineew era sreenigne erawkcalS
Another victory maybe... but what stupid arse done that in the first place? Yes, I know, people make mistakes all the time. However, if we want open source to be taken seriously, we at least need to try. Look at how many people laughed at the Microsoft Web Server backdoor not long ago. Isn't this error just as idiotic?
Now weary traveller, rest your head. For just like me, you're utterly dead.
So what do we have now?
Instead of kicking Rhat's butt for slack in Quality Control we sing praises to open source. This is getting fscking out of hand. Slashdot has to get some bias control after all.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Microsoft "backdoor": Hurray for open source!
Redhat backdoor: Hurray for open source!
Now the question is, will ESR write an article about the dangers of Open Source? Or will the open source community set another wonderful hypocritical example?
A great example of this is if an application needs to create a temporary file. Temp directories are publically accessible, they need to be. But this means more than one user has access to them (if your OS can handle multiple users :) and this provides a place where malicious users can interfere. There's a lot of bending over backwards you can do to detect or avoid the problem, but the so-called experts seem to think that everybody should learn every trick and apply it manually. Why not provide API calls that allow a programmer to SecureFileOpen() and get a secure open file?
So, I haven't read the source for this Piranha web admin package to see why the default password Q was in there, but I suspect the coder working on it put it in as a convenience to herself for development purposes, so she could test things without having to create accounts every time. But, every app with passwords needs to do this because it is just as tedious as for every programmer. So why not build pseudo test accounts into the platform just for this purpose, rather than into the app?
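The temporary-file problem the comment above describes, as an added example that is not part of the original post: a fixed name in a shared directory can be pre-created or pointed elsewhere by another local user, and the SecureFileOpen()-style answer is an unpredictable name opened with O_CREAT|O_EXCL (so an existing file or symlink makes the open fail instead of being reused) and private permissions from the first instant. The helper names and the "app-" prefix are this example's own; Python's standard library already offers the same guarantees in tempfile.mkstemp, and the hand-written version here only exists to show what such an API has to do.

```python
import os
import secrets
import stat
import tempfile


def predictable_temp_path(name: str = "app.tmp") -> str:
    """The fragile pattern: a fixed name in a shared, world-writable directory.
    Any local user can create that name first, or plant a symlink there that
    the application will then follow and write through as its own user."""
    return os.path.join(tempfile.gettempdir(), name)


def secure_open_temp(prefix: str = "app-", attempts: int = 100):
    """SecureFileOpen()-style helper (hypothetical name): unpredictable file
    name, O_CREAT|O_EXCL so a pre-existing file or symlink makes the open fail
    rather than be reused, O_NOFOLLOW where the platform has it, and mode 0600
    from the moment the file exists. Returns (fd, path)."""
    directory = tempfile.gettempdir()
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for _ in range(attempts):
        path = os.path.join(directory, prefix + secrets.token_hex(16))
        try:
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue  # name already taken, by chance or on purpose: pick another
        return fd, path
    raise RuntimeError("could not create a private temporary file")


def is_private_regular_file(path: str) -> bool:
    """Post-condition check: a regular file (not a symlink) with no group or
    other permission bits set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo() -> dict:
    """Create a file securely, confirm the exclusive-create guarantee holds,
    and clean up. Returns the observations so a caller can check them."""
    fd, path = secure_open_temp()
    try:
        os.write(fd, b"scratch data\n")
        private = is_private_regular_file(path)
        # A second exclusive create at the same name must be refused: this is
        # exactly what protects against a name that was planted in advance.
        try:
            os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
            excl_refused = False
        except FileExistsError:
            excl_refused = True
    finally:
        os.close(fd)
        os.unlink(path)
    return {
        "private": private,
        "excl_refused": excl_refused,
        "unpredictable": os.path.basename(path) != os.path.basename(predictable_temp_path()),
    }


if __name__ == "__main__":
    print(demo())
```

In real code the file descriptor returned by secure_open_temp is the thing to keep using; reopening the path by name later reintroduces the window the exclusive create just closed.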
Anyone that doesn't change a non-unique, default password, that is documented 8 ways from sunday, deserves whatever he gets.
-=Bob
Okay, hands up anyone that's never used software that creates an account with a dumb password when it's installed?
:-)
Two notable examples are Oracle's database (I've been told that it's set to change_this by default - my apologies if that is no longer the case), and MS SQL Server (the admin account has no password set by default - we were using it like that for at least the first 6 months that I was at the company before someone thought to change it...)
There is absolutely no reason whatsoever for creating an account with either no password or a default one. To not prompt the user to enter a password smacks of laziness and/or thoughtlessness. Someone at RedHat needs to have a good, long talk to whoever there is responsible about good security practice. Unfortunately, the same can be said of a good few other companies, too.
As for the second flaw, that you can cause arbitrary commands to be executed by the user running the web server when using piranha to change the password, that is utterly inexcusable. Assuming that the server is not running as root, then it is not too serious, (as long as you don't mind your website being deleted/defaced), but it displays an almost breathtaking lack of thought on the part of the person responsible.
I assume that the password is changed by way of a call to passwd, and that the "hack" is to append a "; arbitrary commands go here" to the end of the password field. If this is the case, then why on earth isn't the string checked for that sort of thing?
This has to be the oldest way of attacking a web site in the book; ever since the concept of CGIs was invented, people have been trying to get arbitrary commands run on servers in this way. (Another common first attack is to do a similar thing to any input field that looks like it'll be used to construct an SQL query - just end the field with '; (single-quote semi-colon) and insert your own commands. A colleague and I very nearly had one of our SQL servers play ball when we did it to one of the sites that he'd developed using SiteServer Commerce edition - the code being executed was in a SiteServer module, not something that he'd written. IIRC it was only the max length being set on the field that stopped us, and we couldn't be bothered to write a perl script to bypass the html page...)
I know that everyone makes mistakes, but this really is very basic stuff indeed. I'm no security expert, and even I know about it.
In this day and age of entire businesses depending on the security of machines that are open to attack 24/7 (and have to be up 24/7, too), people really do need to be more security conscious.
Okay, rant over - I just needed to get that off my chest.
Cheers,
Tim
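Tim's aside about SQL fields, and his observation that only a client-side maximum length stood between his colleague's site and a rewritten query, is worth pinning down with an added example (mine, not Tim's, and nothing to do with SiteServer). The table, the product rows and the suspicious input are constructed for the demonstration; the input has the "'; " shape he describes with a harmless trailing statement. It contrasts the concatenated query text, where the quote in the value closes the literal, with a bound parameter, where the same value is compared as data and matches nothing, and adds the server-side shape check that a client-side length limit cannot replace.

```python
import re
import sqlite3

# Constructed sample input in the "'; " shape the comment describes, with a
# harmless trailing statement so nothing destructive is even attempted.
SUSPICIOUS_SKU = "WIDGET-1'; SELECT 'injected'; --"
# Server-side shape rule for this (constructed) SKU format: the check lives on
# the server, so stripping a maxlength attribute from the HTML changes nothing.
SKU_PATTERN = re.compile(r"[A-Z0-9-]{1,16}")


def setup_db() -> sqlite3.Connection:
    """In-memory product table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("WIDGET-1", "Widget", 1999), ("GADGET-2", "Gadget", 4999)],
    )
    conn.commit()
    return conn


def concatenated_sql(sku: str) -> str:
    """The fragile pattern: the field value is pasted into the query text, so a
    quote in the value closes the string literal and a ';' ends the statement.
    Returned as text only; this example never executes it."""
    return f"SELECT name, price_cents FROM products WHERE sku = '{sku}'"


def sku_is_well_formed(sku: str) -> bool:
    """Whitelist check on the server: allowed characters and a hard length cap."""
    return SKU_PATTERN.fullmatch(sku) is not None


def lookup_product_bound_only(conn: sqlite3.Connection, sku: str):
    """Binding alone, with no shape check: the suspicious value is passed as a
    parameter, compared as data, and simply matches no row."""
    return conn.execute(
        "SELECT name, price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchone()


def lookup_product(conn: sqlite3.Connection, sku: str):
    """Hardened lookup: reject malformed input before it reaches the database,
    then bind the value so the database never parses it as SQL."""
    if not sku_is_well_formed(sku):
        raise ValueError("malformed sku")
    return lookup_product_bound_only(conn, sku)


def table_row_count(conn: sqlite3.Connection) -> int:
    """Used to confirm the table is untouched after the suspicious lookup."""
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print(concatenated_sql(SUSPICIOUS_SKU))
    print(lookup_product(db, "WIDGET-1"))
    print(lookup_product_bound_only(db, SUSPICIOUS_SKU))
    print(sku_is_well_formed(SUSPICIOUS_SKU), table_row_count(db))
```

Both layers matter: the bound parameter is what makes the query safe, and the shape check is what gives you a clean rejection to log instead of a silent empty result.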
It's official. Most of you are morons.
Quote from the story: A second flaw, also discovered by Internet Security Systems, could then allow a user to gain full control of the computer. In this second flaw, an intruder working inside the Piranha console can select the "change password" option, then tack a line of computer instructions on the end of the new password. The code, which can do anything the Web server itself can do, will then be executed by the computer, according to researcher Allen Wilson, who discovered both flaws.
This is the serious part of the security issue, obviously. Just resetting the password, as is suggested above, is not going to solve the problem.
========
<sig>Guvf vf abg n frperg zrffntr
I just read the article on ZDNN, and knew that something like that would come up here at Slashdot. Oh man, this is a victory for open source??!?! Just a few days ago tons of people were bashing Microsoft for a very minor security hole. And I mean really bashing Microsoft.
So this "backdoor" comes up, minor also, but it would appear quite a bit more serious than MS's. And what do we get? That's a victory! We found the bug! That's why open source is king! Jeez people, that's one big way of making open source look bad, and I mean really bad. Is it all just the hype and total biasing?
If we want to bring more respect to the Open Source initiative, then we have to treat these things the same way another OS is treated. If we don't, then it just helps to convince the world that it's just all hype.
You know, there should be a contest. I'd love to stick in a mischievous backdoor and see if people could find it in thousands/millions of lines of code.
I do not understand where the security hole is.
I use 'Q' as password really often, it is a FAR better password than 'E' or 'W'. Trust me, with 'Q' you are secure, don't be afraid.
Fetchez la vache !