White Hats Take NASDAQ Through MS IIS Hole
stomv writes: "A hacker found exploits in NASDAQ server, could have changed market info and admin passwds. Server: IIS. Hacker did ethical job of providing info to fix. Also, mentions BugTraq and how MS didn't fix the hole when it was posted July 17."
iPlanet administrative server must run on a different port from the user server. There is almost no access to Web app level configuration from this menu. (just servlet properties, which you'd have to restart the server to take effect, which requires a password)
iPlanet runs as an app in user space. When installing iPlanet, it warns you that the server should run under an id that has extremely limited permissions at the OS level. "nobody:nobody" is the default setting for this userid.
Because of this partition between Solaris and the Web server, it is nearly impossible for code attacking the webserver to root the box. Even getting a shell as nobody is not too useful.
On the web app side, servlets run in a security sandbox that can be custom tailored to limit access to outside resources. The default settings in iPlanet do not allow file or OS level access from servlets. In fact, the setting to turn this on isn't even in the default config file or admin interface. You have to look it up, know what it is and how and where to add the parameter by hand.
Automatic memory management and array bounds checking in Java prevent the most common form of attacks from being effective. (the app may crash, but it won't compromise your server)
There is still room (there's always room) for poor configuration and insecure apps to cause havoc, but in comparison to the Microsoft toolset, there is much more attention paid to security, segregation of control, and default settings that put security above ease of use.
While the average end user may prefer the ease of use to security, critical civilian sites like NASDAQ and other financial institutions just shouldn't be using products with that philosophy. To market and sell these products to these types of end users (even a company as huge as MS knows when somebody like NASDAQ is using their software) is irresponsible. To allow an application configuration like that is even more irresponsible. (you can bet that NASDAQ had MSCE's or an MSCSP build this, not somebody's 16 year old nephew) Sun, in contrast, sends auditors/admins to important customer sites like eBay to make sure they're using the software correctly.
I agree that the folks who built this must shoulder a lot of responsibility, but I cannot absolve Microsoft of culpability. Security is an afterthought in their products, rather than a fundamental design principle, and it shows.
Read the article!
It mentions (veracity aside) that the hacker did not use the July 17th exploit. Regardless of M$ or IIS, the hole was something the hacker had found and exploited.
The article also mentions that the hole was fixed and patched promptly; it never mentions if M$ fixed it, if M$ knew about it, or if M$ tried to hide it. All you are doing is spreading misinformation.
This is not about a crack reported in July. M$'s track record is not at issue, regardless of its purity or lack thereof, and M$'s press tactics are not the issue.
Hate M$, but this article is *not* about M$!
If you like the details... read the article.
The nick is a joke! Really!
GPL Deconstructed
Non-Dutch readers might be interested in the fact that the person Gerrie Mansur is not taken seriously in The Netherlands. He's a 'media hacker', despised both by hackers, crackers and security people.
-- unix is for people without a social life - Patrick van Eijk
A followup article on Technology Evaluation at (Slash may mangle this URL) http://www.technologyevaluation.com/research/research highlights/security/2000/06/news_analysis/na_st_lpt_06_21_00_1.asp explains some of the implications of weaknesses in stock data services.
What is ignored are the secondary effects: when these weaknesses are exploited to manipulate the market, the long term result will be loss of trust in news feeds and stock information services.
It seems that all of the major financial news services have had serious security problems this year: Comstock, Bloomberg, etc.
Who can you trust to supply good data?
I do not deploy Linux. Ever.
Insightful would perhaps talk about what the merits and demerits the M$ OS has, and the alternative OSes have. Or perhaps about their fitness for purpose, rather than vaguely commenting on their fitness.
My own comment is supposed to be insightful. It's supposed to engender insight in people reading on what an insightful comment is supposed to be. Moderate it up, if you moderators want people to read it and note "Gee, he's right. An insightful comment would make me stop and consider something I would not ordinarily consider. Bashing groupthink or M$ is not insightful, because everyone already does that... This is really overrated, or something."
Oh well. That's my rant ^^
The nick is a joke! Really!
GPL Deconstructed
Guess online trading is buggy.
Microsoft trades on the Dow, right?
There is no Light Side without a Dark Side.
Face it, people are stupid, and the internet is the place where they all meet.
Why doesn't anybody realize that for a Web application, the following things shouldn't be the case:
1) Database passwords, admin passwords, ANY passwords shouldn't be stored on the Web server in plaintext.
2) If an application management interface exists at all on the Web server (which I have some problems with), it should always run on a different port than the application itself and that port should be firewalled such that it can only be accessed from trusted (internal) IPs. The content directory structures for the application and application management should also be segregated.
An architecture that stores permissions and passwords and allows access to change these things and modify the application through the same channels that the application is provided is INHERENTLY INSECURE BY DESIGN.
Sorry if I'm ranting here, but as a professional developer working on a financial site this really tweaks my sense of professional ethics. Who designed this crap? Who audited it and said it was OK? Why do people think that Microsoft's architecture aimed at Joe Idiot who wants to put up a web page about his schnauzer fan club without having to learn anything is suitable for use by NASDAQ for cripessake!?!?
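The two rules in the post above (a management interface on its own port, reachable only from trusted internal addresses, with its content tree kept outside the application's) can be checked mechanically. The following is an added example, not code from the original post or from any IIS tooling; the listener descriptions, paths and address ranges are constructed, and "internal" is assumed to mean RFC 1918 space.

```python
import ipaddress
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumption for this audit: "internal" means RFC 1918 private space. A real
# deployment would substitute its own management network ranges here.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Listener:
    """One HTTP listener: either the public application or its management interface."""
    name: str
    port: int
    content_root: str                                  # directory the listener serves from
    allowed_sources: list = field(default_factory=list)  # CIDR allowlist; empty = anyone


def audit_admin_segregation(app: Listener, admin: Listener) -> list:
    """Return a finding for every rule the admin listener breaks (empty list = clean)."""
    findings = []
    if admin.port == app.port:
        findings.append(f"{admin.name}: shares port {app.port} with {app.name}")
    app_root = PureWindowsPath(app.content_root)
    admin_root = PureWindowsPath(admin.content_root)
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    if admin_root == app_root or app_root in admin_root.parents:
        findings.append(f"{admin.name}: content root {admin.content_root} lies inside {app.content_root}")
    if not admin.allowed_sources:
        findings.append(f"{admin.name}: no source-address restriction, reachable from anywhere")
    for cidr in admin.allowed_sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == internal.version and net.subnet_of(internal)
                   for internal in INTERNAL_NETS):
            findings.append(f"{admin.name}: allowlist entry {cidr} is not an internal range")
    return findings


def admin_request_allowed(admin: Listener, remote_ip: str) -> bool:
    """Host-level filter for the management listener: deny unless the source is allowlisted."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in admin.allowed_sources)


# Constructed sample deployments (hypothetical paths and ranges, not from a real site).
APP = Listener("trading-app", 80, r"C:\Inetpub\wwwroot")
WEAK_ADMIN = Listener("admin-weak", 80, r"C:\Inetpub\wwwroot\admin")
OPEN_ADMIN = Listener("admin-open", 8443, r"C:\Inetpub\adminroot", ["0.0.0.0/0"])
HARDENED_ADMIN = Listener("admin-hardened", 8443, r"C:\Inetpub\adminroot", ["10.20.30.0/24"])

if __name__ == "__main__":
    for admin in (WEAK_ADMIN, OPEN_ADMIN, HARDENED_ADMIN):
        print(admin.name, audit_admin_segregation(APP, admin) or "OK")
    print("10.20.30.7 ->", admin_request_allowed(HARDENED_ADMIN, "10.20.30.7"))
    print("203.0.113.9 ->", admin_request_allowed(HARDENED_ADMIN, "203.0.113.9"))
```

The allowlist check is intentionally deny-by-default: a listener with an empty `allowed_sources` is reported by the audit and also rejects every request in `admin_request_allowed`, so forgetting to configure the restriction fails closed rather than open.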
The company uses all Microsoft applications. I used to work at the above company that hosts nasdaq/amex/nasdaq-amex/americanstocks/etc... Financial Insight Systems. They were a Microsoft Certified Solutions Provider, and trying hard to become an MS Partner. Nasdaq had a good dozen-plus IIS Webservers, and we were discouraged from using anything BUT Microsoft software, because of the company's position with MS.
Had it not been for the fact that we were trying so hard to become an MS Partner (by getting all employees certified at least to MCP, and getting sponsors), maybe there would have been some choice as to what software to install on what boxes. But there wasn't, so it was Microsoft all the way.
Right before I left the company, they had just hired on a security specialist, at an exorbitant salary, who had no clue how to install NT, or how to install patches. But the fact that the IT team was less than 10 people, we were all overworked, and any extra person was a working person. That plus the fact that the company hired many low-salary low-experience techies to replace high-salary high-experience techies didn't help, but that is too much of a common business practice now to complain.
The two guys in charge of the servers, getting the big bucks, were being worked to the bone, and I admire them for that. But there's only so far you can go before the IT staff has no say in the matter, and the company pushes them into roll-outs and upgrades that are beyond common sense. Then you end up with a lot of burn-outs, stuck in a job they hate, but have some unknown loyalty to.
LAI
:eof
"I did not use the Source Fragment Disclosure Vulnerability, but used an exploit I wrote myself," he said. The exploit is a software tool that Mansur developed and then used to gain access to the servers.
and
Dan Schindler, director of technical client service at CBSMarketWatch.com, responded, "Many thanks for bringing this to our attention. We have installed a patch and deployed it to all our data centers."
yup, typical IIS users.
Will you stop with the damn zealotry and fud already? Go back to crying about how there are no bugs in RedHat.
the United Loan Gunmen first did it over a year ago: http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com/
-digitialboi
People who frown on White Hat Hacking would have you believe that keeping people blissfully ignorant of problems like this is a good thing. He allowed his target to get stuff fixed before releasing what he knew. How ethical is it to sit on this information if it can benefit other sites? What is good about having this around for someone with far less scruples to come along and exploit? What is good about having Microsoft not fixing bugs that they may not know about? What is good about customers believing the software they bought is properly configured or as secure as they believe it to be?
A simple proverb goes something like this...
"A man isn't foolish if one admits there is a problem. Instead a man is foolish when they refuse too."
This /. story and the corresponding CNN article contain some vague or incorrect statements...
-Raphaël
http://www.microsoft.com/NTWorkstation/downloads/Critical/q267559/default.asp
or bugtraq's page on this bug and the solutions:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1488
Now.. slashdot.. tell me... do you have a problem with a certain company or something? because the 'news' seem to get a little shaky in the 'correctness' area. :)
--
Never underestimate the relief of true separation of Religion and State.
Having been responsible for the creation of a number of websites using IIS I can say that I have NEVER put a password in any web page or asa's source. I either use an account with proper authentication for anonymous access (i.e. configuring the database to allow access from IWEB_), or I use a database guest account. These are absolute no brainers. If using a database system that doesn't integrate with NT Authentication I use the appropriate database guest account for anonymous access (and we are talking about anonymous access here).
Additionally security, as it always should be, should be very pervasive and built in many layers of the system. There should be a firewall eliminating anything but the appropriate access (obviously) so even if someone did have the database passwords there would be nothing they can do without getting past the firewall (note that this also requires locking down or removing RDS: look in IIS for the virtual directory "msadc". If you don't need or use RDS get rid of it. It's potentially a backdoor into your DB). However the database should be running on a completely separate machine/domain trusting only the appropriate account from the IIS machine for severely restricted "public viewing" access. The database should be configured with appropriate permissions on every table (usually zero access for anyone), stored procedure, etc. Anonymous web access doesn't need to see the whole DB, and they definitely should never have write access, etc.
It's sad seeing so many house of cards systems being put up and security is a one layer design: if you get past that one layer you own the system.
BTW: If you run an IIS system go into Application Mappings and remove anything that you don't need. In the vast majority of cases all you need are ASP and ASA (and also enable "Check that File Exists" for these). There are lots of "opt-out" esoteric parsers that IIS bundles that 99.999% of the population never ever needs, and the problem is that because they're not scrutinized they often harbour gross security holes. If you don't need it, it shouldn't be in there. If a website reads from a database it should be using an account that has appropriate permissions, etc. These are all basics and they are true regardless of the operating system or web serving software.
Anyways have a good day all.
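The hardening steps in the post above (strip Application Mappings down to what the site uses, enable "Check that File Exists" on the survivors, and drop the "msadc" virtual directory unless RDS is needed) amount to comparing a server's configuration against an allowlist. The script below is an added example, not code from the original post or from any Microsoft tool; the mapping table and virtual directory list are a constructed sample loosely modelled on an IIS 4/5-era install, and the handler names are illustrative only.

```python
from dataclasses import dataclass, replace


@dataclass
class ScriptMapping:
    """One IIS application mapping: requests for this extension go to this ISAPI DLL."""
    extension: str
    handler: str
    check_file_exists: bool = False   # the "Check that File Exists" checkbox


# Constructed sample configuration (illustrative names, not read from a real server).
SAMPLE_MAPPINGS = [
    ScriptMapping(".asp", "asp.dll"),
    ScriptMapping(".asa", "asp.dll"),
    ScriptMapping(".htr", "ism.dll"),
    ScriptMapping(".idc", "httpodbc.dll"),
    ScriptMapping(".shtml", "ssinc.dll"),
    ScriptMapping(".printer", "msw3prt.dll"),
]
SAMPLE_VDIRS = ["Scripts", "msadc", "IISSamples", "app"]


def audit_script_mappings(mappings, needed=(".asp", ".asa")) -> dict:
    """Report mappings outside the allowlist and allowlisted ones lacking the file-exists check."""
    needed = {ext.lower() for ext in needed}
    remove = sorted(m.extension for m in mappings if m.extension.lower() not in needed)
    enable_check = sorted(m.extension for m in mappings
                          if m.extension.lower() in needed and not m.check_file_exists)
    return {"remove": remove, "enable_check_file_exists": enable_check}


def apply_allowlist(mappings, needed=(".asp", ".asa")) -> list:
    """Produce the hardened mapping table: only allowlisted extensions, each with the check on."""
    needed = {ext.lower() for ext in needed}
    return [replace(m, check_file_exists=True) for m in mappings if m.extension.lower() in needed]


def audit_virtual_dirs(vdirs, rds_needed=False) -> list:
    """Flag the RDS virtual directory when the site has no use for RDS."""
    findings = []
    if not rds_needed and any(v.lower() == "msadc" for v in vdirs):
        findings.append("virtual directory 'msadc' present but RDS is not needed: remove it")
    return findings


if __name__ == "__main__":
    print(audit_script_mappings(SAMPLE_MAPPINGS))
    print([m.extension for m in apply_allowlist(SAMPLE_MAPPINGS)])
    print(audit_virtual_dirs(SAMPLE_VDIRS))
```

The audit is allowlist-driven on purpose: it never needs to know which of the extra handlers has a problem today, only which ones the site actually serves, which is the property the post is arguing for.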
1) According to the cracker himself, he did NOT use the July 17 exploit. This indicates that another problem exists with IIS. It also makes him a non-white hat since he still has the power to crack other servers.
I'd like to give him the benefit of the doubt and assume that he's not releasing it before a patch is finished, to prevent all the kiddiez from going to town with their new 'leet trick before people can plug the holes.
Is there a chance that people have been secretly exploiting this for some time? Can it be used to gain unfair advantage in trading?
It doesn't really matter. People keep assuming that administration wants to know or cares if their pet server OS is secure. They don't decide on technical merits or fitness for purpose; they decide on what the salesmen tell them and what everyone is doing. They're just going to think, 'well, everyone gets hacked', and forget about it. This doesn't change any thought process at all because everyone in the server rooms knows what's going on and everyone out of it doesn't care.
A society that will trade a little liberty for a little order will lose both and deserve neither. - Thomas Jefferson
Not to say that ms is always on time with patches, but a couple of clicks through the links above lead to a patch released on 14th of July - in response to an earlier exploit using the same basic method.
This exploit allows someone to view files that would otherwise be run natively on the server, without being preprocessed. In their entirety.
Something like global.asa, which for you non-IIS types out there, is a file run on webserver startup, which contains all sorts of interesting information. It is a repository for most developers using IIS to put in information like database usernames and passwords, so the webserver can talk to it.
_This_ is where the problem is. I'm not sure that exploit as reported on Bugtraq gives write-access to anything (except by revealing another port of entry), but it does allow someone to get access to databases and any sort of thing they choose to store anywhere within the webserver space, in any file.
Evil, and credit to the white-hat for reporting that. It builds more media coverage, with the hackers looking good, the sites looking good (for patching it quickly), the only ones who look bad are Microsoft for not fixing the bug in the first place.
Fross
"I will gladly pay you today, sir, and eat up
Sacred cows make the best burgers.
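The post above explains why source disclosure hurts so much: global.asa is where developers park database usernames and passwords, so a bug that leaks raw file contents leaks the credentials too. A defender's first move is to find those credentials before anyone else does. The scanner below is an added example, not code from the original post; it walks ASP/ASA source for connection strings that carry a password field and reports them with the value masked. The file contents are constructed samples (the credential shown is made up), and the regex only catches the plain `Password=`/`Pwd=` form, not concatenated or encoded strings.

```python
import re
from dataclasses import dataclass

# Password field of an ADO/OLE DB style connection string: "Password=..." or "Pwd=...".
# Stops at ';' or a quote so only the value itself is captured.
_PASSWORD_FIELD = re.compile(r'(?i)\b(password|pwd)\s*=\s*([^;"\']+)')


@dataclass
class Finding:
    path: str
    line: int
    key: str      # which keyword matched ("Password" or "Pwd")
    masked: str   # first character plus asterisks, so reports never re-leak the secret


def mask(secret: str) -> str:
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_embedded_credentials(sources: dict) -> list:
    """Scan {path: file_text} for connection strings with an inline password."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in _PASSWORD_FIELD.finditer(line):
                findings.append(Finding(path, lineno, m.group(1), mask(m.group(2))))
    return findings


# Constructed sample sources under a hypothetical web root. The first file embeds a
# (made-up) SQL login; the second uses integrated Windows authentication instead,
# so there is no secret in the file for a disclosure bug to expose.
SAMPLE_SOURCES = {
    r"C:\Inetpub\wwwroot\global.asa": (
        '<SCRIPT LANGUAGE="VBScript" RUNAT="Server">\n'
        'Sub Application_OnStart\n'
        '  Application("ConnString") = "Provider=SQLOLEDB;Data Source=dbsrv;User ID=webapp;Password=Hunter2"\n'
        'End Sub\n'
        '</SCRIPT>\n'
    ),
    r"C:\Inetpub\wwwroot\quotes.asp": (
        '<%\n'
        'Set cn = Server.CreateObject("ADODB.Connection")\n'
        'cn.Open "Provider=SQLOLEDB;Data Source=dbsrv;Integrated Security=SSPI"\n'
        '%>\n'
    ),
}


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_SOURCES):
        print(f"{f.path}:{f.line}: {f.key}={f.masked}")
```

Run it against a copy of the content tree rather than the live server, and treat every hit as a credential to rotate, not just a line to tidy: once a file like global.asa has been readable through a disclosure bug, the password in it has to be assumed known.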
The media jumps all over the "Bad Guys" on the Internet. Defaced websites (especially high-profile ones) get plenty of coverage. I'm curious how the media is going to treat this one. If more public praise is given to these White Hats, maybe the trend can be reversed. A disobedient kid is often looking for attention. If the good guys gain as much notoriety as the bad guys... you get the idea.