Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interbase Backdoor, Secret for Six Years, Revealed in Source

Posted by michael on from the all-die-o-the-embarassment dept.

Diesel Dave writes "CERT Advisory CA-2001-01 announced today that the Interbase server database contains a compiled-in back door account. The thing is, it was not the result of a malicious code infection, but a direct addition by the original Borland/Inprise authors done before the program was released as open source." The backdoor was installed sometime between 1992 and 1994, and has been included in every version of Interbase during that time.

9 of 260 comments (clear)

  1. Re:Why the surprise? by bluGill · · Score: 5

    OpenBSD has been undergoing a security aduit for years. A couple months ago they were able to claim there had been no known root hacks in the current release for 3 years. (That is they were able to fix root hacks before they were discovered for the last 3 years). Well sometime this summer someone discovered a root hack in the released system, despite all those audits. (To be fair, they had fixed that hole in the unreleased code stream, nobody realized it was exploitable at the time though so there was no hurry to release it early).

    Audits are good, but they take time. OpenBSD has proven they take a lot of time. There is no open source project with as much work in security auditing as openBSD. (Probably no closed source project either). No open source project cares are much, yet they can't always get it right despite 5 years of work. To criticie any other project for not discovereing all secuirity holes is a mistake. Even if the openBSD audit team had decided to work on this with as much effort as went into openBSD there is no reason to belive they would have discovered this sooner.

  2. Here's a buffer overflow by QuantumG · · Score: 5

    Well it took 20 minutes but if you grab the file interbase/qli/dtr.c from the firebird cvs you will see one of the very first things it does in main is:

    SCHAR home_directory[256];
    ...
    #ifdef UNIX
    /* If a Unix system, get home directory from environment */
    startup_file = getenv("HOME");
    if (startup_file == NULL)
    {
    startup_file = ".qli_startup";
    }
    else
    {
    strcpy(home_directory, startup_file);
    strcat(home_directory, "/.qli_startup");
    startup_file = home_directory;
    }
    #endif

    That's called a "buffer overflow" and I doubt it is the only one. Just a short grep over the files gives an idea here. 642 strcpy's, 139 strcat and 945 sprintf's. The first thing to do is replace those with safe alternatives (strncpy, strncat, snprintf) and then the fun begins. And I just know that next week I'm gunna be asked to install an Interbase server :)

    --
    How we know is more important than what we know.
  3. Re:Why the surprise? by jpiterak · · Score: 5
    Hmmm... While I agree with the idea that perhaps more people should be checking out the source code of the open source apps they use, I think you missed the point.

    The backdoor was introduced in the commercial version of the software. It's only now that it is open source that we could even see the error. The people paying for the 'presumably...high-quality app' you extoll the virtue of were receiving the backdoor-enabled product. Rather than being a failure of open-source software, I'd say this one was a sucess. I only wonder what other kind of 'crap' exists in all those apps whose sources are closed.

  4. Re:More juice ... I like this part by blirp · · Score: 5
    From the webpage:
    For security reasons, the patch is available only as a binary and you will be required to register for this download.

    Nice, eh?

    M.

  5. Re:Hits on port 3050/tcp already on the increase by deusx · · Score: 5

    ...and why it existed for years in open source before being discovered.

    Correction... Note that the blurb above says "...a direct addition by the original Borland/Inprise authors done before the program was released as open source." This wasn't done after the Open Source release.

    Furthermore, Interbase has only been under an Open ource license for less than a year. Inprise was considering the move around last December, and was finally (although missing parts and amidst great controversy which eventually forked the code) released under an Open Source license around July 2000

    So, the thing is from what I can see, this is an instance where an Open Source release allowed a security hole, hidden for years as closed source, to be found finally. Which is, of course, the complete opposite of what you said.

  6. Why the surprise? by alteridem · · Score: 5

    Many people seem surprised that it took so long to find the backdoor. Their logic is that since it is opensource and has countless eyes looking at it, then it should have been noticed much sooner. What they don't realize is that a project like this is usually in the range of hundreds of thousands to millions of lines of code and when a developer goes into a project of that scale, he/she does not read everything, but only enough to learn the overall structure of the program, then zeroes in on sections that have been identified to need work or may contain known bugs.

    If anyone truly believes that things like this should be found faster, they should try reading through this amount of code. When their heads stop spinning they will probably have a change of heart.

  7. Re:Hits on port 3050/tcp already on the increase by deusx · · Score: 5

    Wow.

    Even more... If you read the saga of the backdoor here, it seems that not only was the backdoor known about by Inprise R & D engineers-- but that when the original creators of Interbase (no longer a part of Inprise, but now part of the Firebird development fork) brought the security breach to their attention engineers at Inprise were forbidden to speak to them .

    And furthermore, as they realized that not only was this in the Open Source release, this backdoor was also in the last 3 closed source versions of the database. So they fixed the Firebird source, but also-- even with the company itself forbidding its own engineers to contact these people-- they wrote a binary patch program to disable the backdoor on previous versions.

    Imagine that. Even while being slapped in the face, these guys fixed their product for them.

  8. Not surprised that it took time to be found by Outland+Traveller · · Score: 5

    Lots of people here are apparently surprised that it took so long for this backdoor to be found. I thought I'd try to present an explanation.

    1. Interbase wasn't officially released under an open source license until last summer. I at least, did not spend any serious time with it until the license was correct.

    2. The open source interbase got off to a very slow start. Here's why:

    - Borland didn't release all the tools required to build and test interbase code.
    - Many of the original developers had left Borland, meaning that there was a shortage of mentors for new developers.
    - Borland yanked startup funding at the last minute from the group that was going to take over the management of the code base, causing many to question interbase's future.
    - Documentation of the code base is still unfinished.
    - The codebase is large and complex.

    Independent interbase builds (firebird on sourceforge) didn't start happening until very recently. In my mind they found this bug faster than I would have expected.

    -OT

  9. Dogma by FallLine · · Score: 5

    Uh. First off, that doesn't mean open source products are any more secure. Second, many of them do not involve buffer overflows at all, but rather race conditions, poor checking of passwords, fundamentally flawed security architecture, terribly stupid flaws (remember phf?), etc. Third, more difficult for whom and in what way?

    It would take a hacker a significant amount of time to discover a properly hidden and hardcoded backdoor in a closed source product. Notice how many years it took ANYONE to discover this. That is "difficult", or rather time consuming for the hacker. You might say it's easy to reproduce, but that's true for literally hundreds of Open Source security flaws. Once a hacker discovers a means and releases an exploit, the work is done. It doesn't matter to the hax0r, aka script kiddy, if exploit.c sends "LET ME IN BACKDOOR" or a bunch of machine code to the target host. Furthermore, it's quite easy to test for the existence (or at least the probable existence) of a security flaw via improper bounds checking. In other words, you just send a bunch of different programs extra long strings on various inputs until something crashes, then you simply do the work to make the exploit happen. Compare this with trying to find a well hidden backdoor in a closed source product, you either try to reverse engineer the binary or you can try brute force. In either case, it's much harder to detect.

    So the question remains, easier for whom and how is that relevant? It's really not terribly relevant if you ask me. The question is how secure is YOUR product at the end of the day in YOUR environment for YOUR needs. If you start overgeneralizing by saying "Open Source is secure, Closed Source is not" then you're making a fundamental mistake. Rhetoric and dogma are not conducive to practical security.