Slashdot Mirror


Microsoft Admits To Backdoor In IIS [updated]

Ninkasi writes: "Here is a rather alarming article from Yahoo which claims that Microsoft has a backdoor password into IIS web servers running FrontPage 98 server extensions. Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet." The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin and advisory published on its corporate Web site." This is really just too perfect. Update: 05/14 07:48 PM by T : Actually, it is too perfect -- guess this particular possibility for built-in backdoors is old news. Sorry.

31 of 236 comments

  1. Microsofties make better lovers by Anonymous Coward · · Score: 3

    because they're experienced at going down several times a night.

  2. Does illustrate the advantage of Open Source by Badgerman · · Score: 4

    All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:

    Security.

    Don't like the security? Change it. Don't trust a program? Check it then recompile it. Found a flaw in security? There's a good chance someone else did and has a fix.

    Now I'll be first to admit that I feel MS products are not as bad as portrayed. I feel people bash them for the sake of bashing them. But Microsoft's policies and attitudes, and now this debacle . . . that's highly bashable, that's indefensible.

    Let's hope this story gets smeared all over the world news - and especially in those countries looking at Open Source as an alternative to Microsoft.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  3. Because we went through this last year by SEWilco · · Score: 3
    Actually, the URL of the Yahoo article includes "20010514". Today's date is 2001/05/14. Apparently it's new news at Yahoo.

    The only date in the article or within the HTML is "Last Thursday", the same phrasing in the 2000/04/14 WSJ article. Microsoft's information is within this modified security bulletin.

  4. What it will take. by powerlord · · Score: 3

    I hate to say it, but what it will take is something truly vindictive. A worm on the scale of the ILOVEYOU virus, but with a truly destructive payload. The ILOVEYOU virus wasn't that destructive to most people. It targeted MP3s, and several Media files. Neat, okay. But it still left your computer usable.

    Imagine a virus on this scale that does the following:

    1) replicate itself through either e-mail attachment, or by forwarding a random encoded name (cut/paste algorithm from mailbox? past message with a "I'm not sure I sent you this" + Subject, replacing a link within the message for a poisoned website/ftp site.

    2) wipe all network attached drives

    3) enter commands in the registries "RunOnce" section to remove the system files on the next reboot (these can only be done prior to their being loaded, otherwise the system tends to be persnickety about it). Don't forget things like the CMD/COMMAND shell.

    4) (optional) attempt a remote access/infect of all machines within a given IP range (defined by SubnetMask?).

    5) If you are using step 4 then move step 1 to here so recently hacked/poisoned web/ftp sites can be inserted into mail message preventing stagnation of link. For extra credit have the virus self-modify to include a running list of where it's been (or what sites it's tried to help cut down on duplicated effort. Short run log might also help trace back to source so the IP addresses should be normalized/sorted, not appended to the end. This will also help in updating the list as the worm moves).

    6) You've done all the mischief you can. Now reboot the system to truly FSCK the end user.

    This is just a broad outline, but seriously.
    If this sort of thing happened, the results would be two-fold.

    1) Definite: People would be calling for blood (most likely taken out of the cracker/script kiddie who did this, and rightly so in my opinion). The software industry/media would view this as the work of a "hacker" and not their fault.

    2) Less Likely: (but wishful) People might realize how security is iterative and valuable. It is much more tangible than the social contract most of us assume it to be. We figure, "we're not worth it", or, "who would bother me?" and joke about security, but your average end user doesn't really care (ask the same person about 'air-bags' and see how much they do care if they feel vulnerable).

    With the days of standard, high-speed access in the homes, the scenario I outlined above is all too real and all too close to happening.

    I guess this probably won't make much of a difference in MSFT server sales... unless the payloads are consistently delivered via an MSFT server (or else the virus specifically targets MSFT servers by using some central warehouse of net accessible MSFT servers, like say netcraft).

    P.S. I do not encourage AT ALL making the above virus. I think it would be a malicious piece of garbage and would be the first in line to string the writer up by their anatomy. On the other hand I doubt I'm the first to think of this sort of thing so I have only slight qualms about writing it down (the more who are concerned about it, the less likely it will come to pass), and there would (still) be major technical obstacles to be overcome, for a virus of this type to be created and released.

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  5. New or Old? by powerlord · · Score: 5
    Judging by the content (sparse that it is) " Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software", it seems like this might just be a rehash of the old NetscapeEngineersSuck (reversed) (or whatever the string actually was).

    While it's nice to see MS finally admitting to this, unless this is a new vulnerability, it seems almost like someone is trolling either Yahoo and/or Slashdot (and succeeding).

    On the other hand I did find out about a wonderful and relatively new (Posted May 02, 2001 to CIAC) bug involving IIS 5.0, Windows 2000, and a buffer overflow (what else :) in an ISAPI extension for submitting/controlling print jobs via HTTP that is enabled by default.

    In Microsoft's defense, more information (in easy bite-size portions that were a tad too sickening for me) is available here. They also have a patch to fix the issue (assuming you wish to maintain the service and not remove it). The patch will supposedly be rolled into Win2K SP2.

    One last thing, an interesting side note is that they recommend modifying group permissions instead of just unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Their reason?

    Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.

    Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.

    Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implementation "feature"), and if I disable the option everything else that is bundled into the OS and that relies on that package will break (makes sense, but is equally scary). Makes me happy I run Win98SE and Linux.

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  6. Re:Cisco by MadAhab · · Score: 4
    Funny. But stupid. If someone can get in with a backdoor password, how are you supposed to keep anyone out?

    The Right Thing To Do with forgotten passwords is to make the person who forgets them suffer. System must be brought down, set a new password, bring it back up. What happens if you lose all keys to the toolshed? You have to rip out the lock, which can and should be a lot of trouble, and then install a new one. Don't lose the keys, dumbass.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

    --
    Expanding a vast wasteland since 1996.
  7. code review by konstant · · Score: 5

    For those of us working on closed software and not in a position to take advantage of open-sourced peer review, code reviews are a critical substitute. This backdoor illustrates what happens when devs are "trusted" to code morally and never second-guessed. Of all the advantages of OSS, peer review is the one closed-source developers have to work hardest to replicate.

    Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. It keeps the honest honest.

    Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.

    -konstant
    Yes! We are all individuals! I'm not!
  8. Let us not forget the NSA backdoor theory by joq · · Score: 4

    Analysis By People We Trust II: Bruce Schneier

    from: sci.crypt
    subject: NSA and MS windows

    A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace.

    Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.

    Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

    I don't buy it.

    First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption.

    Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

    Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

    I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

    Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

    But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.

  9. Last Thursday? by z4ce · · Score: 3

    Which last Thursday would that be? This last Thursday? How about this last Thursday? Nice one yahoo... post an article from April 2000 in May 2001. I bet microsoft will be angry as heck. And they deserve to be, this seems like plain libel to me.

  10. Re:April 2000 by phutureboy · · Score: 4

    Actually, the story's URL contains the string "articles/20010514/microsoft_ackno" which suggests that the article is from today, 2001-05-14.

    I couldn't find a link to it on the main story index though.

  11. DLL naming convention by scoove · · Score: 5

    Gosh, where could they have come up with a name like dvwssr.dll?


    MEMORANDUM
    TO: BILL GATES
    FR: SECRET SERVICE COMPUTER CRIME TASKFORCE,
    OPERATING SYSTEM REMOTE CONTROL TEAM

    Pursuant to our back door access agreement with Microsoft, please include the following dvwssr.dll (device for virtual web secret service remote-control) in your web server system distribution.

    DIR. SECRET SERVICE

    p.s. Could you also have one of your database people call the folks over at the FBI? Apparently they've got a whole bunch of pages of some Oklahoma City court trial related stuff in that SQL database and can't make heads or tails out of the darn thing. They had some Chinese workers looking into it, but apparently they got reassigned to a firewall project over at Defense.


  12. and thanks to FOII... by scoove · · Score: 5

    we bring you this previously secret Microsoft response to the Secret Service's request:


    MEMORANDUM
    TO: BRIAN STAFFORD
    FR: STEVE

    Brian - Got your note. No problemo on the request. BTW, please tell your folks that I'm the big man on campus now. I've got an office almost as big as Bills was, and even have one of those really cool leather chairs. So please tell them they can stop sending all that stuff to Bill. It just sits on his desk while he's out doing that foundation crap.

    Speaking of Bill, tho, we talked about the little SQL problem over at the FBI and he wanted me to assure you all that he's absolutely positive there's no relation between database problems and that pesky antitrust matter.

    Bill said he was sure that since Janet's long gone, we'd be glad to take a look into the problem. In fact, we'd be happy to archive all the antitrust stuff at the same time just as a way of saying thanks for the business.

    Give me a call sometime!

    The Big Ball


  13. Re:Back Door? by quigonn · · Score: 3

    And what's worst: they don't have a single backdoor, they have a whole backoffice!

    --
    A monkey is doing the real work for me.
  14. This news does not surprise me... by stevens · · Score: 3

    ...but the reaction to it will surprise me. I expect it, and it will still surprise me: I predict this makes absolutely no dent in MSFT server sales.

    You see, I think that most of the people who could learn from this sort of thing have already learned several times over.

    I don't know what sort of catastrophe it will take for the rest of these people to learn...

  15. Re:Too Late for Some by Greyfox · · Score: 4
    Well then he should sue them. After all, when you're dealing with a commercial company, you actually have someone to sue, unlike open source software. Isn't that right?

    God I'd like to put a bullet in the head of that particular piece of FUD once and for all...

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  16. Re:Too Late for Some by SlaterSan · · Score: 4

    And now it's been slashdotted too .

  17. What's Amazing about this and what's not... by BierGuzzl · · Score: 3

    What we all should _really_ be amazed about is that Microsoft is actually getting around to admitting to this. An IIS backdoor is really not that surprising of a thing on its own. The only difference between a regular IIS bug and an IIS backdoor is that one was put there on purpose and the other was left there through carelessness.

  18. "Better security out of the box than Linux" by BierGuzzl · · Score: 5

    I'm guessing that we mean before it's inserted into the cdrom drive.

  19. April 2000 by rjamestaylor · · Score: 5

    This is really old news, as well as misleading. A curse on Yahoo Small Business for not including a time/date stamp on their story. See this Google search for more info.
    --
    -- @rjamestaylor on Ello
    1. Re:April 2000 by valentyn · · Score: 3
      There is a date/time stamp on the Yahoo story, and it's just what it looks like: May 14, 2001. The Slashdot crew is not to blame here: Yahoo! Small Business, Technology section made it a feature today. The link to entrepreneur.com that Yahoo has, has no references to this story. It seems Yahoo! is at fault here.

      V.

      --
      my other sig is a 500 page novel
  20. Who are the "security experts"? by VSarkiss · · Score: 5
    Does anyone know who the "two security experts" are that the article refers to? Where they work, how they found it, etc.?

    I looked in the usual-suspect places but didn't turn up anything. I mean, you can't really "search" for this.

    Search: microsoft iis security hole
    Search returned 745 documents
  21. Let's be fair by DeadVulcan · · Score: 3

    Now, let's be fair. If you don't care about the open/free software philosophy (and just for the record, I do), and security is really the only thing we're arguing here, then the real questions are: when was this backdoor introduced, when was it discovered, and how soon will there be a patch?

    The article mentions nothing in this regard, and doesn't warrant the comment, "Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet."

    I can't see how this incident favours one side of the argument over the other, until we have more information about the circumstances.

    --
    Accountability on the heads of the powerful.
    Power in the hands of the accountable.
  22. What I find alarming... by mizhi · · Score: 3

    Is not the security hole... we all know M$ considers security matters a complete joke. People are at their mercy as to when to release fixes, if at all.

    What raises a red flag with me is that the wording of the article indicates the password backdoor was put there intentionally... and we're supposed to trust M$ with our valuable and oftentimes, priceless data?

    "Against our policy"... right. To hell with them.

    --
    Humorless sig goes here.
    1. Re:What I find alarming... by baptiste · · Score: 4
      Now I can bash Micro$oft with the best of them, but in their defense...

      The backdoor was slipped in by a coder who managed to get it through a code review, etc, etc. This is not isolated to Microsoft. That's why OSS is so nice - anyone can look for and find backdoors to fix them.

      When you are talking about tens of millions of lines of code, it's impossible to find stuff like this unless you spend a LOT of time looking for it. In my previous life I worked for a company whose flagship software was about 25 million lines of code. I'll never forget when they decided to give the source to select customers who signed NDAs. They spent MONTHS looking for backdoors and inappropriate comments like:

      // If we get here we are REALLY f**ked

      It was amazing how much stuff they found (mostly in the comment category) and how long it took to find it all in a code base that large.

      --

  23. "Microsoft" "backdoor" by Hairy_Potter · · Score: 3

    boy, this screams for a disgusting trollish gif or jpeg, but for the life of me I can't think of one.

  24. What is everyone spewing about? by rabtech · · Score: 4

    This is the same old "Netscape Engineers suck!" backwards-text thing that was hashed (and rehashed) quite some time ago. It turns out that the string is just junk text in the file. It isn't a password, backdoor, or anything else.

    Take a look at what Bugtraq's owner had to say at the time (Bugtraq originally reported this issue.)

    It seems that someone testing the box entered the string and got into the Frontpage web w/ no password.... as it is pointed out below, that is because the security on the box wasn't set properly.... they could have typed in "MicrosoftSucks!" and gotten in.

    ======= BEGIN MESSAGE =========

    Ok, here's a breaking update.

    Latest reports say that there is

    NO VULNERABILITY IN DVWSSR.DLL

    Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.

    Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).

    MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).

    Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...

    In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.

    That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the .dll. Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways.

    From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).

    I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.

    This info may change again before it's finalized. It may well be that there is some way to use this .dll in a way that's not intended...it just doesn't appear to be this one. On a box where multiple sites have not been individually permissioned, or permissions are lax or non-existent...anyone permissioned to execute the .dll in the first place would have the ability to simply open the other sites and manipulate them directly (i.e. no need to do this junk with the dvwssr.dll)

    Finally, to my point about the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that it's not a password. Whatever it is, it appears to be meaningless junk text used as data.

    ===== END MESSAGE ======

    -------
    -- russ

    "You want people to think logically? ACK! Turn in your UID, you traitor!"

    --
    Natural != (nontoxic || beneficial)
  25. Bill Gates' Network Neighborhood by AlgUSF · · Score: 4

    I wouldn't be surprised if when Bill Gates clicks on his network neighborhood icon, every windows machine on the internet comes up with full access... :-)

    I bet Microsoft's websites are probably running on a "Modified" version that doesn't include this backdoor.

    --
    I want my rights back. I was actually using them when our government stole them after 9/11.
  26. Does Open Source do Better? by iCharles · · Score: 4
    OK, let's say I use open source. How do I know there isn't a back door? I could, if I had the expertise and the time, go through every line of code, and verify that none of the 69,000 developers working on it put a backdoor in. I dare say in most situations, that is impractical. It means that even the smallest installation requires someone with some knowledge of OS development and C code.

    With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

  27. Re:code review by imipak · · Score: 5
    code horror stories... I once reviewed code written by a co-worker who left a couple of months before. Got to the credit card validation routines:


    # FIXME: can't test on dev server, assume works for now
    return 1; # cc validation goes here...

    The site was less than a week from going live when we found that.
    --
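
    As an added illustration of the two code-review points above (konstant's "all code is reviewed" rule in comment 7 and the shipped `return 1;` stub in comment 27), here is an example written for this page, not code from any poster or from the project discussed: a real Luhn card-number check placed beside a stub that accepts anything, plus a small review aid that flags a FIXME/TODO comment immediately followed by an unconditional return. The function names, the sample card numbers and the Perl-shaped sample source are constructed for the example.

```python
# Added example (not from the Slashdot thread or any poster): a real card-number
# check to put beside the "return 1" stub quoted above, plus a small review aid
# that flags validation routines whose body is a FIXME/TODO followed by a return.
# Names (luhn_valid, stub_validate, find_stubbed_validators) and the sample
# inputs are constructed for this example.
import re


def luhn_valid(number: str) -> bool:
    """Return True if `number` (digits; spaces or dashes allowed) passes the
    Luhn check-digit test and has a plausible card length (12-19 digits)."""
    digits = re.sub(r"[ -]", "", number)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, and fold
    # two-digit products back into one digit (subtract 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def stub_validate(number: str) -> bool:
    """The shipped behaviour described in the post: accepts anything."""
    # FIXME: can't test on dev server, assume works for now
    return True


def find_stubbed_validators(source: str):
    """Return (line_number, comment_text) for each FIXME/TODO/XXX comment that
    is immediately followed by a return statement, the shape of the stub the
    reviewer in the thread found. Works on any '#'-commented source; line
    numbers are 1-based and refer to the comment line."""
    hits = []
    lines = source.splitlines()
    for i in range(len(lines) - 1):
        if re.search(r"#\s*(FIXME|TODO|XXX)\b", lines[i], re.IGNORECASE) and \
           re.match(r"\s*return\b", lines[i + 1]):
            hits.append((i + 1, lines[i].strip()))
    return hits


# Constructed sample: a Perl-style routine in the shape quoted in the post.
SAMPLE_SOURCE = """sub validate_cc {
    my ($cc) = @_;
    # FIXME: can't test on dev server, assume works for now
    return 1; # cc validation goes here...
}
"""

if __name__ == "__main__":
    # Constructed sample numbers: the first passes Luhn, the second differs in
    # its last digit, the third is too short to be a card number at all.
    for n in ("4539 1488 0343 6467", "4539 1488 0343 6468", "1234"):
        print(n, "stub:", stub_validate(n), "luhn:", luhn_valid(n))
    print(find_stubbed_validators(SAMPLE_SOURCE))
```

    The Luhn check only catches transcription errors and obviously malformed input; it says nothing about whether a card is real or funded, so it is the minimum a validation routine should do before the real authorization call, not a substitute for it. The review aid is deliberately simple: the point of the thread is that a grep for FIXME next to a bare return, run before go-live, would have caught the stub a week earlier.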

  28. M$ Easter Eggs by kbeast · · Score: 3

    That's weird, I saw this listed as an easter egg that when you enter the correct password, it displays a jpg of Bill Gates with his fist up my ass.

    .kb

    --
    Two Wrongs Don't Make A Right-- But They Make Me Feel A Whole Lot Better
  29. Slashdot... by Scoria · · Score: 3

    ... Why is the Netscape Engineers are Weenies vulnerability/backdoor so perfect?

    I didn't even have to read past the Yahoo article to realize what it was. The dynamic link library mentioned plus FrontPage 98 clicked in even my head.

    Since the editors of Slashdot love bashing MS, can't they at least learn of NT's vulnerabilities before posting them? Anyone who knew something about NT would have spotted that was old before reposting it.

    No offense to Slashdot and I'm not a troll. I just can't believe this.

    --
    Do you like German cars?