Musings

by Rik Farrow
<[email protected]>

Rik Farrow provides UNIX and Internet security consulting and training. He is the author of UNIX System Security and System Administrator's Guide to System V.

I have gotten so focused lately that my head is getting a point at the top. That's why we are using the old photo of me, rather than the new, coneheaded version.

Although I began working with UNIX as a system administrator, and have done other things as well (such as programming), these days it is Internet security that grabs most of my attention. And I would guess quite a bit of yours as well.

So, am I going to tell you about the crack du jour? Hardly, since it will be really old news by the time you get to read this. Not that there is much that is really new. Buffer overflows became famous with Morris's Internet Worm in 1988 and became popular only with the splitvt Solaris hack in 1995. That hack was followed by a couple of papers, one by Mudge of the l0pht (<http://www.l0pht.com>), and another by Aleph One that appeared in Phrack (<http://www.phrack.com>; search for "Smashing the Stack").

Richard Smith did bring to light some problems with ActiveX during the USENIX Security Symposium in August. Not that this is a surprise, because we all knew that ActiveX is dangerous. But just how dangerous became evident when a confederate of Smith's, Georgi Guninski of Bulgaria <[email protected]>, published some exploits of fairly common ActiveX controls on BugTraq (<http://www.securityfocus.com>). Essentially, depending on the PC, you could execute commands, read, write, or delete files, simply by sending email to the victim! Thank you, Microsoft!

There are several keys to these exploits. ActiveX controls can be marked "Safe for scripting" (actually a method included in the control). If the control is safe for scripting, it can be invoked via email if the user agent understands HTML. Of course, Outlook in its various disguises is really a front end for Internet Explorer, so understanding HTML comes "naturally." The ActiveX control gets invoked within <object> tags, which some firewalls may filter out. For example, Cisco's PIX, today the world's best-selling firewall, can filter these out of Web or SMTP traffic if and only if the leading <object> tag and the closing </object> tag fall within the same packet. This would usually happen, unless, of course, someone is actively attacking you.

If you use IE and Outlook, you want to disable scripting from the Internet zone. This should protect you from this type of attack from those outside of your own networks. Of course, if someone within your network forwards you the email with the attack enclosed, you are hosed. I knew that sticking to UNIX was a good idea... For more on this, read the ;login: Special Security Issue (November 1999), or peruse the archives of BugTraq.

Boring

Actually, among the "highlights" of last summer's Black Hat conference (<http://www.blackhat.com>) were statements from Bill Cheswick and Dominick Brezinski saying that they were getting bored. To help get you in the right mindset, just think of how many times you have had to explain the importance of passwords to your users, or explain to some vendor why making their 1-megabyte app set-user-id and owned by root was not a good idea. If you don't believe this last one, you haven't bought much UNIX software lately (or your vendors are really good).

Then there were the hacking challenges that came in August and September. In the first one, Microsoft hosted a Windows 2000 Web server and invited people to hack it. It was up for less than a day when it went down because of a power failure that affected only the Web server. Mystical.

Then LinuxPPC (Linux for Apple boxes, generally) put up its own server, with Apache running on top of Linux. After one week, they had posted all of the ports open on the system and also gave away the root password. Seven weeks later, and after only one reboot (and no cracks), they stopped the contest, since people were attacking the ISP in their attempts to break in. If you did crack the box, it was yours. According to their Web page (<http://crack.linuxppc.org/>), they were seeing twice the traffic that the Windows 2000 box was, all on their little 120 MHz PPC.

The second challenge occurred in September, when PC Week set up two Web servers and offered a $1,000 prize to anyone who could replace the home page and document how they did so. The contenders were NT4/SP3, with a few hot-fixes, and Red Hat 6.0 running Apache 1.3.6 but no patches. A Spanish hacker, Jfs, won by cracking Linux.

Flames

Naturally, this started a flame war against PC Week, some of it deserved. Their defense was that it was too difficult to secure the Linux box compared to the NT box. The actual exploit relied on third-party software (and some hints about exploiting problems in CGI scripts that appeared in the latest Phrack, Volume 55, article 7). You can read for yourself how the hack went at <http://hispahack.ccc.de/en/mi019en.htm>, but I'll share a summary of it here for your edification.

Jfs began by probing the server. I personally believe he chose Linux because it was more familiar to him, and he never even mentions trying anything against the NT server. One nifty but simple probe entails connecting to port 80 and sending POST X HTTP/1.0\n\n, which will always provoke a response from a compliant Web server that includes the Web-server version in the header. You can substitute GET or HEAD instead of POST if you wish. Note that Apache is more blabby than IIS. (IIS used to betray more info than it does now.)

By reading public Web pages and looking for links, Jfs discovered a directory named photoads/cgi-bin that contained Perl scripts. These scripts can be licensed for a fee of $149 from <http://www.hoffice.com>, but Jfs "found" a copy at a friend's and started looking for problems in the Perl. He found a way to sneak in a server-side include and a command that should have invoked mod-perl (if present), but neither appeared enabled (hint: HTTP_REFERER was used but never filtered for funny characters).

He looked for other variables that were used in open() calls and found several, only one of which could be controlled externally. This is where the real contortions start.

Twisting

All user input used by the scripts (except for HTTP_REFERER) gets filtered using a substitution pattern to remove harmful things (like semicolons, backquotes, newlines, and the other cruft most commonly used to subvert CGI scripts). Then there were checks to ascertain that the name of the file did not include a leading ../../.., that the name ended in either .gif or .jpg, and that the header of the graphics file included height and width values that were reasonable in size. This hardly appears to be the easiest variable to abuse. But he did it.

First, the regular expression contained a flaw that does permit the use of ../.. if it does not appear at the beginning of the filename. Ooops. Then there is a really nifty trick that comes right from the Phrack article. Perl permits the use of null characters in values; for example, index.html\0.gif is a legal Perl value. When Perl goes to open a file, the UNIX open() system call gets this string, sees the null, and treats it as the end of the string. So, the Perl script sees index.html\0.gif (and passes the .gif suffix test), and the UNIX system opens index.html.

Okay, another hurdle passed. Next, the file must contain reasonable values for the height and width, and these values appear at bytes six through nine in the GIF header. Jfs deduced (by reading the script) that zeroes would pass the test, but this rules out using the file to create a shell script (because the magic #!/bin/sh has n/sh as bytes 6-9). But then, eureka! The Linux ELF format has zeroes in those bytes.
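The dimension test is the interesting one, because it looks at the right bytes for the wrong reason. The following Python is an added example, not the photoads script and not code from the column: it reads the GIF logical-screen descriptor (signature in bytes 0-5, width and height as little-endian 16-bit values in bytes 6-9) and contrasts a size-only check with one that also insists on the GIF signature. The MAX_DIMENSION bound and the three sample headers are constructed for the example; the exact bound the photoads script used is not given on the page.

```python
import struct

# Assumed "reasonable" upper bound on width and height; the real script's
# bound is not on the page, so this is a placeholder for the example.
MAX_DIMENSION = 4096

# Constructed sample inputs (not real files):
# - the first 14 bytes of a GIF89a image declaring a 100x80 screen
# - the first 16 bytes of a Linux ELF executable; bytes 6-9 are the
#   e_ident version/ABI fields, which hold 1s and 0s and so decode as
#   tiny "dimensions"
# - a shell script, whose bytes 6-9 ("/sh\n") decode as a huge width
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 100, 80) + b"\x00" * 4
SAMPLE_ELF = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
SAMPLE_SHELL = b"#!/bin/sh\necho hi\n"
SAMPLE_EMPTY_GIF = b"GIF89a" + struct.pack("<HH", 0, 0) + b"\x00" * 4


def read_dimensions(data: bytes):
    """Return (width, height) from bytes 6-9, or None if too short."""
    if len(data) < 10:
        return None
    return struct.unpack_from("<HH", data, 6)


def dimensions_only_check(data: bytes) -> bool:
    """Check in the style the column attributes to the photoads script:
    accept the upload if bytes 6-9 decode as not-too-large dimensions.
    Zero passes, so anything with small values at those offsets (an ELF
    header, for one) is accepted as an image."""
    dims = read_dimensions(data)
    if dims is None:
        return False
    width, height = dims
    return width <= MAX_DIMENSION and height <= MAX_DIMENSION


def validate_gif_header(data: bytes) -> bool:
    """Hardened check: require the GIF signature before trusting the
    dimension bytes, and refuse zero-sized images, which no real upload
    needs."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = read_dimensions(data)
    return 0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION
```

Checking the signature is cheap and closes this particular door, but it is not a complete defense: the safer design is to never let an upload land in a directory the Web server will execute from, so that what the bytes decode as stops mattering.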

There is yet another obstacle. The script takes the given filename and renames it. Curses, foiled again? Nope, Jfs knew something I didn't, and that is that Linux only accepts pathname arguments shorter than 1024. By specifying a name longer than 1,024 bytes (which had to be all digits because of a test in the script), the rename fails. And the Perl script never checks the return value of rename(), so now Jfs is free to write the file of his choice.

What Jfs tries to do is to include a URL-encoded executable in the URL that has the long filename. Since the long filename has already consumed over 1,024 bytes, and Apache limits URL lengths (including arguments) to 8,196 bytes, the entire string must be less than the Apache limit. As each byte of the code becomes three bytes when URL-encoded (for example, the byte 0 is encoded %00), Jfs needs an executable fewer than 2,400 bytes long. Even a short program that execs /bin/sh is longer than that.

Now, Jfs really hacks. After stripping the executable, he finds it is still too long, so he hacks off everything after the string GCC, and the executable still works. The result is short enough to fit in the URL. He overwrites another script in the photoads/cgi-bin directory and can execute it by referring to it in a URL.

Get root!

Jfs still doesn't have permission to overwrite index.html, the goal of this exercise. So he tries the recent (appeared about two weeks prior) Linux cron local exploit, and it works! He now has a root-owned, set-user-id shell and can overwrite the index.html file. Game over, collect $1,000.

Jfs claims that this entire exercise cost him 20 hours (probably straight through). If you read his explanation, you will spot a couple of mistakes (one in his explanation of a Perl regular expression, and when he creates a set-user-id shell instead of simply copying over the index.html file at that point). Not unreasonable, as I personally am not too sharp after 20 hours without sleep.

The PC Week folk made several serious mistakes. Jfs could overwrite files in a cgi-bin directory as the "nobody" user. They had not applied security patches. (Red Hat had issued a patch for the cron exploit over a week before.) And they used someone else's Perl scripts without checking them thoroughly, not that this would have been easy to do. As CGI scripts are the number one way of hacking UNIX Web servers, being extremely cautious and aware of how you handle any value that may be controlled by someone remote is not unreasonable.

A number of years ago, CERT put out an advisory suggesting that instead of filtering out dangerous characters, which most CGI scripts attempt to do, you instead only permit acceptable characters, as in $filename =~ s/[^$OK_CHARS]/_/g. What you use for $OK_CHARS will vary, but think this through clearly. People often forget to filter out nulls (see the Phrack article), but this will do it for you as long as null (\0) is not included in $OK_CHARS. If this is a filename, you should also check for dot-dot (two dots appearing together) anywhere in the filename (unlike the photoads script, which expected the dot-dot only at the beginning of the filename).
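To make the difference between the two filtering styles concrete, here is an added example in Python (standing in for the Perl of the original scripts; this is not the photoads code and not from the column). One function models the denylist-plus-leading-dot-dot check the column describes, one shows what a C-string system call such as open() receives when the name carries an embedded null, and one applies the CERT allow-list with a dot-dot test over the whole name. The OK_CHARS set, the suffix list and the MAX_NAME_LEN bound are assumptions chosen for the example.

```python
import re

# Assumed allow-list in the spirit of the CERT advice: letters, digits,
# dot, underscore and hyphen. NUL, '/', ';', backquote and newline are all
# outside it, so they get replaced by '_' rather than passed through.
OK_CHARS = "A-Za-z0-9._-"
ALLOWED_SUFFIXES = (".gif", ".jpg")
MAX_NAME_LEN = 255  # assumed bound; over-long names broke rename() in the story


def photoads_style_check(name: str) -> bool:
    """Modelled on the column's description of the photoads script: strip
    a few dangerous characters (NUL is not among them), reject only a
    *leading* ../, and test the suffix of the string the script sees."""
    cleaned = re.sub(r"[;`\n|]", "", name)
    if cleaned.startswith("../"):
        return False
    return cleaned.endswith(ALLOWED_SUFFIXES)


def kernel_sees(name: str) -> str:
    """What a C-string system call would receive: everything before the
    first NUL. This is where index.html\\0.gif turns into index.html."""
    return name.split("\0", 1)[0]


def sanitize_filename(name: str):
    """CERT-style allow-list filter. Returns the name that may be used, or
    None if it must be rejected. Because NUL is not in OK_CHARS it becomes
    '_', so the script and the kernel agree on the resulting name."""
    if not name or len(name) > MAX_NAME_LEN:
        return None
    cleaned = re.sub(f"[^{OK_CHARS}]", "_", name)
    if ".." in cleaned:            # anywhere in the name, not just at the front
        return None
    if not cleaned.endswith(ALLOWED_SUFFIXES):
        return None
    return cleaned


def compare(name: str) -> dict:
    """Summarise how the two checks treat one candidate filename."""
    return {
        "photoads_accepts": photoads_style_check(name),
        "kernel_would_open": kernel_sees(name),
        "sanitized": sanitize_filename(name),
    }
```

Run compare("index.html\0.gif") and the split is obvious: the weak check accepts it, the kernel would open index.html, and the allow-list turns it into index.html_.gif, a harmless name that means the same thing to Perl and to open(). Note that Python 3's own open() refuses a path containing an embedded NUL with a ValueError, so the truncation the column describes has to be reproduced here with kernel_sees rather than by actually opening a file.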

Crystal Ball

Okay, enough of being pointy-headed. I will now consult my famous cracked crystal ball and look into the future. Just living in Sedona, AZ, gives you special powers (ask any psychic), and I will now rely on those powers to predict the future. Of course, this process is subject to interpretation, and not guaranteed.

First off, I see Windows 2000! It actually ships during next year. Wow! Actually, not a surprise, as Microsoft would have shipped it this fall, except that nobody would bother installing it (well, nobody significant to Microsoft). With good ol' Y2K problems still on the horizon, and Microsoft's reputation regarding interesting bugs in brand-new software, people will just wait until we are well into the new year before opening that can of worms.

Microsoft will come up with some open-source initiative. They are already talking about this, and Eric Raymond is already dissing them about it. Sun has also been the target of harsh words from Linus Torvalds for the language in its "community license."

Merced, now called Itanium (please tell me, if Pentium replaced the 586, what number is Itan?), will not ship. Combining good ol' 1970s technology (the 8080 machine code) with the HP PA-RISC and having it work really fast is turning out to be harder than anticipated. Meanwhile, you can buy a PowerMac with the G4 processor doing a gigaflop (one billion floating-point operations) and sit it on your desktop. Too bad I don't play games. I am not going to tell my wife about this, as it would probably only save her about two minutes a week when using PhotoShop.

The Linux community will become more fractious. Hard to believe, eh, that they could be more excitable? With Red Hat putting pressure on SuSE in Europe, trouble is bound to arise.

The number of buffer-overflow exploits for Windows 9x/NT will rise every month. Another no-brainer: the Cult of the Dead Cow has a paper out on this, and it turns out that while abusing Windows is not simple, you have all of the power of the Win32 API behind you, so you can download files and execute them with just two function calls! (<http://www.cultdeadcow.com/cDc_files/cDc-351/>; note that there is an R rating on this one).

Ooops, the ball's inner light is dimming. Remember not to be in an elevator at midnight on New Year's Eve, and have plenty of water handy.

Last changed: 10 Dec. 1999 mc