Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Red Hat Software Businesses

Red Hat 'Piranha' Security Risk - And Fix 153

Posted by Roblimo from the another-bug-made-shallow dept.
patrixmyth writes "A default password of "Q" in the standard Red Hat 6.2 installation of the Piranha module opens a Web server to intrusion, according to Internet Security Systems. The problem was discovered during a review of Open Source code, and the fix is already available. Another victory for Open Source! The MSNBC article is here. The fix is here, or you could just reset the password yourself for the Piranha module."
This discussion has been archived. No new comments can be posted.

Red Hat 'Piranha' Security Risk - And Fix More

Red Hat 'Piranha' Security Risk - And Fix

Comments Filter:

  • Re:Patch the user? (Score:1)

    by Anonymous Coward
    Everyone who knows the least bit about computer security knows that default passwords are very bad ideas. They are simply dangerous. I'd like to think that software authors would take that into account and avoid using them. I think it says a lot about how security conscious the folks who wrote Piranha are that they left one in their software (although I know absolutely nothing about these people, so this is not a fair judgement on my part).

    I have no idea how Piranha is installed, never having done it myself, but I'd be willing to bet that it's either done with RPM or you compile it from scratch. Either way, I think it would be a much better idea if the program had an actual installation program. It would be nice to have an actual program that asks the users what the password should be and forces them to choose one. RPM is great and all, but it's not the most user friendly of beasts and it encourages people to do stupid things like leave default passwords in their software and assume that the user will change them at a later date. Why don't we address the larger problem and do something to improve program installation under Linux?

  • Hypocritical (Score:1)

    by Anonymous Coward
    People were bashing MS for their so-called security hole. Gee, I wonder why you can't apply the same standard here? Oh, that's right, some /. posters are hypocrites. These same people weren't smart enough to read the various bugtraq and MS alerts about the "peacsteN" hole to realize how minor it was. Heck most machines didn't even have the .dll installed.

    Now /. is stating that a default password issue is a "victory" for Open Source due to how fast it was fixed? HAH! Double-standard. How about fixing the problem, which is having EXPERIENCED AUDITORS check the code, something both MS and Redhat FAILED to do sufficiently. Heck, MS had a fix out just as fast.

    Forget Perens and the OSS folks who are simply a bunch of spin doctors and FUD generators as bad as MS is. They aren't doing you favors. Ignore stock prices, because they aren't indicators of quality code. Forget the hype, because it's hurting you, overlooking or making you indifferent to obvious weaknesses in your OS's quality.

    Oh, and thank you for supporting security through obscurity Redhat through your lack of auditing abilities. MS's product has been out far longer than yours, yet was discovered later. Both shouldn't have happened, but open source makes it easier to spot and exploit.

    Take a clue factor from the BSDs, esp. Open and Free, and review your code, train your coders, and keep your nose clean.

  • Re:Many eyes? (Score:1)

    by Anonymous Coward
    Exactly. This is a really big comceptual defeat. The whole supposed QA advantage of open source is that with all the peer review, bugs like this (the real bug not the default password) get fixed before the code makes it to release. If that doesn't work then the QA model of open source is just a big informal beta test with no formal testing. That is much less quality checking than any commercial closed source company

    Commercial code is usually tested by the programmer then peer reviewed then formally tested by internal testers and then opened for a beta test to catch hardware specific bugs.

    Open source is supposed to make up for the lack of formal internal testing by a really, really good peer review. Looks like that only happens sometimes if at all.

  • MAN, I wish I had moderator points today.

    +1, Insightful-intelligent-well-spoken.

    It's nice to see more and more people realizing (and speaking up) that Open Source itself is just a better means to an end, but not itself the better end -- just because code is Open Source doesn't mean it IS superior (except arguably in the political/philosophical sense), just that it's easier to get there.


    --
  • I don't see how a large vulnerability in a very popular piece of software that gets fixed counts as a victory for OSS. A victory is when the problem never arises, and is fixed before the source code is released. "Found during a review of Open Source code"? Security auditing should come as the code is being written - not as an afterthought. It's easier to secure a system up front than to have to duct tape barbed wire all over the outside of it later and hope no one figures out how to get in.

    If you want *real* security, check out OpenBSD [openbsd.org]. OpenBSD's code is always being audited and problems are fixed before the code makes it out the door. If I remember correctly, OpenBSD has not had a security vulnerability posted to BUGTRAQ in over 2 years -- but every day I see a new eMail for a security problem in some GNU software or OS. OpenBSD, as with most of the other free BSD's, has a combined code-base -- all the software for the base system is integrated into one big release, so that it can all be checked for proper interoperability and security. GNU/Linux, however, seems to spread farther apart every day. The kernel, each piece of software, each driver, everything - all of them are 'Open Source' but none of them play nicely with eachother. The distribution vendors then download the software and try to wedge it all into the software box without anything getting out...

    Another victory for Open Source?
    Try 'Another stumbling block for Open Source'

    (note - I've got nothing against GNU/Linux systems. but I know that this will be moderated and I'll have linux lovers eMailing me for a week because the views in here are not those shared by most Slashdot readers...)

    -- jason
  • ...by ensuring that /etc/issue.net is refreshed at startup with the OS and kernel version. With a default RH install, then, anyone who telnets into your machine knows immediately that you're running RedHat X.X, kernel version X.XX.

    Don't give them this info - comment out the line in rc.local that reads "cp -f /etc/issue /etc/issue.net" and put some uninformative welcome text into /etc/issue.net.

  • After reading the su manpage (again!) it does make sense. My apologies for the dumb post.

    However, This is the actual output on my slack 3.4 box:

    # su -c "/usr/bin/id" nobody
    uid=65534(nobody) gid=100(users) groups=100(users)

    And on my slack7 box:

    # su -c "/usr/bin/id" nobody
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel),11(floppy)

    So it appears that the older versions of su worked a little different. And again, after comparing the two man pages, they are indeed different. *grumble*

    # su --version
    su (GNU sh-utils) 1.16

    ... allows the su -c "command" username, and

    # su --version
    GNU bash, version 2.03.0(1)-release (i386-slackware-linux-gnu)
    Copyright 1998 Free Software Foundation, Inc.

    ... doesn't. Seems like it is part of bash now, even though it is running as /bin/su. Curious. Thank you for the reply though, at least now I know why I'm an idiot. :-)

  • Slackware 7 does something even weirder. As root, do this on a slack version (anything but 7):

    # su -c "/usr/bin/id" nobody

    You should get an id string for nobody. On slack7, you get root's. No man page explains why, only that the -c should work as shown. And it does on other systems.

    For some reason, you must use the shell:

    # su - nobody -c "/usr/bin/id"

    Can anyone explain this??

  • Wouldn't it be easier to have each of the boxes just use NFS? It seems like an enourmous waste to give them a hard drive anyway, since they're all going to have presumably the same data on them. NFS does have client-side caching you know (well maybe not on Linux, but no one uses Linux for anything serious anyway).
  • From the MSNBC.com artice - "Rouland said "X-force" researcher Wilson discovered the backdoor during a standard review of Red Hat's Linux source code, which is freely available. The user name and password were embedded in the code."

    It appears from this article that having the source was most definitely relevant in this case.
  • I checked the link you gave and, yeah, it should either have been moderated up as funny or just left alone. I've seen AC comments moved down to -1 that should have been upped or left alone as well, but it seems to be logged-in users that draw attack moderation [slashdot.org].

    Moderators don't have to browse at any particular level, but they aren't doing the job properly unless they browse at -1.

  • Anyone running a dictionary attack would probably not be expecting the password to be left as default, but when the attack revealed that it had been, they would no doubt consider the installer of the software clue-impaired and assume that they were attacking a site with almost no security whatsoever and hit it with everything they've got.
    I'd think that even worse than being cracked would be being cracked by somebody who stays to do as much damage as possible.
  • Don't know if anything worthwhile was said in the thread, but the duplicate of this story is here [slashdot.org].

    I do think that the /. crew could both be a little more aware of each others' postings AND admit to their mistakes whenever they do mess up (and perhaps express a desire to avoid doing it again, but this would purely be PR to me).
  • ...nobody trusts their security to RedHat.

  • I'm sure you'll go far with an attitude like that...

    BTW, how do you know they "took it aprat"? A thorough security audit of a large application is not something that Redhat does regularly (join the Linux Security mailing list for that sort of thing), so I suspect that someone doing a quick check found it. I mean, anything like a default password is going to scream "security hole!!!!" to even the most cursory examination, while buffer overruns can be much more subtle (many of which are fencepost errors - very hard to catch unless you're looking for them).

  • Hello? Did you read my post? I was talking about how if the password check section of Piranha has a similar buffer overrun, then it doesn't matter whether or not you've changed the default password - the very act of authentification (whether successful or not) could be a security hole.

  • Companies do charge for bug fixes on occasion.

    DOS 6.2->6.21 $10 (for an upgrade that removed disk compression) (or was it 6.2->6.22?) (I think this update might have been made freely available at one point)

    OS/2 2.1 Service Pack $20 (granted very few people actually needed it). I think with this one you could download it (even though at the time you would probably pay more for the time online downloading it)

    Win98 -> Win98SE $80 IIRC (and it seemed to cause more bugs than it fixed).
  • Up until recently most software had a default superuser password (or even no password...)
    Anyone that does not set administrator and superuser passwords is a security risk himself, not the software itself. Now, recognizing that a majority of users are inept at best it is a smart thing if the software forces setting passwords.
  • Lemme see... the fact that people are not setting a administrator or superuser password is a software problem???
  • No, it is not a software problem. The problem is that the default password was left in place.
    I agree that it is a nice feature when the software will not let me go on without setting a new password. However, far from every software does that so the security risk is in fact the user.
    The day that all and every program requires password setting on install it becomes a software problem.
  • Out of those 5 bazillion software packages approximately 1.88495556 bazillion are installed with default passwords and 0.31415926 bazillion are installed with no password at all the rest require you to set a password.
    I agree that the day when most programs require setting of passwords, one not doing so is a software defect. Until that day, it is a nice feature if the package requires password setting, but not doing so is not a bug.
  • What? Not ship beta with a distro?

    But then you would be with out Linux wouldnt you?
    Definition of Distro: Unstable beta software bundled in a package.
  • The person who put the bug in the code in the first place... shame on you...
    The person who made the call to include a prototype in a distrobution.... ohhh bad call dude..

    Thies two people will not hear the end of it for a very long time to come...

    While Slashdot IS spinning the positive with "Everything is ok we found the bugs" the people who made thies mistakes will be suffering for a long time to come...

    "Oh yeah your the Piranha bug person..."
  • RedHat missed it and someone else cought it.

    Dangerous defaults are insidous bugs. For one they don't look like bugs at all. There is no accual defect of code the program preforms exactly as expected. The danger is the default setting not the code and most people don't even consider this when writing code as they think the user will change it for his/her own benifit.

    This isn't automaticly the case. Any given user isn't going to be aware of all the options and may not be aware of a default set to "Let the crackers storm the gates.. send out a becon pulse to let them know your open and even post how valuable your information is"

    How can it be a bug? I mean you can change it with out recompiling the code.. what bug?

    Thats the addatude of many...

    Thats why a bug like this is very likely to go unchecked. But in open source that's not a problem for very long.

    RedHat made a mistake that is very easy to make.
    So lets blame RedHat for doing what happends every day at every software company and software project.
    In fact.. now that I think about it..... ohhh $#!+... I think I may have this bug in ZenToe...

    Bugs happen... we can reduce them to a very small amount but they still exist. In the mean time we are fixing them with breakneck speed....

    Why make a fuss over this? With closed source companys trying to clame open source is buggy they themselfs have known issues that have yet to be addressed.. Defects that will be with us for years to come. With open source even the insidiosly deceptive dangerous defaults are cought and fixed.

    Yes there is very good reason to prase open source for catching a bug that would otherwise be an issue for our childrens children...
  • If this were a closed source project eventually the bug would be found published become known and remain cement.

    This means the bug will be know to cracker and admin alike.

    This being a default setting could be fixed just by changing the default. However that dose not remove the bug...
    Many closed source companys wouldn't see a need to issue a bugfix...
  • Well known commercial software has them too, I know for sure many companies are running Oracle servers with the SYS/CHANGE_ON_INSTALL user/passwd duo...
  • Oy!

    For the hundreth time this morning:

    This IS a victory in a sense for OSS because:

    1) The hole/bug/problem was found, publicized and a fix/patch for it was put out immediately. Elapse time - a few hours to a few days. The MS bug was around for 4 years! 4 YEARS! Conclusion - software isn't perfect but OSS flaws are found and fixed much quicker than CSS, often before the "Black Hats" find out about it. How many other MS/CSS exploits are out there have we NOT heard of that have been known by the Black Hats for 4 years?

    2) This was mainly a problem of adminstration and configuration rather than a deliberate, secret backdoor or bug. The installation left a modules password at a default. Technically, this is not a problem if you are a good sys admin and secure your box properly by changing all the default passwords when you set software up. If you don't, why are you hooked up to the Internet (or any other network for that matter since most "cracking" is an inside job)? Why are you employed as or acting as a sys admin? My Oracle has username /password combos like "system/manager","sys/change_on_install" and "scott/tiger". Of course, it's not networked or attached to the Internet in any way ( though I should probably change it anyway) so for me it doesn't matter. But If I were running a production system, there is NO WAY any of these would be on my system!

    Is this bad PR? Sure it is but not nearly as bad as having a security hole around for 4 years!

    My guess is that you and the other negative posters have not read the story, work fro MS or both.

    Try thinking before you post..

  • Software isn't perfect. If you say you can program and make no bugs, you've got to be some kind of God. I've programmed many years, and the more lines of code that go into a program, the more bugs you'll end up having. Sometimes you lose perspective on some aspects of your program. But in a closed-source environment, the only peer-review is that -- your peers. And they don't always have more insight on what the program's doing.

    OSS shines. Let the world review the code (I do look at the source, not exactly everything, but I do look for the obvious buffer problems and other bug-prone parts of code). This way everyone wins. and patches get released much faster.
  • I always thought of a backdoor as something that was intentionally left there by the developers to get in--as was the case with the "netscape engineers are weenies" backdoor that Microsoft developers put into their software.

    Damn this ticks me off.

    You didn't even follow the IIS security issue did you? The phrase you use is NOT A FREAKING BACKDOOR. It's a keyphrase used to encode file names as they are transferred betwen client and server.

  • I thought you meant checking the password to see if it's a dictionary word, or long enough, that type of thing... (not the authentication)

    But anyway. In this case, I retract my last comment, and reply with 'duh'. You can "what if" every application in existence and say the same thing as you did (and not bring a whole lot to the conversation). Presumably the same people that took piranha apart to find any issues, only found the hard coded default.
  • ... You can't GET to the tool unless you can log into Piranha - which you can't unless you know the password.

    This is exactly like the "Hack Linux box" contest that was run a while ago. Everyone blamed Linux for it (an exploit in bind or named or one of those was exploited). Never mind the fact that the ONLY way the exploiter was able to get to it was to use a POORLY written THIRD PARTY/COMMERCIAL perl cgi script the people that run the contest had installed.

    That being said, this is no excuse for this RedHat blunder. Just when everyone was giving microsoft a hard time for hard coding a password in one of their dlls, someone at RedHat did the same...

    That "buffer overrun" should be fixed too, but RedHat's reply was correct: you should have changed the password on install and the problem would not even exist. That's a basic of sys admin (for any application! including oracle, etc.)
  • Honestly I think even the PHBs can see through this one unless the sysadmins are mis-leading them.

    "Hrm, our massive e-commerce system has been taken down because the password is 'Q'? You never thought to change it from the default that everyone else knows? Here's a slip of paper, although it's white, think of it as pink."

    As I understand it, the 'overrun' bug doesn't show until you've breached the password. In light of that, this isn't a case against Open Source, it a case against lax security measures. MS has the same type of problem with defaut passwords in SQL.
  • "MSNBC: Red Hat open to backdoor password"

    From a technical perspective, Linux is great. Many programmers, many distro makers, all (mostly) independent. This mean much "natural selection" at both levels.

    From a marketing perspective, though, this sucks (for us). Sure, only the Piranha package of the RedHat distro was broken. But what does the public hear: "Linux has security problems". Doh! (we got half-lucky with the above headline--only but all of RedHat is implicated

    Two possible solutions:

    1) Make the public understand how Linux development/distros work. This is unlikely to happen in the short term, especially while only Linux works this way. We properly blame "Microsoft" for FrontPage security problems and wonder about NT. This doesn't translate to blaming RedHat for Piranha, yet it will inevitably happen.

    2) Have all the major Linux vendors get a security audit project started and keep it going (many have started, few have kept it up). Create this list as a public list anyone can consult. Then each distro maker can choose only from this list OR create a separate "server" or "secure server" distro chosen only from the list. Then (and this step, as ugly and painful as it is, is absolutely necessary) when a claimed-secure distro is found to have a security problem because it didn't follow the list denounce that distro in a very public way. They did a bad thing and they need to be punished.
    --
  • Win98 -> Win98SE $80 IIRC (and it seemed to cause more bugs than it fixed).

    That's not a bug patch. You could have downloaded the Windows 98 Service Pack which would have given you all of the fixes in Win98SE and none of the new features. FOR FREE.

    Simon
  • Again, it seems that someone (ab)used system() once more without checking its arguments first, which is definitively a silly thing to do. There are tons of reasons why one shouldn't trust user input, even if it is in contrast with the KISS principle.

    Incidentally, this also means that the remarks in the system(3) manpage are not visible enough (there is a warning about security issues), and that some explicit advice has to be put in the libc info page (there is none). Volunteers?

    My 0.02 Euro.

  • There once was a poster name AC
    This kinda rhymes with hack
    Racist poetry he'd write
    For which we all wish him blight
    I hope someone give him a smack.
  • What the hell? What frickin' victory? MS has a bug, and they are shit....someone finds a bug in Linux and...."its a victory?!?!"

    What a joke. You Linux fanatics are nothing but propaganda lovers.
  • For two very good reasons. It clearly says that there is no guarantee of any kind, of merchantibility or ANYTHING. A lawsuit would not get anywhere. Even without such a warning prominently displayed, because the software is open-source, any person can go and look at the code and so any security issues would be their own fault of ignorance or whatnot.

    The second reason is the reason why a company such as Microsoft isn't sued for security. It's not open-source so someone could not review the code themselves. It also doesn't have the kind of warning that distros have. It is especially such that Microsoft has been shown to know about such problems in their software and not done anything, sometimes before the software is even released. Consequently, from a legal standpoint (as opposed to how much money the sides have) Microsoft is much more vulnerable to a lawsuit than any little distro- or package-maker.

    Chris Hagar

  • This isn't a backdoor. It's a default password that people should change anyway. It was not attempted to be hidden. It also has a fix, a quick fix, as opposed to saying "delete this random file." Oh, and it wasn't even existant for a month.

    Chris Hagar

  • Lesson of the day, kiddies: (Score:2)

    by Anonymous Coward
    If you don't know how to keep a box secure (change the fscking default passwords), then

    DON'T RUN A WEBSITE.

    If you admin your box like a mushroom, expect to be owned by some packet monkey or script kiddie.

  • Re:Where is the problem ? (Score:2)

    by Anonymous Coward
    hmmm, but it's not the password for your slashdot account
  • Since the problem is a default password, I'm not sure that having the source is even relevant to this one, really.

    --

  • For one very important Reason:

    Homogeneity in the field leads to a _very_ large damage radius if anyone ever discovers the slightest hole in the "secure" way of doing things. If everyone implements it slightly differently, no single problem can expose the widest audience to risk. Remember the Windows "Ping of Death" problem? Homogeneity in the field made it worse than it might otherwise have been...

    Although it seems like co-ordinated anarchy, it's important that there is no single point of failure.

    Just ask the Death Star... =-)
  • One could also state that this bug, altough repaired, is more like a defeat. Some maintainer can, whatever the background may be, release software with a huge security leak into the community, without any garanty of a decent and thorough checkup of every aspect of the program/packet/whatever.

    Maybe large vendors/distributions should start some sort of certification/verification protocol to provide standard quality of at least part of the products.

    Jeroen

  • "Security is going to become more and more important as more people get connected. I expect that eventually some lawsuits will be filed. I wonder how long that will take and what the outcomes will be..."

    I don't anticipate many lawsuits against companies like Red Hat (at least not in response to things like this), and any lawsuits that do occur are not going to go very far.

    The reasonably-sized print on a Mandrake 6.0 package:


    DISCLAIMER AND LIMITATIONS OF REMEDIES
    THE SOFTWARE IS PROVIDED AS IS AND COMPANY SPECIFICALLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL COMPANY BE HELD LIABLE TO YOU FOR ANY DAMAGES, INCLUDING ANY LOSS OF PROFIT OR OTHER INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. COMPANY DOES NOT WARRANT, GUARANTEE OR MAKE ANY PRESENTATIONS REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY, CURRENTNESS, OR OTHERWISE AND DOES NOT WARRANT THAT THE OPERATION OF ANY SOFTWARE WILL BE UNINTERRUPTED OR ERROR FREE. COMPANY EXPRESSLY DISCLAIMS ANY WARRANTIES NOT STATED HERIN. NO ORAL OR WRITTEN IN FORMATION OR ADVICE GIVEN COMPANY OR OTHERS SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPY OF THE FOREGOING WARRANTY, AND NEITHER SUBLICENSEE NOT PURCHASER MAY RELY ON ANY SUCH INFORMATION OR ADVICE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATION OR EXLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE EXLUSIONS AND/OR LIMITATIONS MAY NOT APPLY TO YOU.


    Other distributors also tend to include disclaimers such as this.

    How do they get away with this disclaimer? Why is this alright, but it'd be horrendous for Microsoft to disclaim any liability on their software, and put a back door in it?

    Well, even if there is a back door put into a piece of free or open-source software, you can take it out.

  • I find it quite interesting that, today, Red Hat has been criticised for it's poor quality control/assurance, not (I hasten to add), because I disagree with this criticism - I personally agree that the fault here lies entirely with RH. If ISS were able to discover this hole during a review of the source, RH's should also have been able to discover it and, to be honest, in light of this incident, I would actually query whether RH have in place any proper QA procedures in respect to the security of the software they package.

    Anyway, *drags self back to the point* the reason I find it interesting that RH are under fire is because we've been slamming Microsoft for years for their poor Quality Control.

    Now, five or six years ago, when Slakware was the dominant Linux distribution, nobody really cared that much if there were security flaws in the software they downloaded. It was acknowledged (at least, I acknowledged) that open source programmers wrote this stuff in their spare time, as a hobby, and that it wasn't subjected to the same QA as "normal", commercial software. Therefore, bugs were to be expected. But that was okay, because the source was open and once found, a bug would be quickly fixed, and the fix would probably be included in the next release of that software. Hell, even if it wasn't included in the "official" distribution, it didn't matter. The very nature of open source software meant that anyone could do anything they wanted to it. That's why so many people are attracted to it.

    But now, things have changed. Open source software isn't just a hobby now. It's big business, and companies like RedHat are making money out of it. Therefore, our (well, at least my) attitudes have changed, and we expect a higher level of quality control from profit-orientated open source distributors.

    I guess the point (such as it is), is that Open Source is changing. The values and ideals espoused by the FSF aren't always applicable to the commercial reality we find ourselves in, and I don't feel that all these changes are for the better. Sooner or later, we're going to start hearing horror stories, caused by the collision of open source and capitalist values. I've already heard an anecdote about one instance where a small 'Net startup employed a group of freelance open source web developers to build their website, only to be ripped off for thousands of dollars which the developers used to pay themselves for time spent writing new open source software.

    I think it'll be interesting to see what the collision of Open Source and Capitalism produces.

    D.
    ..is for Deranged!


  • Don't bet on it. Buffer overflows are insidious lttle beasts, and they generally pop up because of bad coding habits, which means a program that has one buffer overflow found almost never has only one buffer overflow.

    FOr example, in the case of Piranha, what if there's a buffer overflow not only in the password change portion of the code, but also the password check part? You then have a hole that anyone can utilize. Just think of the number of buffer overflows found in programs like Sendmail, and even ssh, and you get an idea of the scale of the problem.

  • Well, I'm cheering for Open Source for two reasons.

    One, the bug was found within weeks of the release of the software in question, not years.

    Two, the bug was nearly instantly fixed and a patch available that doesn't involve deleting things to reduce the functionality of Pirahna.

    So yeah, Hurray for Open Source in both instances.

    Yes, RedHat should've caught this one before it made it out the door, but they didn't. Stuff like that shouldn't happen, and you should do what you can to prevent it, but no matter what you do, it always will. It's very easy to prove software has a bug, very hard to prove that it doesn't.

  • Only it's not a backdoor, it's a default password. Therefore the source code is not at all relevant in this case. Anyone with a copy of the manual could find out that you must change the default password.
    The security problem is not the software but the administrator of a WEB site that installs software without setting administrator passwords that only he knows.
  • Gosh, a whole two months. Nothing like the four year old bugs in M$ products. We have the source, we use the source, we fix the source, we don't charge $80 for a lame service pack full of new "features".

    Eric
  • > True security lies in requiring the password be set on install.

    Good point.

    > That, however, requires a genuine installation routine, so that the source can't be installed without the defaults being changed. That, in turn, makes it impossible to have a truly secure open source solution.

    I don't think that follows. Clearly, RH didn't do it here, but is it truly impossible for OSS?

    --
  • > how would *you* personally feel if *I* tried to ship software with such a restriction, keeping in mind that I work for MS?

    If the restriction you have in mind is that privileged software that uses a password must be given a new password during the installation process, I would think it was only good sense, and appreciate you for looking after my interests.

    VMS used to do this with system or application installations that create accounts. Even Red Hat does it for root, during a new installation. The only disappointment is that they did not also do it in this case.

    As for your assertions about users hacking on offensive code, I am not aware of any users who have modified the Red Hat installer to take out the offensive code requiring entry of a root password. I haven't even heard any complaints about it.

    --
  • > if the user really wants they can extract the magic number and bypass the setup script

    I like to think of such cases as evolution in action.

    --
  • > So how come this "good news" when it is Open Source software, but had it been a closed source application for which the vendor made a release we'd all be badmouthing them?

    Like we've been saying all along... with OSS a white hat finds it pretty quickly; with CSS the black hats potentially know about it for years before the white hats stumble across it. This is an illustration of the first half of that claim.


    --
  • Try reading some comments below, pin head. This has been addressed ..oh, about 1000 times already.

    All this proves to me that the "Open Source review" worked. How long was the RedHat bug around for? Now How long for the MS bug?

    Now how many independant code reviews has MS had? Did their bug show up because of a careful QA review by peers? No, It was discovered through reverse engineering 4 years after the fact...

    Could the MS bug be changed simply by having the admin alter the coniguation? Now how about the RedHat "bug"?

    Try answering these questions before you post silly, insulting commnets.

    No code is perfect, but OSS is much faster in the bug discovery bug fix patch cycle than any CSS could hope to be.

  • Like we've been saying all along... with OSS a white hat finds it pretty quickly; with CSS the black hats potentially know about it for years before the white hats stumble across it.

    Oh, come on, be realistic. We're talking about default passwords. Things that are mentioned in an installation guide. Some people manage to read English instead of C.

    I used to be a Sybase DBA. When you install Sybase, by default there's no password for the SA. That isn't an obscure fact only known to black hats because Sybase is closed source. Anyone with the ability to read simple English words knows. And I've yet to hear someone argueing it's a backdoor.

    -- Abigail

  • This is the mail sent to the Red Hat Security Advisory Mailing List regarding the Piranha security hole and fixes, which everyone who runs Red Hat and cares about security should subscribe to (mail a letter with the subject "subscribe" to redhat-watch-list-request@redhat.com [mailto]).

    And no, this is not redundant, as this has not been posted on the Red Hat errata web site [redhat.com], or elsewhere on the web, yet as of this writing. I couldn't find it at least.

    Begin letter.
    ----------------------------------------
    Subject: SECURITY: [RHSA-2000:014-10] Updated piranha packages available
    Resent-Date: 24 Apr 2000 20:33:43 -0000
    Resent-From: redhat-watch-list@redhat.com
    Resent-CC: recipient list not shown: ;
    Date: Mon, 24 Apr 2000 16:33:32 -0400 (EDT)
    From: Cristian Gafton (gafton@redhat.com)
    Reply-To: redhat-watch-list@redhat.com
    To: redhat-watch-list@redhat.com
    CC: Linux Security , BUGTRAQ@SECURITYFOCUS.COM

    -----BEGIN PGP SIGNED MESSAGE----- - -------------------------------------------------- -------------------
    Red Hat, Inc. Security Advisory
    Synopsis: Piranha web GUI exposure
    Advisory ID: RHSA-2000:014-10
    Issue date: 2000-04-18
    Updated on: 2000-04-24
    Product: Red Hat Linux
    Keywords: piranha remote CGI command
    Cross references: php

    -------------------------------------------------- -------------------

    1. Topic:

    The GUI portion of Piranha may allow any remote attacker to execute commands on the server. This may lead to remote compromise of the server, as well as exposure or defacement of the website.

    2. Relevant releases/architectures:

    Red Hat Linux 6.2 - i386 alpha sparc

    3. Problem description:

    Piranha when it is installed generates a 'secure' web interface ID using the HTML .htaccess method. The information for the account is placed in /home/httpd/html/piranha/secure/passwords which was supposed to be released with a blank password. In fact the password that is actually on the CD is either 'q' or 'piranha'. It was intended that when the administrator loaded the piranha package onto their box, that it was their resonsibility to change that password. This is not a hidden account. It is meerly used to protect the web pages from unauthorized access. The security problem arises from the /home/httpd/html/piranha/secure/passwd.php3 file from which it is possible to execute commands by inserting them into the change password option eg entering 'blah;/bin/command to execute' into the field, and again to verify, everything after the semicolon is executed with the same privilege as the webserver. It is possible at this point to compromise the webserver or do serious damage to the site.

    4. Solution:

    For each RPM for your particular architecture, run:

    rpm -Fvh [filename]

    where filename is the name of the RPM.

    Temporarily, you should set a password on the web pages as should be done when you first install the package for the sake of speed you can issue the following command htpasswd -c -b /home/httpd/html/piranha/secure/passwords piranha 'password of choice' In theory, this means only you have access to that area and you are hardly likely to try and exploit the problem yourself.

    When you install the update for the piranha-gui, please take a moment to login into the gui frontend and set a password on the account (http://localhost/piranha)

    5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

    N/A

    6. Obsoleted by:

    N/A

    7. Conflicts with:

    N/A

    8. RPMs required:

    Red Hat Linux 6.2:

    intel:
    ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1 .i386.rpm
    ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4 .13-1.i386.rpm
    ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4. 13-1.i386.rpm

    alpha:

  • The guys who uncovered the "Q" password are way off base in calling this a "back door".

    It's really more of a badly thought out installation procedure. However discovering a "back door" is a bit more of a PR feather in the cap of a would be security honcho than discovering a way that brain dead admins can shoot themselves in the foot.

    That said, it also appears that there is a buffer overrun problem, which is very serious, but again really a garden variety bug, serious, but common enough.

    All in all this is nothing compared to the named bind hole that is still being exploited.

    Red Hat needs to get their act together. Why do all these servers have to run as root? Of course, you end up with a proliferation of pseudouser accounts, but so what?

    Aren't they going to add capabilities in ext3? Wouldn't this clear up a lot of the root access mess ups?
  • Firstly there is the issue of Red Hat's mistake in leaving a potential security hole in something that goes out to users. Ok, so it may well be the users fault if they install piranah by accident or install it on purpose and don't change the password, but a good distro should protect users from themselves.

    Secondly, there is the way that the MSNBC article is worded. Basically seems to be saying, "forget about the IIS problem, look, look, Red Hat has it too! See! Red Hat has a huge, I mean really really really huge, big security hole!! And they don't care! They're downplaying it!"

    That was what the big bold bit before the rest of the story said. Of course, the actual story with real facts in it makes a little more sense.
  • So how come this "good news" when it is Open Source software, but had it been a closed source application for which the vendor made a release we'd all be badmouthing them? I don't see how recovering from a stupid mistake is such "good news" or even that open-source specific.
  • Rouland said "X-force" researcher Wilson discovered the backdoor during a standard review of Red Hat's Linux source code, which is freely available. The user name and password were embedded in the code. "Anybody else who's viewed the source code could have found the vulnerability and been exploiting it all along," he said. "This one was so easy to find I would think people would have found it and exploited it.... I think people will figure it out very quickly."

    I always thought of a backdoor as something that was intentionally left there by the developers to get in--as was the case with the "netscape engineers are weenies" backdoor that Microsoft developers put into their software.

    It seems that there may have been a buffer overrun on piranha, but they make it sound like having a default password of 'Q' is Redhat's fault--It doesn't really matter what the default password is for something if the user doesn't set their own. That's pretty obvious.

    And that last part sounds a bit like they are trying to make open source sound like an inherent flaw. Not like I'd expect them to compare and contrast with Microsoft's intentional backdoor that was there for months or years which no one except a few select Microsoft developers and friends knew about. That compared to a buffer overrun in a Redhat product discovered weeks later and quickly fixed doesn't make open source look like a security risk to me. Who'd be running an e-commerce site on a product that's only a couple weeks old anyway (earlier in the article the author alludes to the fact that the so-called backdoor would have allowed an intruder to "access customer databases.")

    I wouldn't get too upset over this though. The spin gets more obvious everytime. Anyone with a clue about security won't be fooled. It'll just make Microsoft and the author of the article look more like idiots than they did last week.

    numb
  • OK, good point, I guess, but I would say, "not very long". Malicious exploits found a a cracker dude are quickly shared.... Like I said, you have a point. I was really going off on the "$80 for a service pack" win98/SE thing. The fact is, if you're stupid enough to actually pay for it, that's your problem. The company is there to make money. If they can get you to fork over $80 for it, fine.
    ---
  • before any damage was done

    Brave words: the commercial damage may well have been done already or, failing that, be done in the interlude between the news becoming available and sysadmins fixing their RH installations. The damage to RH and, by extension, open source is inestimable: even when closed-source companies have embedded backdoor passwords in their executables, they haven't concurrently published the source with the passwords embedded. This isn't going to play well with the PHBs for whom Open Source == Linux == Red Hat.
    --
    Cheers

  • So - RH6.2 has been out for a couple of months now and it's only now that the whitehats have spotted that there's a username/password combination which hands out some pretty serious permissions hard-coded in the (open-sourced) toolkit? Is anyone else slightly amused by the gaping lacuna between the "everyone's a peer-reviewer" rhetoric and the reality?

    And Microsoft thought Netscape engineers were weenies... coming next, the Red Hat Shoot Yourself In The Foot awards
    --
    Cheers

  • Piranha is a good name for this module.
  • Maybe the commercial Linux companies should take a little more time to audit the code of the servers they offer. Buffer overflows such as the one described here are relatively easy to prevent.

    I've yet to find a Linux distribution that doesn't just slap in any setuid program whose author felt it needed root privs without so much as a raised eyebrow. Of the ones I've tried, Debian seems to be the most secure right out of the box. I'd be surprised if the more expensive "Server" distributions of Linux were any better than most other distributions, security-wise.

    Security is going to become more and more important as more people get connected. I expect that eventually some lawsuits will be filed. I wonder how long that will take and what the outcomes will be...

  • Thanks for pointing that out how, just a few days ago the backwards text about Netscape was called a backdoor.

    (Its looking like the 'password' was not really a backdoor password in a classic sense. It is used, but not as orignally reported.)

    And yes, declaring this black-eye for Red Hat a victory IS a total biasing. But remember this forum is Linux-biased.
  • No, you're wrong. "Netscape programmers are weenies!" is simply used to encrypt certain data travelling back and forth between two Microsoft components. Clearly, Microsoft did not intend for this security method to be foolproof; they simply wanted to keep the casual observer from seeing certain data. Here's what Russ cooper said:

    While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users..
  • A 'security' company that blasts that password around rather than saying 'there is a default password that can be cracked' is even more foolish.

    Of course in general you are right, it would be best for ISS or any other company not to publish such passwords. But in this case, anyone who had enough knowledge to exploit the password could easily install Piranha and get the default password (considering that it's standard with RH6.2). Publishing the password didn't really put anyone at risk in this case.

    -rt-
  • I don't think this is such a glowing testimony to open source as it is a lukewarm observation of fact. They staple-gunned themselves in the foot and someone bandaged them. *applause*

    You have a point. Open Source created the bug as well as fixed it. How much damage OSS itself deserves for the potential damage depends, to my mind, on where the backdoor was and how long it's been around.

    I confess ignorance with respect to this. If the backdoor was part of some relatively new and experimental software, RedHat is to blame for putting it in a box and distributing it worldwide. If the it was in some code that's been around a long time and could also have propagated "naturally," then it is a problem for Open Sourcce that the insecurity was able to survive.

    As an analogy, consider the difference between private and public speech. If you go on /. and post "CmdrTaco and Hemos are a bunch of corporate shills!" then you're to blame when the masses flame you. But if you say it in the privacy of your home and a journalist puts it on the main page of the New York Times (and suspends mandatory login for the day), you'd be justified in blaming your infamy on the journalist.

    I hope someone can clarify which situation pertains regarding this security hole.

    - Michael Cohn

    The bad do bad because the bad is rewarded. The good do good because the good is rewarded.
  • Very much agree.

    The MSNBC article starts off with in gonzo-type with the words:

    A team of Internet security researchers say they've found a serious security hole in the most popular distribution of the Linux operating system. According to Internet Security Systems Inc., there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files on some computers running Red Hat's most recent version of Linux. But a spokesperson for Red Hat downplayed the flaw, saying few Red Hat users had been exposed to it.

    This is absolutely sensationalist spin.

    I agree with the views expressed elsewhere ... if you install it, be prepared to administer it. If you don't know how to administer it, then ... anyone installing an unknown application on a production machine is begging for trouble.
  • The spin I picked up from the M$NBC article seemed to suggest that because the source was freely available, anyone could have exploited this hole. It smelled to me like they were trying to make this out to be a bad thing. Oh well. Only a fool would use the default password anyways.

    Never forget what the MS in MSNBC means.

  • Default passwords are a security hole. Users will forget to change them and when you are installing a system with 5 bazillion different software packages on them (not a good idea in it'self but people will do that) you'll never find all of the default passwords lieing around.

    Blaming the user won't help. Like it or not not everyone using Linux is a expert. And the experts will still make mistakes anyway, why tempt fate?

  • Read the MSNBC artical. If want a look at MS spin-doctoring this is a perfect example of it! Many of MS's apps have default passwords too. Recently a bunch of ecommerce sites were found to have not reset the default passwords on all of their MS software. If a default password is called a backdoor then MS has 5 times as many!

  • How are you going to check that without the source?

    Look at the source maybe?
    Molog

    So Linus, what are we doing tonight?

  • Given that setting up MS SQL server 7.0 comes with a whole raft of default passwords for system administrator and related positions, I don't think that MS could even come close to complaining about the Piranha system having a default password. Like this excerpt from http://www.microsoft.com/t echnet/SQL/Technote/secure.asp [microsoft.com]

    If the sa password is blank (as per a default installation), an intruder (or the Windows NT Administrator) would be able to gain access to the server. For information on ways to reduce the chance of such an attack, see "Registry."

    I mean, it's not as if the database is an essential part of the Web E-commerce revolution... :-)

    Cheers,

    Toby Haynes

  • The default password issue is unimportant, although if people aren't informed that there is a default password and what that password is (in documentation), then there's something wrong. Also, anything with a default password should really change that password on installation (if it has an interactive install, great, change it then, otherwise there definitely should be something about it in the readme). Any good sysadmin should know what's on his machine, and change the default passwords, but that's no excuse for a lackadaisical attitude wrt security on the coder's part.

    Nevertheless, I don't think this is an important aspect of the story. What worries me is that it is possible to run code at the webserver user level from the web. This is very NOT good. Even if you set the password, someone could still potentially guess it using a program.

    Also, it is somewhat interesting how MSNBC has handled this story.
  • See, they should have picked a harder to guess default password, like "JSD3$@KJ". These people don't know anything about security.
  • I browse at 0 because some very relevant and interesting points are made by AC (and sometimes some items [slashdot.org] are moderated down for bizarre reasons). I am however very glad that moderators are removing the particularly poor items. I do not browse at -1 to avoid what is down there. In fact it is interesting to reflect that the only people who can see your post are those who do browse at 0 and so defeat your argument as to why AC comments should not be moderated down.

    I would be interested to know what the percentages are for the various default browsing levels. After that comment that most people browse at at least 1.

    As I understand it the moderators themselves don't have to moderate at 0 (I've never moderated so don't know for sure). So only logged in users who normally browse at 0 (unless they set their browse level specifically down to 0 when moderating) are seeing these posts to moderate them.

    I would say that your comment about how you meta moderate shows that you have a poor grasp of the function of the 0 and the -1 levels. After all if -1 weren't there to collect the dross it would always appear. Do you maybe not approve of the -1 level at all?

    It's interesting that you posted this as AC because if you are posting at 0 simply to make a visiblity point then why didn't you include your ID?
  • One of the biggest selling points of OSS is that "with enough eyes, all bugs are shallow". This strength is also a pretty big flaw in the OSS model.

    As more and more software is released as Open Source, the ratio of eyes to SLOC will decrease.

    Also, as the software that is released as Open Source becomes more complex and specialized, the odds of the eyes looking at the source code being knowledgable enough to identify bugs decreases as well.

    What does this mean? At some point, for certain software packages, it will make more sense for a company to keep it closed source as the cons of releasing it as Open Source (basically, giving it away) will outway the pros (find bugs).

  • Please insert random Microsoft flame here. After all, we all know Redhat isn't a company buying every related company in sight to make their army grow... errr wait, they are. This isn't a troll, but people- come on. This kind of incident should be used to learn from for the Open Source community- not another chance to thumb our noses at yet another closed source company. Pardon all the cliches, but making fun of MS here is like shooting fish in a barrel and preaching to the choir at the same time. Is there a 'best way' to set up default passwords?
  • It is a software problem. The software was not written well. Shouldn't the software be design to not work unless a new password is issued first? Shouldn't the documentation say that "the module [blah] will not work unless a new password is entered"? I've had lots of accounts that required me to change the password upon first usage. Why should this be any different?

  • Re:This is all getting out of hand. (Score:3)

    by Black Parrot ( 19622 ) on Tuesday April 25, 2000 @03:53AM (#1112236)
    Pray tell, what default password would have been safe?

    Even if it had been 2048 characters of line noise, the fact that it was the default password means that anyone else using the same software knows what it is.

    Safety does not lie in more difficult default passwords; safety lies in changing default passwords after you install the software.

    --

  • Patch the user? (Score:3)

    by VSc ( 30374 ) on Tuesday April 25, 2000 @02:16AM (#1112237) Homepage
    As far as I can understand that, "Piranha" is not installed by default and you have it only if you *want* it; and once you took the pain to install it, the least thing would be to change the default password.. is it really a backdoor or a lazy user? If s/he's got enough insight to install the thing in the first place, that seems quite unprobable to me that s/he would leave it at that.

  • Re:This is all getting out of hand. (Score:3)

    by laborit ( 90558 ) on Tuesday April 25, 2000 @02:41AM (#1112238) Homepage
    There have been a few responses to this, which I'd like to draw together:

    1) The victory is that the problem was found. It was found quickly, before any damage was done, and it was found expressly because a member of the community had free and easy access to the code.
    The gentleman who found the flaw frets that "Anybody else who's viewed the source code could have found the vulnerability and been exploiting it all along," but this ignores the community-spiritedness of opensource as well as the loose lips of most crackers. Things like this go public. And. . .

    2) The problem can be fixed, in a variety of ways, by anyone. No waiting for patches from The Source.

    3) This reflects very well on open source. But it is a blow to Redhat.
    If a Linux for serious hackers shipped with a few holes, the make-rs might reasonably claim that their product wasn't meant to be polished and perfect (they'd be asses not to abase themselves and offer a fix, though).
    But Redhat,, which even more than other distros claims to make Linux easy and user-friendly, desperately needs to be just that. They're the ones who should be allowing users to trade up-to-the-minute kewlness for reliability and security. There's no shame in that, but there is shame in doing it badly.

    Summary:
    Redhat screwed up. Open source fixed it.

    - Michael Cohn

    The bad do bad because the bad is rewarded. The good do good because the good is rewarded.

  • beta quality code (Score:3)

    by porcorosso ( 178451 ) on Tuesday April 25, 2000 @02:23AM (#1112239) Homepage

    Would any good sysadmin allow beta (0.4) code on a production box? ...

    Which brings up another point ... If RedHat or any of the other distros want to avoid this type of hype, include only production-quality code in the distro.

    Porco Rosso

  • Another Red Hat password to try (Score:4)

    by Anonymous Coward on Tuesday April 25, 2000 @04:13AM (#1112240)
    !seineew era sreenigne erawkcalS

  • Hrm... (Score:4)

    by Psiren ( 6145 ) on Tuesday April 25, 2000 @02:14AM (#1112241)
    Another victory maybe... but what stupid arse done that in the first place? Yes, I know, people make mistakes all the time. However, if we want open source to be taken seriously, we at least need to try. Look at how many people laughed at the Microsoft Web Server backdoor not long ago. Isn't this error just as idiotic?

    Now weary traveller, rest your head. For just like me, you're utterly dead.

  • This is all getting out of hand. (Score:4)

    by arivanov ( 12034 ) on Tuesday April 25, 2000 @02:29AM (#1112242) Homepage

    So what do we have now?

    Instead of kicking Rhat's but for slack in Quality Control we sing praises to open source. This is getting fscking out of hand. Slashdot has to get some bias control after all.

  • Does the door swing both ways? (Score:4)

    by Zagato-sama ( 79044 ) on Tuesday April 25, 2000 @03:36AM (#1112243) Homepage
    Microsoft "backdoor": Hurray for open source!
    Redhat backdoor: Hurray for open source!

    Now the question is, will ESR write an article about the dangers of Open Source? Or will the open source community set another wonderful hypocritical example?

  • development environment bug (Score:4)

    by swinge ( 176850 ) on Tuesday April 25, 2000 @02:30AM (#1112244)
    I subscribe to BugTraq, a mailing list devoted to security. (you can find archives buried in the horrible security focused [securityfocus.com] website.) After a while you get a good idea of the range of security holes and mistakes that allow them. But, IMO many of them could be avoided if the fix was put in the development environment, and not in the app. Then, other apps could benefit from it as well and not repeat the error.

    A great example of this is if an application needs to create a temporary file. Temp directories are publically accessible, they need to be. But this means more than one user has access to them (if your OS can handle multiple users :) and this provides a place where malicious users can interfere. There's a lot of bending over backwards you can do to detect or avoid the problem, but the so-called experts seem to think that everybody should learn every trick and apply it manually. Why not provide API calls that allow a programmer to SecureFileOpen() and get a secure open file?

    So, I haven't read the source for this Piranha web admin package to see why the default password Q was in there, but I suspect the coder working on it put it in as a convenience to herself for development purposes, so she could test things without having to create accounts every time. But, every app with passwords needs to do this because it is just as tedious as for every programmer. So why not build pseudo test accounts into the platform just for this purpose, rather than into the app?

  • Default Passwords (Score:5)

    by Bob McCown ( 8411 ) on Tuesday April 25, 2000 @02:20AM (#1112245)

    Anyone that doesnt change a non-unique, default password, that is documented 8 ways from sunday, deserves whatever he gets.

    -=Bob

  • Happens all too often (Score:5)

    by Tim C ( 15259 ) on Tuesday April 25, 2000 @02:44AM (#1112246)
    Okay, hands up anyone that's never used software that creates an account with a dumb password when it's intsalled?

    Two notable examples are Oracle's database (I've been told that it's set to change_this by default - my apologies if that is no longer the case), and MS SQL Server (the admin account has no password set by default - we were using it like that for at least the first 6 months that I was at the company before someone thought to change it...)

    There is absolutely no reason whatsoever for creating an account with either no password or a default one. To not prompt the user to enter a password smacks of laziness and/or thoughtlessness. Someone at RedHat needs to have a good, long talk to whoever there is responsible about good security practice. Unfortunately, the same can be said of a good few other companies, too.

    As for the second flaw, that you can cause arbitrary commands to be executed by the user running the web server when using piranha to change the password, that is utterly inexcusable. Assuming that the server is not running as root, then it is not too serious, (as long as you don't mind your website being deleted/defaced), but it displays an almost breathtaking lack of thought on the part of the person responsible.

    I assume that the password is changed by way of a call to passwd, and that the "hack" is to append a "; arbitrary commands go here" to the end of the password field. If this is the case, then why on earth isn't the string checked for that sort of thing?

    This has to be the oldest way of attacking a web site in the book; ever since the concept of CGIs was invented, people have been trying to get arbitrary commands run on servers in this way. (Another common first attack is to do a similar thing to any input field that looks like it'll be used to construct an SQL query - just end the field with '; (single-quote semi-colon) and insert your own commands. A coleague and I very nearly had one of our SQL servers play ball when we did it to one of the sites that he'd developed using SiteServer Commerce edition - the code being executed was in a SiteServer module, not something that he'd written. IIRC it was only the max length being set on the field that stopped us, and we couldn't be bothered to write a perl script to bypass the html page...)

    I know that everyone makes mistakes, but this really is very basic stuff indeed. I'm no security expert, and even I know about it :-)

    In this day and age of entire businesses depending on the security of machines that are open to attack 24/7 (and have to be up 24/7, too), people really do need to be more security conscious.

    Okay, rant over - I just needed to get that off my chest :-)

    Cheers,

    Tim

  • DON"T JUST RESET THE PASSWORD (Score:5)

    by turg ( 19864 ) <<gro.notsniw> <ta> <grut>> on Tuesday April 25, 2000 @02:19AM (#1112247) Journal
    Quote from the story: A second flaw, also discovered by Internet Security Systems, could then allow a user to gain full control of the computer. In this second flaw, an intruder working inside the Piranha console can select the "change password" option, then tack a line of computer instructions on the end of the new password. The code, which can do anything the Web server itself can do, will then be executed by the computer, according to researcher Allen Wilson, who discovered both flaws.
    This is the serious part of the security issue, obviously. Just resetting the password, as is suggested above, is not going to solve the problem.

    ========

  • Funny, funny (Score:5)

    by Sonus ( 22732 ) on Tuesday April 25, 2000 @03:23AM (#1112248)
    I just read the article on ZDNN, and knew that something like that would come up here at Slashdot. Oh man, this is a victory for open source??!?! Just a few days ago tons of people were bashing Microsoft for a very minor security hole. And I mean really bashing Microsoft.

    So this "backdoor" comes up, minor also, but it would apppear quite a bit more serious then MS's. And what do we get? That's a victory! We found the bug! That's why open source is king! Jeez people, that's one big way of making open source look bad, and I mean really bad. Is it all just the hype and total biasing?

    If we want to bring more respect to the Open Source initiative, then we have to treat these things the same way another OS is treated. If we don't, then it just helps to convince the world that it's just all hype.

    You know, there should be a contest. I'd love to stick in a mischievious backdoor and see if people could find it in thousands/millions of lines of code.

  • Re:Default Passwords (Score:5)

    by Alan Cox ( 27532 ) on Tuesday April 25, 2000 @04:21AM (#1112249) Homepage
    Accidentally shipping a default password is not good. A 'security' company that blasts that password around rather than saying 'there is a default password that can be cracked' is even more foolish.

    As to Pirahna, it was audited. I can attest to that because I'm the guy who audited it and Im the one who missed the quoting error that let the ; thing work.

    Real Lesson 1: Never write secure code in languages with unclear evaluation semantics.

    Real Lesson 2: Nobody is infallible

    Alan

  • Re:This is all getting out of hand. (Score:5)

    by Hard_Code ( 49548 ) on Tuesday April 25, 2000 @03:40AM (#1112250)
    Let me play devil's advocate:

    1) The victory is that the problem was found. It was found quickly, before any damage was done, and it was found expressly because a member of the community had free and easy access to the code.

    Is there really a difference between this and a company coder finding the bug? There is something to be said for a constant number of eyeballs being paid to stare at and stress the code all day long. A million open source developers won't help much if any one of them doesn't analyse the code for more than say, 30 minutes, or whatever their personal interest level or attention span is. The difference is purely philosophical.

    The gentleman who found the flaw frets that "Anybody else who's viewed the source code could have found the vulnerability and been exploiting it all along," but this ignores the community-spiritedness of opensource as well as the loose lips of most crackers. Things like this go public. And. . .

    Well thank god crackers have such big mouths. That really saved us. Again, how does this differ from a cracker finding it in a proprietary product and blabbing about it? The only difference in this case is that, while we all agree that security through obscurity is EVIL and anyone who relies solely on it should be ashamed and flogged with wet noodles, it DOES have the effect of slightly lowering the chance it would be found by black hats in the first place. Thus technically the closed-source product has an edge here. No, put down the flame thrower, I STILL agree that there are fundamental philosophical virtues of open source, but I think technically the closed source product has the slight edge at this point. (the sin of the closed source product being that maybe you don't WANT to rely on them to find and fix it before the crackers do something bad...I'm talking about an ideal universe here)

    2) The problem can be fixed, in a variety of ways, by anyone. No waiting for patches from The Source.

    This is a concrete benefit of Open Source. While a company coder can probably whip up a fix and distribute very fast, it most probably will not be as fast as the person who just found the bug. But again, Open Source puts the burden on the user (user in whatever sense the person is using the product...could be a developer) to have the knowledge and skills (and time!) to actually fix the bug.

    3) This reflects very well on open source. But it is a blow to Redhat.

    I think this reflects ambiguously on open source. It just proves what we thought all along. YES, bugs are easier to find and exploit. YES, bugs are easier to find and fix. Net gain: 0 Net loss: 0

    Yes it is a blow to Redhat. Distros are basically for packaging/quality assurance/testing. So they better damn well be sure there are no glaring, Microsoft-sized, holes in their distros. That's just plain careless.

    I don't think this is such a glowing testimony to open source as it is a lukewarm observation of fact. They staple-gunned themselves in the foot and someone bandaged them. *applause*

    There is room for both cathedrals and bazaars.

  • Where is the problem ? (Score:5)

    by Bouglou ( 109816 ) on Tuesday April 25, 2000 @02:22AM (#1112251)
    I do not understand where the security hole is.

    I use 'Q' as password really often, it is a FAR better password that 'E' or 'W'. Trust me, with 'Q' you are secure, don't be afraid.

Slashdot Top Deals

He who steps on others to reach the top has good balance.

Close