[Discussioni] Interbase back door exposed

Francesco Potorti` pot a gnu.org
Mon 5 Mar 2001 15:54:40 CET


A beautiful arrow for our bow!

<http://www.securityfocus.com/news/136>



Interbase back door exposed

Open source exposes a hardcoded password that remained a secret for seven years.

By Kevin Poulsen, January 11, 2001 3:33 PM PT

A back door password has been hidden in Borland/Inprise's popular Interbase database software for at least seven years, potentially exposing tens of thousands of private databases at corporations and government agencies to unauthorized access and manipulation over the Internet, experts say.

Analysts report that the account name 'politically' with the password 'correct' unlocks access to Interbase versions 4.0, 5.0 and 6.0 over the net, on any platform. Moreover, because Interbase has the ability to execute user-defined functions, the back door can be used to inject malicious code into a system, which could give an attacker administrative access to the computer itself, according to a Wednesday advisory from the Computer Emergency Response Team (CERT).

"The back door account password can not be changed using normal operational commands, nor can the account be deleted from existing vulnerable server," reads the CERT warning.

Jim Starkey, the architect of the original, 1985 version of Interbase -- which did not contain a back door -- says hackers have already begun scanning the Internet for services on TCP port 3050, the default port for Interbase servers.
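For a defender, the two facts in the paragraphs above (a fixed account name that is valid on every installation, and attackers sweeping TCP port 3050 looking for listeners) are what a detection rule should key on. The following is an added example, not code from the article, Borland or the Firebird Project: it runs over a few constructed connection-log lines in a made-up `key=value` format (InterBase's real log format is not shown on the page) and raises an alert for any login attempt with the reported back door account on port 3050, plus a second alert when one source touches several distinct Interbase hosts, which is what a port sweep looks like from the inside. The log format, the field names and the sweep threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (assumption, not InterBase's own log):
#   "<date> <time> src=<ip> dst=<ip> dport=<port> user=<name> result=<ok|fail>"
LINE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)"
)

INTERBASE_PORT = 3050          # default server port named in the article
BACKDOOR_USER = "politically"  # back door account name named in the article

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "2001-01-11 15:30:01 src=203.0.113.5 dst=192.0.2.10 dport=3050 user=appuser result=ok",
    "2001-01-11 15:31:12 src=198.51.100.7 dst=192.0.2.10 dport=3050 user=politically result=ok",
    "2001-01-11 15:31:13 src=198.51.100.7 dst=192.0.2.11 dport=3050 user=politically result=fail",
    "2001-01-11 15:31:14 src=198.51.100.7 dst=192.0.2.12 dport=3050 user=politically result=fail",
    "2001-01-11 15:32:00 src=203.0.113.5 dst=192.0.2.10 dport=3050 user=appuser result=ok",
    "2001-01-11 15:33:00 src=203.0.113.9 dst=192.0.2.10 dport=22 user=politically result=fail",
]


def detect(lines, sweep_threshold=3):
    """Return a list of alert tuples found in the given log lines.

    ("backdoor-login", src, dst, result) for every attempt, successful or
    not, to use the back door account against an Interbase port; a
    successful one means the host must be treated as compromised.
    ("port-sweep", src, n_hosts) when one source contacted at least
    sweep_threshold distinct Interbase hosts (threshold is an assumption).
    """
    alerts = []
    hosts_per_src = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        # skip unparseable lines and traffic to other services
        if not m or int(m["dport"]) != INTERBASE_PORT:
            continue
        hosts_per_src[m["src"]].add(m["dst"])
        if m["user"] == BACKDOOR_USER:
            alerts.append(("backdoor-login", m["src"], m["dst"], m["result"]))
    for src, hosts in hosts_per_src.items():
        if len(hosts) >= sweep_threshold:
            alerts.append(("port-sweep", src, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the rule flags the account name regardless of the result field: the password is the same everywhere, so a failed attempt with that name is still a scanner that knows about the back door, and the successful one from the sample marks a host that needs the vendor or Firebird fix applied and its databases reviewed.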

California-based Borland did not return phone calls, but the company web site acknowledges "a potential security loophole within the Interbase product."

According to company press material, Interbase users include Nokia, MCI, Northern Telecom, Bear Stearns, the Money Store, the US Army, NASA, and Boeing.

No malice 

Rather than reflecting the work of a disgruntled insider or saboteur, the secret password appears to be a programmer's ill-advised solution to a software design problem, says Starkey, who has analyzed the back door code.

Up until 1994, Interbase did not have its own access control mechanism -- the software was protected by the password scheme built into the underlying operating system. With version 4.0, engineers set out to change that.

"What they decided to do was to set up a special database on every system that contained all the account names and the encrypted passwords," says Starkey. That model created something of a chicken-and-egg problem: To authenticate a user, the system had to have access to the password database; but to access any database -- including the password database -- the user first had to be authenticated.

The unknown programmer's solution was to hardcode a special password into the software itself -- a secret shared by the client and server. The back door solved the problem, but was a devastatingly bad move from a security standpoint, says Bruce Schneier, CTO of Counterpane and author of Secrets & Lies: Digital Security in a Networked World. "As long as nobody knows about this back door, it works. It's still secure," says Schneier. "But as soon as somebody finds out about it, everybody is immediately and irrevocably insecure."
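The chicken-and-egg problem Starkey describes, and why a shared hardcoded secret is the wrong way out of it, is easier to see in code. The following is an added, deliberately simplified illustration written for this page; it is not InterBase or Firebird code and does not model their internals. A dict stands in for the "special database" of account names and password hashes. `FlawedServer` reproduces the outcome the article reports: a built-in credential that is accepted on every installation and cannot be removed by the administrator. `HardenedServer` shows the usual alternative: the server process opens the security database with its own local privilege (file permissions, not a password sent over the network path), so no bootstrap account exists and only stored credentials are ever accepted. Class and function names, the hash parameters and the sample users are all assumptions.

```python
import hashlib
import hmac
import secrets

# The shared secret the article reports; kept here only so the flawed
# server can show that it is accepted on a freshly installed system.
KNOWN_BACKDOOR = ("politically", "correct")


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SecurityDatabase:
    """Stands in for the per-system database of accounts and password hashes."""

    def __init__(self):
        self._rows = {}  # user -> (salt, pbkdf2 hash)

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._rows[user] = (salt, _hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        row = self._rows.get(user)
        if row is None:
            # Hash anyway so an unknown name is not rejected measurably faster.
            _hash(password, b"\0" * 16)
            return False
        salt, stored = row
        return hmac.compare_digest(stored, _hash(password, salt))


class FlawedServer:
    """Bootstraps access to the security database with a secret baked into
    the binary. The same secret is valid on every installation, and normal
    administration (add_user, password changes) never touches it."""

    def __init__(self, secdb: SecurityDatabase):
        self.secdb = secdb

    def authenticate(self, user: str, password: str) -> bool:
        if (user, password) == KNOWN_BACKDOOR:
            return True  # the back door: no row to delete, nothing to change
        return self.secdb.verify(user, password)


class HardenedServer:
    """Opens the security database directly as the server process, using
    local OS privilege rather than a network login, so the bootstrap
    problem never arises and there is no account outside the database."""

    def __init__(self, secdb: SecurityDatabase):
        self._secdb = secdb  # opened locally; never via the network auth path

    def authenticate(self, user: str, password: str) -> bool:
        return self._secdb.verify(user, password)


def demo():
    """Return (flawed_accepts_backdoor, hardened_accepts_backdoor)."""
    secdb = SecurityDatabase()
    secdb.add_user("alice", "s3cret-pass")  # constructed sample account
    flawed = FlawedServer(secdb).authenticate(*KNOWN_BACKDOOR)
    hardened = HardenedServer(secdb).authenticate(*KNOWN_BACKDOOR)
    return flawed, hardened


if __name__ == "__main__":
    print("flawed accepts back door: %s, hardened accepts back door: %s" % demo())
```

The point Schneier makes follows directly: the flawed server's security rests entirely on nobody reading the binary or the source, and once the constant is known every deployment is open at once, whereas the hardened server's security rests on per-installation secrets that an administrator can rotate or revoke.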

Open Source led to exposure

Discovery became inevitable when Borland made Interbase open source last year, giving outsiders the chance to peer into its inner workings for the first time. German software developer Frank Schlottmann-Goedde spotted the hardcoded password in late December while working on the Firebird Project, a community open source project built on the Borland Interbase release.

"We reacted with horror," says Starkey. "Everyone had a real good idea of how easy it was to exploit it."

Competing fixes are now available from Borland and the Firebird Project.

"The thing that everybody was worried about is that the word would get out that there was a problem before we had a solution," says Starkey. "The words 'politically correct' show up about eighteen places throughout the code."

The last back door to be reported in a major software release was in April, when the password 'wemilo' was found hardwired into the small-business Internet shopping cart program Cart32, where it had gone undetected for five years.

Copyright © 1999-2000 SecurityFocus.com



