Re: [ISN] Security hole found in Borland database

From: InfoSec News (isnC4I.ORG)
Date: Sat Jan 13 2001 - 15:09:37 CST


Forwarded By: Russell Coker <russellcoker.com.au>

On Friday 12 January 2001 17:46, InfoSec News wrote:

> The username and password--"politically" and "correct,"
> respectively--are written into the program, easy to find, and
> can't be removed by changing settings, CERT said.

Note that they ARE WRITTEN INTO THE PROGRAM, EASY TO FIND.

> Borland acknowledged the back door and has begun releasing
> patches. The company has notified customers and sales partners and
> will begin shipping repaired versions this week, said Jon Arthur,
> director of the InterBase project for Borland. The problem exists
> in versions 4, 5 and 6 of InterBase.

The article omitted to mention whether Borland is releasing patches to
InterBase 4. Which of the following options will be given to IB4 users?

1) Never receive a patch.
2) Be told to pay for an upgrade to IB6.
3A) Receive a patch for IB4 at the same time as the IB6 patch is released.
3B) Receive a patch 6 months after the IB6 patch.
4) Be offered a free or cheap upgrade to IB6 so they can apply the
     patch.

> The back-door feature was an innocent addition to the code in 1994

It should be noted that Open Source programmers will ask on mailing
lists questions like "how do I make two programs communicate, should I
just hide a password in one of them?". The result will be that they
will be told 100 times that it's a stupid idea and they'll design
things differently.

> The problem illustrates the double-edged sword of open-source
> software regarding security. On the good side is the fact that so
> many more

No it doesn't.

> On the other hand, it can be easier for a malicious programmer to
> find vulnerabilities. This particular back door has existed since
> 1994, and nothing was preventing a malicious programmer from
> finding it in the last six months.

The article says above that the password is EASY TO FIND. It's not
uncommon for me to run "strings" on binaries to see what they do.
Often command-line options etc aren't documented properly and running
"strings" on a binary is the only way to discover how to run a program
properly. When doing such operations on commercial software I often
see information that the programmers apparently didn't want me to see.
I haven't found any backdoors that way yet, but I may in future.

> Another advantage to open-source software is that people, if
> skilled enough, can fix problems themselves instead of waiting for
> a company to release a software patch. But that can be a problem.
> Borland cautions that applying patches that don't come from
> Borland voids the company's warranty.

Here is Borland's warranty cut directly from its web site. It only
covers media (i.e. the CD-ROM). So basically Borland are saying that if
you apply an unsupported patch you should get a CD-burner and make a
few extra copies of the install disks first.

LIMITED WARRANTY

Borland warrants the physical media and physical documentation
provided by Borland to be free of defects in materials and workmanship
for a period of ninety (90) days from the original purchase date. If
Borland receives notification within the warranty period of defects in
materials or workmanship, and determines that such notification is
correct, Borland will replace the defective media or documentation. DO
NOT RETURN ANY PRODUCT UNTIL YOU HAVE CALLED THE Borland CUSTOMER
SERVICE DEPARTMENT AND OBTAINED A RETURN AUTHORIZATION NUMBER.

> Though speedy repair is a benefit of the open-source world, lack
> of formal support can be a problem, Rouland said. For example, it
> often requires a lot of programming expertise to apply a patch.

Here's how to install a new (patched) program on a Debian system:
apt-get update
apt-get install package

> "Open source advances the technology quickly and gets patches out
> quickly, but you have to have gurus on staff," Rouland said.

So being able to run "apt-get" makes someone a guru?

--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page

ISN is hosted by SecurityFocus.com
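
The "strings" check described in the message above, as an added example that is not part of the original post: a small Python equivalent of strings(1) that reports where watch-listed literals sit in a binary you ship or deploy, and whether each hit is a whole embedded string or only a substring. The function names and the sample bytes are constructed for illustration; the two watched literals are the ones quoted in the article.

```python
import re

# Literals to audit for: the account name and password quoted in the article.
WATCHLIST = ("politically", "correct")

def printable_strings(data, min_len=4):
    """Yield (offset, text) for every run of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")

def audit(data, watchlist=WATCHLIST, min_len=4):
    """Return (offset, text, literal, exact) for strings containing a literal.

    exact is True when the embedded string is the literal and nothing else,
    which is what a NUL-terminated C string constant looks like. A substring
    hit (exact False) is usually an unrelated message and needs a human look.
    """
    hits = []
    for offset, text in printable_strings(data, min_len):
        for literal in watchlist:
            if literal in text:
                hits.append((offset, text, literal, text == literal))
    return hits

def audit_file(path):
    """Run the audit over a file on disk."""
    with open(path, "rb") as handle:
        return audit(handle.read())

# Constructed sample bytes standing in for a binary image (not a real program).
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"usage: %s [-p port]\x00"
    + b"incorrect option\x00"
    + b"\x01\x02"
    + b"politically\x00correct\x00"
    + b"\xff\xfe"
    + b"connect_db\x00"
)

if __name__ == "__main__":
    for offset, text, literal, exact in audit(SAMPLE):
        kind = "exact" if exact else "substring"
        print(f"0x{offset:04x}  {kind:9}  {literal!r} in {text!r}")
```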