[ISN] MS bugware blamed for 'inadvertent' hack

From: InfoSec News (isnat_private)
Date: Mon Aug 27 2001 - 05:53:52 PDT

    http://www.theregister.co.uk/content/4/21288.html
    
    By Thomas C Greene in Washington
    Posted: 27/08/2001 at 12:10 GMT
    
    Possible Good Samaritan Brian West of Oklahoma was using MS FrontPage
    when he learned (inadvertently, he claims) that he could gain
    privileges on the local Poteau Daily News Web site without
    authentication. After bringing this gaffe to the paper's attention, he
    got into a bit of hot water with the Feds for 'exceeding
    authorization' on the machine.
    
    Now West's lawyers are claiming that Microsoft's bugware is to blame
    for the whole incident.
    
    "It appears that Microsoft's software may have caused this unfortunate
    situation to occur," the Oklahoma-based Chappell Law Firm representing
    West says in a press release circulated on the Politech mailing list.
    
    And then there's this bit, discouraging US Attorney Sheldon Sperling
    from opening a ghastly can of worms: "If this case goes to trial, the
    Microsoft personnel who developed these programs will likely be
    subpoenaed as witnesses by Mr. West's defense team," the legal beagles
    warn.
    
    "Or if it is found that this software contributed to, participated in
    or caused the events under investigation to occur, Microsoft could be
    indicted under the same statute."
    
    Jeez, you'd think these guys had never seen a click-through
    agreement....
    
    What was West up to?
    
    According to a now-famous explanation by Linuxfreak, while looking at
    the Daily News Web site "West clicked the 'Edit' button on Microsoft's
    Internet Explorer. This action brought up Microsoft FrontPage and
    should have created a local copy of the Web page, allowing West to do
    a mock-up of the site on his own computer."
    
    "In this case, however, Microsoft FrontPage displayed some unusual
    files due to a server misconfiguration. After some confusion, West
    realized that the Web server hosting the Poteau Daily News site
    required no authentication to edit any file on the site."
    
    But according to the FBI affidavit, the computer West is suspected of
    using was logged making approximately 40 attempts to access the Daily
    News Web server in an hour's time. These included attempts to access
    files. A few hours later the passfile was downloaded, and five minutes
    after that someone logged in on a user account, but the user in
    question claims not to have been on line at the time.
    
    From this we can infer that the Daily News does practice grotesquely
    bad network hygiene. The passfile, obviously, didn't need to be
    cracked. But was their network hygiene so incredibly poor that a naive
    surfer could just hit their edit button and waltz inside?
    
    It would require some determination to stuff up a server configuration
    quite that badly. Absurdly bad judgment in setting file and directory
    permissions could do the trick. And using a FAT file system on Win-NT
    would give full privileges to anyone who can connect to the server.
    
    The most common exploit against an IIS server with Front Page
    extensions is a quite old buffer overflow attack against Dvwssr.dll,
    which supports the Link View feature in Visual Interdev 1.0. If West
    did something along those lines, his intrusion can hardly be
    considered inadvertent.
    
    The documents here are incomplete; we really don't know the
    circumstances. If the Linuxfreak account is full and accurate, then
    it's outrageous that West should be punished. But if things went more
    along the lines the FBI is claiming -- well, we'll just wish him luck
    with his 'inadvertent buffer overflow' defence.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 08:18:31 PDT