security and MS??? YEAH! RIGHT!

Jason plug-discuss@lists.PLUG.phoenix.az.us
Wed, 27 Jun 2001 23:00:19 +0000


Just goes to show ya that the advantages of open source in mass-market
products that require security are quite real.

Security through obscurity works damn well when there are only a
relatively few copies of your server in existence (i.e. some of the
old phone company systems...). Nevertheless, even then people locate
security holes, sometimes by accident*. With open source, there are
both security professionals and hackers who want nothing more than
their name in lights as authors of a script (hence gaining fame and
admiration from script kiddies the world round...) who will search day
and night for a hole. When such is found, it's generally reported to
something like BUGTRAQ pretty quickly, right?

The net result of this constant purging of security flaws is that
it's quite rare that the same security flaw sits undiscovered for half
a decade in open-source software... What eEye has discovered is quite
shocking, really, if the story is reported factually... and unless
Bill and friends recently sold all their stock and are now shorting
Microsoft, I doubt msnbc.com will be slandering Microsoft...

I've heard from a friend who develops for Microsoft that they DO
release their source code, after you sign a billion waivers, your
firstborn, etc... to their developers, for an outrageous sum of money,
or some such. I'd bet money this is how eEye was able to discover this
flaw, and the one they discovered prior to it.

Microsoft could dramatically better its image if it offered
high-dollar rewards to companies that could demonstrate, privately for
MS, working exploits with patches to provided source to prevent
them... ah well.

--
*I've done so myself, having found the magic to get to the
configuration menu for "Proctor Test Set" - a centrally located
payphone testing tool. I published that and other info in the summer
1994 issue of 2600 magazine. The "exploit"? Administrators were
leaving the configuration password at 000 and then setting the system
to make option 11 (the configuration submenu) not available. The
problem was that the button "B" (a DTMF tone not found on most
phones; most phones only have 12 of the 16 DTMF tones. Most older
modems, particularly USR and Hayes, could dial the A, B, C, and D
tones, however) returned the SAME VALUE that the program's menu driver
reinterpreted the two-key combo of 11 to be...

I only discovered this since I was trying to figure out why the hell
menu item 11 wasn't there. Since "1" was obviously an extension to add
digits, I figured that 11 might have even more digits. I'd also
noticed that *, #, and A, C, and D were shortcuts for dialing the
higher-numbered menu items. Since pressing 11 resulted in a message of
"invalid choice", I started mapping out by pressing B, then hitting
zeros. (Suffice it to say, B001 and all others returned the phrase
"invalid password", something I discovered later.)



Technomage wrote:
> something I happened across in a hacking newsgroup.
> http://www.msnbc.com/news/588963.asp?cp1=1

-- 
jkenner @ mindspring . com__
I Support Linux:           _> _  _ |_  _  _     _|
Working Together To       <__(_||_)| )| `(_|(_)(_|
To Build A Better Future.       |                   <s>
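The footnote above describes a classic authorization-by-hiding failure: the administrator "removed" item 11 from the menu, but the menu driver only filtered the typed digit string, while the single-key B tone resolved straight to the same internal item number and landed on a password prompt still set to the default 000. The following is an added, constructed Python reconstruction of that failure mode beside a fixed driver; it is not the Proctor Test Set firmware and not code from the post. The shortcut table (which tone maps to which item), the item names and the menu size are assumptions; the B/11 collision, the hidden item 11 and the 000 default come from the post.

```python
"""Toy DTMF menu driver with a hidden configuration item.

Constructed example, not real payphone test-set firmware. It models the
failure mode from the post: the 'B' tone resolves to the same item number
as the two-key sequence '11', and only the typed-digit path honours the
administrator's "not available" flag. Key-to-item mappings other than
B -> 11 are assumptions for illustration.
"""

from dataclasses import dataclass
from typing import Callable, Dict, Optional

# The 16 DTMF symbols. Ordinary handsets expose only the first 12;
# A-D exist on some modems and test equipment.
DTMF_KEYS = "0123456789*#ABCD"

# Assumed shortcut table: the post says *, #, A, C and D jumped to
# higher-numbered items and that B collided with item 11.
SHORTCUTS = {"*": 10, "#": 12, "A": 13, "B": 11, "C": 14, "D": 15}


@dataclass
class MenuItem:
    number: int
    name: str
    hidden: bool = False              # administrator's "option not available" flag
    password: Optional[str] = None    # submenus that prompt for a password


def build_menu() -> Dict[int, MenuItem]:
    """Fifteen items; item 11 is the hidden configuration submenu whose
    password was left at the factory default of 000 (per the post)."""
    items = {n: MenuItem(n, f"test {n}") for n in range(1, 16)}
    items[11] = MenuItem(11, "configuration", hidden=True, password="000")
    return items


def resolve_vulnerable(menu: Dict[int, MenuItem], keys: str) -> Optional[int]:
    """Original-style driver: typed digit strings are checked against the
    visible list, but a shortcut tone maps straight to an item number and
    never sees the hidden flag."""
    if keys in SHORTCUTS:
        return SHORTCUTS[keys]                      # bypasses the hidden check
    if keys.isdigit():
        n = int(keys)
        if n in menu and not menu[n].hidden:
            return n
    return None


def resolve_fixed(menu: Dict[int, MenuItem], keys: str) -> Optional[int]:
    """Hardened driver: canonicalize every key sequence to an item number
    first, then apply the availability check exactly once, on the item."""
    if keys in SHORTCUTS:
        n = SHORTCUTS[keys]
    elif keys.isdigit():
        n = int(keys)
    else:
        return None
    if n not in menu or menu[n].hidden:
        return None
    return n


def dial(menu: Dict[int, MenuItem], keys: str, password: str,
         resolve: Callable[[Dict[int, MenuItem], str], Optional[int]]) -> str:
    """Simulate one menu interaction: select an item, then answer its
    password prompt (if any). Returns the test set's response string."""
    if any(k not in DTMF_KEYS for k in keys + password):
        return "invalid choice"
    n = resolve(menu, keys)
    if n is None:
        return "invalid choice"
    item = menu[n]
    if item.password is not None and password != item.password:
        return "invalid password"
    return f"entered {item.name}"


if __name__ == "__main__":
    m = build_menu()
    print(dial(m, "11", "000", resolve_vulnerable))   # invalid choice
    print(dial(m, "B", "000", resolve_vulnerable))    # entered configuration
    print(dial(m, "B", "001", resolve_vulnerable))    # invalid password
    print(dial(m, "B", "000", resolve_fixed))         # invalid choice
```

The fix is the usual one for this class of bug: decide what the input means (canonicalize), then authorize the resolved object, rather than filtering one spelling of the input at the UI layer. Hiding a menu entry is not access control, and a default password of 000 would still need changing even with the resolver fixed.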