COMMAND
backdoor
SYSTEMS AFFECTED
Some vendors on Win98 (others?)
PROBLEM
Richard M. Smith posted the following. He's talking about the scope
of a security problem that he found in a Compaq Presario Windows
98 system. It seems that this system was configured at the
factory with a backdoor in Internet Explorer. This backdoor
allows programs from a Compaq Web site to be executed on the
computer with no security warnings. What he's wondering here is
how widespread a practice it is for Compaq and other computer
manufacturers to turn on this type of backdoor on their PCs. Here
are the steps to determine if the backdoor is on:
1. Start Internet Explorer 4 or 5
2. Select the "View | Internet Options..." menu command in IE4
   or the "Tools | Internet Options..." menu command in IE5
3. Select the "Content" tab in the "Internet Options" dialog box
4. Push the "Publishers..." button
If "Compaq Computer Corporation" (or the name of the company
who made your computer) is now listed as a trusted publisher in
the "Authenticode Security Technology" dialog box, then the
backdoor is on.
Richard believes that this backdoor is turned on in most Compaq
models that run Windows 98. The assumption is that this Internet
Explorer feature was designed to be used only by system admins and
users, not by computer makers.
Why was this backdoor turned on in the first place? Seems kind
of strange that a computer company wants to be able to remotely
run programs on their customer's computers. It looks like the
backdoor is intended to be used in some specialized utilities that
Compaq ships as part of Windows 98. These utilities reside on
the local hard drive. Security checking is turned off for
programs created by Compaq so that these utilities can be run
without getting annoying security warnings in Internet Explorer.
As a side-effect of this decision, Compaq can also execute
programs from pages from their Web sites or even from HTML Email
messages.
However, there exists a much more serious hole on this same Compaq
system which allows anyone to go through this same backdoor and
run programs on the system. This second security hole means that
a malicious program can be used to drop a computer virus, delete
data from the disk, or steal private files. This second problem
was first found late last year by another person, but for some
reason never fixed by Compaq. His name is Frank Farance and the
site with more info is:
http://www.farance.com/etc/ie40-security-bug-19981120/index.html
Experiment #1: Can Windows commands be executed from a browser?
Frank was concerned that significant, potentially abusive system
access was permitted through the browser. With a little
experimentation (but not actually wiping the disk yet), he
discovered that it is possible to access Windows commands
directly via the browser. He inspected the HTML files (see below
for a copy of the files) and discovered Windows commands embedded
in the HTML. Apparently, the HTML calls Javascript which invokes
a Java applet which then can run any program on the local
computer.
Experiment #2: Does this work on other browsers? Frank tried
this in Netscape Communicator 4.5 on the same laptop, which
balked. He was unable to recreate the problem in Netscape. He
added the ActiveX plug-in by NCompass to Netscape, but was still
unable to recreate the problem in Netscape.
Experiment #3: Does this problem exist on Windows 95? Frank tried
creating the problem on Windows 95, but was unable to. IMPORTANT:
This problem may exist on Windows 95; Frank was unable to recreate
the problem with limited experimentation.
Experiment #4: Will this work across the web? Frank thought this
problem might exist only because the files were local. Not true.
He uploaded the files onto a web server, loaded the remote URL,
and caused his laptop to execute commands.
Experiment #5: Can any command be executed over the web? Frank
modified the HTML and Javascript and was able to choose any
program to run. The applet was "signed" by Verisign. It's not
clear yet how the signed applet is related to additional and/or
insecure access to the system. IMPORTANT: This means that any
command can be silently run on a user's computer, including:
formatting the disk drive (verified), rebooting your computer
(verified), silent upload/download (simulated) of any of the
user's files.
Experiment #6: Can commands be run with parameters? Frank also
verified that commands can be run with parameters -- an important
feature because it allows, potentially, more destructive behavior
with less setup. IMPORTANT: In effect, this security hazard
doesn't require the user to download viruses onto the computer --
the viruses (normal windows commands) are already there.
Frank reached the limits of experimentation techniques. Further
experimentation would require significantly more effort and is
better performed by the Compaq (laptop manufacturer) and/or
Microsoft (browser vendor and operating system vendor). He
copied all the files into the following directory:
http://www.farance.com/etc/ie40-security-bug-19981120/sample-files
The file "fwqrcd.html" is the original file where the problem was
discovered. The files "testjunk.html" and "testjunk1.html" show
calling a command and a command with a parameter. We've chosen
harmless commands in "testjunk*".
This backdoor, in combination with a Compaq-supplied Java applet,
has introduced a serious security hole in Internet Explorer 4
which allows outsiders to execute DOS and Windows programs from
Web pages or HTML Email messages. Once an outsider is able to
run a program on a system, all the usual bad stuff can be done
such as install a virus or trojan horse, delete files from the
hard disk, steal private information, etc. The backdoor occurs
because IE4 is configured on this Presario system to trust all
ActiveX controls and Java applets signed by Compaq. It appears
that for my system, Compaq was added as a trusted source at the
factory. This wouldn't be so bad by itself, except that the
Presario system also includes a signed Java applet that has a
function for running programs. Because the applet is signed by
Compaq, it will execute with no security warnings in IE4 on any
system where Compaq is a trusted publisher.
This applet is used on a Compaq HTML page to link to various
service options for customers. Some of these links go to Compaq Web
sites, but other links run diagnostic programs from the local
hard drive. The Java applet is used to run these programs. Since
it is a signed applet, it is able to do things outside of the Java
sandbox such as execute programs. The applet appears to have no
security mechanisms built into itself so it can run any program,
not just the Compaq diagnostic programs.
The method that Compaq uses to make itself a trusted publisher in
IE4 is quite interesting. On the Windows desktop there is an icon
labeled "Compaq Support". Clicking on this icon takes you to the
HTML page described above. However it gets there by a very
curious route. The icon doesn't start up IE4 directly but instead
runs a DOS batch file of all things. The first thing that the
batch does is to feed a .REG file to REGEDIT. This .REG file
contains the appropriate settings to make Compaq a trusted
publisher in IE4. Yikes, lowering security settings in IE is
just too darn easy! Once the registry has been appropriately
tweaked, IE4 is started up with the services links page.
SOLUTION
Compaq is looking into various ways to patch the problem. In the
meantime, a simple solution to the problem is to delete from the
hard disk the .REG file that makes Compaq a trusted publisher.
The path of the file to be deleted is:
C:\CPQS\SERVICE\CERTREG.REG
You'll also want to remove Compaq as a trusted publisher from IE.
Here are the steps:
1. Start Internet Explorer 4 or 5
2. Select the "View | Internet Options..." menu command in IE4
   or "Tools | Internet Options..." in IE5
3. Select the "Content" tab in the "Internet Options" dialog box
4. Push the "Publishers..." button
5. Click on the "Compaq Computer Corporation" entry if present
6. Push the "Remove" button.
7. Push the "Okay" button for the "Authenticode Security
   Technology" dialog box.
8. Push the "Okay" button for the "Internet Options" dialog box.
You'll need to remove Compaq as the trusted publisher after
deleting the .REG file. Otherwise, clicking on the icon will make
Compaq be trusted again.
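The advisory's two practical points are that a vendor-supplied .REG
file fed to REGEDIT is enough to add a trusted publisher, and that
the fix is to remove both the file and the publisher entry. The
following is an added example (not from the advisory, from Compaq, or
from Richard's or Frank's files) that audits a .REG file for writes
to IE's Authenticode trusted-publisher database and generates a
counter .REG file that deletes those values again. The registry path
used for the trust database is an assumption made for this example
and should be verified on the system in question, and the sample .REG
content is constructed; the advisory does not show what
C:\CPQS\SERVICE\CERTREG.REG actually contains.

```python
"""Audit a REGEDIT4-format .REG file for trusted-publisher changes and
build a .REG file that reverts them. Added example, not advisory code."""
import re

# ASSUMPTION: IE4/IE5-era Authenticode "always trust" publishers are
# stored under this key. Verify the path on a real system before relying
# on it; it is a hypothesis for this example, not a fact from the advisory.
TRUST_DB_PREFIX = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\WinTrust\Trust Providers\Software Publishing\Trust Database"
)

# CONSTRUCTED sample modelled on the REGEDIT4 text format. The value
# name and the second key are invented for the example.
SAMPLE_REG = r"""REGEDIT4

; trust-database entry (constructed value name)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0]
"example-entry"="Compaq Computer Corporation"

[HKEY_CURRENT_USER\Software\ExampleVendor\Support]
"StartPage"="C:\\CPQS\\SERVICE\\index.htm"
"Enabled"=dword:00000001
"""

# "name"=value or @=value (default value of the key)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo .REG escaping: \\ -> \ and \" -> \" ."""
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _logical_lines(text):
    """Join hex continuation lines (a trailing backslash) into one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _parse_value(raw):
    """Return (type, value) for the right-hand side of a value line."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return ("string", _unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("dword", int(raw[6:], 16))
    if raw.lower().startswith("hex"):
        body = raw.split(":", 1)[1]
        return ("hex", bytes(int(b, 16) for b in body.split(",") if b.strip()))
    if raw == "-":
        return ("delete", None)
    return ("unknown", raw)


def parse_reg(text):
    """Parse .REG text into {key_path: {value_name: (type, value)}}.
    A key written as [-PATH] (a deletion request) maps to None; the
    default value is stored under the name '@'."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                keys[path[1:]], current = None, None
            else:
                current = keys.setdefault(path, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            current[name] = _parse_value(m.group(2).strip())
    return keys


def trust_changes(text):
    """List (key, value_name, value) for every value written under the
    trusted-publisher database; this is what an auditor wants flagged."""
    hits = []
    for key, values in parse_reg(text).items():
        if values and key.lower().startswith(TRUST_DB_PREFIX.lower()):
            for name, (_, val) in values.items():
                hits.append((key, name, val))
    return hits


def revert_reg(text):
    """Emit a REGEDIT4 file that deletes each flagged value ('"name"=-'
    removes a value), i.e. the registry half of the advisory's fix."""
    by_key = {}
    for key, name, _ in trust_changes(text):
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append("[%s]" % key)
        out.extend("@=-" if n == "@" else '"%s"=-' % _escape(n) for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, val in trust_changes(src):
        print("trust-database write: [%s] %s = %r" % (key, name, val))
    print(revert_reg(src))
```

Run it with the path of a vendor .REG file as the only argument; with
no argument it audits the constructed sample. Removing the .REG file
from disk is still a separate step, as the advisory says, because the
batch file would otherwise re-import it on the next click.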