COMMAND

    QuickBooks

SYSTEMS AFFECTED

    QuickBooks 2000

PROBLEM

    Following is  based on  a Tyger  Team Security  Advisory by  Steve
    Birnbaum.   Intuit is  collecting information  ranging from system
    configuration to usage from users  of its new QuickBooks 2000  and
    QuickBooks Pro 2000 software.

    Intuit  uses  Marimba  Castanet,  an  automated  software   update
    technology,  to  update  the  QuickBooks  2000  software  on their
    customers' computers  automatically.   The client  does not  allow
    the  user  to  restrict  what  information  is sent to Intuit upon
    request by the Intuit server.   Intuit is able to collect  private
    user information without  the user's knowledge.   Intuit has  also
    implemented  this  software  in  an  insecure  manner  that allows
    malicious users to hijack  it and either obtain  information about
    the user,  or install  their own  files or  programs on the user's
    computer.

    Intuit provides WWW integration  by providing links to  web sites.
    When the user follows such a link, Intuit is sent both the  user's
    unique serial number and their registration number.  This  allows
    Intuit to monitor software installations and users' usage patterns.

    Tested configuration is QuickBooks 2000 (Canadian version) running
    on a dedicated test platform  Windows NT 4.0 with service  pack 6.
    No other  software, other  than Microsoft  Internet Explorer  5.0,
    which Quicken both provides and requires, was installed.

    Some basic tests  were conducted with  QuickBooks Pro 2000  and it
    is confirmed to have the same problems.  QuickBooks and QuickBooks
    Pro are the same  program.  The mode  in which it runs  depends on
    the serial number.

    Using two different  methods, QuickBooks reports  user information
    back to Intuit.

    Issue 1
    =======
    QuickBooks has integrated the Marimba Castanet product into  their
    software.  Immediately  upon first execution,  QuickBooks displays
    the license agreement.   However, before QuickBooks completes  its
    launch and presents  the user with  the interface, it  connects to
    Intuit's Castanet server on port 80.

    Below  is  the  start  of  the  first  http session.  It shows the
    initial  connection  to  the  Castanet  server  and the sending of
    information  regarding  the  configuration  of  the  host  running
    QuickBooks, such as the operating system version.

    The meaning of the other strings that are seen below, such as  the
    references to "properties.txt" and "any/any", is currently unknown.

        qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
                POST /UpdateDirChanQB HTTP/1.0.
                User-Agent: null.
                Connection: Keep-Alive.
                Content-length: 391.
                Pragma: no-cache.
                Content-type: application/marimba.
                Request-type: update/13.
                .
        
        -----------------------------------------------------------------
        qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
                <No data>
        -----------------------------------------------------------------
        qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
                ........%.......qbmarimbaqw.quicken.com...P.....(..
                update.sdk....1..L_L....US..L_C....en..
                Windows NT..x86..4.0..en_US....UpdateDirChanQB........DATA=AUC01QFN00000
        21911004000011501002                                0000000000
                      0000000005200000057010300000000000000000                    05701n
        ewfeatures         00000000                    0000................
        -----------------------------------------------------------------
        -----------------------------------------------------------------
        qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
                <No data>
        -----------------------------------------------------------------
        qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
                HTTP/1.0 200 Reply follows.
                Server: Marimba-Transmitter/4.0.3.
                Content-type: application/marimba.
                Expires: 0.
                Pragma: no-cache.
                Connection: Keep-Alive.
                Content-length: 140.
                .
                .........%...B....B..A....A..segment....any/any....T..........UpdateDirC
        han.QFNz...0..kE.@.6.f....D.....properties.txt.X+.X.<.....7......p..

    Next,  QuickBooks  connects  again  to  the  Castanet  server  and
    initiates  a  request  for  updated  information.   The  following
    capture gives an indication of  the control that the server  holds
    over   the   client.    It   includes   the   receipt  of  various
    configuration instructions.   The commands "desktop.shortcut"  and
    "install.inactive=ignore"  raised  our  suspicions   considerably.
    The explanation we were later given by Marimba via Intuit is  that
    these options are part of the full version of Castanet which  were
    not removed from the more  limited SDK software that Intuit  uses.
    Steve was told that while the server has not had this code removed
    and it still sends it as  part of the handshaking, the SDK  client
    has had  the code  to process  them removed.   Therefore, we  were
    told by Intuit that these specific commands are ignored.

        qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
                POST /UpdateDirChanQB HTTP/1.0.
                User-Agent: null.
                Connection: Keep-Alive.
                Content-length: 113.
                Pragma: no-cache.
                Content-type: application/marimba.
                Request-type: getfiles/3.
                .
        
        -----------------------------------------------------------------
        qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
                HTTP/1.0 200 Reply follows.
                Server: Marimba-Transmitter/4.0.3.
                Content-type: application/marimba.
                Expires: 0.
                Pragma: no-cache.
                .
                ..........      ...........z...0..kE.@.6.f........DAUS000000000000000000
        00QFN0000030111004010011501002                                0000000000
                                0000000005200000139010301000000000000000
            11801newfeatures         n .edition                 000000213dff621c4a11b6c0
        2b10fe8c8394cd92..0000000000000000000000002000_01_14_17_21_25.
                ....X+.X.<.....7..........pcapabilities=none
                desktop.shortcut=false
                extension=channel
                install.inactive=ignore
                locale=any
                macresourceforks=false
                mimetype=application/x-castanet-channel
                name=UpdateDirChanQB
                platform=any
                publish.time=944543763933
                title=UpdateDirChanQB
                type=Data
                update.action=ignore
                update.active=never
                update.inactive=weekly
                update.schedule=every 1 weeks on sun update at 04:00AM

    There  are  further  exchanges  between  QuickBooks  2000  and the
    Castanet  server.   During  these  exchanges  files  are  sent and
    installed without  user approval.   In fact,  the user  isn't even
    aware that this entire exchange is taking place.

    Steve contacted Marimba to find out what their software is capable
    of.  They informed us that the full version of Castanet is able to
    retrieve information such as, but not limited to, IP addresses,
    user names and host names.  The exact information that is obtained
    depends on what their customer configures the server to request.
    Marimba explicitly stated that there is no way for the user to
    prevent certain types of information from being sent if the
    server requests it.  We were informed that there is an additional
    module (which Intuit has not purchased) that will perform a full
    disk scan of the computer running the client software and send
    the output to the Castanet server.  Steve was told that Intuit
    uses the much more limited SDK version, which cannot perform this
    full disk scan.  According to Marimba, the SDK version is limited
    in the host information it can retrieve.  It can also download
    files only to one specific directory within the QuickBooks
    directory tree.  The information it has access to includes the IP
    address, OS name, version and architecture, the locale and time
    zone.  Even though the list of information retrieved is smaller
    than with the full version, users still have no ability to control
    what is sent within that set.

    On the other hand, Marimba has also stated that their software  is
    capable of  working with  an SSL  encrypted session.   The  client
    software can store the server's  key and would reject any  attempt
    from someone  to represent  himself as  the real  Castanet server.
    This  would  also  prevent  hijacking  of  an  already established
    session.  Furthermore, they support the ability to digitally  sign
    each file being sent.

    Castanet seems like a very nice product for an enterprise network.
    However, Steve questions Intuit's use of Castanet in this
    environment.  Regardless, Intuit has not activated the most basic
    security features in the Castanet software.  This leaves the user
    at risk of session hijacking.

    If  someone  is  able  to  hijack  a  session,  they could install
    programs that create back doors to allow an intruder to take  full
    control of the computer.  These sessions raise a list of issues:

    1) Intuit  knows the  identity of  the user  connecting.  They can
       theoretically target specific files to specific users, such  as
       a  program  to  monitor  the  user's  computer or network, even
       behind a firewall.
    2) Since the sessions are not secured, the session can be hijacked
       and a malicious  user can insert  their own files  or backdoors
       onto the user's system.   Intuit has chosen not to  encrypt the
       sessions, thereby creating this risk.
    3) The user has no control over what information is retrieved from
       their  system.   They  must  simply  hope  that Intuit won't do
       something to violate their privacy, and that no malicious users
       will hijack a legitimate session.
    4) Users are  unaware of what  information is being  collected and
       for what purpose it is being used.

    Issue 2
    =======
    QuickBooks 2000 is integrated with Microsoft Internet Explorer  5.
    Many of the windows in  QuickBooks are HTML generated on  the fly.
    With  the  seamless  web  integration,  Intuit has created certain
    text items within  the GUI that  are in fact  links to web  sites,
    and not buttons, to perform local program functions.  These  links
    are not labeled  as such and  appear no different  than HTML links
    that open  other local  windows.   This in  itself is  not such  a
    security problem.

    The issue lies in the method with which Intuit directs the user to
    a web site.   The following is the  URL that is accessed  when the
    user clicks on the text of  a reminder that the program refers  to
    as an "alert".  The example is linked to by a warning with  regard
    to a periodic tax payment due to the government.

        http://redirect.quickbooks.com/redirect/reg=****-****-****/serial=####-###-####-####/?http://www.ccra-adrc.gc.ca/menu-e.html

    The '*' characters replace the registration number provided by
    Intuit.  If you have not registered, the value in the URL is
    "Unregistered".  This is a unique number identifying a particular
    customer of Intuit.

    The '#' characters replace the serial number found on the back of
    the manual.  This is a unique number identifying a specific copy
    of the software.

    When you register  your purchased copy  of QuickBooks with  Intuit
    after supplying them with  your detailed information, you  receive
    a registration number  in return.   Even if you  buy the software,
    you can only run it a  certain number of times without entering  a
    registration  number.   So  unless  you  provide  them  with false
    information when  registering, Intuit  knows exactly  what actions
    their users are performing that take them to Internet sites.
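    As an added example that is not part of the advisory, the following
    script shows how a defender could flag both behaviours described
    above in a web proxy log: Issue 1's Castanet update exchange carried
    over plain HTTP, and Issue 2's redirect URL carrying the registration
    and serial numbers in the clear.  The log format and the sample
    identifiers are constructed; the hostnames, path and content-type
    are taken from the captures above.

```python
import re

# Constructed sample proxy log (not the advisory's own capture), one request per
# line: "<client> <method> <url> <request content-type or ->".
SAMPLE_LOG = """\
qb2000-pc POST http://qbmarimbaqw.quicken.com/UpdateDirChanQB application/marimba
qb2000-pc GET http://redirect.quickbooks.com/redirect/reg=1234-5678-9012/serial=1234-567-8901-2345/?http://www.ccra-adrc.gc.ca/menu-e.html -
qb2000-pc GET http://redirect.quickbooks.com/redirect/reg=Unregistered/serial=1234-567-8901-2345/?http://www.intuit.com/ -
qb2000-pc POST https://qbmarimbaqw.quicken.com/UpdateDirChanQB application/marimba
qb2000-pc GET http://www.example.com/index.html text/html
"""

# Shape of the redirect URL quoted in the advisory: reg=<registration>/serial=<serial>/?<target>
REDIRECT_RE = re.compile(
    r"^http://redirect\.quickbooks\.com/redirect/reg=([^/]+)/serial=([^/]+)/\?(.*)$")
CASTANET_TYPE = "application/marimba"   # request content-type seen in the capture


def redact(value):
    """Mask an identifier so a finding can be logged without re-leaking it."""
    return "".join("#" if c.isalnum() else c for c in value[:-4]) + value[-4:]


def classify(line):
    """Return a finding for one log line, or None if the line is uninteresting."""
    client, method, url, ctype = line.split(None, 3)
    # Castanet update exchange carried over plain HTTP: no TLS, so the host
    # details travel in the clear and the session can be tampered with in transit.
    if ctype == CASTANET_TYPE and url.startswith("http://"):
        return {"kind": "castanet-plaintext", "client": client, "url": url}
    # Redirect link that embeds the customer's registration and serial numbers.
    m = REDIRECT_RE.match(url)
    if m:
        reg, serial, destination = m.groups()
        return {"kind": "identifier-leak", "client": client,
                "registered": reg != "Unregistered",
                "serial": redact(serial), "destination": destination}
    return None


def scan(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

    The HTTPS Castanet line produces no finding, which matches the
    advisory's point that the SDK already supports SSL and only its
    activation is missing.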

SOLUTION

    Since Intuit was first contacted on March 14, 2000, it has
    implemented the following changes with the US R5 and Canadian R6
    updates to QuickBooks 2000:

    1) Users installing  the R5 and  R6 updates are  presented with an
       html window the next  time they run the  application explaining
       the  use  of  the  Automatic  Update feature but also including
       information on how to disable it.
    2) Added  a  top-level  item  on  the  help menu "About  Automatic
       Update,"  which  displays  a   secondary  page  used  for   the
       previously  described  html  window,  and  also provides detail
       about  the  Automatic  Update  feature.   This is more complete
       than in the previous help index.
    3) All,  rather than  most, html  links to  Internet sites are now
       marked with  a lightning  bolt.   However, users  are not  told
       clearly what this means unless they click on the relevant  help
       link.   It is  suggested to  put this  information in  a splash
       screen on startup, or a one-time notification on clicking  such
       a link, and Intuit has  said it will include information  about
       the html  links in  the welcome  pages in  its next  version of
       QuickBooks.
    4) Instead of sending serial numbers in readable text to their
       redirect server, they now perform a two-way hash of the
       information using a proprietary algorithm.  This is basic
       obfuscation.  It is not optimal, but Intuit acted to protect
       against transient sniffing and will use an MD5 one-way hash in
       the next version of QuickBooks.
    5) When  running the  installer for  the update,  a connection  to
       Intuit's Castanet server was made if that option was enabled in
       QuickBooks  2000.   This  appears  to  be an unintentional side
       effect of installing the Automatic Update software itself.   As
       the software installs itself into Windows, it starts itself  up
       the  default  way;  i.e.,  to  check  for  available   updates.
       However,  after  installing  itself,  the software quits, which
       will terminate any  connection it may  have initiated.   Intuit
       believes that it's unlikely that, even on a slow computer,  any
       such connection would remain  open long enough for  any content
       to actually be downloaded to the computer.
    6) Intuit is planning to switch to the industry standard,  highest
       security level SSL for all Castanet updates beginning with  the
       next version of QuickBooks.  The Castanet SDK software embedded
       in  QuickBooks  2000  currently  supports  SSL  enablement  and
       provides  other  security  features.   However, Intuit believes
       that  updating  QuickBooks  2000  to  enable SSL would risk key
       functionality  in  the  product  and  risks adversely affecting
       existing users.
    7) We are still not happy with the auto-update feature, although
       Intuit has taken steps to inform users of it and gives them the
       option to turn it off.  Initially, we believed there was too
       much power in the Castanet client that could be turned on by
       the server.  Based upon information provided by Intuit, this was
       found to be inaccurate.  QuickBooks 2000 does not install any
       software on customers' PCs that would allow their hard drives
       to be scanned or their hard drive file listings to be hijacked
       by a rogue server.  In addition, Intuit was told by Marimba
       that the hard drive scanning capability in the full feature
       Castanet product (i.e., not the Castanet SDK used in QuickBooks
       2000) is of limited scope.  Since this does not affect
       QuickBooks, which uses only the Castanet SDK, we did not
       pursue this avenue to find out what scanning is available in
       the full version.  We assume that such a version would be used
       by an enterprise network administrator for whom full drive
       scanning capabilities for client machines would be acceptable.

    Quick Solution/Workaround:  Turn off the Automatic Update feature.
    Information about  how to  do this  is found  in the  help menu of
    QuickBooks 2000.  Or, use Intuit's QuickBooks 2000/QuickBooks  Pro
    2000 on a computer that  is a dedicated, standalone computer  with
    no  modem  or  network  interface.   The  computer should not have
    Internet connectivity capability at any time.

    For a long-term solution, customers should contact Intuit through
    their web site at

        http://www.intuit.com/corporate/quickbooks2000privacy/

    and request that this issue be resolved immediately.