COMMAND
QuickBooks
SYSTEMS AFFECTED
QuickBooks 2000
PROBLEM
Following is based on a Tyger Team Security Advisory by Steve
Birnbaum. Intuit is collecting information ranging from system
configuration to usage from users of its new QuickBooks 2000 and
QuickBooks Pro 2000 software.
Intuit uses Marimba Castanet, an automated software update
technology, to update the QuickBooks 2000 software on their
customers' computers automatically. The client does not allow
the user to restrict what information is sent to Intuit upon
request by the Intuit server. Intuit is able to collect private
user information without the user's knowledge. Intuit has also
implemented this software in an insecure manner that allows
malicious users to hijack it and either obtain information about
the user, or install their own files or programs on the user's
computer.
Intuit provides WWW integration by providing links to web sites.
When going to such a link, Intuit is sent both the user's unique
serial number and their registration number. This allows the
monitoring of software installation and users' usage patterns.
Tested configuration is QuickBooks 2000 (Canadian version) running
on a dedicated test platform Windows NT 4.0 with service pack 6.
No other software, other than Microsoft Internet Explorer 5.0,
which Quicken both provides and requires, was installed.
Some basic tests were conducted with QuickBooks Pro 2000 and it
is confirmed to have the same problems. QuickBooks and QuickBooks
Pro are the same program. The mode in which it runs depends on
the serial number.
Using two different methods, QuickBooks reports user information
back to Intuit.
Issue 1
=======
QuickBooks has integrated the Marimba Castanet product into their
software. Immediately upon first execution, QuickBooks displays
the license agreement. However, before QuickBooks completes its
launch and presents the user with the interface, it connects to
Intuit's Castanet server on port 80.
Below is the start of the first http session. It shows the
initial connection to the Castanet server and the sending of
information regarding the configuration of the host running
QuickBooks, such as the operating system version.
The meaning of the other strings that are seen below, such as the
references to "properties.txt" and "any/any", is currently unknown.
qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
POST /UpdateDirChanQB HTTP/1.0.
User-Agent: null.
Connection: Keep-Alive.
Content-length: 391.
Pragma: no-cache.
Content-type: application/marimba.
Request-type: update/13.
.
-----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
<No data>
-----------------------------------------------------------------
qb2000-pc.1046 -> qbmarimbaqw.quicken.com.http over TCP
........%.......qbmarimbaqw.quicken.com...P.....(..
update.sdk....1..L_L....US..L_C....en..
Windows NT..x86..4.0..en_US....UpdateDirChanQB........DATA=AUC01QFN00000
21911004000011501002 0000000000
0000000005200000057010300000000000000000 05701n
ewfeatures 00000000 0000................
-----------------------------------------------------------------
-----------------------------------------------------------------
qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
<No data>
-----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
HTTP/1.0 200 Reply follows.
Server: Marimba-Transmitter/4.0.3.
Content-type: application/marimba.
Expires: 0.
Pragma: no-cache.
Connection: Keep-Alive.
Content-length: 140.
.
.........%...B....B..A....A..segment....any/any....T..........UpdateDirC
han.QFNz...0..kE.@.6.f....D.....properties.txt.X+.X.<.....7......p..
Next, QuickBooks connects again to the Castanet server and
initiates a request for updated information. The following
capture gives an indication of the control that the server holds
over the client. It includes the receipt of various
configuration instructions. The commands "desktop.shortcut" and
"install.inactive=ignore" raised our suspicions considerably.
The explanation we were later given by Marimba via Intuit is that
these options are part of the full version of Castanet which were
not removed from the more limited SDK software that Intuit uses.
Steve was told that while the server has not had this code removed
and it still sends it as part of the handshaking, the SDK client
has had the code to process them removed. Therefore, we were
told by Intuit that these specific commands are ignored.
qb2000-pc.1047 -> qbmarimbaqw.quicken.com.http over TCP
POST /UpdateDirChanQB HTTP/1.0.
User-Agent: null.
Connection: Keep-Alive.
Content-length: 113.
Pragma: no-cache.
Content-type: application/marimba.
Request-type: getfiles/3.
.
-----------------------------------------------------------------
qbmarimbaqw.quicken.com.http -> qb2000-pc.1046 over TCP
HTTP/1.0 200 Reply follows.
Server: Marimba-Transmitter/4.0.3.
Content-type: application/marimba.
Expires: 0.
Pragma: no-cache.
.
.......... ...........z...0..kE.@.6.f........DAUS000000000000000000
00QFN0000030111004010011501002 0000000000
0000000005200000139010301000000000000000
11801newfeatures n .edition 000000213dff621c4a11b6c0
2b10fe8c8394cd92..0000000000000000000000002000_01_14_17_21_25.
....X+.X.<.....7..........pcapabilities=none
desktop.shortcut=false
extension=channel
install.inactive=ignore
locale=any
macresourceforks=false
mimetype=application/x-castanet-channel
name=UpdateDirChanQB
platform=any
publish.time=944543763933
title=UpdateDirChanQB
type=Data
update.action=ignore
update.active=never
update.inactive=weekly
update.schedule=every 1 weeks on sun update at 04:00AM
There are further exchanges between QuickBooks 2000 and the
Castanet server. During these exchanges files are sent and
installed without user approval. In fact, the user isn't even
aware that this entire exchange is taking place.
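The following is an added example, not part of the Tyger Team advisory and not Intuit's or Marimba's software. It is a small Go audit that reads the request headers and the key=value directives from the capture above (copied here as a constructed sample, without the binary preamble) and reports what a defender would flag: the plaintext transport, the getfiles request that delivers files the client installs, and the server-pushed directives whose processing Marimba says was removed from the SDK client. The header names and directive keys are those shown in the capture; the finding text and the Audit function are the example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample assembled from the header lines and the key=value
// directives shown in the capture above; the binary preamble is omitted.
const clientRequest = `POST /UpdateDirChanQB HTTP/1.0
User-Agent: null
Connection: Keep-Alive
Content-length: 113
Pragma: no-cache
Content-type: application/marimba
Request-type: getfiles/3
`

const channelProps = `capabilities=none
desktop.shortcut=false
extension=channel
install.inactive=ignore
locale=any
macresourceforks=false
mimetype=application/x-castanet-channel
name=UpdateDirChanQB
platform=any
publish.time=944543763933
title=UpdateDirChanQB
type=Data
update.action=ignore
update.active=never
update.inactive=weekly
update.schedule=every 1 weeks on sun update at 04:00AM
`

// ParseHeaders reads the HTTP request line and headers; header keys are lower-cased.
func ParseHeaders(raw string) (method, target string, hdr map[string]string) {
	hdr = map[string]string{}
	lines := strings.Split(strings.TrimSpace(raw), "\n")
	if len(lines) == 0 {
		return
	}
	if parts := strings.Fields(lines[0]); len(parts) >= 2 {
		method, target = parts[0], parts[1]
	}
	for _, l := range lines[1:] {
		if k, v, ok := strings.Cut(l, ":"); ok {
			hdr[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return
}

// ParseProps reads the key=value directive block pushed by the transmitter.
func ParseProps(raw string) map[string]string {
	props := map[string]string{}
	for _, l := range strings.Split(raw, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(l), "="); ok {
			props[k] = v
		}
	}
	return props
}

// clientControlPrefixes mark directives that tell the client how to behave on the host.
var clientControlPrefixes = []string{"desktop.", "install.", "update."}

// Audit flags what a defender cares about in this exchange: a file-delivery
// request over plain HTTP (no TLS, no signing) and server-pushed directives
// that would control the client if honoured.
func Audit(scheme string, port int, request, props string) []string {
	var findings []string
	method, _, hdr := ParseHeaders(request)
	if scheme != "https" {
		findings = append(findings, fmt.Sprintf("update channel uses %s on port %d: contents can be read or replaced in transit", scheme, port))
	}
	if method == "POST" && hdr["content-type"] == "application/marimba" && strings.HasPrefix(hdr["request-type"], "getfiles/") {
		findings = append(findings, "getfiles request: server delivers files that the client installs without user approval")
	}
	var pushed []string
	for k, v := range ParseProps(props) {
		for _, p := range clientControlPrefixes {
			if strings.HasPrefix(k, p) {
				pushed = append(pushed, k+"="+v)
			}
		}
	}
	sort.Strings(pushed)
	if len(pushed) > 0 {
		findings = append(findings, "server pushes client-control directives (confirm the SDK client really ignores them): "+strings.Join(pushed, ", "))
	}
	return findings
}

func main() {
	for _, f := range Audit("http", 80, clientRequest, channelProps) {
		fmt.Println("-", f)
	}
}
```

Run as-is it prints three findings for the captured session; pointing Audit at an https session with no desktop./install./update. keys reduces that to the single getfiles finding, which is the residual risk a signed-update check (not shown here) would address.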
Steve contacted Marimba to find out what their software is capable
of. They informed us that the full version of Castanet is able to
retrieve information such as, but not limited to, IP addresses,
user names and host names. The exact information that is obtained
depends on what their customer configures the server to request.
Marimba explicitly stated that there is no way for the user to
prevent certain types of information from being sent if the
server requests it. We were informed that there is an additional
module (which Intuit has not purchased) that will perform a full
disk scan of the computer running the client software and send
the output to the Castanet server. Steve was told that Intuit
uses the much more limited SDK version, which cannot perform this
full disk scan. According to Marimba, the SDK version is limited
in the host information it can retrieve. It is also limited in
its ability to download only to one specific directory within the
QuickBooks directory tree. The information it has access to
includes the IP address, OS name, version and architecture, the
locale and time zone. Even though the list of information
retrieved is smaller than the full version, users still have no
ability to control what is sent within that set.
On the other hand, Marimba has also stated that their software is
capable of working with an SSL encrypted session. The client
software can store the server's key and would reject any attempt
from someone to represent himself as the real Castanet server.
This would also prevent hijacking of an already established
session. Furthermore, they support the ability to digitally sign
each file being sent.
Castanet seems like a very nice product for an enterprise
network. However, Steve questions Intuit's use of Castanet in this
environment. Regardless, Intuit has not activated the most basic
security features in the Castanet software. This results in the
user being at risk of session hijacking.
If someone is able to hijack a session, they could install
programs that create back doors to allow an intruder to take full
control of the computer. These sessions raise a list of issues:
1) Intuit knows the identity of the user connecting. They can
theoretically target specific files to specific users, such as
a program to monitor the user's computer or network, even
behind a firewall.
2) Since the sessions are not secured, the session can be hijacked
and a malicious user can insert their own files or backdoors
onto the user's system. Intuit has chosen not to encrypt the
sessions, thereby creating this risk.
3) The user has no control over what information is retrieved from
their system. They must simply hope that Intuit won't do
something to violate their privacy, and that no malicious users
will hijack a legitimate session.
4) Users are unaware of what information is being collected and
for what purpose it is being used.
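Marimba's statement above (the client stores the server's key; each file can be digitally signed) describes the standard defence against the hijacked-session risk in items 1 and 2. The following is an added example in Go, not Castanet's protocol and not Intuit's code, of a client that pins the publisher's public key and verifies a detached signature on every file before it is written to the update directory. The Ed25519 key pair, the file names and the file contents are all constructed for the demonstration, and the way the signature binds name and content hash is this example's own design, not Castanet's message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateFile is one file delivered by the update server together with a
// detached signature. Constructed illustration; the real Castanet message
// format is not documented in the advisory.
type UpdateFile struct {
	Name      string
	Content   []byte
	Signature []byte
}

// signingInput binds the file name to a hash of its content, so a validly
// signed file cannot be re-labelled and installed under another name.
func signingInput(name string, content []byte) []byte {
	h := sha256.Sum256(content)
	return append([]byte(name+"\x00"), h[:]...)
}

// Publisher is the vendor's side: it holds the private key and signs each file.
type Publisher struct{ priv ed25519.PrivateKey }

func NewPublisher() (*Publisher, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: priv}, nil
}

func (p *Publisher) PublicKey() ed25519.PublicKey { return p.priv.Public().(ed25519.PublicKey) }

func (p *Publisher) Sign(name string, content []byte) UpdateFile {
	return UpdateFile{Name: name, Content: content, Signature: ed25519.Sign(p.priv, signingInput(name, content))}
}

var ErrBadSignature = errors.New("signature does not verify under the pinned publisher key")

// Client pins the publisher key at install time and refuses anything that
// does not verify under it, whoever is on the other end of the HTTP session.
type Client struct {
	pinned    ed25519.PublicKey
	Installed map[string][]byte // stands in for the one directory the SDK may write to
}

func NewClient(pinned ed25519.PublicKey) *Client {
	return &Client{pinned: pinned, Installed: map[string][]byte{}}
}

// Install verifies before writing; a failed check leaves the host untouched.
func (c *Client) Install(f UpdateFile) error {
	if !ed25519.Verify(c.pinned, signingInput(f.Name, f.Content), f.Signature) {
		return ErrBadSignature
	}
	c.Installed[f.Name] = append([]byte(nil), f.Content...)
	return nil
}

// Demo returns whether a genuine file installs, and whether a file altered in
// transit and a file signed by a different key are both rejected.
func Demo() (genuineOK, tamperedRejected, rogueRejected bool, err error) {
	vendor, err := NewPublisher()
	if err != nil {
		return
	}
	rogue, err := NewPublisher() // a second key: whoever hijacked the session
	if err != nil {
		return
	}
	client := NewClient(vendor.PublicKey())
	good := vendor.Sign("newfeatures.txt", []byte("release notes"))
	genuineOK = client.Install(good) == nil

	tampered := good
	tampered.Content = []byte("something else") // content changed, signature unchanged
	tamperedRejected = errors.Is(client.Install(tampered), ErrBadSignature)

	forged := rogue.Sign("newfeatures.txt", []byte("file from an unknown signer"))
	rogueRejected = errors.Is(client.Install(forged), ErrBadSignature)
	return
}

func main() {
	g, t, r, err := Demo()
	fmt.Println("genuine installed:", g, "| tampered rejected:", t, "| unknown signer rejected:", r, "| err:", err)
}
```

The point of the design is that the trust decision rests on the pinned key, not on the transport: SSL on the session would stop a passive observer and a man in the middle, but only the per-file signature lets the client refuse a file regardless of how it arrived.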
Issue 2
=======
QuickBooks 2000 is integrated with Microsoft Internet Explorer 5.
Many of the windows in QuickBooks are HTML generated on the fly.
With the seamless web integration, Intuit has created certain
text items within the GUI that are in fact links to web sites,
and not buttons, to perform local program functions. These links
are not labeled as such and appear no different than HTML links
that open other local windows. This in itself is not such a
security problem.
The issue lies in the method with which Intuit directs the user to
a web site. The following is the URL that is accessed when the
user clicks on the text of a reminder that the program refers to
as an "alert". The example is linked to by a warning with regard
to a periodic tax payment due to the government.
http://redirect.quickbooks.com/redirect/reg=****-****-****/serial=####-###-####-####/?http://www.ccra-adrc.gc.ca/menu-e.html
The '*' characters stand in for the registration number provided
by Intuit. If you have not registered, the value in the URL is
"Unregistered". This is a unique number identifying a particular
customer of Intuit.
The '#' characters stand in for the serial number found on the back
of the manual. This is a unique number identifying a specific copy
of the software.
When you register your purchased copy of QuickBooks with Intuit
after supplying them with your detailed information, you receive
a registration number in return. Even if you buy the software,
you can only run it a certain number of times without entering a
registration number. So unless you provide them with false
information when registering, Intuit knows exactly what actions
their users are performing that take them to Internet sites.
SOLUTION
Since Steve first contacted Intuit on March 14, 2000, Intuit has
implemented the following changes with the US R5 and Canadian R6
updates to QuickBooks 2000:
1) Users installing the R5 and R6 updates are presented with an
html window the next time they run the application explaining
the use of the Automatic Update feature but also including
information on how to disable it.
2) Added a top-level item on the help menu "About Automatic
Update," which displays a secondary page used for the
previously described html window, and also provides detail
about the Automatic Update feature. This is more complete
than in the previous help index.
3) All, rather than most, html links to Internet sites are now
marked with a lightning bolt. However, users are not told
clearly what this means unless they click on the relevant help
link. It is suggested to put this information in a splash
screen on startup, or a one-time notification on clicking such
a link, and Intuit has said it will include information about
the html links in the welcome pages in its next version of
QuickBooks.
4) Instead of sending serial numbers in readable text to their
redirect server, they now perform a two-way hash of the
information using a proprietary algorithm. This is basic
obfuscation. This is not optimum, but Intuit acted to protect
against transient sniffing and will use an MD5 one-way hash in
the next version of QuickBooks.
5) When running the installer for the update, a connection to
Intuit's Castanet server was made if that option was enabled in
QuickBooks 2000. This appears to be an unintentional side
effect of installing the Automatic Update software itself. As
the software installs itself into Windows, it starts itself up
the default way; i.e., to check for available updates.
However, after installing itself, the software quits, which
will terminate any connection it may have initiated. Intuit
believes that it's unlikely that, even on a slow computer, any
such connection would remain open long enough for any content
to actually be downloaded to the computer.
6) Intuit is planning to switch to the industry standard, highest
security level SSL for all Castanet updates beginning with the
next version of QuickBooks. The Castanet SDK software embedded
in QuickBooks 2000 currently supports SSL enablement and
provides other security features. However, Intuit believes
that updating QuickBooks 2000 to enable SSL would risk key
functionality in the product and risks adversely affecting
existing users.
7) We are still not happy with the auto-update feature, although
   Intuit has taken steps to inform users of it and gives them the
   option to turn it off. Initially, we believed there was too much
power in the Castanet client that can be turned on by the
server. Based upon information provided by Intuit, this was
found to be inaccurate. QuickBooks 2000 does not install any
software to customers' PCs that would allow their hard drives
to be scanned or their hard drive file listings to be hijacked
by a rogue server. In addition, Intuit was told by Marimba
that the hard drive scanning capability in the full feature
Castanet product (i.e., not the Castanet SDK used in QuickBooks
2000) is of limited scope. Since this does not affect
QuickBooks, which uses only the Castanet SDK, we did not
pursue this avenue to find out what scanning is available in
the full version. We assume that such a version would be used
by an enterprise network administrator for whom full drive
scanning capabilities for client machines would be acceptable.
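To tie Issue 2 to item 4 above, the following added Go example (not Intuit's code; the redirect URL format is the one shown under Issue 2, while the log lines, IP addresses and serial/registration values are constructed placeholders) parses the redirect URL into registration number, serial number and destination, scans a proxy log for requests that carry the serial in clear, and then replaces the serial with the MD5 one-way hash Intuit says it will adopt. The last step shows the caveat a practitioner would want: the hash hides the number from a passive observer, but it is the same value on every request, so the redirect server can still attribute all of one customer's clicks to one copy of the software.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// RedirectInfo is what a redirect.quickbooks.com URL of the form shown under Issue 2 carries.
type RedirectInfo struct {
	Registration string // "Unregistered" when the copy has not been registered
	Serial       string
	Target       string // the site the user actually wanted
}

// ParseRedirect extracts the identifiers from the redirect URL; ok is false for any other URL.
func ParseRedirect(raw string) (info RedirectInfo, ok bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Host != "redirect.quickbooks.com" {
		return info, false
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if k, v, found := strings.Cut(seg, "="); found {
			switch k {
			case "reg":
				info.Registration = v
			case "serial":
				info.Serial = v
			}
		}
	}
	info.Target = u.RawQuery // everything after "?" is the destination URL
	return info, info.Serial != ""
}

// Finding is one proxy-log line in which a customer identifier left the network in clear.
type Finding struct {
	Line   int
	Serial string
	Target string
}

// ScanProxyLog reports every request whose URL (last field of the line) carries a serial number.
func ScanProxyLog(logText string) []Finding {
	var out []Finding
	for i, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if info, ok := ParseRedirect(fields[len(fields)-1]); ok {
			out = append(out, Finding{Line: i + 1, Serial: info.Serial, Target: info.Target})
		}
	}
	return out
}

// Pseudonym is the MD5 one-way hash of an identifier (item 4 of the fix list).
// It hides the serial from a passive observer, but the value is identical on
// every request, so the receiving server can still link them.
func Pseudonym(id string) string {
	sum := md5.Sum([]byte(id))
	return hex.EncodeToString(sum[:])
}

// LinkByPseudonym shows the remaining linkability: it groups findings by hashed
// serial and returns how many redirects each (pseudonymous) customer generated.
func LinkByPseudonym(findings []Finding) map[string]int {
	visits := map[string]int{}
	for _, f := range findings {
		visits[Pseudonym(f.Serial)]++
	}
	return visits
}

// Constructed proxy log: placeholder serial and registration values, not real ones.
const sampleLog = `10:01:02 10.0.0.5 GET http://redirect.quickbooks.com/redirect/reg=Unregistered/serial=TEST-000-0000-0001/?http://www.ccra-adrc.gc.ca/menu-e.html
10:01:09 10.0.0.5 GET http://www.ccra-adrc.gc.ca/menu-e.html
10:04:30 10.0.0.5 GET http://redirect.quickbooks.com/redirect/reg=Unregistered/serial=TEST-000-0000-0001/?http://www.example.com/payroll
10:05:00 10.0.0.7 GET http://redirect.quickbooks.com/redirect/reg=PLACEHOLDER-REG/serial=TEST-000-0000-0002/?http://www.example.com/support
`

func main() {
	findings := ScanProxyLog(sampleLog)
	for _, f := range findings {
		fmt.Printf("line %d: serial %s sent to the redirect server on the way to %s\n", f.Line, f.Serial, f.Target)
	}
	for p, n := range LinkByPseudonym(findings) {
		fmt.Printf("pseudonym %s...: %d redirect(s), still attributable to one copy of the software\n", p[:8], n)
	}
}
```

The scan is what an administrator would run against an outbound proxy log to confirm whether the R5/R6 update actually removed the cleartext serial; the pseudonym grouping is why "hash the identifier" answers the sniffing concern in item 4 but not the usage-tracking concern in Issue 2.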
Quick Solution/Workaround: Turn off the Automatic Update feature.
Information about how to do this is found in the help menu of
QuickBooks 2000. Or, use Intuit's QuickBooks 2000/QuickBooks Pro
2000 on a computer that is a dedicated, standalone computer with
no modem or network interface. The computer should not have
Internet connectivity capability at any time.
For a long-term solution, customers should contact Intuit through
their web site at
http://www.intuit.com/corporate/quickbooks2000privacy/
and request that this issue be resolved immediately.