<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Real-time AntiSpam protection, automated and self-managed content filtering &#187; FTP</title>
	<atom:link href="http://veriat.com/tag/ftp/feed" rel="self" type="application/rss+xml" />
	<link>http://veriat.com</link>
	<description></description>
	<lastBuildDate>Thu, 27 May 2010 23:10:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>User Securities Lapses Open pcAnywhere Hosts to Prying Eyes</title>
		<link>http://veriat.com/user-securities-lapses-open-pcanywhere-hosts-to-prying-eyes-2.html</link>
		<comments>http://veriat.com/user-securities-lapses-open-pcanywhere-hosts-to-prying-eyes-2.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 15:36:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[HTTP]]></category>
		<category><![CDATA[LDAP]]></category>
		<category><![CDATA[NDS]]></category>
		<category><![CDATA[Novell Bindery]]></category>
		<category><![CDATA[NT Domain]]></category>
		<category><![CDATA[public key encryption]]></category>
		<category><![CDATA[securities issue]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=259</guid>
		<description><![CDATA[pcAnywhere 10: Remote Access Not a Remote Risk (Update)
Symantec recently contacted ?regarding its April 11th, 2001 analysis of pcAnywhere security issues and pointed out several features we glossed over in our (albeit brief) discussion of pcAnywhere 10.0. To summarize Symantec&#8217;s claims and our responses:
1. pcAnywhere 10.0 client-host traffic can be encrypted using internal pcAnywhere, symmetric, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>pcAnywhere 10: Remote Access Not a Remote Risk (Update)</strong></p>
<p>Symantec recently contacted ?regarding its April 11th, 2001 analysis of pcAnywhere security issues and pointed out several features we glossed over in our (albeit brief) discussion of pcAnywhere 10.0. To summarize Symantec&#8217;s claims and our responses:<span id="more-259"></span></p>
<p>1. pcAnywhere 10.0 client-host traffic can be encrypted using internal pcAnywhere, symmetric, or public key encryption.</p>
<p>The encryption Symantec refers to prevents network monitors or &#8220;sniffers&#8221; from capturing a remote pcAnywhere session. But unless you select public key encryption, and then do not publish the key, it will not provide any additional protection from other pcAnywhere users. A login attempt will report the level of security being used.</p>
<p>2. pcAnywhere 10.0 requires that users password protect their pcAnywhere hosts. A &#8220;null&#8221; password is not accepted.</p>
<p>pcAnywhere 10.0 requires that users password protect new Callers, not new hosts. Password protection of the host is optional. And both levels of password protection can be defeated via the .CIF file &#8220;back door.&#8221;</p>
<p>3. Authentication options offered with pcAnywhere 10.0 include Active Directory, NDS, Novell Bindery, LDAP, FTP, HTTP, and NT Domain.</p>
<p>4. Random searches for pcAnywhere hosts can be prevented by going to Tools &gt; Options &gt; Host Communications and clicking the &#8220;Do not display host in TCP/IP search results&#8221; box.</p>
<p>This is an important feature for pcAnywhere users wishing to ensure their privacy over local area networks and the Internet.</p>
<p>5. pcAnywhere users can add a further level of security by limiting connections to within a specific subnet or even a specific TCP/IP address or host name.</p>
<p>This is perhaps the easiest-to-implement safety feature for both home/small business and corporate users. Go to Tools &gt; Options &gt; Host Communications. In the TCP/IP options box you can enter a list of valid connections. Callers from addresses other than those listed will be rejected, regardless of permissions and passwords.</p>
<p>6. If you use the pcAnywhere 10.0 Packager to create custom pcAnywhere hosts, &#8220;Integrity Checking&#8221; will check the installation every time pcAnywhere is launched for changes in the registry, pcAnywhere objects, executables and DLLs. Integrity Checking prevents .CIF files from being copied into the pcAnywhere data directory and circumventing security settings.</p>
<p>&#8220;Integrity Checking&#8221; applies only to Packager-created hosts. Packager installation requires Windows NT or Windows 2000. Otherwise, pcAnywhere 10.0 does not distinguish between a .CIF file generated by its own host and a .CIF file generated elsewhere. In fact, you can copy a foreign .CIF file to the \pcAnywhere directory while the host is running and the host will incorporate the new password and login &#8220;on the fly.&#8221; Subsequently (until and unless either the new Caller or the .CIF file is deleted), all new hosts will incorporate that .CIF file&#8217;s defined Caller.</p>
<p>This porous &#8220;back door&#8221; necessitates careful attention to all the other security measures pcAnywhere offers and incorporates.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/user-securities-lapses-open-pcanywhere-hosts-to-prying-eyes-2.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Globbing Vulnerability Inflicts File Transfer Service</title>
		<link>http://veriat.com/globbing-vulnerability-inflicts-file-transfer-service.html</link>
		<comments>http://veriat.com/globbing-vulnerability-inflicts-file-transfer-service.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 15:01:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[globbing]]></category>
		<category><![CDATA[LIST command]]></category>
		<category><![CDATA[metacharacter]]></category>
		<category><![CDATA[Network Associates]]></category>
		<category><![CDATA[Solaris]]></category>
		<category><![CDATA[Unix server platforms]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=255</guid>
		<description><![CDATA[This FTP Uploads More Than Just Files
Network Associates&#8217; PGP Security has issued an advisory concerning a security flaw in many implementations of FTPd-derived server software. File transfer protocol (FTP) software is a critical element in all Internet servers, allowing both administrators and users to upload and download files. This particular flaw, related to a buffer [...]]]></description>
			<content:encoded><![CDATA[<p><strong>This FTP Uploads More Than Just Files</strong></p>
<p>Network Associates&#8217; PGP Security has issued an advisory concerning a security flaw in many implementations of FTPd-derived server software. File transfer protocol (FTP) software is a critical element in all Internet servers, allowing both administrators and users to upload and download files. This particular flaw, related to a buffer overflow in the glob() function, affects FTP daemons in a half dozen Unix server platforms.<span id="more-255"></span></p>
<p>When dealing with file systems it is useful to be able to use wildcards and other file-search shortcuts. For example, listing the contents of a directory using the DOS command: DIR *.MP3 (in Unix, ls *.mp3) will list all files that end in an .MP3 suffix. The asterisk here is called a &#8220;metacharacter.&#8221; Other commonly used metacharacters are the slash, question mark, colon, and tilde. The process of expanding metacharacters into identifiable file names is called &#8220;globbing.&#8221;</p>
<p>Not just file names, but paths can also be &#8220;globbed.&#8221; For example, the tilde character (&#8220;~&#8221;) can be expanded into the path of the home directory of the specified user. In the case of FTP server code that allows globbing of the tilde character, the FTP daemon typically expects file paths limited to 512 characters. But when expanded in the glob() function by wildcard characters, the resolution of the path can result in &#8220;very large input strings being passed into the main command processing routines,&#8221; which can lead to &#8220;exploitable buffer overflow conditions&#8221; and &#8220;unbounded string operations.&#8221;</p>
<p><strong>Out of Bounds</strong></p>
<p>The deliberately triggered buffer overflow is at the heart of many software &#8220;hacks.&#8221; When a buffer overflows, it spills data over a memory boundary, and the spilled data is mistaken by the operating system for a legitimate command. How the buffer overflow occurs differs from system to system. In Solaris, a LIST command can do the trick; in HPUX, the STAT command causes a stack-based overflow; BSD has four commands tied to the glob() function that can be exploited.</p>
<p>COVERT labs at PGP Security has so far confirmed that six Unix operating systems have vulnerable FTP daemons, though many others may also be affected:</p>
<p>FreeBSD 4.2<br />
OpenBSD 2.8<br />
NetBSD 1.5<br />
IRIX 6.5.x<br />
HPUX 11<br />
Solaris 8</p>
<p>PGP Security has also published an update to its CyberCop Scanner utility that detects affected software.</p>
<p><strong>Patches in the Works</strong></p>
<p>PGP recommends that until patches become available, administrators should make sure to protect any directories in the anonymous FTP tree that are writeable by an anonymous FTP user. But even without a writeable directory present, OpenBSD and NetBSD can be exploited if a directory has a name longer than 12 characters; FreeBSD is vulnerable for names longer than 9 characters.</p>
<p>The CERT Coordination Center at Carnegie Mellon University has contacted the various Unix vendors about the status of their Unix products with regard to these flaws. FreeBSD reports that they have corrected the bugs &#8220;in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE, and they will not be present in FreeBSD 4.3-RELEASE.&#8221; NetBSD has a fix that should &#8220;work on any 4.4BSD derived glob(3).&#8221; Fujitsu is in the process of preparing patches to UXP/V versions V10L20 and V20L10. SGI has acknowledged that the flaw exists in its software and is &#8220;currently investigating.&#8221;</p>
<p>For Unix operating systems not listed above, webmasters and network administrators should contact their vendors and confirm whether their software contains the FTP flaw, and if so, when a patch will be made available.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/globbing-vulnerability-inflicts-file-transfer-service.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hack of Alcatel Speed Touch Modems Exposes Users to Unauthorized Tampering, Network Obstruction</title>
		<link>http://veriat.com/hack-of-alcatel-speed-touch-modems-exposes-users-to-unauthorized-tampering-network-obstruction.html</link>
		<comments>http://veriat.com/hack-of-alcatel-speed-touch-modems-exposes-users-to-unauthorized-tampering-network-obstruction.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 14:40:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[ADSL]]></category>
		<category><![CDATA[Asymmetric Digital Subscriber]]></category>
		<category><![CDATA[DSL Access Multiplexor]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[Network Obstruction]]></category>
		<category><![CDATA[Trivial FTP]]></category>
		<category><![CDATA[UDF packets]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=251</guid>
		<description><![CDATA[Trivial FTP a Serious Concern for ADSL Customers
Tsutomu Shimomura, a security expert at the San Diego Supercomputing Center (best known for tracking down hacker Kevin Mitnick in 1995), has uncovered several security vulnerabilities in the Alcatel Speed Touch line of ADSL &#8220;modems.&#8221; Flaws in this popular Asymmetric Digital Subscriber Line router/bridge could allow an attacker [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Trivial FTP a Serious Concern for ADSL Customers</strong></p>
<p>Tsutomu Shimomura, a security expert at the San Diego Supercomputing Center (best known for tracking down hacker Kevin Mitnick in 1995), has uncovered several security vulnerabilities in the Alcatel Speed Touch line of ADSL &#8220;modems.&#8221; Flaws in this popular Asymmetric Digital Subscriber Line router/bridge could allow an attacker to reconfigure or disable the device, and even upload code that would spy on outgoing and incoming network traffic.<span id="more-251"></span></p>
<p>The SDSC report identified three primary areas of concern with the Alcatel Speed Touch ADSL modem: unauthenticated Trivial File Transfer Protocol (TFTP) access, weak password protection, and no validation of downloaded firmware.</p>
<p><strong>Taking a Bad Bounce</strong></p>
<p>Exploiting these vulnerabilities requires access either to the physical copper wire attached to the Speed Touch (via a DSLAM, or DSL Access Multiplexor), or to its LAN (local area network) or WAN (wide area network) interfaces. In the latter two cases, a proven strategy is to &#8220;bounce&#8221; UDP packets (the data format used by streaming audio and video) off an active server on the WAN/LAN side of the network, and fool the modem into believing the data was delivered internally. Once the source of the data has been thus &#8220;spoofed,&#8221; the sender can gain access to the modem via TFTP.</p>
<p>TFTP is a subset of the File Transfer Protocol (FTP) used to upload and download files over the Internet. TFTP has no directory or password capability. It is used in the Speed Touch to allow a DSL service provider with DSLAM access to update the user&#8217;s firmware and make configuration changes to the modem. However, in this case it also creates an unobstructed &#8220;back door&#8221; to the device.</p>
<p><strong>Who Goes There?</strong></p>
<p>Perhaps the biggest security problem with all password-protected systems occurs when the password is not set. This is true of the Alcatel Speed Touch, which, according to the SDSC, is shipped with only a &#8220;null&#8221; password enabled. It&#8217;s up to the user or service provider to set the password when the modem is configured.</p>
<p>However, even when this password is set, the modem contains a second administrative account that can be accessed via Telnet, HTTP, and FTP, provided that a connection can first be established using TFTP (as described above). This administrative account, called EXPERT, relies on a standard challenge-response mechanism. Unfortunately, the SDSC considers the underlying algorithm insufficiently strong and the password itself &#8220;easily reversible.&#8221; Setting the user password separately does not affect the security (or lack of it) of the EXPERT account.</p>
<p><strong>Show Me an ID</strong></p>
<p>Even if a malicious person were to gain access to a Speed Touch modem, further damage could be limited by requiring that a known digital signature key be presented before allowing a change in the firmware. Alcatel does not do this either. The company contends that the packet bounce strategy that makes these exploits possible is a &#8220;security problem in all data communication networks&#8221;, and should be &#8220;solved by means of a firewall.&#8221;</p>
<p>The CERT Coordination Center at Carnegie Mellon University concurs to an extent, suggesting that you can prevent a TFTP UDP bounce attack by setting up a firewall to filter packets with spoofed source addresses, packets with a source address of 255.255.255.255, and packets with a destination port of ECHO. They also strongly recommend that Alcatel product owners check their devices to make sure the password has been reset from its null default setting.</p>
<p><strong>No Chicken Little (Yet)</strong></p>
<p>Considering the expertise required to execute such a hack, the home user is an unlikely target. More typical would be businesses and institutions with valuable network traffic at risk. As Tom Perrine, who with Shimomura authored the SDSC article, told the San Diego Union Tribune, it would take a &#8220;savvy&#8221; hacker, well versed in both network operations and the inner workings of the Speed Touch modem to cause any serious damage. &#8220;The sky isn&#8217;t falling,&#8221; he said. The vulnerabilities of Alcatel devices remain, for the time being, hypothetical ones.</p>
<p>And all these documented flaws notwithstanding, Alcatel does have a point when it insists that like analog modems, telephones, and fax machines, these devices provide &#8220;connectivity not security,&#8221; and that &#8220;private and LAN security is in the responsibility of the user.&#8221; In this ever more wired world, that&#8217;s what it always comes down to, you can count on it.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/hack-of-alcatel-speed-touch-modems-exposes-users-to-unauthorized-tampering-network-obstruction.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
