| By Nicholas Petreley |
Article Rating: |
|
| February 12, 2003 12:00 AM EST |
Reads: |
27,588 |
I believe I have stumbled upon two of Microsoft's most-startling and best-kept secrets, the ramifications of which for Linux and open source are profound.
The revelation began when I realized that I had been mistaken in thinking that the lack of a well-funded marketing department could prevent open source and free software from displacing the commercial variety. The events of the past few months demonstrate that free software is being promoted by the richest and most-talented marketing organization on the planet: Microsoft.
Consider for a moment what a well-orchestrated promotional stunt the Microsoft SQL Server Slammer worm proved to be. Does anyone honestly think it was a coincidence that Slammer brought the Internet to its knees before the echoes of Bill Gates' state of the union on trustworthy computing address could fade? The timing was as impeccable as food to a beakless chicken.
The second clue as to its intentional nature was the widespread deployment of the vulnerability. Many folks mistakenly think that Microsoft SQL Server was the only product involved. Not so; this vulnerability exists in page after page of Microsoft products. Here is a partial list of the products containing the weakness:
- SQL Server 2000 (Enterprise Edition, Developer Edition, and Personal Edition)
- .NET Framework
- ASP.NET Web Matrix
- Visio Enterprise Network Tools
- Visual FoxPro
- Visual Studio .NET
- Visual Basic .NET
- Visual C++ .NET
- Visual C# .NET
- Office XP Premium, Professional and Developer editions
- Project Server 2002
- Windows Enterprise Server
- Windows Server 2003
- ... and many, many more
If the above isn't enough to tip one off to the promotional nature of Slammer, the intelligent design that went into the bug should remove all doubt. If you think buffer overflow was the weakness exploited by Slammer, you would be only partly correct. As dangerous as buffer overflows may be, they are relatively benign unless one can exploit them via the network. Unless you are willing to embed a buffer overflow into a core public network service such as a Web site, FTP server or e-mail, it takes a concerted effort to make it available to crackers. Database servers are particularly hard to crack, because no sane software company would make one listen to the Internet by default.
Here's why: if you are using a database for a Web site, and the Web server is on the same machine as the database, one doesn't need to use networking at all to make the Web server communicate with the database. Assuming it is desirable to use a network port for communications between Web server and database, one only has to configure the database to listen to the local host (the same machine) and no outside requests. Even if the server and database reside on separate machines, it is a simple matter to tell the database to listen only to specified IP addresses (i.e., the Web server machine) or all machines on the internal network.
Under normal circumstances, one would have to deliberately configure a database server to be vulnerable to outside attack. Microsoft circumvented this limitation by opening up the port to the world. Then it embedded the engine in so many of its applications that hardly a Windows machine on the Internet lacked the vulnerability!
But that's not all! Once you understand the purpose of the service that listens to this port, you know it had to be a planned event. Microsoft added a feature to SQL Server that lets you install several copies of the database server on the same machine and run them as if they were running on separate machines. Naturally, they can't all listen to the same port without getting their messages crossed. So Microsoft created a Resolution Service that listens on port 1434, sorts out the requests for the various copies of SQL Server and routes the requests as needed.
Now consider the fact that this vulnerability exists in many third-party products that use the Microsoft engine, not just in the Microsoft products listed above. The entire list comprises almost 200 applications, including such unlikely candidates as Timeslips (a time-billing program). Of all these products, ranging from financial software to fax software, how many do you suppose lend themselves to being installed several times on the same machine so that you can run multiple copies simultaneously? If this capability is only useful for a few of them, why else would Microsoft enable this feature by default? To maximize the attack's impact, of course.
Fans of Microsoft will also appreciate the fact that there are other vulnerabilities on this port that do not require one to exploit a buffer overflow. For example, you can use a carefully crafted "keep-alive" packet to make multiple database servers spin their wheels so hard they'll stop responding to any requests at all — a denial-of-service attack. This just goes to show how hard the programmers worked to provide crackers with as many avenues as possible.
Subscribe to Linux Email News Alerts
Subscribe via RSS
