26 Apr 2000 Bryce (Master)

Today was a bad day.

Having kipped over at Joel's place due to being locked out for the night, I drove off to Hertz to try and recover the missing apartment key. Well, I spent an hour there walking with one of the reps through the entire car lot of 3000 cars trying to find the one I'd been driving, to get the key off the keyring. An hour later we hadn't found it, and another search of the online booking system showed that the 'locked/do not hire' status on the car was ignored and it was rehired that morning... DOH! NO KEY!!! Very miffed. Wasted an hour.

Rushed off to Redhat to find that ISS/MSNBC have managed to completely blow out of proportion the 2 bugs in the piranha package. Now, I personally took 2 days timeout to work out exactly what the exposure was and how it affected people. So, to be brief:

The 'rogue' backdoor account wasn't a backdoor at all but the front door that people were supposed to use to make use of the GUI pages. These pages are controlled by the very standard .htaccess control mechanism. Unfortunately, in packaging the software to be burned onto the CD, it looks like the default password file pointed to by the .htaccess file was altered by some last-minute testing, which is where the password 'q' came into the story. The password for the user 'piranha' was actually meant to be BLANK so that people could use the package out of the box.

What should have been done, had the 6.2 deadline not been so ludicrously tight, was that the account should have been set up as a non-login account and, on trying to use the GUI pages, a message displayed stating that, as the root user of the box, you should type in htpasswd -c -b /home/html/piranha/secure/passwords "<password>" before attempting to use the package. All well and good in HINDSIGHT. However, leaving the account wide open with no password was, while not great, a mostly acceptable situation, because all that the GUI would have allowed you to do would be to alter /etc/lvs.cf, which is for the cluster configuration.

Sub-point: the default install of RH6.2 didn't even install piranha. If you wanted to use clustering services, then you would have to want to use the packages and should have read the documentation, which did point out that you should change the password after you installed it. Unfortunately we lost the documentation person assigned to the piranha project back in January and it's been quite a struggle trying to keep documentation in sync with what we were coding. Anyway. I digress.

The SECOND bug, and the one that carries the greater weight from a security point of view, was the passwd.php3 web page, which made an external call to the htpasswd program normally built up with the Apache distribution (though its root origin is from CERN's httpd src tree). I might as well show EXACTLY what happens and why. There's no point just saying 'bug' if you don't understand it. This is going to ramble a bit, so you might like to skip to the next paragraph after this one 8)

The offending code fragment in passwd.php3, lines 121+, is shown below.

$temp = `/usr/bin/htpasswd -b /home/piranha/conf/passwd piranha $try1`;
if ( $temp != 0 ) {
        echo "...HOWEVER, I wasn't able to update the
                 password file. Permission problems
                 maybe?";
} else {
        echo "Successfully updated the password for
                 'piranha'";
}

What this code portion shows is the php3 variable $temp having a shell command constructed with the aid of $try1. $try1 was actually the input field for the first of the password verify fields (<INPUT TYPE="PASSWORD" NAME=try1>).
Now, because php3 evaluates and executes in a separate shell anything between the ` marks, $try1 was unprotected from being passed the ';' character, which from the shell expansion viewpoint allows it to execute the htpasswd and ADDITIONALLY another string of commands, as long as they were semicolon-separated.
Bad call. I need to be slapped down for missing that. In my defence, I plead time pressure and lack of sleep.

As a consequence, you have to understand the environment that the piranha pages are running in. The web server itself runs as user nobody by default, so any shell commands will be run as user nobody. OK, so what can nobody do? Well, in theory, nothing; however, it CAN execute something like "rm -rf / ". In theory this will do bugger all. Alternative scenarios are that you could mail out the /etc/passwd of the box, which would give the evil cracker some targets to hit against, but again, the default install is to install shadow passwords, which only root can see and operate on, though people do have the choice to use the old BSD-style GCOS passwd file, which isn't protected from other people reading out the encrypted password strings. Hmm, OK, there's a possible nasty.

The charge of 'defacement of a website' is almost groundless, because pretty well all web sites I've ever seen are created under the id of webmaster and local user IDs. User nobody doesn't normally have any featured files in an HTML_HOME, and if it did then you aren't reading the httpd server documentation, which says: *run* the server as user nobody but keep files as webmaster or your own personal userid. Hmm, I truly can't see 'defacement of website' being an issue, though I'm perfectly happy for someone to show me how it would be possible.

By very careful arrangement of typed-in passwords, you could actually manage to export a shell to an external host through xterm. So shell access to the machine is possible, but as user nobody, who *should* have nothing interesting he can attack. Mostly you'd be suffering information leakage and, in an extreme case, loss of CPU/memory through some form of DoS attack, though trust me,.. there are MUCH easier ways to do that than this method.
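As an added example (not the piranha project's code, and not PHP3), here is how the same fragment would be hardened in modern PHP: the password is whitelisted before it gets near a shell, every argument is quoted with escapeshellarg(), and the exit status rather than the command's output decides success. The paths are taken from the quoted fragment; the function names are assumptions.

```php
<?php
// Added example, not the piranha project's code: a hardened rewrite of the
// passwd.php3 fragment in modern PHP (7+). Paths come from the quoted
// fragment; function names are assumptions.
const HTPASSWD    = '/usr/bin/htpasswd';
const PASSWD_FILE = '/home/piranha/conf/passwd';

// Whitelist the password before it goes anywhere near a shell: printable
// ASCII only, no whitespace, quotes, backticks, ';', '|', '&' or '$'.
// Whitelisting is safer than trying to enumerate every shell metacharacter.
function valid_password(string $candidate): bool
{
    $len = strlen($candidate);
    return $len >= 8 && $len <= 64
        && preg_match('/^[A-Za-z0-9!@#%^*()_+=.,:?\/-]+$/', $candidate) === 1;
}

// Quote every word individually so the shell sees exactly three arguments
// after -b, even if the whitelist above is relaxed later.
function build_htpasswd_command(string $user, string $password): string
{
    return HTPASSWD . ' -b ' . escapeshellarg(PASSWD_FILE) . ' '
        . escapeshellarg($user) . ' ' . escapeshellarg($password);
}

// Returns the message the page should show; $try1/$try2 are the two
// password-verify fields from the form.
function update_password(string $try1, string $try2): string
{
    if ($try1 !== $try2) {
        return 'The two passwords do not match.';
    }
    if (!valid_password($try1)) {
        return 'Password rejected: 8-64 printable characters, no spaces, '
             . 'quotes or shell punctuation.';
    }
    $output = [];
    $status = 1;
    // exec() reports the real exit code. The original compared the captured
    // *output* string against 0, which says nothing about whether htpasswd
    // actually succeeded.
    exec(build_htpasswd_command('piranha', $try1) . ' 2>&1', $output, $status);
    if ($status !== 0) {
        return "...HOWEVER, I wasn't able to update the password file: "
             . implode(' ', $output);
    }
    return "Successfully updated the password for 'piranha'";
}
```

Even quoted, -b still puts the password on the command line where it is briefly visible in the process list; Apache 2.4's htpasswd offers -i to read it from stdin instead, which avoids that leak.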

Reading through the 5000+ articles on zdnet/slashdot and other places, I see people lambasting OpenSrc as a result of all this,.. Bad news folks, this *is* the first showing of the piranha GUI; it hasn't had a full peer review as yet, so claiming that OpenSrc doesn't work is immediately shot down in flames, because this exposure was something I never had before,.. community feedback.. admittedly I didn't expect it in this form. Some gentle prods of 'hey! look! I can make it do this in the following circumstances' in a newsgroup or email would have sufficed.

Let's see what other charges are there,.. ah,.. not audited. Hum. Actually it was audited before being put on the RH6.2 CD; however, the piranha package was literally nailed together a day before the CD had to be finalized, so there was <24 hrs for other people to review the code. It's not surprising it got missed.

Miscellaneous charges: Yes, this is a security exposure. It will, however, not end up in your web server being trashed or your machine being left inoperable. Provided that when you installed the original GUI package, you read the text that prompted you to wander off and set a password on the GUI, you should have been safe, because only you would know the password that would then let you get at the change-password function which had the security flaw. A chicken-and-egg security flaw.

Now then, as to how MSNBC/ISS handled the announcement, that was woeful. They misrepresented the severity of the problem and they claimed backdoor access to the system, which was inaccurate, as their 'backdoor' was, as I said earlier, the front door! Also, the severity of the problem seems to have been set at 5.. somewhere akin to 'This will result in your machine catching fire and all data being deleted (not necessarily in that order)'. In truth, I would have rated it as 'easily solvable blunder' that allows for information leakage. I can't see an armageddon scenario from this.
I guess in ISS/MSNBC's eyes, I'm the author and am biased. Pah, humbug. I hope the above is semi-intelligible for those that care and gives a measured account of the security flaw. MSNBC seems to have launched a political attack on RHAT over this since they were caught with something akin to this in their software, which they got badly bitten for. I wonder if this is simply their attempt to try and push the spotlight away from themselves. On the plus side they *DID* come to Redhat with their findings, so there is some thread of decency in there somewhere. I don't think they're all bad; however, I can easily spot the break between engineering and marketing/sensationalism. Why can't people just report the facts and not make things up? 'Honest mistake, leads to potential following security exposures, fix available'

Things got progressively worse during the rest of the day,.. Wanger kept getting called by journalists throughout the day asking about the above problem and why it was so devastatingly serious,.. He also got a radio show interview about it,.. he may even have had two. I think he's feeling the heat. I better watch out, as that probably means my life is no longer worth living for the next fortnight.

Allstate Insurance rang to get even more details about my car insurance in the UK. Reminds me to send over a lump of cash to the UK account after the next pay cheque comes in. So, lots of emails and calls later, they are finally happy that my insurance is correctly sorted out. Good.

Tried to call my apartment complex manager's office several times to find out what process/hoops I needed to jump through to get new keys cut, but couldn't get through. Hopped in the car and beat down the road to the office to see if I could find anyone there at all, only to find out that the reason I couldn't get through was that the manageress was busy singing to her mother down the phone line.. (bizarre). Fortunately they were able to open the door to the apartment and had the locks changed, which didn't cost me anything because it turned out they only had the one key to the apartment in the first place (the one now on someone's Hertz rental car keyring). So that was OK and I now have two spares,.. one hidden in the RHAT office and one on my car keyring.

While I was in the vicinity, I beat round to the Western Union bank?/hut? to try and pay off the deposit on the phone. They'd run out of Bell South deposit slips and could I come back tomorrow.
DOH!!!!

Went back to the office, and overheard lots of political piranha mutterings from the closed conference room behind me. At one point they were all clapping, which initially I took to be agenda item 1: Fire responsible people. Finally got fed up with it, so I went back and started doing code changes to piranha 0.5 (not 0.4). Any chance of a good day has really kind of crumbled to dust.

Mail arrived. My first bank statement.
There is a problem with this,.. where is my personal cheque book?? It was ordered up over 3 weeks ago. Called up Wachovia to check that they weren't holding it at the branch or some other oddity. Nothing there, so I had them cancel the entire cheque book and reorder a new one (muppets). Additionally, NONE of my home banking kit has come through, but they vanished off the end of the phone after cancelling/ordering the new cheque book before I had time to query it. I wasn't feeling in the mood to beat down the call waiting system to get another person to ask about it. Maybe tomorrow, when I'm not being savaged by a fish.

Went home at 20:40 via Wal-Mart, where I bought some audio cable to hook up the speakers and surround sound/CD player system I bought off Keith (cheaply, i.e. <$400), and in the process picked up a Trinitron TV from 'Best Buy', which I needed to do anyway for the cable guy who's due in on Thursday 13:00ish to hook up to the cable network. Sony need to be reminded that adding 10" of extra dimensions to the TV packaging can make for interesting moments loading a car up. Finally got home and installed all the above components. Seems to work fine. I don't have a TV supply as yet, so being bored, came back to the office to type up the diary.

I would write more but I'm too shattered and my entries are starting to become novels.

I'll try and make up for it in tomorrow's diary.
In short, MSNBC are cowboys that have almost zero journalistic ability to report the truth. May they be cursed as the equivalent of the British newspaper 'The Sunday People'.
