Date: Wed, 3 May 2000 10:51:40 -0500 (CDT)
From: rain forest puppy 
To: emarkowi@cmp.com
Cc: fennelly@wkeys.com, jyacono@cmp.com, gshipley@nwc.com, fnelson@cmp.com,
        mfratto@cmp.com, gyerxa@nwc.com, rfaletra@cmp.com, hclancy@cmp.com,
        pforman@cmp.com, mspiwak@cmp.com, folhors@cmp.com, ianwar@cmp.com,
        ahoffman@cmp.com, errata@attrition.org
Subject: Re: IIS Security Hole (CRN is unprofessional)
In-Reply-To: <852568D4.0056415E.00@NotesSMTP-01.cmp.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-UIDL: 76bf189be2b6e302f013ccf12965ea27

> If you still feel strongly about what was printed in CRN, put your
> response as a "Letter To The Editor" and I will print it, but I would
> need your name and location.

I just so happen to have one composed...


Letter to the Editor:

I wanted to comment on the articles CRN published in regards to the IIS
backdoor/dvwssr.dll incident.  I have addressed aspects of each article
separately:

> http://www.crn.com/search/display.asp?ArticleID=15842
"The security flaw, first disclosed Thursday, renders solutions using the
 NT 4.0 Option Pack or FrontPage extensions non-compliant with the
 government's C2 security standard."

Actually, running a web server itself makes it non-C2 compliant.
http://www.microsoft.com/technet/security/c2config.asp

So forget FrontPage extensions (bug or not), if you have IIS, you're not
C2.  I don't understand why CRN felt the need to drop anything related to
C2-compliance in the article, except for the awe factor.

"However, no notices had been posted as of Friday afternoon"

Microsoft didn't post as of Friday afternoon, but Bugtraq and
www.wiretrip.net were updated by 8:30am on Friday.  I would consider these
primary and secondary sources for this topic.

> http://www.crn.com/search/display.asp?ArticleID=15872
"The Test Center found a Perl script on the Web that appears to have been
 authored by the same individual who originally reported the flaw to
 Microsoft."

Ok, the script you posted says 'by LordRaYden'.  So did they mean
LordRaYden, or rfp?  If they knew I was the original reporter, then
why didn't they check my website, especially when the script exhibited
problems?

Further, the script you posted was originally posted on Usenet--
LordRaYden posted it to alt.hack.nl.  See for yourself:

http://x42.deja.com/getdoc.xp?AN=611203332&CONTEXT=957296763.370933776&hitnum=4

What's funny?  The script there is correct.  So somehow during the process
of copying it from Usenet, someone at CRN incorrectly formatted it,
causing it to lose particular linefeeds and produce errors on execution.

"In a preliminary examination of the script, it appears that "dvwssr.dll"
 is used to invoke an http request to retrieve a file over the Web"

That's incorrect.  The script invokes an HTTP request to dvwssr.dll, to
retrieve a file over the Web.

"The Test Center has released the Perl script to the public (see below)
 in hopes of starting an active forum regarding the script and means to
 exploit the security hole."

This article was posted on the 18th; the original script was to be found
at www.wiretrip.net and on Bugtraq, Win2KSecAdvice, NTBugtraq, and other
full-disclosure outlets.  How is it in 4 days you did not even check a
primary or secondary source for the security information?  I would think
even a little research would have turned up the original advisory and
script.

> http://www.crn.com/search/display.asp?ArticleID=15994

"A Perl script recently posted on alt.hackers.malicious makes that
 expertise unnecessary. "

Again, you used Usenet as your primary source.  Usenet is third-party,
unverified information, and yet this is your direct source of information
for your article(s)?

"Whoever wrote the script is either on a par with Sir Isaac Newton and
 able to reverse-engineer an encryption algorithm from assembly code or,
 more likely, had access to the DLL source code."

Security experts reverse engineer software every day.  You'd think as
engineers in the 'Test Lab', they'd understand this.

"The script mentions the name "Rain Forest Puppy," the so-called security
 consultant who first reported the flaw to Microsoft, as a clue or red
 herring."

Red herring?  Clue?  If you would read Bugtraq and/or www.wiretrip.net,
you will see I *did* originate the script.  "so-called security
consultant"?  More like "so-called journalists".

Reine Forriest, a.k.a. Rain Forest Puppy
- Bath, UK