From xforce@iss.net Mon Jan 18 15:15:12 1999 From: X-Force To: alert@iss.net Cc: X-Force Date: 18 Jan 1999 18:39:31 -0000 Subject: ISSalert: ISS Security Advisory: Vulnerability in the BackWeb Polite Agent Protocol -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory January 18, 1999 Vulnerability in the BackWeb Polite Agent Protocol Synopsis: Internet Security Systems (ISS) X-Force discovered a vulnerability in the BackWeb Technologies (http://www.backweb.com/home.html) BackWeb Polite Agent Protocol that allows a user on a local network on which BackWeb clients operate to spoof a BackWeb server. Hardware and software vendors often include BackWeb software in their distribution to facilitate remote distribution of software updates. Affected versions: ISS X-Force has confirmed that this vulnerability exists on all versions of the BackWeb client using the Polite Agent Protocol for communication with BackWeb servers. Fix Information: Until a suitable security mechanism is made available by the vendor, ISS recommends upgrading to BackWeb 5.0, which supports VeriSign digital certificates for enhanced security. Description: The BackWeb Polite Agent Protocol is a UDP-based protocol that BackWeb clients use to communicate with BackWeb servers. BackWeb's "anti-spoofing mechanism" for delivery of UDP data to the client and server is the exchange of a 32-bit integer, randomly generated by the client each time it requests data from the server. This integer is appended to each packet of a specific piece of BackWeb data (InfoPak). By examining these packets in transport, an attacker may send false data to a BackWeb client, acting as the real BackWeb server. Exploit Information: BackWeb uses a sequencing method to maintain packet data integrity. Any attacker who can examine a local network can determine the 32-bit integer and sequence numbers. A race condition exists where the attacker may deliver a false response to the client 'match request,' which is the first packet delivered by the client to determine whether or not the server should send data to it. If this spoofed response reaches the client before the real BackWeb server responds, the attacker may continuously write realistic-looking BackWeb packets to the network in response to the client request. These packets may direct the client to update files on its drive, execute programs, or display messages on the client screen. While client security settings may not be changed, other client settings such as displayed data may be changed. Depending on the client security settings, an attacker may send executable files to be executed on the client machine. By default, BackWeb's security settings disable automatic execution of downloaded files. BackWeb strongly recommends that customers do not enable automatic execution of downloaded files when using software prior to version 5.0 unless other security mechanisms are implemented separate from the BackWeb system. Customers using BackWeb client version 5.0 and above can enable automatic execution of files that will only automatically execute a file after verifying that the file is digitally signed and that the signing certificate is approved. __________ Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html, as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNqNr6TRfJiV99eG9AQEqqwP8DzeL1po1edkVYlAtbLEoGLGxqdHjJIam LmbIL2Be0b2D09ovZXPc+r5muvs184kYAUbu1eDPS25W8ti9XFYW2VJIYEWHl6eB qzCi/ZDr76szOQealai8q/RqtN6q9qVypVhAOgDsh/C/SUi2mEs1Z6gbXnsV73VT DcF9EZ9C+Qo= =cC4a -----END PGP SIGNATURE-----