Backdoor passwords
Message # 1
Date: Fri, 10 Feb 2006
From: Stephan Neuhaus
To: PracticalSecurity at hbarel.com
Subject: [PracticalSecurity] Backdoor passwords
Hi list,
today's WTF has an example of a backdoor password that was allegedly found during a source code audit and staunchly defended by its perpetrator (http://www.thedailywtf.com/forums/59595/ShowPost.aspx):
authTicket = identMgmt.GetAuthenticationTicket(username, password);
if (authTicket == null)
{
    if (request.getParameter("backdoor") != null
        && request.getParameter("backdoor").equals("secret"))
    {
        authTicket = AuthenticationTicket.CreateFromTemplate("sysadmin");
        authTicket.Username = username;
        authTicket.FullName = "System Administrator";
    }
    else
    {
        throw new AuthorizationException();
    }
}
We all know that one shouldn't do this kind of stuff; one only has to think of the original Morris worm to know that backdoors are bad. But of course, sometimes such backdoors or hardcoded master passwords are very tempting.
What I'd like to know is, how many of you list members have seen such backdoors in actual production code? I'll start the list by mentioning a server application that had the master password to encrypted user data hardcoded. This was a customer request by the way: they didn't want to enter the password manually because the server was supposed to operate without manual intervention, and they didn't want to put it on the file system in unencrypted form. So it was actually defensible, in a twisted sort of way, to hardcode the master password.
Fun,
Stephan
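The snippet above, ported and put beside the check an auditor would run over it. This is an added example, not code from the post, the WTF thread or any real product; the Ticket type, the users map, the credential values and the regular expressions are assumptions made for the demo, and the "fixed" version is simply the same check with the backdoor branch removed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Ticket stands in for the AuthenticationTicket type used in the posted snippet.
type Ticket struct {
	Username string
	FullName string
	Role     string
}

// ErrAuthorization plays the role of the snippet's AuthorizationException.
var ErrAuthorization = errors.New("authorization failed")

// users is a constructed credential store for the demo (hypothetical).
var users = map[string]string{"alice": "correct horse battery"}

// getAuthenticationTicket mirrors identMgmt.GetAuthenticationTicket: a ticket
// when the password matches, nil otherwise.
func getAuthenticationTicket(username, password string) *Ticket {
	if pw, ok := users[username]; ok && pw == password {
		return &Ticket{Username: username, FullName: username, Role: "user"}
	}
	return nil
}

// authenticateWithBackdoor is a port of the snippet from the post. params is
// the request parameter map. When the real check fails, "backdoor=secret"
// mints a sysadmin ticket for ANY username, including one that does not exist.
func authenticateWithBackdoor(username, password string, params map[string]string) (*Ticket, error) {
	t := getAuthenticationTicket(username, password)
	if t == nil {
		if v, ok := params["backdoor"]; ok && v == "secret" {
			t = &Ticket{Role: "sysadmin"} // CreateFromTemplate("sysadmin")
			t.Username = username
			t.FullName = "System Administrator"
			return t, nil
		}
		return nil, ErrAuthorization
	}
	return t, nil
}

// authenticate is the fixed version: the credential check is the only path
// to a ticket, and nothing carried in the request can substitute for it.
func authenticate(username, password string) (*Ticket, error) {
	if t := getAuthenticationTicket(username, password); t != nil {
		return t, nil
	}
	return nil, ErrAuthorization
}

// auditPatterns are heuristics for a source audit of Java/C#-style code: a
// request parameter compared to a string literal, and a password-like
// identifier assigned or compared to a literal. They produce a review list,
// not a verdict, and assume conventional naming (assumption for the demo).
var auditPatterns = []*regexp.Regexp{
	regexp.MustCompile(`getParameter\("[^"]*"\)\s*\.equals\("[^"]*"\)`),
	regexp.MustCompile(`(?i)(password|passwd|secret|master|backdoor)\w*\s*(==|=|\.equals\()\s*"[^"]+"`),
}

// AuditSource returns the 1-based line numbers in src that match a pattern.
func AuditSource(src string) []int {
	var hits []int
	for i, line := range strings.Split(src, "\n") {
		for _, re := range auditPatterns {
			if re.MatchString(line) {
				hits = append(hits, i+1)
				break
			}
		}
	}
	return hits
}

// postedSnippet is the code quoted in the post, as an auditor would see it.
const postedSnippet = `authTicket = identMgmt.GetAuthenticationTicket(username, password);
if (authTicket == null)
{
    if (request.getParameter("backdoor") != null
        && request.getParameter("backdoor").equals("secret"))
    {
        authTicket = AuthenticationTicket.CreateFromTemplate("sysadmin");
        authTicket.Username = username;
        authTicket.FullName = "System Administrator";
    }
}`

func main() {
	// A username that does not exist, a wrong password, and the magic parameter.
	t, err := authenticateWithBackdoor("nobody", "wrong", map[string]string{"backdoor": "secret"})
	fmt.Printf("backdoored: ticket=%+v err=%v\n", t, err)
	_, err = authenticate("nobody", "wrong")
	fmt.Printf("fixed: err=%v\n", err)
	fmt.Printf("audit hits (line numbers): %v\n", AuditSource(postedSnippet))
}
```

The point the port makes concrete is that the backdoor does not even require a real account: the ticket is minted from the "sysadmin" template and the username is copied from the request, so "nobody" becomes System Administrator. The regexes are the kind of thing to run over a code base before a review, and the second one also catches the hardcoded master password Stephan mentions; expect false positives and read every hit.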
Message # 2
Date: Fri, 10 Feb 2006
From: Michael Silk
To: Stephan Neuhaus
Cc: PracticalSecurity at hbarel.com
Subject: Re: [PracticalSecurity] Backdoor passwords
I do.
(no i don't).
Shh.
-- Michael
On 2/10/06, Stephan Neuhaus
Hi list,
today's WTF has an example of a backdoor password that was allegedly
found during a source code audit and staunchly defended by its
perpetrator (http://www.thedailywtf.com/forums/59595/ShowPost.aspx):
authTicket = identMgmt.GetAuthenticationTicket(username, password);
if (authTicket == null)
{
    if (request.getParameter("backdoor") != null
        && request.getParameter("backdoor").equals("secret"))
    {
        authTicket = AuthenticationTicket.CreateFromTemplate("sysadmin");
        authTicket.Username = username;
(snip)
Message # 3
Date: Fri, 10 Feb 2006
To: Stephan Neuhaus
From: Hagai Bar-El
Subject: Re: [PracticalSecurity] Backdoor passwords
Cc: PracticalSecurity at hbarel.com
Hi Stephan,
At 10/02/06 10:20, Stephan Neuhaus wrote:
Hi list,
You know, I somehow remember that such an issue was actually discovered with Hotmail several years ago: a three-letter password that could be used to log into all accounts. This was resolved instantly and the issue was silenced. Frankly, I could not find a mention of that, but I remember there was such a case. I hope I am not making this up.
today's WTF has an example of a backdoor password that was allegedly
found during a source code audit and staunchly defended by its
perpetrator (http://www.thedailywtf.com/forums/59595/ShowPost.aspx):
authTicket = identMgmt.GetAuthenticationTicket(username, password);
if (authTicket == null)
{
    if (request.getParameter("backdoor") != null
        && request.getParameter("backdoor").equals("secret"))
    {
        authTicket = AuthenticationTicket.CreateFromTemplate("sysadmin");
        authTicket.Username = username;
(snip)
Such backdoors are a complete no-no for security applications, and I believe open source programs don't introduce any - it's too risky for the developer. With commercial products I admit I saw this happen once or twice...
A flavor of backdoor that is common is what is called "key escrow" in cryptographic applications. This is a backdoor in its use case, but is done a bit more securely, usually by following every key encryption operation with another such operation using a known constant public key. This opens the door for the administrator to decrypt everything you do with that application, but at least does not open the door to anyone else; until that administrator loses his private key, of course...
Regards,
Hagai.
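The escrow flavour Hagai describes, as an added example that is not code from the message or from any product: each message is encrypted under a fresh content key, and that key is wrapped twice, once for the recipient and once for the escrow public key. The choice of RSA-OAEP with SHA-256 for wrapping, AES-256-GCM for the content, 2048-bit keys and the OAEP label are assumptions made for the demo; in a shipping product the escrow public key would be the constant baked into the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped blob to its purpose (assumption for the demo).
var oaepLabel = []byte("content-key-v1")

// EscrowedMessage is one message on the wire: the content encrypted once under
// a fresh AES-256-GCM key, and that key wrapped twice with RSA-OAEP, once for
// the recipient and once for the escrow authority.
type EscrowedMessage struct {
	Nonce            []byte
	Ciphertext       []byte
	WrappedForUser   []byte
	WrappedForEscrow []byte
}

// NewKeyPair makes a 2048-bit RSA key; in the demo every party gets a fresh one.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt implements the escrow flavour from the message: the content key is
// wrapped for the recipient and then, in a second identical operation, for
// escrowPub (the "known constant public key").
func Encrypt(plaintext []byte, recipientPub, escrowPub *rsa.PublicKey) (*EscrowedMessage, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	m := &EscrowedMessage{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	if m.WrappedForUser, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, oaepLabel); err != nil {
		return nil, err
	}
	if m.WrappedForEscrow, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, escrowPub, contentKey, oaepLabel); err != nil {
		return nil, err
	}
	return m, nil
}

// Decrypt opens the message with whichever private key the caller holds. Both
// wrapped copies are tried, so the recipient and the escrow authority share one
// code path; any other key fails the OAEP unwrap and never sees the content.
func Decrypt(m *EscrowedMessage, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range [][]byte{m.WrappedForUser, m.WrappedForEscrow} {
		contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, oaepLabel)
		if err != nil {
			continue
		}
		gcm, err := newGCM(contentKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	}
	return nil, errors.New("this private key unwraps neither copy of the content key")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	user, _ := NewKeyPair()
	escrow, _ := NewKeyPair()
	stranger, _ := NewKeyPair()
	m, err := Encrypt([]byte("constructed sample message"), &user.PublicKey, &escrow.PublicKey)
	if err != nil {
		panic(err)
	}
	for name, k := range map[string]*rsa.PrivateKey{"recipient": user, "escrow authority": escrow, "stranger": stranger} {
		pt, err := Decrypt(m, k)
		fmt.Printf("%-16s -> %q (err=%v)\n", name, pt, err)
	}
}
```

Running it shows the trade-off in Hagai's last sentence: the recipient and the escrow authority both recover the plaintext, the stranger gets an error, and nothing in the format stops whoever obtains the escrow private key from reading every message ever sent with that application.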