Radsoft

The GRC Flaw

19 January 2006 23:04 UTC
Go ahead - drink it.

Things were confusing enough over the holiday season for Windows users - and then the redoubtable Steve Gibson got in the picture. Always eager to hijack media attention, Gibson suddenly had major news outlets typing backwards and Microsoft chief of security Stephen Toulouse blogging in defence on his own site.

How did he do this? Simple - the same way he's always done it. In his award-lacking 'Security Now' podcast, Gibson accused Microsoft outright of planting a backdoor in their WMF code - and then naturally left all hanging for another week.

Gibson ended his intimate soiree with Leo Laporte with a prediction that he might have to return with his tail between his legs the following week, but no such doing for the resourceful head of the GRC entrepreneurship.

Erstwhile backup vocalist with a famous pop supergroup, Gibson stated unequivocally that he'd found a code snippet that could not be explained by other than evil intent. The code had no business being in there - it had to be a backdoor.

Gibson tested this backdoor by slightly borrowing the code of Ilfak Guilfanov and discovering that only a bogus value of '1' could trigger the exploit. As a '1' in this location was almost as nonsensical as his podcasts, it had to be by intent. Microsoft make mistakes, but they're not the bumbling duo of Gibson and Laporte.

Naturally it turned out Gibson was completely wrong on all counts. The code was very much there by intent, but as with most code it was there to actually do something - admittedly a novel concept for Gibson.

'Gibson got it wrong because Gibson always gets it wrong.'

And the exploit was actually triggered in a totally different way too. Gibson got it wrong because Gibson always gets it wrong.

[This is totally amazing - remember he's got Ilfak's code to pore over - and he still can't get it right. And considering he's been proclaiming himself a security expert recognised by no one for nigh on ten years now, one wonders if he'll ever get it right. Ed.]

Dial A for Armageddon

Of course this isn't the first time Gibson's stuck his foot in it - and certainly not the first time he's been out to stir the pot. Gibson first made his mark on the planet back in the days of the Dark Avenger - the unidentified supposed Bulgarian hacker who'd devised the ultimate threat: a 'virus mutation engine'.

A virus kit so devious no antivirus signature lists would ever find it.

Gibson predicted the end of the world as we know it - something his buddy John McAfee had counted on. Sales of McAfee Antivirus soared despite the gloomy prospect of never again being able to defeat the bad guys.

And Gibson was not timid in his rhetoric either: no amount of secure computing, neither 32-bit protected memory nor anything else, would ever save you, he wrote.

Years later Gibson would do it again - and for the same reasons. McAfee's ZoneAlarm was totally indefensible against raw sockets, so Gibson did all in his power to brand the Berkeley Internet standard as an Armageddon.

Surprisingly the planet survived both of these end of the world threats. And since then Butch and Sundance have gone separate ways, and Sundance is again on his own with no visible means of support. Save SpinRite™.

Useful Utility?

After repeatedly pointing out that Windows 9x users cannot be hit by the WMF flaw, that Win2K and WinXP can, and that WinNT users must use Ilfak's patch, Gibson then unveiled his latest freeware utility © Gibson Research Corporation.

Mouse Trap, as Gibson calls it, does one thing and one thing only: it tells you if you need to get the Microsoft patch or run Ilfak's code. Which sounds a bit much, considering he's just told everyone who needs to and who doesn't need to do what.

Gibson calls the program Mouse Trap because it will detect the possibility of 'M.I.C.E.' - 'metafile image code execution' [sick]. It's a hefty 29 KB, which considering it hardly does anything at all, says reams about Gibson's assembler programming. (XPT modules average 7.19 KB and are hardly as trivial as GRC hacks.)

Why Do They Drink It?

With such a track record, it's a wonder anyone ever stops by the GRC site. But they do - in droves. And every time JJ Gibson tells them the end of the world is nigh, they believe it.

Gibson's a joke in the security industry. He's never been welcome at security conferences and is too smart to dare force his way in. He'd be laughed out just as he's laughed at in the online press every day.

And yet the 'home computer security hobbyists' continue to flock to him and hang on every Sesame Street formatted word he publishes. When you don't know anything at all, it's hard to know who else does. Gibson knows this and exploits it to the hilt.

His rhetoric and even his pseudo-scientific explanations are riddled with such mumbo jumbo as to turn the head of any serious engineer.

ShieldsUp Analysed

Gibson's greatest claim to fame is his ShieldsUp security test web service. As explained elsewhere, this was orchestrated for the imminent emergence of ZoneAlarm as the Windows personal firewall of choice. At McAfee's behest Gibson concocted an extremely dumbed down online application that provided the necessary 'up-sell' for ZoneAlarm.

[At the height of the hysteria, GRC had nearly 300 links to the Zone Labs website and yet only one mention of any competing firewall was ever linked. To this day GRC has over forty live links to Zone Labs. Ed.]

And although most security experts have rolled their eyes at the overly simplistic and deliberately misleading ShieldsUp, few have done such a job as the Net Warriors.

In an article entitled 'ShieldsUp Analysed' from 11 November 2003, Jonas Luster picks apart Gibson's sham and goes to the attack.

When clicking the 'Test my shields' button, ShieldsUp will inform you about its attempt to contact the 'Hidden Internet Server' [sick] within your PC. Matter of fact, ShieldsUp will send a NQUERY NetBIOS UDP packet with Broadcast, Query and Request flags set. Upon receiving an answer (or not), ShieldsUp will determine if your Shields are 'up'.

This is - obviously - not a very accurate method. And - also obviously - not really a 'Hidden Internet Server' either.

Now, there's a twist to this test. I set up a machine laden with vulnerabilities. Beginning from a few installed backdoors (BackOrifice, Sub7) and other vulnerabilities, I did not even spend the few minutes to close down the most obvious security holes. ShieldsUp, however, happily reported:

Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Which is simply wrong. There is nothing I could have done to stop even unsophisticated intruders from attacking and breaking into my machine - a small script like ShieldsUp, however, is simply fooled by Windows' inconsistent behavior on UDP responses.

A textbox just below the results asks me to perform another check of my system, this time by probing my ports. A click on the button and I am there.

Again, the script presents me with a number of results. At this point, it starts probing my system with a number of connect() calls, which essentially seek to establish a connection to a few ports on my system. This time, oh wonder, it recognizes the fact that NetBIOS is open, but overlooks the installed Spyware and Backdoor programs.

It also gracefully overlooks a grave security problem I introduced by installing a freely available third party application which essentially allows anyone on the net to browse my machine's hard drives and down- and upload files.

I also had a web server installed. A small program which can be downloaded from download.com or similar sites allows my computer to export pictures to the net. My friends or casual visitors would then be able to browse this photo album with a regular web browser. The source code for said program is freely available. It's a very short program which basically implements a 'crippled' web server and some extra features. After reading the source code, I am sure there is not much an attacker could exploit.

GRC's 'nanoprobes' diligently connect() to the server and then wander on. The port test, however, tells me my HTTP port is closed. Strange. Very strange. A look at the logs I am sniffing from this connection shows my web server responded - still the test program reports it to be closed. I repeated the exercise with both Windows and Unix based web servers and got an overall hit rate of less than thirty percent. In other words, more often than not the test program would not detect my open web server.

There is no such thing as 'stealth' on the Internet. Ports are either open (they respond accordingly), closed (they do not respond accordingly) or are non-existent (nothing comes back at all). Gibson calls the latter 'stealth', which is as wrong as could be.

A false sense of security even here. Just for Mr Gibson's records: my FTP port is not stealth - it's just not responding with an ICMP_DESTUNREACH when probed.

I received a clean bill of health from ShieldsUp!. Despite having a computer which is most likely the least secure computer ever tested by those scripts. A day later, I tried the same with the help of a friend's NeXT cube and was swamped with 'you are sooo insecure' messages. Regardless of the fact that said friend's NeXT cube is about the safest place to store data I can imagine, it responds to every port probe and connect() attempt with a TCP or UDP stream saying 'go away' in its packet payloads. Gibson tends to exaggerate. His supposedly superior system does not differ in many parts from what is already available out there in hundreds if not thousands of other incarnations. The boldest claim, however, can be spotted on his Ports page.

If you have used ShieldsUP! in the past, you may have just noticed that the Port Probe system is much faster than ever before. This is the result of the emerging deployment of our much-anticipated NanoProbe Technology. It is finally becoming real.

There is nothing 'nano' about Gibson's probes. In fact a simple traffic sniffer reveals they are merely ICMP and TCP/UDP based connect and scan attempts.

Gibson has reached a state of notoriety for those claims, most recently for his GENESiS project in which he claims to have invented the solution to DoS attacks by describing a system which has been invented and Open Source since 1995 and is part of hundreds of thousands of operating systems worldwide already. Suffice it to say, Gibson - again his friendly self - dismisses any criticism by claiming he (the Security Guru) never heard about other inventions in this area.

Had Mr Gibson done the needed research, he might have come up with something really good - he has enough energy, one has to give him that - but apparently he never strays outside his own fan circle and media relations world.

Gibson is not a member of any respected security effort or interest group. He is shunned inside the security profession and only lives through media appearances and his charismatic approach which secured him the love and almost sect-like dedication of his followers.
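What Luster's open/closed/'stealth' distinction and the NetBIOS no-reply problem look like at the socket level, as an added example that is not part of the Radsoft piece or of Luster's article. It assumes Linux socket semantics (a TCP port with no listener is answered with RST, which connect() reports as ECONNREFUSED; an ICMP port-unreachable for UDP surfaces as ECONNREFUSED on a connected UDP socket), and its fixtures are constructed loopback sockets on 127.0.0.1, not a probe of any remote host. The labels show that a probe with no answer can only honestly be called 'no response': the UDP fixture is bound and alive, exactly the case where ShieldsUp reported 'VERY SECURE'.

```python
import errno
import socket

OPEN, CLOSED, REPLIED, NO_RESPONSE, UNREACHABLE = (
    "open", "closed", "replied", "no-response", "unreachable")


def classify_tcp_port(host, port, timeout=1.0):
    """Classify a TCP port the way a plain connect() probe can actually see it.

    open         -> the three-way handshake completed (a SYN-ACK came back)
    closed       -> the host answered with RST (ECONNREFUSED)
    no-response  -> nothing came back before the timeout; the only honest
                    label for what ShieldsUp calls 'stealth'
    unreachable  -> the network itself said the host cannot be reached
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return NO_RESPONSE
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        sock.close()


def classify_udp_port(host, port, payload=b"\x00", timeout=1.0):
    """Classify a UDP port from one probe datagram, as a NetBIOS probe does.

    replied      -> some service answered the datagram
    closed       -> ICMP port-unreachable came back (ECONNREFUSED on Linux)
    no-response  -> nothing came back: the port may be filtered, or a service
                    may be listening and simply not answering this payload.
                    Silence is not evidence of security.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.send(payload)
        sock.recv(1024)
        return REPLIED
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return NO_RESPONSE
    finally:
        sock.close()


def demo():
    """Constructed loopback fixtures (hypothetical, local only):
    a listening TCP socket, a TCP socket bound but not listening (the kernel
    answers RST), and a UDP socket that is bound but never replies."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    silent_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    silent_tcp.bind(("127.0.0.1", 0))
    silent_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent_udp.bind(("127.0.0.1", 0))
    try:
        return {
            "listening tcp": classify_tcp_port(
                "127.0.0.1", listener.getsockname()[1]),
            "bound, not listening tcp": classify_tcp_port(
                "127.0.0.1", silent_tcp.getsockname()[1]),
            "listening, silent udp": classify_udp_port(
                "127.0.0.1", silent_udp.getsockname()[1], timeout=0.5),
        }
    finally:
        listener.close()
        silent_tcp.close()
        silent_udp.close()


if __name__ == "__main__":
    for fixture, verdict in demo().items():
        print(f"{fixture:28s} -> {verdict}")
```

The three verdicts for the fixtures are open, closed and no-response respectively; the last one is the case that matters, because the UDP socket is very much present and bound while the prober sees nothing at all.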

The WMF Flaw - The Real Story

It didn't take long for a couple of real security experts to come forward and explain what was really going on with the WMF flaw, although Gibson's provocative assault on Microsoft didn't hurt.

Mark Russinovich of Sysinternals sent a letter to Gibson explaining to Gibson how WMF callbacks worked and what in particular was wrong with Gibson's appraisal.

Specifically Russinovich explained why the callback was set in the first place and how the print routine called it: after each record of the metafile is rendered, the routine gives the client code a chance to abort.

[Between the lines: this is why Gibson's test failed: there's no point in calling back at end of file. Ed.]

Russinovich ends with the following.

The bottom line is that I'm convinced that this behavior, while intentional, is not a backdoor.

Russinovich also follows up with a blog entry online where he labels Gibson's accusations and claims as 'suspicious'.

John Graham-Cumming, acquainted with the WINE project (which also had the bug), also refutes Gibson's claims.

What's Next, Jim?

The GRC induced hysteria surrounding the WMF flaw - 'the GRC flaw' - is almost over. Gradually things will die down, although Gibson will do his best to keep the storm alive as long as possible.

But it's bound to happen again - unless journalists lax in ethics start refusing to sell the cheap story and the sheeple grazing around the GRC website stand up and refuse to drink any more FlavorAid.

Copyright © Radsoft. All rights reserved.