Web server cracked in Mac OS contest
An Australian hacker won a contest last week when he broke into a Mac Web server, and two software companies are revising their products as a result.
The Crack a Mac contest, which was being hosted at http://hacke.infinit.se and was scheduled to run July 4 through Oct. 15, was designed to prove that Mac OS Web servers are secure. It was the contest's second run; no one won the first round, held this spring. The contest's rules prohibited participants from physically attacking the server, and hackers could not target other servers in the same domain.
Last week, an Australian man calling himself Starfire broke into the site. The server, an Apple Workgroup Server 9650/233, was running Mac OS 8; File Sharing; Open Transport 1.2; StarNine WebStar 2.1; Blue World Communications Inc.'s Lasso, a utility tying Claris FileMaker Pro databases to the Web; and Pacific Coast Software's SiteEdit Pro, a Web site management tool. No fire wall or additional security devices were in place.
Joakim Jardenberg, CEO of Infinit Information AB, the Genarp, Sweden-based company that hosted the contest, said Starfire hacked into the server by using Lasso to create a customized search form whose results pointed to the SiteEdit passwords file. Then, Jardenberg said, Starfire accessed the password settings in SiteEdit, logged onto the server, and changed the contents of the Web site's index page.
Many Web server products store sensitive information in file types called WWW Omega. WebStar does not serve those files, but a security flaw allowed Lasso to return WWW Omegafiles - in this case, the SiteEdit passwords file. To address the problem, Blue World last week posted a free patch to Lasso on its Web site; it is available from http://www.blueworld.com/lasso/security_update.html.
Blue World recommends that all Lasso users update their software.
Blue World President Bill Doerrfeld said that while WebStar protects against serving WWW Omega files, most Mac Web servers, including those from Social Engineering Inc., Pictorius Inc., Apple, Stairways Software Pty. Ltd. and Microsoft Corp., do not. Doerrfeld added that other CGIs and plug-ins could also be susceptible to this problem.
"This is a complex issue," Doerrfeld said. "We did introduce a security fix that denies Lasso the ability to serve up a response file that has the WWW Omega creator code assigned to it. No Lasso customer that we're aware of has had their Web server compromised."
In addition, Pacific Coast plans to update SiteEdit Pro. John Hill, Pacific Coast vice president of marketing, said the company will release a patch that will store passwords in a file's resource fork, which Hill said will protect the passwords even if a user downloads the WWW Omega file.
Starfire, who declined to provide his name or profession, said the hack took about 15 hours. "I found no holes in either the Mac OS or WebStar," he said. "The hack was conducted via a flaw in the third-party plug-ins used in conjunction with WebStar."
Starfire said the contest proved that the Mac community is strong and responsible. "I simply remain awed at the integrity of those involved," he said. "Everyone has cooperated in the true spirit of this challenge.
"The Mac OS, along with WebStar, is a secure and reliable network solution," Starfire said. "We simply need to remember that there are numerous other variables at play."
Chuck Shotton, an author of StarNine WebStar and vice president of Quarterdeck Corp. of Marina del Rey, Calif., said the hack was an "isolated, obscure case." He said it demonstrated a flaw in server add-ons and stressed that the break-in could have occurred on any platform.
"The OS and server can be as secure as possible, but the minute you let servers execute external applications, you're at the mercy of that application," Shotton said, adding that only someone very familiar with Lasso could have found the flaw.
For his efforts, Starfire, who lives in Queensland, Australia, will win 100,000 Swedish kronor (about $12,350). Blue World is offering the prize, Jardenberg said.
In the original contest, which was held Feb. 10 to April 10, the server was configured similarly but lacked SiteEdit Pro and Lasso (see 04.21.97, Page 18). That time, the server survived more than 220,000 hacking attempts.
The Crack a Mac contest will continue. "We are back on track again," Jardenberg said, "even more secure and confident."