Back Orifice

Vulnerability Description

Brief description: a back door to give access to the system without proper authorization

Full description: Once installed, Back Orifice listens at a port. The attacker connects and supplies a BO password. The BO program then allows the attacker to control any function on that remote system. Example commands are to list files, run commands, share directories, kill processes, change the registry, and so forth. The attacker can use either a GUI or a text-based client to control the remote Back Orifice server.

Components: none

Systems: Windows 95, Windows 98 (server and client); variants of the UNIX operating system (client)

Effect(s) of exploiting: Once Back Orifice is installed, attackers have complete access.

Detecting the hole:

    This is a Trojan horse attack, so if you are connected to the network and can install programs, you are vulnerable. You can detect Back Orifice either by checking the system directly or by probing it from the network.

    Host-based check:
    1. This assumes you have login access to the system. As part of the installation of Back Orifice, the boot registry key (RunServices) has the BO server file name added to it so the server runs at boot time.
    2. Get the keys under the above-named key and look for one you don't know about. The default name is " .exe " (note the leading space, but it could be something else) and is in the system directory ( c:\windows\system ). The description field is by default "(Default)" but the user can change this.
    3. Check the length of the named file. ISS has reported the length of BO is approximately 124,928 bytes, so if any unknown file named in the start-up key has that size, it may be Back Orifice.

    Network-based check:
    1. Check for a server listening on UDP port 31377 (the default Back Orifice port). This is probably Back Orifice.
    2. If the first step shows nothing, check for an unknown server on any other port. Back Orifice allows the installer to specify the port to be listened to. This may or may not be Back Orifice.
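The host-based check above reduces to a few rules (an unknown start-up entry, a file name that begins with whitespace such as " .exe", a file in the system directory whose size is close to the reported 124,928 bytes). The following is an added example, not part of this entry or of ISS's analysis, that encodes those rules as a triage function over a constructed list of RunServices entries; the allow-list, the sample entries, and the 1 KiB tolerance used to interpret "approximately" are assumptions.

```python
import os
from dataclasses import dataclass

# Heuristics taken from the catalogue entry.
BO_REPORTED_SIZE = 124_928          # ISS-reported server length, in bytes
SIZE_TOLERANCE = 1024               # assumption: "approximately" read as +/- 1 KiB
DEFAULT_BO_NAME = " .exe"           # the leading space is part of the default file name
DEFAULT_SYSTEM_DIR = "c:\\windows\\system"


@dataclass
class RunServicesEntry:
    """One value from the RunServices start-up key (constructed, not read from a registry)."""
    value_name: str   # registry value name, e.g. "(Default)" or "SchedulingAgent"
    command: str      # command line stored in the value
    file_size: int    # size on disk of the referenced file, -1 if it is missing


def triage_entry(entry, known_good, system_dir=DEFAULT_SYSTEM_DIR):
    """Return the list of reasons this entry deserves a look (empty if none)."""
    reasons = []
    path = entry.command.strip('"')
    base = os.path.basename(path.replace("\\", "/"))   # crude: arguments stay attached

    if entry.value_name not in known_good:
        reasons.append("not in allow-list")
    if base != base.strip():
        # A name that starts or ends with whitespace is easy to overlook in a listing.
        reasons.append("file name begins or ends with whitespace")
    if base.lower() == DEFAULT_BO_NAME:
        reasons.append("default Back Orifice server name")
    in_system_dir = path.lower().startswith(system_dir.lower())
    if in_system_dir and abs(entry.file_size - BO_REPORTED_SIZE) <= SIZE_TOLERANCE:
        reasons.append("size matches reported Back Orifice length")
    return reasons


def triage(entries, known_good, system_dir=DEFAULT_SYSTEM_DIR):
    """Map value name -> reasons for every entry that triggered at least one rule."""
    findings = {}
    for entry in entries:
        reasons = triage_entry(entry, known_good, system_dir)
        if reasons:
            findings[entry.value_name] = reasons
    return findings


# Constructed sample data: two expected entries, one default BO install, one look-alike.
KNOWN_GOOD = {"SchedulingAgent", "ScanRegistry"}
SAMPLE_ENTRIES = [
    RunServicesEntry("SchedulingAgent", "mstask.exe", 123_000),
    RunServicesEntry("ScanRegistry", "c:\\windows\\scanregw.exe /autorun", 40_000),
    RunServicesEntry("(Default)", "c:\\windows\\system\\ .exe", 124_928),
    RunServicesEntry("Updater", "c:\\windows\\system\\updater.exe", 125_000),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES, KNOWN_GOOD).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

On a real system the entries would come from exporting the RunServices key and stat-ing each referenced file; the size rule is only a hint, since an installer can rename or repack the server, which is why the allow-list rule fires on anything unexpected regardless of size.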

Fixing the hole:

    1. You need access to the system registry to de-install Back Orifice.
    2. Delete the RunServices key corresponding to the Back Orifice server.
    3. Reboot the system.
    4. Look in your system directory for the file named in the key just deleted, and delete it.

Other information: To determine the password and port information for BO given the executable, use a text editor to view the executable. If the last line of the file is "88$8(8,8084888<8@8D8H8L8P8T8X8\8'8d8h8l8' , then the server is using the default configuration (port 31377). Otherwise, the configuration will be the last several lines of this file, in this order: filename, service description, port number, password, optional plugin information.

All communications between the backdoor client and the server use UDP. All data sent between the client and server is encrypted. BO generates a 2-byte hash from the password and uses that hash as the encryption key. The first 8 bytes of all client request packets are "*!*QWTY?". So, just try all 65,535 possible hashes. Given the correct hash, one can then generate random passwords until a password that produces the desired hash is found. At this point, you have the hash for that installation of BO. (ISS's X-Force reports doing this in a few seconds on a Pentium 133 system.)
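Two facts in the paragraph above give a network sensor everything it needs to recognize Back Orifice client traffic on any port: every request begins with the fixed 8 bytes "*!*QWTY?", and the key is only 16 bits wide, so the sensor can simply try every key and see whether one turns the first 8 bytes of a datagram into that magic. The example below is added here and is not part of this entry, of the ISS analysis, or of any BO tool; the keystream generator is a stand-in (a simple LCG-driven XOR stream, chosen so the code runs) and is not a verified transcription of BO's own cipher, and the constructed key 0x1234 and sample datagrams are assumptions. Its point is the detection logic, and that a 2-byte key leaves the magic header recoverable by the observer.

```python
MAGIC = b"*!*QWTY?"          # from the entry: first 8 bytes of every client request
KEY_SPACE = 1 << 16          # 2-byte hash -> 65,536 candidate keys


def keystream_step(state):
    """Stand-in keystream (assumption, not BO's cipher): one LCG step, one byte out."""
    state = (state * 214013 + 2531011) & 0xFFFFFFFF
    return state, (state >> 16) & 0xFF


def xor_crypt(key, data):
    """Encrypt/decrypt `data` under the 16-bit `key` (XOR with the stand-in keystream)."""
    state = key & 0xFFFF
    out = bytearray()
    for b in data:
        state, k = keystream_step(state)
        out.append(b ^ k)
    return bytes(out)


def recover_key(payload):
    """Return the key under which the first 8 bytes decrypt to MAGIC, or None.

    Tries all 65,536 keys but bails out of each one at the first mismatching
    byte, so the scan is cheap enough to run per datagram.
    """
    head = payload[:len(MAGIC)]
    if len(head) < len(MAGIC):
        return None
    for key in range(KEY_SPACE):
        state = key
        for cipher_byte, want in zip(head, MAGIC):
            state, k = keystream_step(state)
            if cipher_byte ^ k != want:
                break
        else:
            return key
    return None


def inspect_datagram(src, dst_port, payload):
    """Classify one UDP datagram; the port is reported but never used as evidence,
    since the entry notes the installer can pick any port."""
    key = recover_key(payload)
    return {
        "src": src,
        "dst_port": dst_port,
        "bo_client_request": key is not None,
        "key": key,
    }


# Constructed sample traffic (not captured data).
SAMPLE_KEY = 0x1234
SAMPLE_BO_REQUEST = xor_crypt(SAMPLE_KEY, MAGIC + b"constructed request body")
SAMPLE_BENIGN = b"\x00\x01\x01\x00\x00\x01\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    print(inspect_datagram("10.0.0.5", 31377, SAMPLE_BO_REQUEST))
    print(inspect_datagram("10.0.0.9", 53, SAMPLE_BENIGN))
```

Because the check keys only on the magic header and the tiny key space, it catches an install that was moved off the default port or given a non-default password, which the port-based step of the network check alone would miss; a sensor that recovers a key once can then decrypt and log the rest of that session's requests for the responder.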

Keywords

backdoor, Trojan horse, server

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s): not classified yet

CVE Number: CAN-1999-0660 -- A hacker utility or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.

Exploit Information

Attack:

Related Information

Back Orifice home page

Advisories: Symantec's web advisory on Back Orifice and NetBus

Related Vulnerabilities: none yet

Reportage

Reporting: Announced by Cult of the Dead Cow (Thu. Aug. 06, 1998 11:04:26)

Other information: Analysis adapted from ISS X-force posting on www.securityfocus.com

Revision Number 1

  1. Stacey Anderson (6/21/2000):
    Initial entry