| PROBLEM: | Microsoft Office for Macintosh OS X has an antipiracy mechanism that secretly opens network service ports on a Macintosh system and broadcasts version information to other systems on a single subnet. The problem is that open network services provide attack points for intruders and need to be controlled by users. |
| PLATFORM: | Microsoft Office for Macintosh OS X or any part of Office for OS X. Site licensed versions of Office for Macintosh OS X (where all installations have the same serial number) do not have this mechanism enabled. |
| ABSTRACT: | The applications in Microsoft Office for Macintosh OS X contain a piracy detection mechanism that broadcasts product IDs and access information to port 2222 on the local subnet. Other Office applications listen for these broadcasts and compare the product IDs to their own to determine whether there is a license violation. If a license violation has occurred, the two machines exchange additional information, decide which of the two applications must shut down, and shut down the offending application. The information passed between the machines is hashed or encrypted, so port and serial number information is not discernible from simply sniffing network traffic. The offending copy of the Office application is shut down gracefully so the user can save files and not lose anything. The difficulty is that for each Office application that is running there is an open tcp server port at a port number greater than 3000, plus a udp server at port 2222. These ports are opened silently by the Office applications and remain open as long as the application is running. While the Office applications only send information to machines on the local subnet, the service ports are open to whoever can send packets to them. These ports have already been the cause of one vulnerability (see Microsoft bulletin MS02-002). This paper describes how to protect these ports from attack by outsiders. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml |
| OTHER LINKS: | MS02-002 Malformed Network Request Can Cause Office v. X for Mac to Fail |
[Revised 5/7/02 Fixed bug in firewall rules.]
Note: While the protection mechanisms described in this paper may defeat the piracy detection mechanism in Microsoft Office for OS X, CIAC in no way endorses software piracy. Users are admonished to read and abide by their license agreements.
When Microsoft issued Security Bulletin MS02-002, "Malformed Network Request Can Cause Office v. X for Mac to Fail", it came to light that Office applications open network ports and broadcast licensing information over the local network. The broadcasts are used to detect and shut down pirated copies of Office applications. While preventing software piracy is a worthwhile endeavor, the mechanism used here raised several security concerns.
We investigated these concerns and found that only the last of them, the open server ports, has significant security implications.
When any Office for Macintosh OS X application starts up, it opens udp port 2222 and a random tcp port greater than 3000 (the ones we saw were all in the range 3000 to 3999). It then sends a udp broadcast packet to port 2222 on the local subnet, and resends these udp packets every few minutes. Office applications that receive the packet compare the product ID it contains to their own product ID and determine whether a license violation has occurred. If it has, they open a connection back to the system that sent the broadcast, using that system's open tcp port (the port number must also be carried in the udp packet). The two systems then exchange a block of information which they use to determine which of the two applications is out of compliance with the license. The out-of-compliance application is then shut down.
Broadcasting version information on the network in a way that can cause systems to shut down makes it possible, in principle, for an intruder to capture that information and use it to shut down running Office applications at will. We examined the udp and tcp packets sent by Office and found no easily discernible information in them. The packets are hashed or encrypted in some way that makes it very difficult for anyone to use them to shut down systems. The protection appears to change with time, so packets cannot be saved and replayed later to compromise a system. The tcp and udp packets are only sent over the local subnet.
We have confirmed with Microsoft that the packets are encrypted.
We see little risk here.
It does not appear that license violation information is being captured elsewhere as we saw no attempts to connect to any other site when a license violation was detected. This has been confirmed with Microsoft.
Applications determined to be out of compliance are shut down gracefully. A dialog box is displayed, letting the user know that the application is out of compliance. The shutdown then continues as if you had chosen the File, Quit command: you are given the chance to save any new or changed documents before the application quits. You should not lose any files if you heed the dialog boxes and save your documents. This has been confirmed with Microsoft.
Each open Office application opens a tcp port with a number greater than 3000 and udp port 2222. Thus there are n + 1 open ports on a system where n is the number of open Office applications. Each of these open ports is an attack point for a malicious intruder to use to compromise a system. Vulnerabilities have already been found in these ports (see Microsoft Security Bulletin MS02-002) and others may exist.
Server ports are a particular problem when they are open and predictable, waiting for a connection from any machine that can send packets to them. These antipiracy ports are particularly bothersome because they are opened silently by applications that you would not expect to need network connectivity (a word processor, a spreadsheet, etc.), and they cannot be controlled by the user in the normal manner. By contrast, other servers on a system can be protected from malicious connections using wrappers or other filters that control when they are open and who can connect to them.
To see what ports are open on a system, use the following command in a terminal window,
```
netstat -a
```
Note that systems often have many ports in place that are not open to the outside world. In the sample output below, the ports whose local address starts with localhost are not accessible externally. There are three open tcp ports in the example: ssh, ftp, and 3639. On the udp side, ports 137, 138, 855, 2222, syslog, and 49156 are open. Ports with names defined in the /etc/services file are listed with their name instead of a port number.
```
root# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  localhost.1033         localhost.887          ESTABLISHED
tcp        0      0  localhost.887          localhost.1033         ESTABLISHED
tcp        0      0  *.ssh                  *.*                    LISTEN
tcp        0      0  *.ftp                  *.*                    LISTEN
tcp        0      0  *.3639                 *.*                    LISTEN
tcp        0      0  localhost.815          localhost.1033         ESTABLISHED
tcp        0      0  localhost.1033         *.*                    LISTEN
udp        0      0  *.2222                 *.*
udp        0      0  *.138                  *.*
udp        0      0  *.137                  *.*
udp        0      0  *.49156                *.*
udp        0      0  localhost.49155        localhost.855
udp        0      0  localhost.49154        localhost.855
udp        0      0  *.855                  *.*
udp        0      0  localhost.1033         *.*
udp        0      0  *.syslog               *.*
. . .
```
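The following is an added example, not part of the CIAC bulletin, that automates the reading of a netstat listing like the one above. It picks out the sockets bound on every interface (local address beginning with `*.`), which are the ones reachable from other machines, and then flags the two kinds this bulletin is about. The sample output is constructed from the listing above; on a live system, pipe `netstat -a` into the functions instead. Newer versions of netstat print tcp4/udp4 rather than tcp/udp in the first column, so the protocol is matched on its prefix.

```sh
#!/bin/sh
# Added example, not from the CIAC bulletin: find externally reachable server
# sockets in `netstat -a` output. A local address of "*.port" is bound on all
# interfaces; "localhost.port" is reachable only from the machine itself.

# Constructed sample, trimmed from the listing in the bulletin.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  localhost.1033         localhost.887          ESTABLISHED
tcp        0      0  *.ssh                  *.*                    LISTEN
tcp        0      0  *.ftp                  *.*                    LISTEN
tcp        0      0  *.3639                 *.*                    LISTEN
tcp        0      0  localhost.1033         *.*                    LISTEN
udp        0      0  *.2222                 *.*
udp        0      0  *.137                  *.*
udp        0      0  localhost.49155        localhost.855
udp        0      0  *.syslog               *.*'

# external_ports: read netstat output on stdin and print "proto port" for each
# tcp socket in LISTEN state and each udp socket whose local address is "*".
# The protocol column may read tcp4/udp4 on newer systems, so match its prefix.
external_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^\*\./ { print "tcp", substr($4, 3) }
         $1 ~ /^udp/ && $4 ~ /^\*\./ { print "udp", substr($4, 3) }'
}

# office_ports: the ports this bulletin is about, udp 2222 and any numeric
# tcp port of 3000 or more (ports shown by name from /etc/services are left out).
office_ports() {
    external_ports | awk '($1 == "udp" && $2 == "2222") ||
                          ($1 == "tcp" && $2 ~ /^[0-9]+$/ && $2 + 0 >= 3000)'
}

# Usage on a live system:    netstat -a | office_ports
# On the constructed sample:  printf '%s\n' "$NETSTAT_SAMPLE" | office_ports
```

On the sample, `external_ports` reports ssh, ftp and 3639 on tcp and 2222, 137 and syslog on udp, and `office_ports` narrows that to tcp 3639 and udp 2222. Reading the local address column this way is more reliable than port-scanning localhost, because a scan of localhost also answers for sockets bound only to the loopback interface, which are not reachable from outside.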
Another way to detect open tcp ports (not udp) is to use the Network Utility and do a port scan of localhost. This shows you all the ports that are accessible by the outside world. Start the Network Utility and choose the Port Scan tab. Set localhost as the machine name and click Scan. All open tcp ports will be listed.
To scan the udp ports, you will need to run a utility like nmap from another machine and scan for open ports.
The open ports are not under the control of the user, so their security cannot be managed directly. This creates a difficult situation for a user who must use the Office applications to get work done but who must also ensure that the machine is protected from external attack. The options left to the user are to find a different application or to block access to the ports in some way.
The first place to block the ports is at your external firewall or router. Block incoming udp connections to port 2222 and incoming tcp connections to ports greater than 3000. If you have a firewall in place, you are probably already blocking incoming connections to ports greater than 1024 and most ports below 1024 as well.
To block the ports on individual machines, use the firewall built into OS X. The rule control program for the built-in firewall is ipfw. Some of its options are:
```
ipfw list                 list the current rule set.
ipfw show                 list the rule set and the counters associated with the rules.
ipfw flush                delete all but the last rule.
ipfw delete <rule number> delete a rule.
ipfw add <rule>           add a rule.
```
A rule is written in the following form,
```
[number] action [log] proto from src to dst [via name | ipno] [options]
```
number is an integer between 1 and 65534 that determines the position of the rule in the rule set. Rules are tested from the top down, and the first rule that matches is applied. Rules added without a number go to the bottom of the list, above the last rule. The last rule is usually,
```
allow ip from any to any
```
action = allow, deny
proto = udp, tcp, icmp
src, dst = source and destination addresses with optional port numbers, written as address/mask [ports]. For example, 192.168.5.1/24 for all addresses on the 192.168.5.x subnet.
name = the name of the interface (en0).
ipno = the ip address associated with the interface.
options = in – incoming packet, out – outgoing packet, setup – packet that opens a tcp connection.
More information and options are available on the ipfw man page.
To create a set of rules that blocks udp port 2222 and tcp ports 3000 and above, first become root,
```
su root
```
Note: The root account is enabled with the Netinfo Manager. Choose the Domain, Security, Enable Root User command. Give root a password with the Domain, Security, Change Root Password command.
Then add the four rules, replacing <subnet> with your subnet in address/mask form (for example 192.168.5.1/24) and <en0> with the name of your network interface:
```
ipfw add allow udp from <subnet> to <subnet> 2222 via <en0>
ipfw add allow tcp from <subnet> to <subnet> 3000-65535 via <en0>
ipfw add deny udp from any to any 2222 via <en0>
ipfw add deny tcp from any to any 3000-65535 in setup via <en0>
```
The first two commands create rules that let the antipiracy detector keep working on the local subnet, by allowing these packets to and from any machine on that subnet. The third creates a rule that blocks all incoming and outgoing udp packets to port 2222. The fourth blocks all incoming tcp connections to ports 3000 and above. Together, the last two rules completely block the listed ports. The set works because packets from machines on the same subnet match one of the first two rules before the last two blocking rules are reached.
Note: If you have other rules already in place, or need specific high-numbered ports to be open, you will need to add additional rules to this set.
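To check the first-match argument above, here is an added example (not part of the CIAC bulletin) that evaluates a packet against the four rules in the order they are added. It assumes a local subnet of 192.168.5.0/24 and that every packet travels over en0, so the `via` clause always holds and is not modelled; the rule numbers 100 to 400 are the ones ipfw assigns by default to rules added without a number, and 65535 is the implicit final rule.

```sh
#!/bin/sh
# Added example, not from the CIAC bulletin: a first-match evaluator for the
# four antipiracy rules, to check why their order matters.
# Assumptions (constructed): local subnet 192.168.5.0/24, every packet on en0,
# so the "via en0" clause always holds and is not modelled.

LOCAL_PREFIX="192.168.5"   # the /24 written as its first three octets

# in_subnet ADDR: succeed if ADDR lies in the local /24
in_subnet() {
    case "$1" in
        "$LOCAL_PREFIX".*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# ipfw_eval PROTO SRC DST DPORT DIR SETUP
#   PROTO udp|tcp, DIR in|out, SETUP yes|no (a tcp connection-opening packet).
# Walks the rules top down and prints "verdict rule", where 100..400 are the
# numbers ipfw gives the four rules when they are added without one and
# 65535 is the implicit final "allow ip from any to any".
ipfw_eval() {
    proto=$1 src=$2 dst=$3 dport=$4 dir=$5 setup=$6
    # 100 allow udp from <subnet> to <subnet> 2222 via en0
    if [ "$proto" = udp ] && [ "$dport" -eq 2222 ] &&
       in_subnet "$src" && in_subnet "$dst"; then
        echo "allow 100"; return 0
    fi
    # 200 allow tcp from <subnet> to <subnet> 3000-65535 via en0
    if [ "$proto" = tcp ] && [ "$dport" -ge 3000 ] &&
       in_subnet "$src" && in_subnet "$dst"; then
        echo "allow 200"; return 0
    fi
    # 300 deny udp from any to any 2222 via en0 (both directions)
    if [ "$proto" = udp ] && [ "$dport" -eq 2222 ]; then
        echo "deny 300"; return 0
    fi
    # 400 deny tcp from any to any 3000-65535 in setup via en0
    if [ "$proto" = tcp ] && [ "$dport" -ge 3000 ] &&
       [ "$dir" = in ] && [ "$setup" = yes ]; then
        echo "deny 400"; return 0
    fi
    # 65535 allow ip from any to any
    echo "allow 65535"
}

# Example calls (uncomment to see the verdicts):
# ipfw_eval udp 192.168.5.7 192.168.5.255 2222 in no   # allow 100 (local broadcast)
# ipfw_eval tcp 10.0.0.9 192.168.5.20 3639 in yes      # deny 400 (outside connect)
```

The evaluator also makes one caveat visible: a udp packet from a local machine to the limited broadcast address 255.255.255.255 is not inside 192.168.5.0/24, so it falls through rule 100 and is denied by rule 300, whereas a packet to the subnet's directed broadcast address 192.168.5.255 is allowed. Whether that matters depends on which broadcast address Office uses, which the bulletin does not say; if the detector stops working after the rules are installed, that is the first thing to check with `ipfw show`.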
Firewall rules created in this way remain active only until the system is rebooted. To make them permanent, they need to be installed as a startup item. Assuming you do not have any firewall rules installed on your system, perform the following steps to install them. If you already have firewall rules as a startup item, add these rules to the existing set.
```
su root
cd /System/Library/StartupItems
mkdir Firewall
cd Firewall
```
In that directory, create a script named Firewall containing the rules:
```
#!/bin/sh
ipfw add allow udp from <subnet> to <subnet> 2222 via <en0>
ipfw add allow tcp from <subnet> to <subnet> 3000-65535 via <en0>
ipfw add deny udp from any to any 2222 via <en0>
ipfw add deny tcp from any to any 3000-65535 in setup via <en0>
```
Make the script executable,
```
chmod 755 Firewall
```
Then create the item's parameter file, StartupParameters.plist (the name the StartupItems mechanism expects), in the same directory:
```
{
    Description = ("Firewall");
    Provides = ("Firewall");
    Requires = ("Portmap","Resolver");
    OrderPreference = "None";
    Messages =
    {
        Start = "Starting Firewall";
        Stop = "Stopping Firewall";
    };
}
```
After rebooting, list the rules to confirm they were installed,
```
ipfw list
```
Your system should now install the firewall rules and protect access to udp port 2222 and tcp ports greater than or equal to 3000 whenever your system is booted.
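The steps above, gathered into one script as an added example that is not part of the CIAC bulletin: it writes the Firewall startup item with the real subnet and interface filled in, and checks the result. The destination directory can be overridden (the default is /System/Library/StartupItems, which needs root); the subnet must be given in address/mask form. The script writes the files only and does not run ipfw itself, so the rules take effect at the next boot or when the Firewall script is run by hand.

```sh
#!/bin/sh
# Added example, not from the CIAC bulletin: build the Firewall startup item
# from the bulletin's steps with the placeholders filled in, then verify it.
# Assumes the rule set is exactly the bulletin's four rules.

# make_firewall_item SUBNET IFACE [DESTDIR]
#   SUBNET e.g. 192.168.5.0/24, IFACE e.g. en0,
#   DESTDIR defaults to /System/Library/StartupItems (writing there needs root).
make_firewall_item() {
    subnet=$1 iface=$2 dest=${3:-/System/Library/StartupItems}
    case "$subnet" in
        */*) ;;
        *) echo "subnet must be address/mask, e.g. 192.168.5.0/24" >&2; return 1 ;;
    esac
    mkdir -p "$dest/Firewall" || return 1

    # The Firewall script. ipfw adds the rules in the order given, and that
    # order is what lets the subnet allow rules match before the deny rules.
    cat > "$dest/Firewall/Firewall" <<EOF
#!/bin/sh
ipfw add allow udp from $subnet to $subnet 2222 via $iface
ipfw add allow tcp from $subnet to $subnet 3000-65535 via $iface
ipfw add deny udp from any to any 2222 via $iface
ipfw add deny tcp from any to any 3000-65535 in setup via $iface
EOF
    chmod 755 "$dest/Firewall/Firewall" || return 1

    # StartupParameters.plist, exactly as the bulletin lists it.
    cat > "$dest/Firewall/StartupParameters.plist" <<'EOF'
{
    Description = ("Firewall");
    Provides = ("Firewall");
    Requires = ("Portmap","Resolver");
    OrderPreference = "None";
    Messages =
    {
        Start = "Starting Firewall";
        Stop = "Stopping Firewall";
    };
}
EOF
}

# check_firewall_item [DESTDIR]: succeed if the item is in place, the script
# is executable and it carries both deny rules; fail otherwise.
check_firewall_item() {
    dest=${1:-/System/Library/StartupItems}
    f="$dest/Firewall/Firewall"
    [ -x "$f" ] || return 1
    [ -f "$dest/Firewall/StartupParameters.plist" ] || return 1
    grep -q 'deny udp from any to any 2222' "$f" || return 1
    grep -q 'deny tcp from any to any 3000-65535 in setup' "$f" || return 1
    return 0
}

# Usage as root:  make_firewall_item 192.168.5.0/24 en0 && check_firewall_item
# Dry run:        make_firewall_item 192.168.5.0/24 en0 /tmp/test-items
```

The check function is the part worth keeping around: run it after any system update to confirm the startup item is still present and executable, and pair it with `ipfw list` after a reboot to confirm the rules were actually loaded.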
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/ or http://ciac.llnl.gov (same machine -- either one will work)
Anonymous FTP: ftp.ciac.org or ciac.llnl.gov (same machine -- either one will work)