ISS Security Advisory
January 18, 1999

Vulnerability in the BackWeb Polite Agent Protocol


Synopsis:

Internet Security Systems (ISS) X-Force discovered a vulnerability in the
BackWeb Technologies (http://www.backweb.com/home.html) BackWeb Polite
Agent Protocol that allows a user on a local network on which BackWeb
clients operate to spoof a BackWeb server.  Hardware and software vendors
often include BackWeb software in their distribution to facilitate remote
distribution of software updates.


Affected versions:

ISS X-Force has confirmed that this vulnerability exists on all versions
of the BackWeb client using the Polite Agent Protocol for communication
with BackWeb servers.


Fix Information:

Until a suitable security mechanism is made available by the vendor, ISS
recommends upgrading to BackWeb 5.0, which supports VeriSign digital
certificates for enhanced security.


Description:

The BackWeb Polite Agent Protocol is a UDP-based protocol that BackWeb
clients use to communicate with BackWeb servers. BackWeb's "anti-spoofing
mechanism" for delivery of UDP data to the client and server is the
exchange of a 32-bit integer, randomly generated by the client each time
it requests data from the server. This integer is appended to each packet
of a specific piece of BackWeb data (InfoPak). By examining these packets
in transport, an attacker may send false data to a BackWeb client, acting
as the real BackWeb server.


Exploit Information:

BackWeb uses a sequencing method to maintain packet data integrity. Any
attacker who can examine a local network can determine the 32-bit integer
and sequence numbers. A race condition exists where the attacker may
deliver a false response to the client 'match request,' which is the
first packet delivered by the client to determine whether or not the
server should send data to it. If this spoofed response reaches the
client before the real BackWeb server responds, the attacker may
continuously write realistic-looking BackWeb packets to the network in
response to the client request. These packets may direct the client to
update files on its drive, execute programs, or display messages on the
client screen. While client security settings may not be changed, other
client settings such as displayed data may be changed. Depending on the
client security settings, an attacker may send executable files to be
executed on the client machine. By default, BackWeb's security settings
disable automatic execution of downloaded files. BackWeb strongly
recommends that customers do not enable automatic execution of downloaded
files when using software prior to version 5.0 unless other security
mechanisms are implemented separate from the BackWeb system. Customers
using BackWeb client version 5.0 and above can enable automatic execution
of files that will only automatically execute a file after verifying that
the file is digitally signed and that the signing certificate is
approved.

__________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of X-Force.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force
<xforce@iss.net> of Internet Security Systems, Inc.