______________________________________________________________________________

                      The U.S. Department of Energy
                   Computer Incident Advisory Center
______________________________________________________________________________

                            TECHNICAL BULLETIN

            Protecting Office for Mac X Antipiracy Server Ports

April 26, 2002 17:00 GMT                              Number CIACTech02-003
Revised: 7 May 2002
______________________________________________________________________________

PROBLEM:   Microsoft Office for Macintosh OS X has an antipiracy mechanism
           that secretly opens network service ports on a Macintosh system
           and broadcasts version information to other systems on a single
           subnet. The problem is that open network services provide attack
           points for intruders and need to be controlled by users.

PLATFORM:  Microsoft Office for Macintosh OS X or any part of Office for
           OS X. Site licensed versions of Office for Macintosh OS X (where
           all installations have the same serial number) do not have this
           mechanism enabled.

ABSTRACT:  The applications in Microsoft Office for Macintosh OS X contain
           a piracy detection mechanism that broadcasts access information
           to port 2222 on the local subnet. Other Office applications
           listen for these broadcasts and compare the product IDs to their
           own to determine if there is a license violation. If a license
           violation has occurred, the two machines exchange additional
           information, decide which of the two applications must shut
           down, and shut down the offending application. The information
           passed between the machines has been either hashed or encrypted,
           so port and serial number information is not discernible from
           simply sniffing network traffic. The offending copy of the Office
           application is gracefully shut down so the user can save files
           and not lose anything.

           The difficulty is that for each Office application that is
           running there is an open tcp server port at a port number
           greater than 3000 plus a udp server at port 2222.
           These ports are opened in secret by Office applications and
           remain open as long as the Office application is running. While
           the Office applications only send information to machines on the
           local subnet, the service ports are open to whoever can send
           packets to them. These ports have already been the cause of one
           vulnerability (see Microsoft bulletin MS02-002). This paper
           describes how to protect these ports from attack by outsiders.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:  http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml

 OTHER LINKS:    MS02-002 Malformed Network Request Can Cause Office v. X
                 for Mac to Fail
                 http://www.microsoft.com/technet/security/bulletin/ms02-002.asp
______________________________________________________________________________

[Revised 5/7/02: Fixed bug in firewall rules.]
______________________________________________________________________________

Note: While the protection mechanisms described in this paper may defeat
the piracy detection mechanism in Microsoft Office for OS X, CIAC in no way
endorses software piracy. Users are admonished to read and abide by their
license agreements.
______________________________________________________________________________

When Microsoft issued Security Bulletin MS02-002, "Malformed Network Request
Can Cause Office v. X for Mac to Fail", it came to light that Office
applications were opening network ports and broadcasting licensing
information over the local network. The broadcasts were used to detect and
shut down pirate copies of Office applications. While preventing software
piracy is a worthwhile endeavor, the mechanism used here raised several
security concerns.

o Broadcasting version information onto the network could give an intruder
  the information he needs to shut down all Office applications running on
  a network.
o Broadcasting version information could make it possible for an intruder
  to capture a valid Office serial number, making it possible for the
  intruder to register pirate versions of Office.

o Information could be sent to other places, such as to a server that logs
  piracy violations.

o Shutting down out of compliance Office applications could cause users to
  lose data.

o Opening server ports onto the network potentially makes the systems
  vulnerable to attack and compromise. This is especially true when the
  port number is predictable (in this case, 2222).

We investigated these concerns and found that only the last one has
significant security implications.

Operation of the Piracy Detector
================================

When any Office for Macintosh OS X application starts up, it opens udp port
2222 and a random tcp port greater than 3000 (the ones we saw were all in
the range 3000 to 3999). It then sends a udp broadcast packet to port 2222
on the local subnet. It resends these udp packets every few minutes. Office
applications that receive this packet compare the product ID contained in
the packet to their own product ID and determine if a license violation has
occurred. If a license violation has occurred, they open a connection back
to the system that sent the broadcast using the open tcp port (the port
number must also be in the udp packet). The two systems then exchange a
block of information which they use to determine which of the two
applications is out of compliance with the license. The out of compliance
application is then shut down.

Version Information on the Network Concern
==========================================

Broadcasting version information on the network in such a way that systems
can be shut down makes it possible for an intruder to capture that
information and use it to shut down running Office applications at will. We
examined the udp and tcp packets sent by Office and found that there is no
easily discernible information in the packets.
The packets have been either hashed or encrypted in some way to make it very
difficult for anyone to use the packets to shut down systems. The protection
appears to change with time, so packets cannot be saved and replayed at a
later time to compromise a system. The tcp and udp packets are only sent
over the local subnet. We have confirmed with Microsoft that the packets are
encrypted. We see little risk here.

Other Information on the Network Concern
========================================

It does not appear that license violation information is being captured
elsewhere, as we saw no attempts to connect to any other site when a license
violation was detected. This has been confirmed with Microsoft.

Shutdown of Out of Compliance Applications Concern
==================================================

Applications determined to be out of compliance were gracefully shut down. A
dialog box is displayed, letting the user know that this application is out
of compliance. The shutdown then continues as if you had chosen the File,
Quit command. You are given the chance to save any new or changed documents
before the application quits. You should not lose any files if you heed the
dialog boxes and save your documents. This has been confirmed with
Microsoft.

Open Server Ports on the Network Concern
========================================

Each open Office application opens a tcp port with a number greater than
3000 and udp port 2222. Thus there are n + 1 open ports on a system where n
is the number of open Office applications. Each of these open ports is an
attack point for a malicious intruder to use to compromise a system.
Vulnerabilities have already been found in these ports (see Microsoft
Security Bulletin MS02-002) and others may exist. Server ports are a
particular problem when they are open and predictable, waiting for a
connection from any machine that can send packets to them.
These antipiracy ports are particularly bothersome because they are opened
in secret by applications that you would not expect to need network
connectivity (word processor, spreadsheet, etc.) and they cannot be
controlled by the user in a normal manner. For example, other servers on a
system can be protected from malicious connections using wrappers or other
filters to control when they are open and who can connect to them.

Detecting Open Ports
====================

To see what ports are open on a system, use the following command in a
terminal window:

    netstat -a

Note that systems often have many ports in place that are not open to the
outside world. In the sample output below, the ports whose local address
starts with localhost are not accessible externally. There are three open
tcp ports in the example: ssh, ftp, and 3639. On the udp side, ports 137,
138, 855, 2222, syslog, and 49156 are open. Ports with names defined in the
/etc/services file are listed with their name instead of a port number.

    root# netstat -a
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp        0      0  localhost.1033         localhost.887          ESTABLISHED
    tcp        0      0  localhost.887          localhost.1033         ESTABLISHED
    tcp        0      0  *.ssh                  *.*                    LISTEN
    tcp        0      0  *.ftp                  *.*                    LISTEN
    tcp        0      0  *.3639                 *.*                    LISTEN
    tcp        0      0  localhost.815          localhost.1033         ESTABLISHED
    tcp        0      0  localhost.1033         *.*                    LISTEN
    udp        0      0  *.2222                 *.*
    udp        0      0  *.138                  *.*
    udp        0      0  *.137                  *.*
    udp        0      0  *.49156                *.*
    udp        0      0  localhost.49155        localhost.855
    udp        0      0  localhost.49154        localhost.855
    udp        0      0  *.855                  *.*
    udp        0      0  localhost.1033         *.*
    udp        0      0  *.syslog               *.*
    . . .

Another way to detect open tcp ports (not udp) is to use the Network Utility
and do a port scan of localhost. This shows you all the ports that are
accessible by the outside world. Start the Network Utility and choose the
Port Scan tab. Set localhost as the machine name and click Scan. All open
tcp ports will be listed.
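As an added example (not part of the bulletin), the following shell script applies the check described above to saved `netstat -a` output: it reports only the listeners that fit the antipiracy profile, udp port 2222 and tcp ports of 3000 or more in LISTEN state, whose local address is not bound to localhost. The embedded sample is the bulletin's own listing, shortened, and the BSD column layout shown above is assumed.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: find the Office antipiracy
# listeners in `netstat -a` output. Flags udp port 2222 and tcp ports >= 3000
# in LISTEN state whose local address is not bound to localhost only.
# Assumes the BSD netstat column layout shown in the bulletin.

# Constructed sample: the bulletin's own netstat listing, shortened.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  localhost.1033         localhost.887          ESTABLISHED
tcp        0      0  *.ssh                  *.*                    LISTEN
tcp        0      0  *.3639                 *.*                    LISTEN
tcp        0      0  localhost.1033         *.*                    LISTEN
udp        0      0  *.2222                 *.*
udp        0      0  *.137                  *.*
udp        0      0  *.49156                *.*
udp        0      0  localhost.1033         *.*
udp        0      0  *.syslog               *.*'

# Reads netstat -a output on stdin; prints "proto port" for every
# externally reachable antipiracy-style listener, one per line, sorted.
find_antipiracy_ports() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }     # header lines
        {
            n = split($4, a, ".")               # local address: host.port
            host = a[1]; port = a[n]
            if (host == "localhost") next       # loopback only: not exposed
            if (port !~ /^[0-9]+$/) next        # named service from /etc/services
        }
        $1 == "udp" && port + 0 == 2222 { print "udp " port }
        $1 == "tcp" && $6 == "LISTEN" && port + 0 >= 3000 { print "tcp " port }
    ' | sort
}

# Number of such listeners (the bulletin expects n + 1 for n Office apps).
count_antipiracy_ports() {
    find_antipiracy_ports | wc -l | tr -d ' '
}

# Run against the embedded sample when invoked with --demo;
# on a real system, use:  netstat -a | find_antipiracy_ports
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | find_antipiracy_ports
fi
```

Run it as `sh antipiracy_ports.sh --demo` to see the sample result, or pipe live `netstat -a` output into `find_antipiracy_ports`.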
To scan the udp ports, you will need to run a utility like nmap from another
machine and scan for open ports.

Protecting the Open Ports
=========================

The open ports are not under the control of the user, so their security
cannot be directly controlled. This creates a difficult situation for the
user who must use the Office applications to get work done but who also
must ensure that his machine is protected from external attack. The options
left to the user are to find a different application or to block access to
the ports in some way.

The first place to block the ports is at your external firewall or router.
Block incoming udp connections to port 2222 and incoming tcp connections to
ports greater than 3000. If you have a firewall in place, you are probably
already blocking incoming connections to ports greater than 1024 and most
ports below 1024 as well.

To block the ports on individual machines, use the firewall built into
OS X. The rule control program for the built-in firewall is ipfw. Some
options are:

    ipfw list    -- list the current rule set.
    ipfw show    -- list the rule set and the counters associated with the
                    rules.
    ipfw flush   -- delete all but the last rule.
    ipfw delete  -- delete a rule.
    ipfw add     -- add a rule.

A rule is created in the following form:

    [number] action [log] proto from src to dst [via name | ipno] [options]

number   is an integer between 1 and 65534 which determines the location of
         the rule in the rule set. Rules are tested from the top down and
         the first rule to hit is executed. Rules without a number are added
         to the bottom of the list above the last rule. The last rule is
         usually:

             allow ip from any to any

action   = allow, deny
proto    = udp, tcp, icmp
src, dst = source and destination addresses and optional port numbers, in
         the form:

             address/mask [ports]

         For example: 192.168.5.1/24 for all addresses on the 192.168.5.x
         subnet.
name     = The name of the interface (en0).
ipno     = The ip address associated with the interface.
options  = in -- incoming packet, out -- outgoing packet, setup -- open
         connection packet.

More information and options are available on the ipfw man page.

To create a set of rules to block udp port 2222 and tcp ports 3000 and
above:

1. Open a terminal window.

2. Change to the root user (the root user must be enabled and have a
   password).

       su root

______________________________________________________________________________
Note: The root account is enabled with the Netinfo Manager. Choose the
Domain, Security, Enable Root User command. Give root a password with the
Domain, Security, Change Root Password command.
______________________________________________________________________________

3. Replace <subnet> with the ip address and mask of the local subnet,
   replace <interface> with the actual name of your Ethernet interface
   (probably en0), and execute the following commands in order.

       ipfw add allow udp from <subnet> to <subnet> 2222 via <interface>
       ipfw add allow tcp from <subnet> to <subnet> 3000-65535 via <interface>
       ipfw add deny udp from any to any 2222 via <interface>
       ipfw add deny tcp from any to any 3000-65535 in setup via <interface>

The first two commands create rules that allow the antipiracy detector to
continue to work on the local subnet by allowing connections from anyone on
the local subnet. The third command creates a rule that blocks all incoming
and outgoing udp packets to port 2222. The fourth blocks all incoming tcp
connections to ports greater than or equal to 3000. These last two commands
completely block the listed ports. The rules work because connections from
machines on the same subnet will trigger one of the first two rules before
the last two blocking rules take effect.

______________________________________________________________________________
Note: If you have other rules already in place or need specific,
high-numbered ports to be open, you will need to add additional rules to
this set.
______________________________________________________________________________
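The rule set from step 3 as an added example, not the bulletin's own script: a shell function that substitutes the subnet and interface, validates both arguments before they reach the shell, and gives the rules explicit numbers so the two allow rules always sit above the two deny rules no matter what else is already in the rule set. The base rule number 1000 and the --apply flag are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the CIAC bulletin's own script: build the four ipfw
# rules from a subnet and an interface name. Both arguments are validated
# before they reach the shell, and the rules get explicit numbers so the
# two allow rules always precede the two deny rules, whatever else is in
# the rule set. BASE (1000) and the --apply flag are this example's
# assumptions; choose a BASE that does not collide with existing rules.

BASE=1000    # rules are numbered BASE, BASE+10, BASE+20, BASE+30

# Accept only "a.b.c.d/bits" with octets 0-255 and a prefix length 0-32.
valid_subnet() {
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }'
}

# Interface names on OS X look like en0, en1, fw0 ...
valid_iface() {
    echo "$1" | grep -Eq '^[a-z]+[0-9]+$'
}

# Print the rule set for subnet $1 and interface $2, one ipfw command per
# line: allow the detector within the subnet, then block everyone else.
antipiracy_rules() {
    sub=$1; iface=$2
    valid_subnet "$sub"  || { echo "bad subnet: $sub" >&2; return 1; }
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    cat <<EOF
ipfw add $BASE allow udp from $sub to $sub 2222 via $iface
ipfw add $((BASE + 10)) allow tcp from $sub to $sub 3000-65535 via $iface
ipfw add $((BASE + 20)) deny udp from any to any 2222 via $iface
ipfw add $((BASE + 30)) deny tcp from any to any 3000-65535 in setup via $iface
EOF
}

# Usage: sh antipiracy_fw.sh <subnet> <interface> [--apply]
# Without --apply the commands are only printed, which is safe anywhere;
# with --apply they are executed (run as root on OS X).
if [ $# -ge 2 ]; then
    if [ "${3:-}" = "--apply" ]; then
        antipiracy_rules "$1" "$2" | sh -e
    else
        antipiracy_rules "$1" "$2"
    fi
fi
```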
Firewall rules created in this way are active until the system is rebooted.
To make the rules always active, they need to be inserted as startup items.
Assuming you do not have any firewall rules installed on your system,
perform the following steps to install some. If you already have firewall
rules as startup items, add these rules to the existing set.

1. Open a terminal window.

2. Change to the root user.

       su root

3. Change to the StartupItems directory.

       cd /System/Library/StartupItems

4. Create a Firewall directory.

       mkdir Firewall

5. Change to the Firewall directory.

       cd Firewall

6. Create a file named Firewall containing the following commands (insert
   the correct values for <subnet> and <interface>).

       #!/bin/sh
       ipfw add allow udp from <subnet> to <subnet> 2222 via <interface>
       ipfw add allow tcp from <subnet> to <subnet> 3000-65535 via <interface>
       ipfw add deny udp from any to any 2222 via <interface>
       ipfw add deny tcp from any to any 3000-65535 in setup via <interface>

7. Make it executable by root.

       chmod 755 Firewall

8. Create the file StartupParameters.plist with the following content (it
   is easiest to copy a StartupParameters.plist file from one of the other
   StartupItems directories and then modify it).

       {
         Description     = ("Firewall");
         Provides        = ("Firewall");
         Requires        = ("Portmap", "Resolver");
         OrderPreference = "None";
         Messages = {
           Start = "Starting Firewall";
           Stop  = "Stopping Firewall";
         };
       }

9. Reboot the system, log in again as root and check the firewall rules
   with the following command:

       ipfw list

Your system should now install the firewall rules and protect access to udp
port 2222 and tcp ports greater than or equal to 3000 whenever your system
is booted.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-061: HP VVOS Web proxy Vulnerability
M-062: Double Free Bug in zlib Compression Library
M-063: Microsoft Internet Explorer Vulnerabilities
CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious
                Code
M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"
M-066: Microsoft Cumulative Patch for Internet Information Services (IIS)
       Vulnerabilities
M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities
M-068: Microsoft IE and Office for Macintosh Vulnerabilities
M-069: Microsoft SQL Server Unchecked Buffer Vulnerabilities