FA Profile: Rain Forest Puppy, Security Specialist

Mar 13, 2000
by J. Dinowitz and S.M. Cohen

Most developers who are diligent about the security of their sites have come across the pseudonym "Rain Forest Puppy" (known affectionately as "RFP" in many circles) at one point or another. Among his past exploits was the uncovering, analysis and publication of several important security holes in ColdFusion. RFP is very careful to maintain his anonymity, a standard practice among hackers. Despite this, he agreed to talk to Fusion Authority about his security work. We are pleased to present this overview of RFP.

Who is Rain Forest Puppy?

When asked to describe his work, Rain Forest Puppy told us, "Basically, I sit here and do fun, weird, bizarre computer stuff on my free time." His real name is not associated with his free-time security research. Apart from his "day" job doing security-related consulting, RFP says he receives no payment for the security research and advisories he publishes on his own time. "The motivation of money is definitely not at the forefront ... I don't mind putting monetary resources into it, but I do this for fun; I don't expect anyone to pay me for it."

Over the last four and a half years, his security research has led to a steady stream of security advisories. RFP is heavily involved with computers, doing audits, writing for security publications and taking on consulting projects. Supported by contracted writing and "interesting" consulting projects, he continues to extend his range of experience. "It's nice to take a three-week project, have that learning experience, then say, OK, that project's over, then later take on a totally different project and get the experience from that, as well."

As a result of his well-written, meticulously researched advisories, RFP has been compared to "Hobbit," another hacker who wrote a landmark paper on CIFS (Common Insecurities Fail Scrutiny), a "really cool, really technical" paper with lots of information that had not yet been published. The paper was well received throughout the security community, even though it was written by a hacker and was, in some eyes, "evil" and "tainted."

Hackers and Crackers: An RFP Perspective

RFP says that, fortunately, the common image of hackers is changing. Hacking started out innocently enough: the true geeks of the 70's got together, believed in freedom of information and traded it freely, used pseudonyms, sought fun and followed their own curiosity. Then, sometime in the 80's, the concept turned criminal for a small, very visible few, who masked their identities to break into machines and steal information. And now, in the 90's, ordinary people are beginning to realize that hackers are a source of information rather than a threat, and that they are not going away.

"Outside of the security/IT industry," RFP says, "many people still think that hackers are evil, because that's how they are portrayed in the media -- showing off on the latest and greatest hacked sites with some non-spell-checked, unintelligible message written by a twelve year old who hacked into the latest hole to put up a 'Free Kevin' page." That's the bad side of the hacker underground. But, he notes, there are really TWO groups: a group of malicious, mischievous 12-20 year olds, breaking into web sites and servers, and the actual security professionals, consultants like L0pht, Hobbit, himself and others. They don't break into sites and leave weird political messages. They reproduce vulnerabilities on a private network or in a lab on their own free time. They do it for the pure thrill and challenge of finding information, and then they give it away to people.

What most people forget is that hackers and security professionals alike have to buy computers, software licenses and network access. Some receive fees that help keep their efforts self-sustaining, in addition to putting their own money into it, but most do this for fun; they don't expect anyone to pay them for it.

How RFP became RFP

RFP started programming with the very first QBasic that came with DOS, then moved on to C++ about eight years ago. His first networking experiences were with BBSes and X.25 networks, using on-line services such as Delphi and GEnie. He had not even heard of the Internet, and his first contact with the Web waited until he got to college, when he switched his focus to networks.

RFP describes himself as "the type that doesn't just sit there and let something happen." An electronics buff from his early teens, "building radios and fixing stuff, analog and digital," his first computer was a classic "break it and make it" experience. He got four elderly 286s and "completely and totally just broke two of them beyond all repair in the process of learning, taking them apart and putting them back together again, trying whatever I thought of. I had gotten these old computers for free and had free rein to break them and experiment and try. What happens when I put this in backwards? What if I try this or that?"

He then spent two years as head technician in a computer repair shop, working on hardware. Around the same time, he also started learning operating systems and software. As he got more into networking, he again felt compelled to look "underneath the hood." He wanted not just to understand how the Web worked but how it gets broken and how to fix it. RFP got his first experience networking his own equipment in his college dorm room, linking a Pentium, a 386 and his two old but still reliable 286s.

Network security today is mostly about remote client/server interactions, not about a single host. RFP notes that, "to do any kind of security, or to understand anything, you have to understand it more on a user level before you start understanding it on an administrator's or hacker's level. It's really hard to find a hole in a product if you don't know how to use [the product]."

The Web has always been one of RFP's stronger points. He worked as head Webmaster and head developer for a Midwestern company for four years, pushing out over three dozen sites. He insisted on writing all the custom back-end code himself, "home-brewed," as he calls it. Even the most basic, run-of-the-mill programs were created from scratch, both to tailor them to the individual site's needs and to gain experience.

In the process, he taught himself a lot of the underlying technology of the Web: HTTP, how web servers work, web server configuration, NT, UNIX, Apache...

While working on an article on NT Web technology, RFP noticed the popularity of Allaire's ColdFusion package. When he downloaded a 3.1 beta and checked out the sample scripts, he found a lot of problems. Going through the Allaire Forums and the Allaire site, it seemed to RFP that no one was actually looking at ColdFusion from a security perspective.

RFP Examines ColdFusion

Up to that point, the only finding from his Phrack article that had been taken to a vendor was the "SQL appension" bug, which he reported to Microsoft. The problem arises on Microsoft SQL Server when several SQL statements are sent in the same submission: one can send, literally all on one line, "SELECT * FROM Table1; SELECT * FROM Table2" and get two record sets back. If a query such as "SELECT * FROM ..." takes its table name from a user-supplied variable, an attacker can append extra queries of his own after a semicolon, and the server will run them. This is what is now called SQL injection, and it is a serious security risk.

Microsoft's response was to recommend the use of a pull-down box, to limit the values that can be submitted. Unfortunately, a drop-down box is only a client-side convenience: anyone can write a Web page with a form of their own and submit whatever value they want, so the restriction has to be enforced on the server.
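As an added illustration of the two points above (the appended second statement, and why a client-side drop-down is no defence), here is a small Python/sqlite3 example. It is not RFP's or Allaire's code and not from the Phrack article; the schema, table names and payload are constructed for the demo, and the run_batch helper merely stands in for a database server that executes several ';'-separated statements from one submission, since sqlite3 itself refuses more than one per call.

```python
import sqlite3
from typing import List, Tuple

Rows = List[Tuple]


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not from the article): a product table
    the page is meant to list, plus a table the user must never read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        CREATE TABLE audit_log (id INTEGER, entry TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO audit_log VALUES (1, 'admin login'), (2, 'password reset');
    """)
    return conn


def run_batch(conn: sqlite3.Connection, sql: str) -> List[Rows]:
    """Stand-in for a server that accepts several ';'-separated statements in
    one submission and returns one record set per statement (the MS SQL
    behaviour the interview describes). sqlite3 allows only one statement per
    execute(), so the batch is split here; the naive split on ';' ignores
    quoted semicolons, which is acceptable for a demonstration."""
    record_sets: List[Rows] = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt:
            record_sets.append(conn.execute(stmt).fetchall())
    return record_sets


def vulnerable_listing(conn: sqlite3.Connection, table_from_form: str) -> List[Rows]:
    # The table name is pasted straight from the submitted form field into the
    # query text, so anything after a ';' in that field is executed as well.
    return run_batch(conn, f"SELECT * FROM {table_from_form}")


# Tables the page is actually allowed to show; enforced on the server side.
ALLOWED_TABLES = frozenset({"products"})


def hardened_listing(conn: sqlite3.Connection, table_from_form: str) -> Rows:
    # A drop-down in the HTML is not a control: an attacker can submit any value
    # from a form of their own. Check the value server-side against a fixed
    # allowlist (identifiers such as table names cannot be bound as parameters).
    if table_from_form not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table name: {table_from_form!r}")
    return conn.execute(f'SELECT * FROM "{table_from_form}" ORDER BY id').fetchall()


if __name__ == "__main__":
    payload = "products; SELECT * FROM audit_log"   # constructed attack value
    sets = vulnerable_listing(make_db(), payload)
    print("vulnerable: %d record sets, second one: %r" % (len(sets), sets[1]))
    try:
        hardened_listing(make_db(), payload)
    except ValueError as exc:
        print("hardened:", exc)
```

Running the script shows the vulnerable function handing back two record sets, the second being the contents of audit_log, while the hardened function rejects the same value before any SQL is built. The allowlist is the right tool here because a table name is part of the statement text, not data, so a bound parameter cannot carry it.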

With Allaire, the problems were in the sample pages, and the solution was very simple: delete them.

The article was published in Phrack 54, on December 25th, 1998, and was based on about three months of research. Allaire read the Phrack article and issued an advisory on it, Number 9904, "Multiple SQL Statements and Dynamic Queries."

In late January or early February, RFP was contacted by someone in the ColdFusion community asking for permission to post the information to the ColdFusion Forums and let the ColdFusion development community know about it. Of course, RFP agreed.

Curious, RFP followed it on the Allaire site to see what the response would be. People on the forums saw the post, realized just how bad the problem was, and asked Allaire for a response. But Allaire didn't seem to be answering.

RFP then downloaded ColdFusion 4.0, and found and posted another half dozen problems to the forum, mostly in the sample scripts. Two or three days after that posting, the Allaire Security Zone was announced, with four advisories and several white papers. Allaire has stated that the Zone was already well under development when the Phrack posting went up, but that it had been delaying the launch for logistical or legal reasons of its own. Its launch on the heels of RFP's postings, and of the clear requests from users and developers in the Allaire forums, indicates that Allaire was trying to be responsive to the perceived problems.

RFP continued his research and began to find other problems. He downloaded Allaire Forums and found that some issues went far beyond easily deleted sample apps. Among the problems RFP identified was the "Get File" template in Forums, an integral part of the product that could not be deleted. Again, Allaire was responsive, posting a fix for it, Number 9905, "Allaire Forums Security Issues," for Forums 204 or earlier.

Eventually, Adam Berry, product marketing director for Allaire, contacted RFP and thanked him on behalf of Allaire for alerting them to these problems. RFP continues to exchange e-mail with both Berry and Allaire's head of security, Damon Cooper.

Unfortunately, as RFP noted in his ODBC advisory, Allaire's responses have been slowing down. For instance, he posted an advisory on Microsoft's RDS (Remote Data Service) as a courtesy, noting that ColdFusion and NT users would be affected by it even though it isn't a ColdFusion problem. At first, Allaire's response was that it wasn't going to affect ColdFusion, but key people on Team Allaire made it clear that it was indeed a problem. Eventually, Allaire researched it further and put out bulletins on the problem, but only over a week later, a very long time where security issues are concerned. The ColdFusion community, by contrast, has been very enthusiastic about RFP's work and quick to act on it.

Stay tuned next week for the rest of the RFP profile, where RFP gives us his tips on improving your security.
