Potential Vulnerability


Post by WallShadow on Mon Jun 25, 2012 11:16 pm

Good afternoon everyone,

Over the course of the previous year, I have been exploring my school's network for various interesting artifacts. One thing that me and a friend found was a remote computer system / server on the network which was used to host programs used for certain specialized classes. Although we found many directories in it with such programs, 2 directories stood out because they were publicly writable as well as readable, while the others were only readable.

I have theorized that it would be possible to insert my own program and edit the .lnk file in the folders to run my program and install a rootkit onto any system attempting to run the associated program. I estimate that I can probably infect from a quarter of the school up to half or more of the school in the period of the year, possibly even rooting several teachers, and with a small chance to root one of the network administrators.

What I am asking is for your assessment of this vulnerability; what would it actually do, how fast would it infect, how fast it would be detected, and if you were carrying this out, what would you do differently?

Note: I am not planning any such malicious deed with this, as it would be simply foolish on my part; however, I have no intention of informing the admins about this, as they may, and chances are will, think badly of me due to this.

-WallShadow <3


Re: Potential Vulnerability

Post by mShred on Tue Jun 26, 2012 1:15 am

Well, I suppose this really kinda depends. The box that you have writable access on would have to have either admin or root privileges to carry out any good virus/infecting operations. I like the idea of making some .lnk files too. But you would have to have someone with those privs call onto that file, which can be tricky if you just have user access. I guess in that situation, a little social engineering is always fun. And in my experience, I've seen a lot of stupid, gullible teachers who know nothing about computers. Also, your malicious file would have to be either a compiled program or a batch file (assuming it's Windows). So the know-how would also be a biggy. Post back with any other information. And let us know how it goes! Considering we all know that the whole 'non-malicious purposes' are usually bullshit.. ;)

For those about to rock.


Re: Potential Vulnerability

Post by RiptideTempora on Tue Jun 26, 2012 7:46 am

I would contact them and inform them of the vulnerability, with a zip of a C/C++ source code that would run the intended program as well as a function called malicious() that just returns true (placeholder for whatever).

If they can't connect the dots, do not try to help them more. Otherwise this will happen: https://ssl.alpha7f.com/rt/p/of-bleache ... -hypocrisy


Re: Potential Vulnerability

Post by WallShadow on Tue Jun 26, 2012 11:03 am

As for privileges, I don't think that it will pose any sort of problem. When a hapless student double-clicks the .lnk on his desktop he will start the program with his own credentials and a clear reference to his personal C: drive. It would take only a small compiled C++ program to write a few files to his user Startup folder so the next time he starts his computer, the rootkit can start collecting any necessary information and then open up to an Inet address on the school network, listening for any possible instructions that I might send its way. The network administrators wouldn't notice the additional traffic, I've done it before with simple chat clients with friends.

It would be simple to figure out who is who because our school usernames are always <first name><last name>. This even applies to teachers and administrators, something I just realized and will take into account while brute-forcing their passwords in the coming days.

The reason that I am not going to report this to the administrators under any circumstances is that they are the kind of IT guys that hate their jobs. They are NEVER excited to see students at their door, but I really can't blame them. You'd be surprised how poorly people can treat their school laptops. Broken screens, missing keys, missing touch-pen, or just blue screens are quite common for many students. If I come up to them, claiming that I can hack their school network, I'll find myself kicked out of their school faster than a rapist.

-WallShadow <3


Re: Potential Vulnerability

Post by RiptideTempora on Wed Jun 27, 2012 10:05 pm

WallShadow wrote: As for privileges, I don't think that it will pose any sort of problem. When a hapless student double-clicks the .lnk on his desktop he will start the program with his own credentials and a clear reference to his personal C: drive. It would take only a small compiled C++ program to write a few files to his user Startup folder so the next time he starts his computer, the rootkit can start collecting any necessary information and then open up to an Inet address on the school network, listening for any possible instructions that I might send its way. The network administrators wouldn't notice the additional traffic, I've done it before with simple chat clients with friends.

It would be simple to figure out who is who because our school usernames are always <first name><last name>. This even applies to teachers and administrators, something I just realized and will take into account while brute-forcing their passwords in the coming days.

The reason that I am not going to report this to the administrators under any circumstances is that they are the kind of IT guys that hate their jobs. They are NEVER excited to see students at their door, but I really can't blame them. You'd be surprised how poorly people can treat their school laptops. Broken screens, missing keys, missing touch-pen, or just blue screens are quite common for many students. If I come up to them, claiming that I can hack their school network, I'll find myself kicked out of their school faster than a rapist.

-WallShadow <3

Tormail.org -- Don't identify yourself.


Re: Potential Vulnerability

Post by WallShadow on Wed Jun 27, 2012 10:31 pm

RiptideTempora wrote: Tormail.org -- Don't identify yourself.



Ok, ok, assuming I will send them a message about this, what would I say?

"Hey guys, your server "A" is vulnerable because it is publicly writable, you should fix it!" ?


-WallShadow <3


Re: Potential Vulnerability

Post by centip3de on Thu Jun 28, 2012 1:08 am

WallShadow wrote: Ok, ok, assuming I will send them a message about this, what would I say?

"Hey guys, your server "A" is vulnerable because it is publicly writable, you should fix it!" ?


-WallShadow <3


Pretty much. However, you might want to tack on screenshots/proof of the vulnerability (with your account name/any other identifier edited out) so they won't blow you off.

Troll note: I'm thinking an ultimatum would work, no? "Either you dipshits fix this, or your servers won't work soon...". Make sure to put lots of death threats in there too.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook


Re: Potential Vulnerability

Post by mShred on Thu Jun 28, 2012 3:43 pm

Well I'm sure you'd want to know that it is vulnerable before sending them a threat note. Just because something is writable doesn't mean it's vulnerable.

For those about to rock.
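
Added example, not part of the original thread: the distinction drawn in the post above (writable is not the same as vulnerable) is something the share's administrator can check. This PowerShell audit flags folders that broad groups can write to and that also hold files users launch; the path `\\fileserver\apps`, the principal list and the extension list are assumptions.

```powershell
# Added example (not from the thread). \\fileserver\apps is a placeholder path.
param(
    [string]$ShareRoot = '\\fileserver\apps',
    [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
)

$R = [System.Security.AccessControl.FileSystemRights]
# Rights that let a caller plant, replace or re-permission files in a folder.
$writeMask = [int]($R::CreateFiles -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
# Get-Acl can report raw generic bits on inherit-only ACEs: GENERIC_WRITE, GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000
# File types a user would start from the share (assumed list, extend as needed).
$launchable = '.exe', '.lnk', '.bat', '.cmd', '.com', '.msi', '.vbs', '.ps1', '.dll'

function Test-BroadWrite {
    # Returns the first Allow ACE giving a broad principal write-type access.
    # Deny ACEs and share-level permissions are not evaluated, so a hit means
    # "review this folder", not proven effective access.
    param($Acl, [string[]]$Principals)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (-not ($Principals | Where-Object { $who -eq $_ -or $who -like "*\$_" })) { continue }
        $bits = [int]$ace.FileSystemRights
        if (($bits -band $writeMask) -or ($bits -band $genericMask)) { return $ace }
    }
}

$dirs = @(Get-Item -LiteralPath $ShareRoot) +
        @(Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue)
foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $ace = Test-BroadWrite -Acl $acl -Principals $BroadPrincipals
    if (-not $ace) { continue }
    $files = @(Get-ChildItem -LiteralPath $dir.FullName -File -ErrorAction SilentlyContinue |
        Where-Object { $launchable -contains $_.Extension.ToLower() })
    $severity = 'Low: writable, nothing launchable found'
    if ($files.Count -gt 0) { $severity = 'High: users launch files from a folder anyone can modify' }
    [pscustomobject]@{
        Path       = $dir.FullName
        Principal  = $ace.IdentityReference.Value
        Rights     = $ace.FileSystemRights
        Launchable = $files.Count
        Severity   = $severity
    }
}
```

Folders reported as High are the ones to restrict to read and execute for ordinary users, leaving write access to the accounts that maintain the programs.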


Re: Potential Vulnerability

Post by WallShadow on Thu Jun 28, 2012 3:55 pm

Ya, but if I try changing anything on the drive, then the author properties would reflect my identity in it, wouldn't it? I've already tested by writing text files to it and deleting them, I doubt they would make separate permissions for every single file in the folder.


Re: Potential Vulnerability

Post by mShred on Thu Jun 28, 2012 4:05 pm

Shit, yeah. Damn, I kinda wish I had some remote access to this bitch just so I could look around a bit. It's never as fun being in the background.

For those about to rock.

