Potential Vulnerability

[WallShadow]

Good afternoon everyone,

Over the course of the previous year, I have been exploring my schools network for various interesting artifacts. One thing that me and a friend found, was a remote computer system / server on the network which was used to host programs used for certain specialized classes. Although we found many directories in it with such programs, 2 directories stood out because they were publicly writable as well as readable will the others were only readable.

I have theorized that it would be possible to insert my own program and edit the .lnk file in the folders to run my program and install a rootkit onto any system attempting to run the associated program. I estimate that I can probably infect from a quarter of the school up to half or more of the school in the period of the year, possibly even rooting several teachers, and with a small chance to root one of the network administrators.

What I am asking is for your assessment of this vulnerability; what would it actually do, how fast would it infect, how fast it would be detected, and if you were carrying this out, what would you do differently?

Note: I am not planning any such malicious deed with this, as it would be simply foolish on my part, however I have no intention of informing the admins about this as they may and chances are will think badly of me due to this.

-WallShadow <3

[mShred]

Well I suppose this really kinda depends. The box that you have writable access on would have to have either admin or root privileges to carry out any good virus/infecting operations. I like the idea of making some .lnk files too. But you would have to have someone with those privs call onto that file, which can be tricky if you just have user access. I guess in that situation, a little social engineering is always fun. And in my experience, I've seen a lot of stupid, gullible teachers who know nothing about computers. Also, your malicious file would have to be either a compiled program or a batch file (assuming it's windows). So the know-how would also be a biggy. Post back with any other information. And let us know how it goes! Considering we all know that the whole 'non-malicious purposes' are usually bull shit..

[RiptideTempora]

I would contact them and inform them of the vulnerability, with a zip of a C/C++ source code that would run the intended program as well as a function called malicious() that just returns true (placeholder for whatever).

If they can't connect the dots, do not try to help them more. Otherwise this will happen: https://ssl.alpha7f.com/rt/p/of-bleache ... -hypocrisy

[WallShadow]

As for privileges, I don't think that it will pose any sort of problem. When a hapless student double clicks the .lnk on his desktop he will start the program with his own credentials and a clear reference his personal C: drive. It would take only a small compiled C++ program to write a few files to his user Startup folder so the next time he starts his computer, the rootkit can start collect any necessary information and then open up to an Inet address on the school network, listening for any possible instructions that I might send it's way. The network administrators wouldn't notice the additional traffic, I've done it before with simple chat clients with friends.

It would be simple to figure out who is who because our school usernames are always <first name><last name>. This even applies to teachers and administrators, something I just realized and will take into account while brute-forcing their passwords in the coming days.

The reason that I am not going to report this to the administrators under any circumstances is that they are the kind of IT guys that hate their jobs. They are NEVER excited to see students at their door, but I really can't blame them. You'd be surprised how poorly people can treat their school laptops. Broken screens, missing keys, missing touch-pen, or just blue screens are quite common for many students. If I come up to them, claiming that I can hack their school network, I'll find myself kicked out of their school faster than a rapist.

-WallShadow <3

[RiptideTempora]

As for privileges, I don't think that it will pose any sort of problem. When a hapless student double clicks the .lnk on his desktop he will start the program with his own credentials and a clear reference his personal C: drive. It would take only a small compiled C++ program to write a few files to his user Startup folder so the next time he starts his computer, the rootkit can start collect any necessary information and then open up to an Inet address on the school network, listening for any possible instructions that I might send it's way. The network administrators wouldn't notice the additional traffic, I've done it before with simple chat clients with friends.

It would be simple to figure out who is who because our school usernames are always <first name><last name>. This even applies to teachers and administrators, something I just realized and will take into account while brute-forcing their passwords in the coming days.

The reason that I am not going to report this to the administrators under any circumstances is that they are the kind of IT guys that hate their jobs. They are NEVER excited to see students at their door, but I really can't blame them. You'd be surprised how poorly people can treat their school laptops. Broken screens, missing keys, missing touch-pen, or just blue screens are quite common for many students. If I come up to them, claiming that I can hack their school network, I'll find myself kicked out of their school faster than a rapist.

-WallShadow <3

Tormail.org -- Don't identify yourself.

[WallShadow]

Tormail.org -- Don't identify yourself.

Ok, ok, assuming I will send them a message about this, what would I say?

"Hey guys, your server "A" is vulnerable because it is publicly writtable, you should fix it!" ?


-WallShadow <3

[centip3de]

Ok, ok, assuming I will send them a message about this, what would I say?

"Hey guys, your server "A" is vulnerable because it is publicly writtable, you should fix it!" ?


-WallShadow <3

Pretty much. However, you might want to tack on screenshot's/proof of the vulnerability (with your account name/any other identifier edited out) so they won't blow you off.

Troll note: I'm thinking an ultimatum would work, no? "Either you dipshit's fix this, or your servers won't work soon...". Make sure to put lots of death threats in there too.

[mShred]

Well I'm sure you'd want to know that it is vulnerable before sending them a threat note. Just because something is writable doesn't mean it's vulnerable.

[WallShadow]

Ya, but if i try changing anything on the drive, then the author properties would reflect my identity in it, wouldn't it? Ive already tested by writing text files to it and deleting them, I doubt they would make separate permissions for every single file in the folder.

[mShred]

Shit, yeah. Damn, I kinda wish I had some remote access to this bitch just so I could look around a bit. It's never as fun being in the background.