GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


archive:bbs:security
                          WILDCAT!(tm) BBS system
                             Security Emergency
                               Documentation
                              January 2, 1989
                             Richard B. Johnson
                              PROGRAM EXCHANGE
                               (303) 440-0786
        There exists within the WILDCAT!(tm) external protocol pro-
        cedures the considerable possibility that somebody who is
        familiar with the system could execute a copy of COMMAND.COM
        and have full control of your computer, erasing or format-
        ting disks, and creating all kinds of havoc. Basically, any-
        thing that you could do from the keyboard can be done by the
        remote-user if he knows how to do it.
        Please read all the ".DOC" files in this archive and the
        archives included within. I also suggest that you implement
        LOG (LOG.ARC) if you haven't already done so. I was able to
        detect an attempt at breaching security on my own system.
        The only thing that prevented the hacker from getting to the
        DOS level was he didn't know what the "upload" filename was
        on my system. The LOG utility was what first called my
        attention to this problem.
        Note that I was able to log onto a system in Colorado as a
        new user and, within 60 seconds I was at the 'DOS' level. It
        had taken me only 20 seconds on my own system but I knew the
        names of the "upload" batch files and the communications
        adapter port being used.
        The problem is that the external protocol setup, as advised
        by Mustang Software, will allow an "upload" batch file to be
        replaced by a batch file of the same name during an upload!
        If your communications adapter port is COM1, and you use a
        batch file called JUP.BAT for JMODEM uploads, the hacker
        could upload the following JUP.BAT file:
        REM * hacker's special
        REM
        REM
        REM
        REM
        REM
        REM
        REM
        IF %3 == HACKER.TXT GOTO BREAK
        GOTO END
        :BREAK
        @ECHO OFF
        CTTY COM1
        COMMAND
        :END
  1. 1 -
        It works this way. The first "upload" is a file called
        JUP.BAT. JMODEM (could be ZMODEM or any external protocol)
        dutifully overwrites the existing JUP.BAT and exits with no
        errors.
        COMMAND.COM, when executing a ".BAT" file opens then closes
        the file for each line in the file. COMMAND.COM "knows" that
        the last line was, perhaps, line 4. It therefore looks at
        line 5 for its next instruction. It executes one of the
        several "REM" statements, then exits at the ":END" label
        since the filename (%3) was not HACKER.TXT.
        The BBS system software regains control and, finding no file
        transferred, simply continues like nothing happened.
        The hacker then attempts to upload HACKER.TXT using the
        JMODEM protocol. JUP.BAT has been replaced with the hacker's
        new version. Since the %3 parameter is now HACKER.TXT, the
        batch file branches to label ":BREAK". The console input is
        redirected to the COM1 port and an additional copy of
        COMMAND.COM is loaded with its I/O having been redirected to
        the COM1 port.
        Of course the hacker has not executed any external protocols
        on his system. He's just sitting there in terminal-mode in
        full control of your system.
        Caveat modulus carborundum.
  1. finis -
  1. 2 -
/data/webs/external/dokuwiki/data/pages/archive/bbs/security.txt · Last modified: 1999/10/29 06:40 (external edit)