Synchronet/DSZ "Hack" of 1993
In August of 1992, I began to hear rumors that there was a known vulnerability in Synchronet and that some Synchronet BBSes were suspected to have been “hacked” (over dial-up modems, as was the means of the day). It wasn't until my good friend King Drafus' BBS (The Beast's Domain) was penetrated using this vulnerability that he and I were able to get to the bottom of it. This is that story.
A dubious and not-very-well documented feature of DSZ (a popular file transfer program for BBSes of the time) allows the sender of a file to specify a path prefix to be prepended onto the filename being stored on the receiving system, thus allowing the sender to create or overwrite files outside of the intended destination directory (the intended destination directory is usually an upload or temporary directory not containing any sensitive system files). Adding a simple “re” (or “restrict”) command-line option disables the “PREFIX” feature and eliminates the vulnerability. In hindsight, it really had nothing to do with Synchronet other than that Synchronet had a dependency on external file transfer protocol drivers and this particular one (DSZ) had a significant security weakness in its default configuration.
To be fair, the DSZ documentation (DSZ.DOC) does contain these notes about the
4. BULLETIN BOARD CONSIDERATIONS Note to the wise BBS operator: be sure you understand the restrict command, how and WHY to use it!
restrict Restrict incoming pathnames (YMODEM/ZMODEM) to the current disk and directory tree, and disallow modification or overwriting of existing files. This command is vital for bulletin boards uploading files. The restrict command causes partially received files to be deleted. When DSZ is restricted, it will refuse to transfer files containing the string autoexec.bat and command.com in upper or lower case. This provides some defense from malicious uploaded files. EXAMPLE: dsz restrict rz
The default Synchronet configuration at the time used DSZ for X/Y/ZMODEM file transfers, but did not include the restrict command-line option for DSZ because I was not aware of its necessity to defeat the PREFIX option, which is not really documented in any kind of detail in the same DSZ.DOC file.
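As an added illustration (not DSZ's or Synchronet's own code), the following Python models the three restrict rules quoted from DSZ.DOC above as a receiver-side check on the filename carried in a YMODEM/ZMODEM header: stay on the current disk and inside the upload directory tree, never overwrite an existing file, and refuse names containing autoexec.bat or command.com in any case. The function names and the sample filenames are assumptions made for this example.

```python
import os
import tempfile

# Substrings DSZ.DOC says restricted mode refuses, compared case-insensitively.
FORBIDDEN_SUBSTRINGS = ("autoexec.bat", "command.com")


def restricted_target(upload_dir: str, incoming_name: str) -> str:
    """Return the path an upload may be written to; ValueError if refused."""
    lowered = incoming_name.lower()
    for bad in FORBIDDEN_SUBSTRINGS:
        if bad in lowered:
            raise ValueError(f"refused: name contains {bad}")
    # A sender-supplied DOS prefix uses backslashes; treat them as separators
    # so that "..\\X" is resolved exactly like "../X" below.
    candidate = incoming_name.replace("\\", "/")
    has_drive = len(candidate) >= 2 and candidate[1] == ":"
    if has_drive or candidate.startswith("/"):
        raise ValueError("refused: drive letter or absolute path in filename")
    base = os.path.realpath(upload_dir)
    # realpath collapses ".." and follows symlinks before the containment test.
    target = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("refused: path escapes the upload directory tree")
    if os.path.exists(target):
        raise ValueError("refused: would overwrite an existing file")
    return target


def screen_names(upload_dir: str, names) -> dict:
    """Map each incoming name to its accepted path or its refusal reason."""
    verdicts = {}
    for name in names:
        try:
            verdicts[name] = restricted_target(upload_dir, name)
        except ValueError as exc:
            verdicts[name] = str(exc)
    return verdicts


if __name__ == "__main__":
    # Constructed sample header filenames (assumed, not captured traffic).
    with tempfile.TemporaryDirectory() as upload_dir:
        samples = ["NEWFILE.ZIP", "..\\OUTSIDE.TXT", "C:\\AUTOEXEC.BAT"]
        for name, verdict in screen_names(upload_dir, samples).items():
            print(f"{name!r:24} -> {verdict}")
```

A refusal is the receiver's cue to abort the transfer and discard any partial file, which is what DSZ.DOC says restricted mode does.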
I don't recall any great damage to KD's BBS, but since we knew that his user database had been downloaded by an unauthorized user (the “hacker”), he had to delete all the user accounts. He had every user log in as new again to recreate their user accounts and made sure they knew that they were to use a new/unique password (and to change their password on other systems if they had used the same password on The Beast's Domain).
KD and I conducted some investigation into the attack and tried to determine who were the most likely culprits. Apparently some word of our investigation got out and motivated the attacker to send me an “admission of guilt”.
On January 28, 1993, I posted this vulnerability disclosure to all Synchronet sysops (with a more detailed analysis/description here):
Subject: DSZ restrict parameter

Due to an unfortunate feature in DSZ, ALL Synchronet sysops must add the 'restrict' parameter to their DSZ batch upload command lines.

Example command lines for versions before v1b r1:
Your temp directory for each node should be set to "TEMP\" (the default). Placing the temp directory on another drive will not work.

DSZ Ymodem Batch UL: %!dsz portx %u,%i est 0 %e re rb %g
DSZ Zmodem Batch UL: %!dsz portx %u,%i est 0 %e re rz %g
DSZ Ymodem-G Batch UL: %!dsz portx %u,%i est 0 %e re rb -g %g

Example command lines for Version v1b rev 1 (no %g):
Temp directory can be on any drive or directory.

DSZ Ymodem Batch UL: %!dsz portx %u,%i est 0 %e re rb
DSZ Zmodem Batch UL: %!dsz portx %u,%i est 0 %e re rz
DSZ Ymodem-G Batch UL: %!dsz portx %u,%i est 0 %e re rb -g

Quite unfortunately, some Synchronet sysops have known about this DSZ feature and have kept it a secret so they could hack other Synchronet systems. What's more sad is that they didn't even know the solution to protect their own BBSs. If you suspect that your board has been hacked, call me voice and I'll help you find out if it has or hasn't.

DM
Sometime later, an anonymous user created an account on Vertrauen (which was *not* hacked) and uploaded a file (ADDMIS.ZIP) which reportedly contained an “addmission of guilt” [sic]. Here were the contents of the ZIP file:
12/13/1901 12:45 PM 21,979 NOTE.BIT
12/13/1901 12:45 PM 1,796 RUNME.COM
12/13/1901 12:45 PM 971 SAY.COM
12/13/1901 12:45 PM 128,398 VOICE.BIT
12/13/1901 12:45 PM 44,016 VOICE1.BIT
12/13/1901 12:45 PM 58,472 VOICE2.BIT
12/13/1901 12:45 PM 61,042 VOICE3.BIT
12/13/1901 12:45 PM 46,181 VOICE4.BIT
I was wary of running any executables uploaded by an admitted “hacker”, but out of curiosity I decided to run them on a completely isolated system. Upon running the RUNME.COM program, it displayed the following short blurb:
An Anonymous addmission of guilt. Sound card not required
And then a crackly monotone voice screeched from my PC's speaker (I didn't have a “sound card” in those days). The voice eerily said:
Give credit where credit is due. Mithrandir, Disk Killer, Dirtbag, St. Elmo, The Zipper, The Sidewinder, and Nighthawk, had absolutely nothing what-so-ever to do with the hacking of the Synchronet boards in this area. All me. No, I'm not going to tell you who I am. You'll find out someday, I'm sure. Though I don't really give a shit. All of their accounts have been used on various other boards. The object was to gain information: phone numbers and addresses basically. I could care less about passwords. I'm not into downloading files under their names. Nothing like that. I'm also not into crashing boards or deleting anything that you've got going right now. Completely passive. I've been doing this for months... and I would have continued to do it if I wouldn't have gotten caught by King Drafus. Who would have known that he would have been up at 4 o'clock in the morning. Geeze. Has he no life? Who am I to talk? I was up at 4 o'clock in the morning doing it. Ah, I've been into almost every board in the area. With the exception of Seth Friedman's board. By the time I found out he was running a Synchronet board, he wasn't running a Synchronet board. ha ha ha. ohhh.. You'll hear from me again. Cause that little re code isn't the only way you're gonna have to fix it to keep me out. But I'm only doing it for fun and for information. Like I said, not to do any damage. Tell ya what, next time I get into a Synchronet bulletin boards, I'll let you guys know how I did it. Then you can fix it. Then I'll find another one. Hey, this could be fun. Take it easy. And don't be so damn paranoid. Oh yeah, and a special note to King Drafus, he he.. I see you've had a little fun yourself: ha ha ha
The next part was actually displayed on the screen:
This came from Beast Domain's 1.2Gb Hard Drive
Directory of C:\MODEM\QM41\UPLOAD
COMM BAT 22 12-08-90 9:49p
DLZ BAT 49 12-08-90 9:49p
DONATE ZIP 1229 10-31-90 1:51p
DSZ EXE 7568 08-07-90 7:48p
DUH ZIP 17306 02-14-91 6:41p
HACK BAT 20 12-28-90 6:30p
LEPROSYB COM 1112 09-13-90 11:21p
MODS1 ZIP 7531 02-15-91 6:51a
NETNEWS ZIP 7406 02-17-91 12:21a
NETWORK COM 19740 08-03-90 8:24p
NETWORK OBJ 752 07-26-90 5:18p
PROG ZIP 5022 02-20-91 4:38p
PROG2 ZIP 5004 02-17-91 4:49a
TEST ZIP 4428 01-01-91 6:56p
USERFILE ZIP 846 10-31-90 1:59p
CHKLIST CPS 81 02-24-92 2:15a
16 file(s) 78116 bytes
Since the “hacker” created a user account on Vertrauen, I decided to reply to that user account with my own transcript of the digitized voice files. Here is my reply with the quoted transcript:
Curiosity over-took me, so I put your upload onto floppy and ran it on a diskless workstation. I found your message (specifically, the delivery medium) very entertaining. Since I don't have a PC sampler, I can't reply in voice. So, I've quoted your message in text and am replying in text.

> An Anonymous addmission of guilt.
> Sound card not required

What can I say? I don't play games.

> Give credit where credit is due. Mithrandir, Disk Killer, Dirtbag, St. Elmo,
> The Zipper, The Sidewinder, and Nighthawk, had absolutely nothing
> what-so-ever to do with the hacking of the Synchronet boards in this area.

The only people that were ever accused of any association with the Beast's Domain hack were Disk Killer and Beemer, both privately accused - never publicly. Both Disk Killer and Mithrandir had their beta licenses taken away because they KNEW of the DSZ PREFIX hack method and never disclosed it to me. I can't prove Disk Killer's involvement with the Beast's Domain hack, but I do have proof that he knew about the hacking method and intentionally kept it a secret from me. Mithrandir admitted knowing about the DSZ hack method and understood why his beta license was removed - he then later protested, saying "I just found out last week", which was just more lies. I never suspected Dirtbag, St. Elmo, The Zipper (never heard of this guy. You don't mean The Zapper, do you?) or The Sidewinder of having any involvement with the Domain hack. Nighthawk was one of the users online at the time of the hack, but the logs didn't indicate that account was used to download the user data file, so he was removed from the suspect list soon after the hack. I've never even mentioned these names in the same sentence, paragraph, or message in regards to any Synchronet system hack. Don't know why they're so paranoid. I got a couple messages from Nighthawk, saying "I'm innocent. I didn't have anything to do with it."

Actually, it was Beemer's (Bill Wagstaff) account that was used to download the user data file from Domain. And this account had a forced random password. So I've been assuming that Bill Wagstaff was the actual hacker or let his account be used by a hacker. Bill is an accomplished programmer and D Killer is more on the "end-user" side of computer intelligence, so I'd say it was Bill Wagstaff that was the prime suspect. Though he was never publicly accused of anything. What would be the point? Also, the tools used in the hack (GIFDIR.COM, TELIX.BAT, etc.) were obviously created by someone with some degree of programming experience and these tools were found in the hands of Disk Killer (he was "testing" them out on a fellow sysop). Whether he used them to really hack any systems or not, or created them, or whatever, is irrelevant. He knew they existed, that there was a way in, and didn't tell me. This, for obvious reasons, violated our beta license agreement.

> All me. No, I'm not going to tell you who I am. You'll find out someday,
> I'm sure. Though I don't really give a shit. All of their accounts have been
> used on various other boards.

Who you are isn't really important, unless you were a beta site or someone else that I specifically trusted and had an agreement with. In my eyes, you have every right to try and hack boards. I more or less, invite it. I'd rather find out that it was possible sooner than later. I don't want Synchronet to get the reputation of being easily hacked. This DSZ thing had gotten around pretty good. I had been hearing about it (with no details) since August of '92. Only after the Domain hack, did I know exactly what was happening and how. Perhaps you didn't know that so many people were hip to it?

> The object was to gain information: phone numbers and addresses basically.
> I could care less about passwords. I'm not into downloading files under
> their names. Nothing like that. I'm also not into crashing boards or
> deleting anything that you've got going right now. Completely passive.

That's respectable.

> I've been doing this for months... and I would have continued to do it if
> I wouldn't have gotten caught by King Drafus. Who would have known that he
> would have been up at 4 o'clock in the morning. Geeze. Has he no life? Who
> am I to talk? I was up at 4 o'clock in the morning doing it.

You should know that we computer-dudes never sleep.

> Ah, I've been into almost every board in the area. With the exception of
> Seth Friedman's board. By the time I found out he was running a Synchronet
> board, he wasn't running a Synchronet board. ha ha ha.

You've never been into Vertrauen. Thank god. Seth lost his beta license just because he was such a flakey sysop and never ran his system according to the beta agreement (multinode, FidoNet, etc.).

> ohhh.. You'll hear from me again. Cause that little re code isn't the only
> way you're gonna have to fix it to keep me out. But I'm only doing it for
> fun and for information. Like I said, not to do any damage.

Are you implying that you already know of other ways in? It's a pain in the ass trying to find the gay "features" that are available in the BBS related utilities (DSZ, PKZIP, etc.). Internal protocols, doors, etc. would eliminate all those variables, but would also limit the functionality and extensibility of the BBS software. It's a lose-lose situation. If you're running Global War (for example), and it has a back-door, it doesn't matter how secure the BBS software is. But if the stock configured package has a way in, that is bad and certainly must be avoided at all costs.

> Tell ya what, next time I get into a Synchronet bulletin boards, I'll let
> you guys know how I did it. Then you can fix it. Then I'll find another one.
> Hey, this could be fun.

And Synchronet would become an even more secure product. I would appreciate the information.

Not all hackers are as cordial and "nice" as you are. I'm sure you can appreciate the amount of time and effort put into Synchronet. With back-doors, it kind of makes the whole thing feel like a waste of time. Why put in all the random passwords, uniqueness checking, etc. when some external program has some stupid "feature" that lets you write wherever you like on the current drive? Silly Chuck...

> Take it easy. And don't be so damn paranoid.

I take it very easy. And I'm not paranoid.

> Oh yeah.
> and a special note to King Drafus, he he.. I see you've had a little fun
> yourself: ha ha ha
> This came from Beast Domain's 1.2Gb Hard Drive
> Directory of C:\MODEM\QM41\UPLOAD
> COMM BAT 22 12-08-90 9:49p
> DLZ BAT 49 12-08-90 9:49p
> DONATE ZIP 1229 10-31-90 1:51p
> DSZ EXE 7568 08-07-90 7:48p
> DUH ZIP 17306 02-14-91 6:41p
> HACK BAT 20 12-28-90 6:30p
> LEPROSYB COM 1112 09-13-90 11:21p
> MODS1 ZIP 7531 02-15-91 6:51a
> NETNEWS ZIP 7406 02-17-91 12:21a
> NETWORK COM 19740 08-03-90 8:24p
> NETWORK OBJ 752 07-26-90 5:18p
> PROG ZIP 5022 02-20-91 4:38p
> PROG2 ZIP 5004 02-17-91 4:49a
> TEST ZIP 4428 01-01-91 6:56p
> USERFILE ZIP 846 10-31-90 1:59p
> CHKLIST CPS 81 02-24-92 2:15a
> 16 file(s) 78116 bytes

What are we supposed to be angels? I'm sure those files were just for testing the security of his own system when he was running WWIV, back in 1990. ;)

Keep this account open for communications (God forbid you would want to use your REAL account here) between you and I. Let me know if you won't be calling much with this account, and I'll give it the (P)ermanent exemption (keep it from being auto-deleted after 90 days of inactivity). Or call voice at 714-529-6328.

Later,
Rob
This episode remains the widest Synchronet security penetration event to date, but if it weren't for the bizarre “admission of guilt” I likely would have forgotten all about it by now (21 years later).
I never did hear from the “hacker” again, nor did I ever figure out who it was, for sure.