Synchronet/DSZ "Hack" of 1993

In August of 1992, I began to hear rumors that there was a known vulnerability in Synchronet and some Synchronet BBSes were suspected to have been “hacked” (using dial-up modems as was the means of the day). It wasn't until my good friend King Drafus' BBS (The Beast's Domain) was penetrated using this vulnerability that he and I were able to get to the bottom of it. This is that story.

The Vulnerability

A dubious and not-very-well-documented feature of DSZ (a popular file transfer program for BBSes of the time) allows the sender of a file to specify a path prefix to be prepended onto the filename being stored on the receiving system. This lets the sender create or overwrite files outside of the intended destination directory, which is usually an upload or temporary directory not containing any sensitive system files. Adding a simple “re” (or “restrict”) command-line option disables the “PREFIX” feature and eliminates the vulnerability. In hindsight, it really had nothing to do with Synchronet, other than that Synchronet had a dependency on external file transfer protocol drivers and this particular one (DSZ) had a significant security weakness in its default configuration.

To be fair, the DSZ documentation (DSZ.DOC) does contain these notes about the restrict option:

4.  BULLETIN BOARD CONSIDERATIONS

         Note to the wise BBS operator: be sure you understand the restrict
         command, how and WHY to use it!
restrict Restrict incoming pathnames (YMODEM/ZMODEM) to the current disk
         and directory tree, and disallow modification or overwriting of
         existing files.  This command is vital for bulletin boards
         uploading files.  The restrict command causes partially received
         files to be deleted.  When DSZ is restricted, it will refuse to
         transfer files containing the string autoexec.bat and command.com
         in upper or lower case.  This provides some defense from malicious
         uploaded files.

         EXAMPLE: dsz restrict rz

The default Synchronet configuration at the time used DSZ for X/Y/ZMODEM file transfers, but did not include the restrict command-line option for DSZ because I was not aware of its necessity to defeat the PREFIX option, which is not really documented in any kind of detail in the same DSZ.DOC file.
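
The receiver-side checks that DSZ.DOC attributes to restrict, written out as an added example (this is not DSZ's or Synchronet's code): a sender-supplied pathname is confined to the upload directory tree, existing files are never overwritten, and names containing autoexec.bat or command.com are refused. The function names, the C:\BBS\TEMP directory and the sample names are assumptions made for illustration; DOS path rules come from Python's ntpath module so the check behaves the same on any host.

```python
import ntpath  # DOS path rules, independent of the host OS

UPLOAD_DIR = r"C:\BBS\TEMP"                 # hypothetical receive directory
BLOCKED = ("autoexec.bat", "command.com")   # strings DSZ.DOC says restrict refuses


class Rejected(Exception):
    """The sender-supplied name must not be stored."""


def restricted_target(upload_dir, sender_name, existing=()):
    """Return the path an upload may be stored at, or raise Rejected.

    existing lists files already on disk; it is passed in (rather than
    read from the filesystem) so this constructed example runs offline.
    """
    if any(s in sender_name.lower() for s in BLOCKED):
        raise Rejected("blocked name")
    drive, rest = ntpath.splitdrive(sender_name.replace("/", "\\"))
    if drive or rest.startswith("\\"):
        raise Rejected("drive or absolute path")
    root = ntpath.normpath(upload_dir)
    # normpath collapses "..", so a climb out of root changes the prefix
    target = ntpath.normpath(ntpath.join(root, rest))
    if not ntpath.normcase(target).startswith(ntpath.normcase(root) + "\\"):
        raise Rejected("escapes upload directory")
    taken = {ntpath.normcase(ntpath.normpath(p)) for p in existing}
    if ntpath.normcase(target) in taken:
        raise Rejected("would overwrite existing file")
    return target


def verdict(name, existing=()):
    """Describe what happens to one sender-supplied name under UPLOAD_DIR."""
    try:
        return "stored as " + restricted_target(UPLOAD_DIR, name, existing)
    except Rejected as why:
        return "rejected: " + str(why)


if __name__ == "__main__":
    on_disk = [r"C:\BBS\TEMP\GAME.ZIP"]      # constructed sample state
    for name in ("NEW.ZIP", r"SUB\NEW.ZIP", "game.zip", r"..\OTHER\FILE.DAT",
                 r"C:\OTHER\FILE.DAT", r"\OTHER\FILE.DAT", "AutoExec.Bat"):
        print(f"{name:22} {verdict(name, on_disk)}")
```

The prefix comparison appends a trailing backslash to the root so that a sibling directory such as C:\BBS\TEMP2 is not mistaken for part of the upload tree.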

The Fallout

I don't recall any great damage to KD's BBS, but since we knew that his user database had been downloaded by an unauthorized user (the “hacker”), he had to delete all the user accounts. He had every user log-in as new again to recreate their user accounts and made sure they knew that they were to use a new/unique password (and to change their password on other systems if they had used the same password on The Beast's Domain).

KD and I conducted some investigation into the attack and tried to determine who were the most likely culprits. Apparently some word of our investigation got out and motivated the attacker to send me an “admission of guilt”.

The Disclosure

On January 28, 1993, I posted this vulnerability disclosure to all Synchronet sysops (with a more detailed analysis/description here):

Subject: DSZ restrict parameter

Due to an unfortunate feature in DSZ, ALL Synchronet sysops must add the
'restrict' parameter to their DSZ batch upload command lines.

Example command lines for versions before v1b r1:

Your temp directory for each node should be set to "TEMP\" (the default).
Placing the temp directory on another drive will not work.

DSZ Ymodem Batch UL:	%!dsz portx %u,%i est 0 %e re rb %g
DSZ Zmodem Batch UL:	%!dsz portx %u,%i est 0 %e re rz %g
DSZ Ymodem-G Batch UL:	%!dsz portx %u,%i est 0 %e re rb -g %g

Example command lines for Version v1b rev 1 (no %g):

Temp directory can be on any drive or directory.

DSZ Ymodem Batch UL:	%!dsz portx %u,%i est 0 %e re rb
DSZ Zmodem Batch UL:	%!dsz portx %u,%i est 0 %e re rz
DSZ Ymodem-G Batch UL:	%!dsz portx %u,%i est 0 %e re rb -g

Quite unfortunately, some Synchronet sysops have known about this DSZ feature
and have kept it a secret so they could hack other Synchronet systems. What's
more sad is that they didn't even know the solution to protect their own BBSs.

If you suspect that your board has been hacked, call me voice and I'll help
you find out if it has or hasn't.

DM

The Admission

Sometime later, an anonymous user created an account on Vertrauen (which was *not* hacked) and uploaded a file (ADDMIS.ZIP) which reportedly contained an “addmission of guilt” [sic]. Here were the contents of the ZIP file:

12/13/1901  12:45 PM            21,979 NOTE.BIT
12/13/1901  12:45 PM             1,796 RUNME.COM
12/13/1901  12:45 PM               971 SAY.COM
12/13/1901  12:45 PM           128,398 VOICE.BIT
12/13/1901  12:45 PM            44,016 VOICE1.BIT
12/13/1901  12:45 PM            58,472 VOICE2.BIT
12/13/1901  12:45 PM            61,042 VOICE3.BIT
12/13/1901  12:45 PM            46,181 VOICE4.BIT

I was wary of running any executables uploaded by an admitted “hacker”, but out of curiosity I decided to run them on a completely isolated system. Upon running the RUNME.COM program, it displayed the following short blurb:

An Anonymous addmission of guilt.
Sound card not required

And then a crackly monotone voice screeched from my PC's speaker (I didn't have a “sound card” in those days). The voice eerily said:

Give credit where credit is due. Mithrandir, Disk Killer, Dirtbag, St. Elmo,
The Zipper, The Sidewinder, and Nighthawk, had absolutely nothing
what-so-ever to do with the hacking of the Synchronet boards in this area.

All me. No, I'm not going to tell you who I am. You'll find out someday,
I'm sure. Though I don't really give a shit. All of their accounts have been
used on various other boards.

The object was to gain information: phone numbers and addresses basically.
I could care less about passwords. I'm not into downloading files under
their names. Nothing like that. I'm also not into crashing boards or
deleting anything that you've got going right now. Completely passive.

I've been doing this for months...  and I would have continued to do it if
I wouldn't have gotten caught by King Drafus. Who would have known that he
would have been up at 4 o'clock in the morning. Geeze. Has he no life? Who
am I to talk? I was up at 4 o'clock in the morning doing it.

Ah, I've been into almost every board in the area. With the exception of
Seth Friedman's board. By the time I found out he was running a Synchronet
board, he wasn't running a Synchronet board. ha ha ha.

ohhh.. You'll hear from me again. Cause that little re code isn't the only
way you're gonna have to fix it to keep me out. But I'm only doing it for
fun and for information. Like I said, not to do any damage.

Tell ya what, next time I get into a Synchronet bulletin boards, I'll let
you guys know how I did it. Then you can fix it. Then I'll find another one.
Hey, this could be fun.

Take it easy. And don't be so damn paranoid.

Oh yeah, and a special note to King Drafus, he he.. I see you've had a little fun
yourself: ha ha ha

The next part was actually displayed on the screen:

This came from Beast Domain's 1.2Gb Hard Drive

Directory of C:\MODEM\QM41\UPLOAD

COMM     BAT        22 12-08-90   9:49p
DLZ	 BAT        49 12-08-90   9:49p
DONATE   ZIP      1229 10-31-90   1:51p
DSZ	 EXE      7568 08-07-90   7:48p
DUH	 ZIP     17306 02-14-91   6:41p
HACK     BAT        20 12-28-90   6:30p
LEPROSYB COM      1112 09-13-90  11:21p
MODS1    ZIP      7531 02-15-91   6:51a
NETNEWS  ZIP      7406 02-17-91  12:21a
NETWORK  COM     19740 08-03-90   8:24p
NETWORK  OBJ       752 07-26-90   5:18p
PROG     ZIP      5022 02-20-91   4:38p
PROG2    ZIP      5004 02-17-91   4:49a
TEST     ZIP      4428 01-01-91   6:56p
USERFILE ZIP       846 10-31-90   1:59p
CHKLIST  CPS        81 02-24-92   2:15a
16 file(s)      78116 bytes

The Reply

Since the “hacker” created a user account on Vertrauen, I decided to reply to that user account with my own transcript of the digitized voice files. Here is my reply with the quoted transcript:

Curiosity over-took me, so I put your upload onto floppy and ran it on a
diskless workstation.  I found your message (specifically, the delivery
medium) very entertaining. Since I don't have a PC sampler, I can't reply in
voice. So, I've quoted your message in text and am replying in text.

 > An Anonymous addmission of guilt.
 > Sound card not required

What can I say? I don't play games.

 > Give credit where credit is due. Mithrandir, Disk Killer, Dirtbag, St. Elmo,
 > The Zipper, The Sidewinder, and Nighthawk, had absolutely nothing
 > what-so-ever to do with the hacking of the Synchronet boards in this area.

The only person that was ever accused of any association with the Beast's
Domain hack was Disk Killer and Beemer, both privately accused - never publicly.
Both Disk Killer and Mithrandir had their beta licenses taken away because they
KNEW of the DSZ PREFIX hack method and never disclosed it to me. I can't prove
Disk Killer's involvement with the Beast's Domain hack, but I do have proof
that he knew about the hacking method and intentionally kept it a secret from
me. Mithrandir admitted knowing about the DSZ hack method and understood why
his beta license was removed - he then later protested, saying "I just found
out last week", which was just more lies.

I never suspected Dirtbag, St. Elmo, The Zipper (never heard of this guy. You
don't mean The Zapper, do you?) or The Sidewinder of having any involvement
with the Domain hack. Nighthawk was one of the users online at the time of the
hack, but the logs didn't indicate that account was used to download the user
data file, so he was removed from the suspect list soon after the hack. I've
never even mentioned these names in the same sentence, paragraph, or message
in regards to any Synchronet system hack. Don't know why they're so paranoid.
I got a couple messages from Nighthawk, saying "I'm innocent. I didn't have
anything to do with it."

Actually, it was Beemer's (Bill Wagstaff) account that was used to download the
user data file from Domain. And this account had a forced random password. So
I've been assuming that Bill Wagstaff was the actual hacker or let his account
be used by a hacker. Bill is an accomplished programmer and D Killer is more on
the "end-user" side of computer intelligence, so I'd say it was Bill Wagstaff
that was the prime suspect. Though he was never publicly accused of anything.
What would be the point? Also, the tools used in the hack (GIFDIR.COM,
TELIX.BAT, etc.) were obviously created by someone with some degree of
programming experience and these tools were found in the hands of Disk Killer
(he was "testing" them out on a fellow sysop). Whether he used them to really
hack any systems or not, or created them, or whatever, is irrelevant. He knew
they existed, that there was a way in, and didn't tell me. This, for obvious
reasons, violated our beta license agreement.

 > All me. No, I'm not going to tell you who I am. You'll find out someday,
 > I'm sure. Though I don't really give a shit. All of their accounts have been
 > used on various other boards.

Who you are isn't really important, unless you were a beta site or someone
else that I specifically trusted and had an agreement with. In my eyes, you
have every right to try and hack boards. I more or less, invite it. I'd rather
find out that it was possible sooner than later. I don't want Synchronet to
get the reputation of being easily hacked. This DSZ thing had gotten around
pretty good. I had been hearing about it (with no details) since August of '92.
Only after the Domain hack, did I know exactly what was happening and how.
Perhaps you didn't know that so many people were hip to it?

 > The object was to gain information: phone numbers and addresses basically.
 > I could care less about passwords. I'm not into downloading files under
 > their names. Nothing like that. I'm also not into crashing boards or
 > deleting anything that you've got going right now. Completely passive.

That's respectable.

 > I've been doing this for months...  and I would have continued to do it if
 > I wouldn't have gotten caught by King Drafus. Who would have known that he
 > would have been up at 4 o'clock in the morning. Geeze. Has he no life? Who
 > am I to talk? I was up at 4 o'clock in the morning doing it.

You should know that we computer-dudes never sleep.

 > Ah, I've been into almost every board in the area. With the exception of
 > Seth Friedman's board. By the time I found out he was running a Synchronet
 > board, he wasn't running a Synchronet board. ha ha ha.

You've never been into Vertrauen. Thank god. Seth lost his beta license just
because he was such a flakey sysop and never ran his system according to the
beta agreement (multinode, FidoNet, etc.).

 > ohhh.. You'll hear from me again. Cause that little re code isn't the only
 > way you're gonna have to fix it to keep me out. But I'm only doing it for
 > fun and for information. Like I said, not to do any damage.

Are you implying that you already know of other ways in? It's a pain in the ass
trying to find the gay "features" that are available in the BBS related
utilities (DSZ, PKZIP, etc.). Internal protocols, doors, etc. would eliminate
all those variables, but would also limit the functionality and extensibility
of the BBS software. It's a lose-lose situation. If you're running Global War
(for example), and it has a back-door, it doesn't matter how secure the BBS
software is. But if the stock configured package has a way in, that is bad
and certainly must be avoided at all costs.

 > Tell ya what, next time I get into a Synchronet bulletin boards, I'll let
 > you guys know how I did it. Then you can fix it. Then I'll find another one.
 > Hey, this could be fun.

And Synchronet would become an even more secure product. I would appreciate
the information. Not all hackers are as cordial and "nice" as you are. I'm
sure you can appreciate the amount of time and effort put into Synchronet.
With back-doors, it kind of makes the whole thing feel like a waste of time.
Why put in all the random passwords, uniqueness checking, etc. when some
external program has some stupid "feature" that lets you write wherever you
like on the current drive? Silly Chuck...

 > Take it easy. And don't be so damn paranoid.

I take it very easy. And I'm not paranoid.

 > Oh yeah.
 > and a special note to King Drafus, he he.. I see you've had a little fun
 > yourself: ha ha ha
 > This came from Beast Domain's 1.2Gb Hard Drive
 > Directory of C:\MODEM\QM41\UPLOAD
 > COMM     BAT        22 12-08-90   9:49p
 > DLZ	    BAT        49 12-08-90   9:49p
 > DONATE   ZIP      1229 10-31-90   1:51p
 > DSZ	    EXE      7568 08-07-90   7:48p
 > DUH	    ZIP     17306 02-14-91   6:41p
 > HACK     BAT        20 12-28-90   6:30p
 > LEPROSYB COM      1112 09-13-90  11:21p
 > MODS1    ZIP      7531 02-15-91   6:51a
 > NETNEWS  ZIP      7406 02-17-91  12:21a
 > NETWORK  COM     19740 08-03-90   8:24p
 > NETWORK  OBJ       752 07-26-90   5:18p
 > PROG     ZIP      5022 02-20-91   4:38p
 > PROG2    ZIP      5004 02-17-91   4:49a
 > TEST     ZIP      4428 01-01-91   6:56p
 > USERFILE ZIP       846 10-31-90   1:59p
 > CHKLIST  CPS        81 02-24-92   2:15a
 > 16 file(s)	   78116 bytes

What are we supposed to be angels? I'm sure those files were just for testing
the security of his own system when he was running WWIV, back in 1990. ;)

Keep this account open for communications (God forbid you would want to use
your REAL account here) between you and I. Let me know if you won't be calling
much with this account, and I'll give it the (P)ermanent exemption (keep it
from being auto-deleted after 90 days of inactivity).

Or call voice at 714-529-6328.

Later,
	Rob

Epilogue

This episode remains the widest Synchronet security penetration event to date, but if it weren't for the bizarre “admission of guilt” I likely would have forgotten all about it by now (21 years later).

I never did hear from the “hacker” again, nor did I ever figure out who it was, for sure.

See Also

history/hack93.txt · Last modified: 2016/02/29 18:36 by deuce
CC Attribution 4.0 International