Differences

history:hack93 [2014/12/27 01:19] – created (more gold found in a backup of Vert) digital man
history:hack93 [2016/02/29 18:36] (current) – [The Admission] Grammar 2.0 deuce
Line 1: Line 1:
 ====== Synchronet/DSZ "Hack" of 1993 ====== ====== Synchronet/DSZ "Hack" of 1993 ======
  
-In August of 1992, I began to hear rumors that there was a known vulnerability in Synchronet and some Synchronet BBSes were suspected to have been "hacked" (usually dial-up modems as was the means of the day). It wasn't until my good friend King Drafus' BBS ([[bbs:The Beast's Domain]]) was penetrated using this vulnerability that he and I were able to get to the bottom of it.+In August of 1992, I began to hear rumors that there was a known vulnerability in Synchronet and some Synchronet BBSes were suspected to have been "hacked" (using dial-up modems as was the means of the day). It wasn't until my good friend [[person:King Drafus]]' BBS ([[bbs:The Beast's Domain]]) was penetrated using this vulnerability that he and I were able to get to the bottom of it. This is that story.
  
 ===== The Vulnerability ===== ===== The Vulnerability =====
  
-A dubious and not-very-well documented feature of [[http://omen.com|DSZ]] allows the sender of a file to specify a path prefix to be be prepended onto the filename being stored on the receiving system thus allowing the sender to create or overwrite files outside of the intended destination directory (the intended destination directory is usually an upload or temporary directory not containing any sensitive system files). Adding a simple "re" (or "restrict") command-line option disables the PREFIX feature and eliminated the vulnerability. In hindsight, it really had nothing to do with Synchronet other than Synchronet had a dependency on external file transfer protocol drivers and this particular one (DSZ) had a significant security weakness in its default configuration.+A dubious and not-very-well documented feature of [[http://omen.com|DSZ]] (a popular file transfer program for BBSes of the time) allows the sender of a file to specify a path prefix to be be prepended onto the filename being stored on the receiving system thus allowing the sender to create or overwrite files outside of the intended destination directory (the intended destination directory is usually an upload or temporary directory not containing any sensitive system files). Adding a simple "re" (or "restrict") command-line option disables the "PREFIXfeature and eliminated the vulnerability. In hindsight, it really had nothing to do with Synchronet other than Synchronet had a dependency on external file transfer protocol drivers and this particular one (DSZ) had a significant security weakness in its default configuration.
  
 To be fair, the DSZ documentation (DSZ.DOC) does contain these notes about the ''restrict'' option: To be fair, the DSZ documentation (DSZ.DOC) does contain these notes about the ''restrict'' option:
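Review bot: the revised Vulnerability paragraph drops the closing quote in `"PREFIXfeature`; it should read `"PREFIX" feature`. The same sentence still carries the doubled "to be be prepended" and mixes tenses ("disables ... and eliminated"); "disables the PREFIX feature and eliminates the vulnerability" keeps both verbs in the present. Since this sentence is the page's core security statement, it is worth getting exactly right.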
Line 36: Line 36:
  
 KD and I conducted some investigation into the attack and tried to determine who were the most likely culprits. Apparently some word of our investigation got out and motivated the attacker to send me an "admission of guilt". KD and I conducted some investigation into the attack and tried to determine who were the most likely culprits. Apparently some word of our investigation got out and motivated the attacker to send me an "admission of guilt".
 +
 +===== The Disclosure =====
 +
 +On January 28, 1993, I posted this vulnerability disclosure to all Synchronet sysops (with a more detailed analysis/description [[ftp://vert.synchro.net/main/sbbs_arc/sbbshack.txt|here]]):
 +
 +<code>
 +Subject: DSZ restrict parameter
 +
 +Due to an unfortunate feature in DSZ, ALL Synchronet sysop must add the
 +'restrict' parameter to their DSZ batch upload command lines.
 +
 +Example command lines for versions before v1b r1:
 +
 +You temp directory for each node should be set to "TEMP\" (the default).
 +Placing the temp directory on another drive will not work.
 +
 +DSZ Ymodem Batch UL: %!dsz portx %u,%i est 0 %e re rb %g
 +DSZ Zmodem Batch UL: %!dsz portx %u,%i est 0 %e re rz %g
 +DSZ Ymodem-G Batch UL: %!dsz portx %u,%i est 0 %e re rb -g %g
 +
 +Example command lines for Version v1b rev 1 (no %g):
 +
 +Temp directly can be on any drive or directory.
 +
 +DSZ Ymodem Batch UL: %!dsz portx %u,%i est 0 %e re rb
 +DSZ Zmodem Batch UL: %!dsz portx %u,%i est 0 %e re rz
 +DSZ Ymodem-G Batch UL: %!dsz portx %u,%i est 0 %e re rb -g
 +
 +Quite unfortunately, some Synchronet sysops have known about this DSZ feature
 +and have kept it a secret so they could hack other Synchronet systems. What's
 +more sad is that they didn't even know the solution to protect their own BBSs.
 +
 +If you suspect that your board has been hacked, call me voice and I'll help
 +you find out if it has or hasn't.
 +
 +DM
 +</code>
  
 ===== The Admission ===== ===== The Admission =====
  
-An anonymous user created an account on [[bbs:Vertrauen]] (which was *not* hacked) and uploaded a file (''ADDMIS.ZIP'') which reportedly contained an "addmission of guilt" [sic]. Here were the contents of the ZIP file:+Sometime later, an anonymous user created an account on [[bbs:Vertrauen]] (which was *not* hacked) and uploaded a file (''ADDMIS.ZIP'') which reportedly contained an "addmission of guilt" [sic]. Here were the contents of the ZIP file:
  
 <code> <code>
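Review bot: the quoted disclosure in the new `<code>` block never says why, before v1b r1, the temp directory had to be "TEMP\" on the same drive, while v1b r1 (no %g) lifts that restriction; a sentence after the block explaining how the `re` parameter interacts with the temp directory and the `%g` placeholder would help readers who do not know DSZ. The posting is also quoted with its original typos ("ALL Synchronet sysop must", "You temp directory", "Temp directly"); since it is a historical quote, keep them but mark them with [sic], the convention the Admission section already uses for "addmission of guilt".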
Line 52: Line 89:
 </code> </code>
  
-I was weary of running any executuables uploaded by an admitted "hacker", but out of curiosity I decided to run them on a completely isolated system. Upon running the ''RUNME.COM'' program, it displayed the following short blurb:+I was wary of running any executuables uploaded by an admitted "hacker", but out of curiosity I decided to run them on a completely isolated system. Upon running the ''RUNME.COM'' program, it displayed the following short blurb:
  
 <code> <code>
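Review bot: "weary" to "wary" is the right correction, but "executuables" on the same line is still misspelled; it should be "executables".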
Line 62: Line 99:
  
 <code> <code>
-Give credit where credit is do. Mithrandir, Disk Killer, Dirtbag, St. Elmo,+Give credit where credit is due. Mithrandir, Disk Killer, Dirtbag, St. Elmo,
 The Zipper, The Sidewinder, and Nighthawk, had absolutely nothing The Zipper, The Sidewinder, and Nighthawk, had absolutely nothing
 what-so-ever to do with the hacking of the Synchronet boards in this area. what-so-ever to do with the hacking of the Synchronet boards in this area.
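Review bot: changing "do" to "due" edits text inside a `<code>` block that the page presents as the verbatim content of the uploaded file. If the block is a transcript, keep the original spelling and add [sic] (as the Admission section does for "addmission of guilt") rather than silently correcting it, so the record still matches the file and the linked video transcription.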
Line 285: Line 322:
  
 ===== See Also ===== ===== See Also =====
 +  * [[https://www.youtube.com/watch?v=XLmxJ8oleZI|Video of hacker's confession with transcription and explanation of audio restoration performed by Deuce]]
   * [[:person:King Drafus]]   * [[:person:King Drafus]]
   * [[http://omen.com|Omen Technology (maker of DSZ and inventor of ZMODEM)]]   * [[http://omen.com|Omen Technology (maker of DSZ and inventor of ZMODEM)]]
Line 290: Line 328:
  
 {{tag>}} {{tag>}}
- 
history/hack93.1419671999.txt · Last modified: 2014/12/27 01:19 by digital man
CC Attribution 4.0 International