Post Tue Dec 04, 2007 4:37 pm

Skillz Oct 07 Winning Entry - Technical

Dan Roberts

"Worst. Ethical. Hacker. Challenge. Ever."
Hacker Challenge Submission

Response by: Dan Roberts

Stolen customer records


At 19:03:58, the host 195.228.240.177 began harvesting customer information by calling the userreport.pl program with Lynx for each customer record specified by the uid parameter in the HTTP GET parameters.  71 requests were issued, 53 returned information (return code 200) and the remainder failed due to an internal server error (return code 500). 

The uids are derived from pi (3.141592653589...), which I suppose one could call "less rational" since it is the best known irrational number.  The first uid is 141592, the next is 653589, and so on.  The attacker simply had to try these numbers in sequence until he ran out of valid uids.  The internal server errors were caused by the invalid uids.  The hacker may have guessed Comic Book Guy's numbering scheme, since he all but gave it away in his response to Troy McClure's comment about the broken random number generator.

(There was also another clue to this, CBG had a "one million digits of PI" Firefox tab open while viewing Lisa's winning score - Kevin)

Impossible scores

Where does one begin?  First, the game trusts user input, a cardinal sin.  In addition, the correct choice is coded into the webpage's JavaScript, so the user has only to look at the source for the answer.  What's worse is that the timer is coded on the client side as well.  The attacker could either create his own HTML to submit with the correct answer and a zero value for TimeTaken, or use a proxy to intercept and alter the values in flight.

Bill Gates a mutant

The attacker utilized script injection on the comment page to replace the mutant image of UrukHai with a Bill Gates image.  The following script can be found under a posting by "Anonymous Coward" at 3:07:52 pm:

<script language="JavaScript"> document.MutantImage.src="http://www.lapooh.com/Mutant/gates2.gif";</script>

According to the log, the attacker came from 216.34.109.192.

How to fix it

1. Find a better way to produce uids; these should not be predictable, else this challenge demonstrates what can happen.

2. Implement game logic on the server side instead of placing it in the hands of the client, and never ever trust user input.

3. Validate user input to avoid mischief such as the DOM-based XSS attack seen in the challenge.

Hidden message

Using the pass phrase "Frisky Dingo" with STOOLS (both clues left in the game comments), I was able to reveal the secret message inside gates2.gif:

Dear Comic Book Guy -
Your amateur coding skills, demonstrated by your buggy, non-secure web application, do not demonstrate the level of intellect we would expect from a member of the Springfield MENSA chapter.  We met and voted to give you one last chance to remain in the club.
By finding this message, you have demonstrated some skills, and may remain a member.  But remember, Our Kung Fu is the Best.

Principal Skinner, Dr. Hibbert, Lisa Simpson, Professor Frink, Lindsey Naegle.


Congrats from all of us at EH-Net,
Don
CISSP, MCSE, CSTA, Security+ SME
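As an added illustration of the three fixes in the winning entry (unpredictable uids, server-side game logic, escaped comments) together with a defender's check for the uid-enumeration pattern seen in the challenge log, here is example code that is not part of Dan Roberts' submission or of the challenge application. The log lines, the date, the /cgi-bin/userreport.pl path and the second client address are constructed for the example; only the attacker address, the uid values and the Lynx user agent come from the write-up.

```python
import html
import re
import secrets
import time
from collections import defaultdict

# First 50 decimal digits of pi, used only to test whether an enumerated
# uid sequence follows the pattern described in the write-up.
PI_DIGITS = "14159265358979323846264338327950288419716939937510"

# Constructed Apache-style log lines (not the challenge's real log); the date,
# the CGI path and the 10.0.0.7 client are placeholders for the example.
SAMPLE_LOG = """\
195.228.240.177 - - [01/Oct/2007:19:03:58 -0500] "GET /cgi-bin/userreport.pl?uid=141592 HTTP/1.1" 200 812 "-" "Lynx/2.8.5rel.1"
195.228.240.177 - - [01/Oct/2007:19:03:59 -0500] "GET /cgi-bin/userreport.pl?uid=653589 HTTP/1.1" 200 799 "-" "Lynx/2.8.5rel.1"
195.228.240.177 - - [01/Oct/2007:19:04:00 -0500] "GET /cgi-bin/userreport.pl?uid=793238 HTTP/1.1" 500 412 "-" "Lynx/2.8.5rel.1"
195.228.240.177 - - [01/Oct/2007:19:04:01 -0500] "GET /cgi-bin/userreport.pl?uid=462643 HTTP/1.1" 200 805 "-" "Lynx/2.8.5rel.1"
10.0.0.7 - - [01/Oct/2007:19:05:10 -0500] "GET /cgi-bin/userreport.pl?uid=141592 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Oct/2007:19:05:12 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UID_RE = re.compile(r"userreport\.pl\?(?:.*&)?uid=(?P<uid>\d+)")


def find_uid_enumeration(log_text, min_distinct=3):
    """Group userreport.pl requests by client IP and flag clients that walk
    through many distinct uids.  Returns {ip: summary} for flagged clients,
    including how many requests hit a 500 (invalid uid) and whether the uids,
    in request order, are a run of pi's digits."""
    per_ip = defaultdict(list)  # ip -> [(uid, status), ...] in log order
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        u = UID_RE.search(m.group("path"))
        if u:
            per_ip[m.group("ip")].append((u.group("uid"), int(m.group("status"))))

    flagged = {}
    for ip, reqs in per_ip.items():
        uids = [uid for uid, _ in reqs]
        if len(set(uids)) < min_distinct:
            continue
        flagged[ip] = {
            "requests": len(reqs),
            "server_errors": sum(1 for _, status in reqs if status == 500),
            "follows_pi": "".join(uids) in PI_DIGITS,
        }
    return flagged


def new_uid():
    """Fix 1: an unpredictable customer id, 128 bits from the OS CSPRNG rather
    than a digit sequence anyone can look up."""
    return secrets.token_urlsafe(16)


class ServerSideGame:
    """Fix 2: the correct answer and the start time live on the server, so the
    browser can neither read the answer from page source nor report its own
    TimeTaken.  The clock is injectable so the logic can be tested."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._rounds = {}  # round token -> (correct answer, start time)

    def start_round(self, correct_answer):
        token = secrets.token_urlsafe(16)
        self._rounds[token] = (correct_answer, self._clock())
        return token  # only the opaque token is sent to the client

    def submit(self, token, answer):
        """Return (correct, seconds_taken); an unknown or reused token scores nothing."""
        round_ = self._rounds.pop(token, None)
        if round_ is None:
            return False, None
        correct_answer, started = round_
        return answer == correct_answer, self._clock() - started


def render_comment(comment):
    """Fix 3: escape a user comment before placing it in HTML, so a posted
    <script> tag is displayed as text instead of being executed."""
    return html.escape(comment, quote=True)
```

Run `find_uid_enumeration(SAMPLE_LOG)` and only 195.228.240.177 is returned, with one server error and `follows_pi` set, while the single lookup from 10.0.0.7 stays below the threshold. The threshold and the pi check are starting points for tuning against real traffic, not a finished detection rule.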