If it's good enough for the men's room



  • While cleaning old (hopefully) unused tables out of the database, I encountered a table called: accessflush. It's only referenced in the initialization code of the application, so I look at the table description and find:

      > describe ACCESSFLUSH;
    Name Null Type
    ---- ---- ----
    ACCESSCODE NUMBER

    > select * from user_col_comments where table_name='ACCESSFLUSH';
    TABLE_NAME COLUMN_NAME COMMENTS
    ---------- ----------- --------
    ACCESSFLUSH ACCESSCODE This is secure enuf for the mens room

    > select * from ACCESSFLUSH;
    ACCESSCODE
    ----------
    1234 // OP: anonymized, but this is the code to get into the men's room on our floor

    Naturally, the coder of this is long gone. I decide to see if it's really used, so since this is just development, I rename the table and launch the app. It crashes even before it gets going. There are no stack dumps, but the last line of the log is: you are flushed.

    A quick grep shows no such text anywhere in our source tree.

    Now I get out the microscope and start digging. 

    He didn't capture the exception and swallow the error message silently. He brought down the app - hard, by dynamically constructing the error string from a byte-array, dumping it to the log, and then exec'ing a "kill -9" to terminate the application without any of the shutdown handlers getting a chance to run.

    And the point of all of this? To replace a back door that was taken away from him during a previous audit.

    I just have to know, so I give it a try in the appropriate input field and sure enough, I get admin privileges without even entering a login.

    Although my boss is hopelessly honest, I tell him anyway. He bucks it up until the auditors at MegaCorp get wind of it and decide to come in for another, closer look at WTF Inc's applications.
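    An added example, not part of the original post: a small code-review aid that surfaces the two tricks described above, a log string assembled from a numeric byte array (so a grep for the text finds nothing) and a hard exit via `kill -9` that bypasses the shutdown handlers. The Java-style array syntax and the sample source are constructed for the demo, not taken from the app in the story.

```python
"""Scan source text for (a) integer arrays that decode to printable ASCII,
i.e. string literals hidden from grep, and (b) hard-kill / exec calls that
skip normal shutdown. Sample input below is constructed for this example."""
import re
from typing import List, Optional, Tuple

# Brace-delimited array of 4+ decimal or hex byte values, e.g. {121, 111, 0x75, 32}
_NUM = r"(?:0x[0-9a-fA-F]{1,2}|\d{1,3})"
BYTE_ARRAY = re.compile(r"\{\s*(" + _NUM + r"\s*(?:,\s*" + _NUM + r"\s*){3,})\}")

# Process termination that bypasses shutdown hooks (assumed Java-style API names)
HARD_EXIT = re.compile(r"(kill\s+-9|Runtime\.halt|getRuntime\(\)\.exec)")


def decode_array(body: str) -> Optional[str]:
    """Return the ASCII text if every value is printable, else None."""
    vals = []
    for tok in re.split(r"\s*,\s*", body.strip()):
        vals.append(int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10))
    if all(32 <= v < 127 for v in vals):
        return bytes(vals).decode("ascii")
    return None  # numeric data such as retry counts; not a hidden string


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Yield (line number, finding kind, detail) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in BYTE_ARRAY.finditer(line):
            hidden = decode_array(m.group(1))
            if hidden is not None:
                findings.append((lineno, "hidden-string", hidden))
        if HARD_EXIT.search(line):
            findings.append((lineno, "hard-exit", line.strip()))
    return findings


# Constructed sample: line 1 spells "you are flushed", line 2 is innocent data.
SAMPLE = """\
byte[] msg = {121, 111, 117, 32, 97, 114, 101, 32, 102, 108, 117, 115, 104, 101, 100};
int[] retries = {3, 5, 10, 20};
log.error(new String(msg));
Runtime.getRuntime().exec("kill -9 " + pid);
"""

if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```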




  • Imagine if he hadn't created a special table for it. Like, suppose he just stuck it in some configuration table under some inscrutable-but-innocuous-sounding name like "Flush attempt count before cache purge." Considering the part about dynamically constructing an error string from a byte array, I have no doubt he could have hidden the code to retrieve it well. Put the privilege-escalation payload into a binary library file that's used in a lot of places (say, a library full of utility functions) and mask the configuration names with XOR or some similar arithmetic scheme to break Ada Pro and similar analysis tools.

    It would never be found.



  • Not only a wtf but a security wtf.  Rather impressive, but he was no match for snoofle.



  • @Anketam said:

    Not only a wtf but a security wtf.  Rather impressive, but he was no match for snoofle.

    If it wasn't for the thrill of the hunt, I'm not sure I'd be so willing to dig into these things, mostly out of fear.

    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...


  • @snoofle said:

    @Anketam said:

    Not only a wtf but a security wtf.  Rather impressive, but he was no match for snoofle.

    If it wasn't for the thrill of the hunt, I'm not sure I'd be so willing to dig into these things, mostly out of fear.

    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...

    ... procreating ...




  • @snoofle said:

    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...

    To be fair this one at least managed to hide the message so that it wasn't completely obvious when looking for it.  I don't see why you are scared of people like this being out in society, I mean yeah they didn't do their job properly but they recognized that they should hide this fact.  Now if only someone could show them it takes less effort to do things properly...



  • @zelmak said:

    @snoofle said:

    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...

    ... procreating ...


    Often all at the same time.




  • The 80 year old widow manning the polling station was quite shocked.



  • @zelmak said:

    @snoofle said:

    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...

    ... procreating ...

    That's why stupidity perpetuates. Fucking it up is how that one works.

    More or less.



  • @snoofle said:

    Although my boss is hopelessly honest, I tell him anyway. He bucks it up until the auditors at MegaCorp get wind of it and decide to come in for another, closer look at WTF Inc's applications.


    Something good came of it, then. Assuming .... Well, do auditors tend to be competent? I can see reasons for auditors to work on the "Let's see how we can blame this on the one who reported it" philosophy. After all, it's not a problem until someone reports it, right?




  • @snoofle said:

    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...

    ...having the constitutional right to bear arms...



  • @blakeyrat said:

    The 80 year old widow manning the polling station was quite shocked.

    After the dust settled, they had to scrape together money to rebuild the wall he drove through.



  • @dhromed said:

    @blakeyrat said:

    The 80 year old widow manning the polling station was quite shocked.

    After the dust settled, they had to scrape together money to rebuild the wall he drove through.

    Luckily, no one was hurt, because they were the only two people at the polling station.



  • @Ibix said:

    @zelmak said:
    @snoofle said:
    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...
    ... procreating ...

    That's why stupidity perpetuates. Fucking it up is how that one works.

    More or less.

    There was an honorable mention once from Darwin Awards where a couple went to a doctor complaining she could not get pregnant.  Turns out they were doing it all wrong.  Unfortunately the doctor explained to them how to properly procreate so they only got an honorable mention.

    @Severity One said:

    @snoofle said:
    What scares me the most is that the folks who do stuff like this are out there, driving cars, voting, ...
    ...having the constitutional right to bear arms...
    This is actually a good thing, since they are likely going to shoot themselves, and thus remove themselves from the gene pool (and maybe even get a Darwin Award if they are creative enough).



  • @curtmack said:

    and mask the configuration names with XOR or some similar arithmetic scheme to break IDA Pro and similar analysis tools.
    FTFY.

    Snoofle, although you say they pay you handsomely there, somehow every day you convince us there's no way they can pay you enough. Your honor and dedication is a shining example to us all.



  • @blakeyrat said:

    The 80 year old widow manning the polling station was quite shocked.

    I was just trying to prevent hanging chads.



  • @TwelveBaud said:

    @curtmack said:
    and mask the configuration names with XOR or some similar arithmetic scheme to break IDA Pro and similar analysis tools.
    FTFY.

    Thanks, I always get it confused with the programming language for some reason...



  • @Anketam said:

    There was an honorable mention once from Darwin Awards where a couple went to a doctor complaining she could not get pregnant.  Turns out they were doing it all wrong. 

    Weird. This a "reverse Darwin"? An award for not actually increasing the size of the gene pool through stupidity?



  • @Cassidy said:

    @Anketam said:

    There was an honorable mention once from Darwin Awards where a couple went to a doctor complaining she could not get pregnant.  Turns out they were doing it all wrong. 

    Weird. This a "reverse Darwin"? An award for not actually increasing the size of the gene pool through stupidity?


    Wouldn't that be an un-reverse not-un-Darwin?



  • @curtmack said:

    @TwelveBaud said:

    @curtmack said:
    and mask the configuration names with XOR or some similar arithmetic scheme to break IDA Pro and similar analysis tools.
    FTFY.

    Thanks, I always get it confused with the programming language for some reason...


    Or this



  • @Ben L. said:

    @Cassidy said:

    @Anketam said:

    There was an honorable mention once from Darwin Awards where a couple went to a doctor complaining she could not get pregnant.  Turns out they were doing it all wrong. 

    Weird. This a "reverse Darwin"? An award for not actually increasing the size of the gene pool through stupidity?

    Wouldn't that be an un-reverse not-un-Darwin?

    Yes, it wouldn't.




  • @Cassidy said:

    @Ben L. said:
    @Cassidy said:
    @Anketam said:
    There was an honorable mention once from Darwin Awards where a couple went to a doctor complaining she could not get pregnant.  Turns out they were doing it all wrong.
    Weird. This a "reverse Darwin"? An award for not actually increasing the size of the gene pool through stupidity?
    Wouldn't that be an un-reverse not-un-Darwin?
    Yes, it wouldn't.

    Hence why they only got an honorable mention and not a Darwin Award.  Personally I would give the doctor an anti-Darwin Award for stupidly adding two idiot people back into the gene pool.



  • @Anketam said:

    Personally I would give the doctor an anti-Darwin Award for stupidly adding two idiot people back into the gene pool.

    "What's that?"

    "It's an Anti-Darwin Award, which I'm going to give to you."

    "It looks remarkably like a clue-by-four with spikey nails"

    "Yes. Yes, it does.. doesn't it?"

