/* SBBSHACK.TXT */

The real story behind hacking Synchronet via DSZ
------------------------------------------------
by Digital Man 01/28/93

Sorry about supporting the continued misuse of the term "hack", but it appears the definition of the term has been altered permanently. I wanted to make sure that everyone knew what I was talking about, and "hack" seems to be the best description using the common terminology of today.

This information actually pertains to ANY BBS software that allows external protocols (specifically DSZ).

How To
~~~~~~

Hacking in general always comes down to one loophole that allows the hacker to either read or write some information somewhere that causes a security breach. In the case of the Synchronet/DSZ loophole, it is a writing loophole.

DSZ allows a path prefix to be sent inside the Ymodem/Zmodem header block that contains the file name, file length, etc. This is the "PREFIX=" parameter. For detailed information see DSZ.DOC.

What this means is that if someone uploads a file to a system using "PREFIX=..\" as one of the DSZ command line parameters, DSZ on the receiving end will try to place the file in the previous directory instead of the current directory of the specified download path.

*************
* Example 1 *
*************

Sender:   dsz port 2 sz PREFIX=..\ test.zip
Receiver: dsz port 1 rz

This would create "..\test.zip" on the receiver's end (in the previous dir).

*************
* Example 2 *
*************

If the full path and filename are specified on the receiving end, this doesn't work.

Sender:   dsz port 2 sz PREFIX=..\ test.zip
Receiver: dsz port 1 rz c:\dl\test.zip

This would try to create "..\c:\dl\test.zip" which, of course, isn't a valid path.

*************
* Example 3 *
*************

But, if only a download directory is specified, then the PREFIX parm works.

Sender:   dsz port 2 sz PREFIX=..\ test.zip
Receiver: dsz port 1 rz c:\dl\

This would create "c:\dl\..\test.zip" (c:\test.zip).
Individual uploads to Synchronet have the complete path specified, so the PREFIX loophole doesn't work with individual uploads. But, batch uploads on Synchronet (prior to v1b r1) specify the receive directory only (the temp directory). So hackers using DSZ (with the PREFIX argument) and batch uploads can write to any directory of the drive where the node's temp directory is located (by default, this is the same drive as the NODE directory).

For example, if each node has the default temp directory configured ("TEMP\", which means "TEMP" off of the node directory, e.g. "C:\SBBS\NODE1\TEMP"), then the hacker could write a file to, say, "..\..\EXEC" or "..\..\..\DOS" or anywhere else on the current drive.

Once this freedom to write anywhere on the drive is established, the hacker can overwrite common executables (PKUNZIP, GIFDIR, COMMAND.COM, etc.) and have these programs shell the hacker to DOS, transfer the user data base, format the drive, or whatever. Of course, this assumes that the temp directory is on the same drive as the other BBS directories or other vulnerable executables.

How to Patch the Hole
~~~~~~~~~~~~~~~~~~~~~

There are several ways to defeat this hacking method. The simplest way is to include the "restrict" parameter (abbreviated "re") on the DSZ batch upload command lines. This disallows receiving files to any drive other than the current one, or to any directory higher (closer to root) than the current directory. This works perfectly with the default temp directory ("TEMP\") since it is lower than the current directory.

A silly side effect of the restrict parameter is that COMMAND.COM and AUTOEXEC.BAT cannot be received. Another dumb thing about the restrict parameter is that it won't write to another drive or higher directory EVEN if it was specified on the LOCAL side. This means that the sysop must use the default temp directory "TEMP\" (with versions before 1b rev 1 of Synchronet).
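The following is an added example, not DSZ or Synchronet code: it models what a receiver given only a download directory (Examples 1 and 3 above, and the pre-1b r1 batch upload) ends up creating when the remote name carries a PREFIX= component, and the confinement check that the "restrict" parameter effectively applies. The directory names and the x.zip file name are constructed sample values; ntpath is used so the DOS path rules hold on any host.

```python
import ntpath

def receive_target(download_dir, remote_name):
    """Path the receiver creates for 'rz <download_dir>': the remote-supplied
    name, PREFIX= component included, is appended to the download directory
    (Example 3: "c:\\dl\\" + "..\\test.zip" -> "c:\\test.zip")."""
    return ntpath.normpath(ntpath.join(download_dir, remote_name))

def is_confined(download_dir, remote_name):
    """True only if the resolved target stays at or below download_dir.
    This is the effect of DSZ's 'restrict' parameter: a higher directory or
    another drive is refused, a subdirectory of download_dir is allowed."""
    # A drive letter or a leading backslash in the remote name would replace
    # the download directory outright; refuse those up front.
    if ntpath.splitdrive(remote_name)[0] or remote_name.startswith("\\"):
        return False
    base = ntpath.normcase(ntpath.normpath(download_dir)).rstrip("\\") + "\\"
    target = ntpath.normcase(receive_target(download_dir, remote_name))
    return target.startswith(base)

# Constructed samples: the page's transfer plus the default node temp directory.
SAMPLES = [
    ("c:\\dl\\", "test.zip"),                          # plain upload
    ("c:\\dl\\", "..\\test.zip"),                      # Example 1/3: lands in c:\
    ("c:\\sbbs\\node1\\temp", "..\\..\\exec\\x.zip"),  # climbs to the EXEC dir
    ("c:\\sbbs\\node1\\temp", "sub\\x.zip"),           # lower directory: allowed
    ("c:\\dl\\", "d:\\x.zip"),                         # other drive: refused
]

def audit(samples=SAMPLES):
    """Return (target, accepted) per sample, as a sysop checking a log would."""
    return [(receive_target(d, n), is_confined(d, n)) for d, n in samples]

if __name__ == "__main__":
    for (d, n), (target, ok) in zip(SAMPLES, audit()):
        print(f"{'ACCEPT' if ok else 'REFUSE':6} {n!r:30} -> {target}")
```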
There are more complicated methods of defeating the DSZ loophole (such as subst'ing your temp directory to a root directory), but none provide any better protection than the above method.

Version 1b rev 1
~~~~~~~~~~~~~~~~

With version 1b rev 1 and later, Synchronet actually changes the current drive and directory to the temp directory and receives files into the current directory. So the temp directory can reside on any drive or directory tree. A side effect of this modification is that unregistered versions of DSZ can now use batch uploading! Of course, Ymodem-G still requires registered DSZ.

The DSZ batch upload command lines are also a bit different with this release because they now receive into the current directory. The temp directory (%g) is now NOT specified on the batch uploads.

Possible Defamation
~~~~~~~~~~~~~~~~~~~

There were some Synchronet sysops who have known about this DSZ loophole for many months and have chosen to keep it a secret from the author (me). What's really funny is that these guys didn't even know how to protect their own BBSs from the loophole, but still chose to not notify me. Weird.

Anyway, some of these secretive sysops were beta sites. Needless to say, they have lost their beta licenses and some are not too thrilled about it and still emphatically deny any knowledge of this loophole. So, if you hear or read anything outrageously negative about me or Synchronet from any former beta sites, you'll know why.

/* End of SBBSHACK.TXT */