I don’t write much in my blog because I don’t have many interesting stories to share. Today I am kind of bored and want to talk about an old story. I want to talk about some crypto, security and Gangnam Style in a single post. As you know, the Gangnam Style video was my inspiration to prank students. After I had pranked them during their presentation, I was looking for something big. It had to be something that would affect everybody in the school, and yet it shouldn’t be traceable back to me. Challenge accepted!
Our school has a main computer which handles everything, such as the database and the bell ringing. So I had to get access to that computer to plant my software so that it would play the Gangnam Style song during the exam. I couldn’t ask for permission because I knew that the answer would be no. I couldn’t physically access the computer because it was locked in the administration office. I had to access it remotely. Since that computer is regularly updated, remote exploits were a no go. How were the administrators managing that computer? They were managing it using VNC. VNC is remote control software that allows you to control other computers. Stop here if you think VNC is magical software that controls every computer. VNC is software that must be installed on the server computer so that you can use client software to control the machine. I needed to find the VNC password so that I could connect to the server computer.
Brute forcing every password would take too much time and would also increase the load on our network. I had to do it cleanly and neatly. I had to find another way to get access to the computer, at least enough access to get the VNC password. The server has Windows XP and runs Apache, PHP and MySQL. Because nobody bothers to download Apache, PHP and MySQL separately, most Windows users use WAMP or one of its derivatives. I checked WAMP vulnerabilities and found a candidate for the attack. WAMP creates a WebDAV directory named /webdav with username: wampp and password: xampp. I downloaded a WebDAV client and checked whether the default username and password were still there. YES! I could upload any file to the WebDAV directory. Because the server has PHP installed, I had remote code execution.
I downloaded the RealVNC software and checked how it stores the server password. RealVNC stores the encrypted server password in the HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver key, in a value named Password. I searched the internet and found out that it is encrypted with the DES algorithm using the key 23,82,107,6,35,78,88,7.
I needed to get the content of that registry key so that I could decrypt it and get hold of the VNC server. It sounds easy :) I wrote a simple PHP script to get the key from the registry. I first tried using the registry class of PHP, but it didn’t work. So I just executed reg.exe, dumped the content of the registry key to a file, read the file and displayed it as the password. The code was messy but it worked. I had the encrypted server password. I could have coded my own DES decrypter, but why reinvent the wheel? There are a couple of DES decrypters online and I used one of them that I don’t remember. I put in my encrypted password, hit decrypt and got the key. I tried to connect to the server and typed my password. BOOM! Wrong password!
I had the password, so how could it be wrong? I tried different decrypters, but the result was the same password and it was still not accepted. I stopped for a while and tried different things in my test environment with a VNC server: different authentication mechanisms and different passwords. However, it was still not working. Finally I checked the contents of the encrypted key again. It was not 8 bytes long. That meant the server had a long password. So I divided the encrypted key into 8-byte blocks, decrypted them separately and concatenated the results. It worked because VNC was using DES in ECB mode. In ECB mode the blocks are independent of each other and can be decrypted separately. As a side note, using ECB with block ciphers is bad. However, for this implementation it wouldn’t matter because we already have the DES key. For more information about cipher modes please check the Wikipedia article.
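To make the ECB point concrete, here is an added example (not code from the original post) that splits a value into 8-byte blocks and runs single DES over each block independently, then shows that a lone block decrypts to the same bytes as when the whole value is decrypted, and that repeated plaintext blocks produce repeated ciphertext blocks. The 8-byte key and the sample password are constructed for the demo, and zero padding is an assumption, since the post does not describe the store’s padding rule.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// ecbApply runs one DES block operation over every 8-byte block of data.
// No block's input depends on any other block, which is exactly why
// "split the stored value into blocks and decrypt each one" worked.
func ecbApply(key, data []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key) // single DES, 8-byte key
	if err != nil {
		return nil, err
	}
	if len(data)%des.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(data), des.BlockSize)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		} else {
			block.Encrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		}
	}
	return out, nil
}

func encryptECB(key, pt []byte) ([]byte, error) { return ecbApply(key, pt, false) }
func decryptECB(key, ct []byte) ([]byte, error) { return ecbApply(key, ct, true) }

// padZero pads to a whole number of blocks. The real store's padding rule is
// not described in the post, so zero padding is an assumption for this demo.
func padZero(p []byte) []byte {
	n := (des.BlockSize - len(p)%des.BlockSize) % des.BlockSize
	return append(append([]byte{}, p...), make([]byte, n)...)
}

func main() {
	key := []byte("constkey")                  // constructed demo key, not the key quoted above
	pw := padZero([]byte("longpassword1234")) // 16 bytes: two DES blocks
	ct, _ := encryptECB(key, pw)
	whole, _ := decryptECB(key, ct)
	first, _ := decryptECB(key, ct[:8]) // decrypting a lone block still works
	fmt.Printf("whole: %q\nfirst block alone: %q\n", whole, first)
	// The ECB weakness: equal plaintext blocks give equal ciphertext blocks.
	rep, _ := encryptECB(key, padZero([]byte("aaaaaaaaaaaaaaaa")))
	fmt.Printf("identical ciphertext blocks: %v\n", string(rep[:8]) == string(rep[8:]))
}
```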
I had the VNC password and it was working. The next thing was setting up the program so that it would run during the chemistry exam and play the music. The program had to leave no traces and shouldn’t be visible. Therefore I coded a simple application which ran in the background checking the time, and when the time was right (17/11/2012 8:30) it played 11 seconds of the Gangnam Style song. After the song was played, the executable first deleted the MP3 and then deleted itself.
Even though some students suspected me, none of the teachers did. The funny thing is that one of the teachers asked what had happened, and the administrator said that workers were testing the speakers, so they played that song as a test. I said, yeah, damn workers :) Students asked me whether I did it or not, and of course I couldn’t tell a lie, so I told them.
Lessons Learned and Notes
- I wrote this post in a hurry. Therefore grammar Nazis can email me for my mitsakes.
- All the bugs I mentioned were closed after I reported them. So kids, don’t try this at home.
- Always check the documentation (RTFM) for any kind of default password and change them immediately.
- There is nothing more dangerous than a bored person.
- I think next term I will be pretty bored :)