UCSB Packet Captures - PowerPoint PPT Presentation

Slides: 11
Provided by: Chris9

Transcript and Presenter's Notes

Title: UCSB Packet Captures


1
UCSB Packet Captures
  • LCDR Chris Eagle

2
Password Exposures
  • Be careful with your passwords
  • Many teams used their own passwords to try to get
    into other teams' similar services
  • Luckily in most cases, the other team did not
    notice

3
Examples
  • 10.30.10.99 advertised its own guestbook key to
    10.40.0.99,
      • turned around and used it in a number of attempts
        against other teams
      • but only against the query service
          • 10.20.10.99,
          • 10.10.10.99,
          • 10.50.10.99
  • 10.30.10.99 advertised its query key to
    10.50.10.99 twice

4
Defcon XI - rootfu
  • LCDR Chris Eagle

5
Ads Service
  • Flag location
  • Team flags were appended to the end of JPG data
    stored in BLOB format within the ads database
  • Attack via mysql and ads database
  • Must understand BLOB manipulation
  • For my team, the wrong flag was in place at the
    start of the competition
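
An added example, not part of the original presentation: separating an image BLOB from any bytes appended after it by walking the JPEG markers to the real end-of-image marker, which is the check needed when auditing image columns for trailing data. The function name `split_jpeg_trailer` and the sample bytes are constructed for illustration; a plain search for FF D9 is not enough because those bytes can also occur inside a segment payload.

```python
import struct

def split_jpeg_trailer(blob: bytes):
    """Walk JPEG markers from SOI to the real EOI; return (image, trailer)."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("BLOB does not start with a JPEG SOI marker")
    pos = 2
    while pos + 1 < len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: the image ends here
            return blob[:pos], blob[pos:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                            # stand-alone markers, no length
        if pos + 2 > len(blob):
            break
        (seg_len,) = struct.unpack(">H", blob[pos:pos + 2])
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len                          # length counts its own 2 bytes
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            while True:
                pos = blob.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= len(blob):
                    raise ValueError("truncated JPEG: no EOI after scan data")
                nxt = blob[pos + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos += 2                    # stuffed 0xFF or restart marker
                elif nxt == 0xFF:
                    pos += 1                    # fill byte
                else:
                    break                       # next real marker
    raise ValueError("truncated JPEG: EOI marker not found")

# Constructed sample: a structurally valid marker stream (not a decodable image).
SAMPLE = (
    b"\xff\xd8"                                  # SOI
    b"\xff\xe0\x00\x09JFIF\x00\xff\xd9"          # APP0 whose payload contains FF D9
    b"\xff\xda\x00\x03\x01"                      # SOS header
    b"\x12\xff\x00\x34\xff\xd0\x56"              # scan data with stuffing and RST0
    b"\xff\xd9"                                  # real EOI
    b"FLAG-constructed-0001"                     # appended trailer
)
if __name__ == "__main__":
    print(split_jpeg_trailer(SAMPLE)[1])
```

A non-empty trailer on a stored image is the signal to inspect; writing back only the first element of the returned pair removes it.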

6
Portal Service
  • Flag hidden in Careers area under job "Flag"
  • Attack through mysql and portal database

7
News Service
  • Flag in the news area of the website
  • Content of article entitled "Flag"
  • Attack through mysql ghnews database

8
MySQL
  • Many flags stored in mysql databases
  • Database configuration knowledge was essential

9
Other Attacks
  • Buffer overflow in search.cgi
      • Advisory published 6/11/03
      • WITH EXPLOIT CODE!
  • Accessed from main portal page
  • Invoked by httpd, so gains user www access
  • But this is enough to log in to mysql databases
      • IF you know the user/passwords

10
Search.cgi
  • I have yet to track this problem down
  • search.cgi is an a.out binary
  • Compiled C code
  • Mnogosearch-3.1.20 directory in /home/portal
    contains source
  • Many uses of strcpy and sprintf
  • Vuln described at
    http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-06/0018.html