Wednesday, 25 January 2017

Administrator: Friend Still in Failure

Can you hear a banging noise?... No... Are you sure?... I can... Oh no, wait, that's my head slamming into the desk.

A few weeks ago I posted about a friend for whom I uncovered a security loophole: the Python script being run as root...

Well, it seems the same person, on their main "enterprise windows server", has been similarly hacked by the same chap, but this time the trick was this one.... http://megalomaniacbore.blogspot.co.uk/2016/04/windoze-security-loop-hole.html

Yes, a loophole I had mentioned and blogged about.

The loophole was exposed by a C# program the chap had written for them. I'm not sure what it did, but it was run as a service and could spawn other programs under the same user; he'd written it so that it ran any program in a sub-folder, then before he'd left he made it run a VLC remote desktop and another small program which opened a "Save As" dialog.

It opened this way, way off screen, at something like location 20000 x 4500. So the only indication it was there was a small twitch to the task bar, but he used the mouse to browse the dialogue to the command executable and opened himself a prompt as the administrator user.

I didn't spot this, and I didn't even look at this machine for my mate. Instead, over the weekend I had a machine at home I was using as a network routing test, and I asked for some space on a remote server with a fat pipe to do a slow-loris type attack on my software.

I set up my end and set up their end, expecting to get something like 200mb/sec attacking me and swamping my little 64K buffer (I could then scale and tune my software to defeat this kind of attack, was the plan).

What I noticed was that I only got around 8mb/sec coming to me, so with my remote session I did a little digging and saw the disk activity was around 34%, with no-one in the office?!??!

The developer they'd let go was running a torrent service from the machine! He was downloading and seeding several video streams of dubious merit and origin.

I didn't change anything; I just called my friend and explained... And I left it there; I'm yet to hear what was going on.

However, I think my friend will be having a word with the IT Admin he's had in place for nearing a month for not spotting that, out of hours and at weekends, this persistent idiot is still infiltrating and using their systems as his own repository.

I've told them three times now to unplug everything and to put a secure router between their switch and the outside world, something brand new and only set up by them, pfSense perhaps, but they've not listened.
