/* SBBSHACK.TXT */

	      The real story behind hacking Synchronet via DSZ
	      ------------------------------------------------
			   by Digital Man  01/28/93


Sorry about the support of the continued misuse of the term "hack", but it
appears the definition of the term has been altered permanently. I wanted to
make sure that everyone knew what I was talking about and "hack" seems to be
the best description using the common terminology of today.

This information actually pertains to ANY BBS software that allows external
protocols (specifically DSZ).


How To
~~~~~~
Hacking in general always comes down to one loop-hole that allows the hacker
to either read or write some information somewhere that causes a security
breach. In the case of the Synchronet/DSZ loop-hole, it is a writing loop-hole.

DSZ allows a path prefix to be sent inside the Ymodem/Zmodem header block that
contains the file name, file length, etc. This is the "PREFIX=" parameter.
For detailed information see DSZ.DOC. What this means is that if someone
uploads a file to a system using "PREFIX=..\" as one of the DSZ command line
parameters, DSZ on the receiving end will try to place the file in the previous
(parent) directory instead of the current directory of the specified download
path.

*************
* Example 1 *
*************

Sender: 	dsz port 2 sz PREFIX=..\ test.zip

Receiver:	dsz port 1 rz

This would create "..\test.zip" on the receiver's end (in the previous dir).

*************
* Example 2 *
*************

If the full path and filename are specified on the receiving end, this doesn't
work.

Sender: 	dsz port 2 sz PREFIX=..\ test.zip

Receiver:	dsz port 1 rz c:\dl\test.zip

This would try to create "..\c:\dl\test.zip" which, of course, isn't a valid
path.


*************
* Example 3 *
*************

But, if only a download directory is specified, then the PREFIX parameter works.

Sender: 	dsz port 2 sz PREFIX=..\ test.zip

Receiver:	dsz port 1 rz c:\dl\

This would create "c:\dl\..\test.zip" (c:\test.zip).

Individual uploads to Synchronet have the complete path specified, so the
PREFIX loop-hole doesn't work with individual uploads. But, batch uploads
on Synchronet (prior to v1b r1) specify the receive directory only (the temp
directory). So hackers using DSZ (with the PREFIX argument) and batch
uploads can write to any directory of the drive where the node's temp directory
is located (by default, this is the same drive as the NODE directory).

For example, if each node has the default temp directory configured ("TEMP\",
which means "TEMP" off of the node directory, e.g. "C:\SBBS\NODE1\TEMP"), then
the hacker could write a file to, say, "..\..\EXEC" or "..\..\..\DOS" or
anywhere else on the current drive.

Once this freedom to write anywhere on the drive is established, the hacker
can overwrite common executables (PKUNZIP, GIFDIR, COMMAND.COM, etc) and have
these programs shell the hacker to DOS, transfer the user data base, format
the drive, or whatever. Of course, this assumes that the temp directory is
on the same drive as the other BBS directories or other vulnerable executables.

How to Patch the Hole
~~~~~~~~~~~~~~~~~~~~~
There are several ways to defeat this hacking method. The simplest way is to
include the "restrict" parameter (abbreviated "re") on the DSZ batch upload
command lines. This disallows receiving files to any drive other than the
current or any directory higher (closer to root) than the current directory.
This works perfectly with the default temp directory ("TEMP\") since it is lower
than the current directory. Another silly side effect of the restrict parameter
is that COMMAND.COM and AUTOEXEC.BAT cannot be received. Another dumb thing
about the restrict parameter is that it won't write to another drive or
higher directory EVEN if it was specified on the LOCAL side. This means that
the sysop must use the default temp directory "TEMP\" (with versions before
1b rev 1 of Synchronet).

There are more complicated methods of defeating the DSZ loop-hole (such as
subst'ing your temp directory to a root directory), but none provide any better
protection than the above method.
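As an added example (not part of the original text, nor code from DSZ or
Synchronet), the following Python models the batch-upload case from Example 3
and the "restrict" rule described above: it resolves where a header file name
carrying a "..\" prefix would land under a receive directory, and applies the
containment check a receiver needs so that nothing can be written outside that
directory. The receive directory, header names and function names are
assumptions constructed for the demonstration.

```python
import ntpath


def resolve_receive_path(receive_dir, header_name):
    """Path DSZ would write to when only a receive DIRECTORY is given
    locally (the batch-upload case): the name from the Ymodem/Zmodem
    header, prefix and all, is joined onto that directory and then
    normalized, so '..\\' components collapse exactly as DOS would.
    DOS-style paths are handled with ntpath so this runs on any host."""
    return ntpath.normpath(ntpath.join(receive_dir, header_name))


def restrict_allows(receive_dir, header_name):
    """Emulate the 'restrict' rule from the text: the received file must
    land inside receive_dir (same drive, never a directory closer to
    root), and the header name may not carry its own drive letter or
    root.  receive_dir is assumed to be a full DOS path."""
    drive, tail = ntpath.splitdrive(header_name)
    if drive or tail.startswith(("\\", "/")):
        return False
    base = ntpath.normcase(ntpath.normpath(receive_dir))
    target = ntpath.normcase(resolve_receive_path(receive_dir, header_name))
    # Case-insensitive containment check; the trailing separator stops
    # 'C:\SBBS\NODE1\TEMP2' from passing as inside 'C:\SBBS\NODE1\TEMP'.
    return target.startswith(base + "\\")


# Constructed sample: the default node temp directory from the text and
# header names a sender could produce with PREFIX=..\ (or deeper).
RECEIVE_DIR = "C:\\SBBS\\NODE1\\TEMP"
SAMPLES = [
    "test.zip",                      # ordinary upload, stays in TEMP
    "..\\test.zip",                  # Example 3 prefix: lands in NODE1
    "..\\..\\EXEC\\PKUNZIP.EXE",     # reaches the EXEC directory
    "..\\..\\..\\DOS\\COMMAND.COM",  # reaches the drive root
    "D:\\COMMAND.COM",               # another drive entirely
]


def audit(receive_dir=RECEIVE_DIR, names=SAMPLES):
    """Return {header_name: (resolved_path, allowed_under_restrict)}."""
    return {n: (resolve_receive_path(receive_dir, n),
                restrict_allows(receive_dir, n)) for n in names}


if __name__ == "__main__":
    for name, (path, ok) in audit().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {name!r:32} -> {path}")
```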

Version 1b rev 1
~~~~~~~~~~~~~~~~
With version 1b rev 1 and later, Synchronet actually changes the current
drive and directory to the temp directory and receives files into the current
directory. So the temp directory can reside on any drive or directory tree.
A side effect of this modification is that unregistered versions of DSZ can now
use batch uploading! Of course, Ymodem-G still requires registered DSZ.
The dsz batch upload command lines are also a bit different with this release
because they now receive into the current directory. The temp directory (%g)
is now NOT specified on the batch uploads.

Possible Defamation
~~~~~~~~~~~~~~~~~~~
There were some Synchronet sysops who have known about this DSZ loop-hole for
many months and have chosen to keep it a secret from the author (me). What's
really funny is that these guys didn't even know how to protect their own
BBSs from the loop-hole, but still chose to not notify me. Weird.

Anyway, some of these secretive sysops were beta sites. Needless to say, they
have lost their beta licenses and some are not too thrilled about it and still
emphatically deny any knowledge of this loop-hole. So, if you hear or read
anything outrageously negative about me or Synchronet from any former beta
sites, you'll know why.

/* End of SBBSHACK.TXT */


