-
May 14th, 2004, 08:21 PM
#1
Penetration Testing...from the inside...
I work for a retail store which caters to many of the western states. Our main goal is to "provide entertainment to mid-sized communities."
The company, hereafter referred to as the Company, uses all manners of technology to expedite the sales process. Computers control inventory, till audits, payroll, scheduling, price control, POS, timeclock, and inter/intra-store email.
PART ONE:
Each associate is assigned a PID (Payroll ID) and with that a set of security permissions. The Company system is a custom frontend sitting on top of SCO. Each cash register and floor computer is networked to the store server in the back room. That computer in turn is connected to the Home Office, in an undisclosed state.
The interesting part about our system is that it is one system on top of another. This means that one way of bypassing the security is to bypass the system altogether.
When the server starts up, it automatically logs itself in as "manager", the equivalent to root in the Company system, since all files have the Unix permissions of "manager". From there you are landed into the main screen, where you would log in with your PID to each of the submenus.
One of the options on the submenu is the Lynx Browser, used by us to browse the corporate intranet site. (You may wonder how one could come by this option, as it is located in a password protected submenu, but the employees frequently leave this menu open.) One of the glorious features of Lynx is that, by pressing the ! key, you are dropped into a shell. Normally, this would not be such a big deal, since one would typically have the same permissions, but in this case, it is very BAD.
This little feature, overlooked by the corporate programmers, allowed one to browse the store server in complete Unix power. One could change till audits (which could lead to un-noticed theft), change inventory (which would lead to un-noticed theft), change payroll info (which would lead to un-noticed theft) EVERYTHING.
In theory, since the systems are all networked, one could transfer their session over to the corporate server (same permissions, no password) and send out nationwide commands. You know what shutting down every computer in 30 states could do for a business? A lot of damage.
Thankfully, my ambitions are not so evil. After some browsing around (and finding out I am the least paid employee there), I reported the flaw to corporate, who in turn fixed the exploit (on a temporary basis - more later) and quietly shushed me. Just goes to show how even big businesses can let stupid things go past them.
Part Two will be written upon review of the comments made about this post.
~Em
P.S. - I am still the lowest paid employee.
-
May 14th, 2004, 08:23 PM
#2
Moved from Security Tutorials to Misc Security Discussions. This is not a tutorial.
-
May 14th, 2004, 08:28 PM
#3
And I thought my "tut" was bad. embro1001, I suggest you read the forum descriptions or post a little more info on your topic. Trust me, I know.
-
May 14th, 2004, 08:33 PM
#4
Is this a question... or the title of a book? Or umm...
-
May 14th, 2004, 08:34 PM
#5
If, by the phrase "from the inside", you mean from the inside of the perimeter to the outside, (ie. public network), I would suggest that would be a lot like cleaning your teeth from the "wrong" end.......
Are you referring to an internal security audit which provides information about the ease with which an attacker could move through the network if he penetrated the trusted zone, or how easy it is to move and elevate privileges if you start in the trusted zone? Or are you referring to testing the egress rules your perimeter devices place on outgoing traffic?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 14th, 2004, 08:37 PM
#6
-
May 14th, 2004, 08:39 PM
#7
-
May 14th, 2004, 08:44 PM
#8
embro1001, for future reference, why not write the tutorial up in Notepad or some other editor and then post it?
-
May 14th, 2004, 08:46 PM
#9
Ahh.... The meat.....
They "shushed" you..... That was nice of them..... Do you have a review coming up? I'd be inclined to have a little "whine session" if you do not receive an excellent review and pay raise.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 14th, 2004, 08:47 PM
#10
Written on a Pocket PC during English class....my bad.