
Impulse 9

BSides Warsaw · 2017 · 45:49 · Published 2017-10

About this talk
Author: Łorys Bącki

Transcript [en]

Let's do a calculation in a commission way. No. Does it work? The question is whether the slip returns 0 or 1. Who bets? Who bets that it will work? Okay, we'll see. It will turn out that on Mac it's time in minutes, not seconds. There will be a problem. In American minutes, yes. I have stickers from the Radare project to distribute. I have a unique collector's edition pad. And three T-shirts: two XLs, and one is also from the collector's edition, 2XL. This is probably the last one. You can make it into a tent or whatever. In the meantime, I will switch, because there was a little confusion in the agenda. My name is Łorys Bącki. I work at LogicalTrust every day. Unfortunately Mateusz couldn't be here with us. I'll try to replace him. He left me weird slides made in Chrome, which is also interesting, because this technology looks more or less like this: there are tabs here. Some of the pictures are enigmatic; I will improvise at most. The whole technology is interesting. In the meantime, it's done, so we'll start. I'll show you how a professional presentation looks. Unfortunately, I have a microphone in my hand, so the typing speed is a bit limited. But I'd like to keep it in my hands. So it looks like... If I accidentally closed it, Mateusz would have prepared a backup with notes. Here are notes that nobody is going to read, especially... funny and funny from BSides. I'll enlarge the console and let the last row tell me if it's visible or not. OK? I mean, enlarge or not? I have poor eyesight and I can't see you, so I'm expecting a sound message. OK, let's start. Also, because it's Chrome, it doesn't work to change the slides. There are some weird shortcuts to change the slides. If I got it wrong, I'm sorry. And the question is: does anyone know how to change the tab? Control + Tab. Bravo. I'm pressing Ctrl+Tab, yes.

The first slide is not standard, because this applause should go to the Security BSides organizers, who organize it for the sixth time, taking everything on their own shoulders. Also huge applause for all presenters, lecturers, whatever, yes, because they do it pro publico bono and share with the community, so also great applause.

And the forgotten actor... Well, there's a person here who doesn't pay attention to what I'm saying because he doesn't know Polish. So I'll just say: Cooper, this one is for you. Thank you for streaming. If you remember BSides before the era of Cooper, you remember the quality of the stream and the videos on YouTube. We also managed to do a completely different conference with Afriko than the Black Hat one. A little bit about Mateusz. He is my guru. The best security expert in Poland. He has his blog. He agrees with everything he says. Who knows this blog? Someone knows it. Three people know it. At least we won't be sorry for him. He also clicks in open source projects, in PHP and NetBSD, but I won't ask you who knows NetBSD and what you think about PHP, because he will be sorry when he watches the stream. And he lives in an interesting city. Who will guess where this photo is from? Not Katowice. Sosnowiec, someone said. Bytom. Bytom, yes. The shortest tram line in Europe, and the oldest. Another interesting fact: in Bytom, if someone has billions of bitcoin or carding, it shows you where to invest in lofts. Exactly. A year ago, there was a talk about BSD. But I told him that he doesn't care about BSD. He wanted to show remote code execution on OpenBSD, installed out of the box. But we decided to expand our story about red teaming.

And the question is: who saw my presentation at 1:30 p.m.? Someone saw it. I'm a little bit pale now, so I look a little bit different. The glasses are not broken, so everything is fine. And this will be the story about... And this is the first riddle. Where does this photo come from? From a specific portal? BadSector, who said BadSector? Since... If you can hide it from someone, I assume that 2XL doesn't interest you. So, the XL goes to... Sorry, give it to the back, thank you. It won't be rocket science; if someone watches presentations, especially by Poles from various conferences, I will not mention one of them whose presentation style we will do here. The story is that there was a red-teaming order, which involved a medium-sized company of up to 30 employees. The boss said: "Do what you want, but don't pick more than two members of the board, because there will be no representation. Don't pick seniors, because no one will raise production. Besides that, the sky is the limit." Mateusz put this slide in out of anger. So, what does a red-teaming order look like? Usually we have a console where we observe how someone enters the location. The most important point of this observation, when someone enters the console, is our colleague. There is an observation of whether the man has not filled in. But apart from observing the trunk, we also scan. We run other intelligent and dangerous programs on the port. In this case, we have TOP. So what did we get from these scans? It turned out that this company has an infrastructure composed of one IP address, which had an Apache server with a static HTML page and an SSH server of the newest patched version. It turned out that the employees of this company are fans of QuakeWorld, Quake 1. The question is: which of the options should we attack? Apache, which had its last RCE error 15 years ago; OpenSSH, also 15 years ago, a well-known American error discoverer; or Quake? What would you choose? So we looked at the client and said that here is Apache, the analysis will cost about 2 million dollars. He nodded a little bit, that maybe Quake. We reluctantly agreed.

We got into Quake, especially because I'm a huge fan of this game. I play with people here in the anonymous room almost every day. He is one of the best Quake players, some would say, in every country. Russia, very good. That was too easy. What's interesting, Russians play with 100-150 ping and they let everyone in the West go crazy. I was looking for that word, thank you. Pay attention to the typical round backs of the players, which you probably... Maciej, because I have already traveled on the spine, take care of the spine, because it is important. It is also the case that other countries are involved in Quake, and in Poland there is a scene, I think it's even more intense than in the last 5 or 10 years. Scandinavia, Brazil, USA, other strange countries. A quick question: who thinks that Quake is for bunnies and Duke Nukem is... I'll remember you, because you won't get the T-shirt. It was a surprise. I will show you how Quake looks. I was supposed to have internet, but I prepared a backup plan. Currently Quake is ported to many platforms. One of the most popular clients is SQuake. Let's turn it on. We will turn it on on Mac and connect to the server I prepared earlier. It listens on localhost, but it's actually a virtual machine I've just started up here. I've just forwarded the connections. Oh, something's stuck. Oh no, okay. So we connect to our server. It looks like this. I don't know if you can see it. The game hasn't changed in the last 20 years. It was released in 1996 or 1997. It was a revolution at the beginning, not in the context of multiplayer games, but in the context of single-player games, but it's still alive thanks to multiplayer. It's also the first game where all objects are 3D. For those who like Duke Nukem, the information was darkened in 3D: monsters were flat sprites. So if someone didn't like it, they played Duke Nukem; if someone was one of the best, they played Quake. I can, as a curiosity, while I'm loading, turn on the single player. Let's go out. Who? Someone played this game? Someone passed, okay. And the current record, as I watched on YouTube, is 17 minutes on speedrun. But the guy there really makes such stories that your head will explode. Like, he jumps on grenades. The game is obviously brutal and caused controversy. You shoot dogs, you shoot guards. You can shoot an attacker and kill yourself. Or not? Well, it's hard. They killed me. But let's go back to our red teaming example. Is there anyone in the room who hasn't played? And at least one person won't admit it. This is a game from the series that gimbusy don't know. But you played in three. Who told you that? I will show you the one I used after the lecture. So it's fine.

Ok, let's go back to the presentation. Ok, I respect that. Question for... Ok, let's assume that the shirts ended quickly. How old is this man in the picture? I'm laughing because someone guessed it already. Who said that it was Carmack? How do you know if you haven't played? So, this is John Carmack, one of the most well-deserved characters in terms of graphics. They came up with amazing hacks on PCs and other platforms to pull out the latest features. They came up with formats, trees for faster rendering, etc. Another interesting fact is that he was one of the few people who had a 3 or 2 inch telescope monitor in 1997. He is a great figure; he left id Software. His grades have dropped a bit. He worked at Oculus. He left it and was accused of stealing the intellectual property of Oculus, so it is possible that he will soon end up where Adam's acquaintances from the presentation. It is also interesting that he had such a "drive to the computer" that at the age of 14 he broke into school to steal a computer and spent a year... So if your child breaks in at the age of 14, don't beat him, but stab him. And the question is: who is this man in the middle? Who said that? This is for the shirt. This is also XL, right? Not 2XL? Oh, wow, listen. At least it's a cover. Yes, he's also a great character in the industrial scene. This dog is interesting. Why does he have red eyes? I don't know. I don't know if he has allergies or... Yes, from the flash. Okay, so... There's no magic here, and I don't know who this lady is. Maybe... Oh, it's not her! I suspect she could be the partner of this man, but I'm not sure. And if you see in Quake, which I'll show you live, on DM4, when we go to DM4... or map dm4, as long as it works here. Yes? Okay. Here you can see the logo, that the team logo hit the nail. So, the ammunition for the weapon. We go from here, we get the cursor and we come back here. Okay. The answer is: the pseudonym of the person who published the classic article in Phrack magazine. Aleph One. XL or 2XL? Aleph One published it in July, and Quake was published in late June, so in theory Carmack didn't know about buffer overflows and how dangerous they are. There is a book that I highly recommend, it's called "Masters of Doom", which tells the story of id Software. I read it with tears in my eyes. One of the best books I've read in the last decade. If someone likes to cry into a pillow, I recommend it. And that's why the engine was revolutionary in many places, because the game is easy to play, hard to master.

And it turns out that when players played Rock 2.5 or 2.20, they started hacking the game in a way that discovered that, for example, the game miscalculated the speed vector when jumping with strafe, which I won't show you here, I'll leave the video on YouTube: the speed of the player magically increases. The same mistake was in Half-Life, and I think Half-Life used the CS engine... the classic one. And it seems that in 1.6 strafe jumping was removed and the players were offended and turned away. It was a mistake in the game. It's a curiosity from a weird category. At the moment there are Quake players who can accelerate to cosmic speeds in the air, but I, despite playing for a few years, can't do it. Maybe it's because of my mobility. Quake also has a policy that when the game was already on the lamous, the game code was available, which allowed mods and fixing errors. It was also a nice gesture, because thanks to that the game was not filled with Windows 95, but is still portable. The doubt here is only that it is a GPL license, which I do not like, because it is known that every sensible project uses BSD very well. Yes, and there was a time when, as I mentioned, the game was single-player. One day Carmack decided that he has an idea how to speed it up. Because until then, to play sensibly on the Internet, you had to meet in one room. Here again, the gimbusy don't know, but in fact, it was about friends with computers, monitors, keyboards. Even a person who, when getting out of the tram, dropped a CRT monitor. So these were big actions. But he came up with the idea that it's not worth carrying a computer from friend to friend. I will do it so that it will be possible to play through the Internet, through modem, etc. Here is another dry joke. Mateusz, so let's move on. There are still players who actually play it. As I mentioned, servers are in different countries, like the United States, Brazil, etc. But let's go back to... If you connect to the server, I showed you. The last curiosity. It turned out that id Software was running its own blog. And it was running it in such a way that... Who knows the finger service? And fingerd? There was a .plan file and we could ask the server for the user's name, so id Software used it as a replacement for WordPress, which was supposed to be created in 10 years. So they managed to do it, and let's go back to our red-teaming example.

Well, one of the ways, I'll just mention one thing here, that each today's, relatively modern Quake server consists of two basic modules: the MVDSV server and the KTX server, which makes game modes possible and makes 150 things easier. And this is a de facto standard. And this client's server also used this software. One way is to read it from A to Z, finding all the errors and exploiting them. But as we know, using memory corruption through a network on a binary which we don't know much about is complicated and risky in this case, because this server worked in one process. There was no fork per client in the process, so when we put it down, the administrator... I hope that when you make a core file on the disk, you will analyze it. So we decided to try not to look for memory corruptions that are in this code and are exceptionally... that it wasn't really programming, but if someone added one line to the client, they could run any command on the server, and that was exactly what we wanted to achieve. The problem was that there were no details. So what to do? We took... Hello? Can you hear me? Continuing, this patch looks at least a bit weird, because there are some white spaces fixed, and here we fix something, and there we fix something. In fact, it's not really known where the error was, but there is a line that lights up the red light. I'll just find it here. Here it is: "Warning: full access to server console". Well, it sounds suspicious that someone has attached this to this commit. We analyzed it and it wasn't known where the error was. When you analyze this function, it turns out that the code is triggered only when the player is the administrator of the Quake server. We weren't the administrator of Quake, so how could we do it? To understand what will happen in a moment, you need to understand that when a player joins the server, he sends a packet containing information about what I am called, if I have red trousers, etc. In addition, some special variables are selected, which are marked by a prefix with a star. And it turns out that when we read this code and wanted to become an administrator... Here is the code responsible for verification. At first glance it is just a dummy, because here is a comparison of the secret with what the user has given, which is not constant-time. So it can be exploited via the network, sending 2 billion attempts at the password. What do you think, did we use this error or another? Of course, there were other errors. The server has the option to set the last mode in which the player was. And the bad thing is that when we connected, we could declare that my last type was administrator type. And notice that there was a clever check that checked if someone was trying to make a fool of us, but someone happily commented it out. So whether it's a backdoor or not, we don't know. But if we set the appropriate variable mm to mMode_rcon, we will become an administrator. I know it sounds a bit cosmic, but when you go to bed at home, you will analyze it.

And we wrote a simple patch that added the variable ml to... So my last mode was equal to 4, so we have recompiled rcon, we have received a client that works in the following way: I will connect to the server again, connect 127, and interestingly, IPv6 is working. No. Quake will stop working soon. Because we know that IPv6 is behind the belt. So when we connect to the server, we use a patched Quake. If we type in M_MODE_LAST, we should become an administrator, i.e. have this rcon mode. But to check if we have it, let's use the status command. I don't have any information here because I'm not an administrator. Let's run our complicated exploit, mModeLast. And suddenly it turns out that we have become an administrator of Quake. Because here the administrative commands are issued in a server-to-server mode. If we type here "say status", I already have information about the player and so on. And that's cool, because we could have put the client on the server, dig out all the players and play alone. But I suspect that if we gave it to the client, he would wave his hand and say that he takes the risk on his chest. And he would probably take it, so we sat down again to the code, because we didn't know how to get to a shell.

I decided to read it from A to Z, file after file, and read. Until, in Mateusz's eyes, there was a command in the program: "Whoever finds the error receives a penalty". This is a typical error that is shown in internet cameras. When you type instead of an IP... "shell injection", who said it? Two, okay, great. So you have a sticker from Radare. Indeed, here is a shell injection that could only be started by the administrator. So it turns out that the Quake server has magical scripts that are used to compress demos or other stories, and the person who clicked on it went the easy way and accepted everything that was coming from the player. Apart from the averages that are checked on another level. Let's see if we can actually get to a shell. I would like to check the averages. If I run the "say" script... No, it's... I could run it... It's an experiment right now.

Improvisation doesn't work. We pour it and try to use it to make a shell. It was a server on Debian. We decided to take good old nc, netcat, and make a shell. Let's do it. I have to type say script here. Here we type anything pipe nc -e bin sh. So we bind on the port: -l -p 9999. A shell, which we will connect to. I also forwarded it before; I will show you that I am not lying. Port 9999 to the server immediately. I'm showing it already. Network. Interestingly, forwarding ports is in the Advanced tab. And indeed, 9999 is switching to the virtual machine on 9999. If I try to connect it now, it probably won't work, at least I hope so. We connect, 001, 9999, we got that... There shouldn't be a sexit here. Aha, because the connection is taken by VirtualBox, but VirtualBox connects there and claims that it falls and doesn't disconnect. Attention! We'll start this and see what happens. According to what Kamil said, the demos on presentations don't work. So who says it won't work? Two people. Okay, attention. This? Terminal? Just a second. Attention. 3, 2, 1. I started. I enter the magic id command. Tada! It's a shell. And this is what happened with the client. I'll tell you about the script in a moment. But here I'll also show you the demo. It's like this. Attention, I'm turning on something like this. And it's like this.

But this is the topic I prepared for the needs of another conference. This is a regular file, a suite, which I don't know if I have or not. I'll show it right away. So, well. Exactly. Postscriptum: a patch we made, which we pushed into the project almost two and a half years ago. When I announced it to the developer, he said: "Oh, that's serious. So, listen, make a patch and commit it so that nobody knows." And that's what happened. The problem is that there is no one great repository that everyone uses; it's not installed from a package in Ubuntu or any other system, so the only option... The first thing we did was to visit the post office. I assume that for 2.5 years the servers were already being patched and that's why we're talking about it. So it was a simple patch. A huge discussion was started: what are we doing here, some hardening of Quake, why, what for, who, that we can still break it with other methods. And attention, if anyone knows a Brazilian, he found this commit. So if you are listening to us now, then I would like to send greetings. Who knows, maybe he can already program. On the server it was like this: the server had a separate machine and it worked happily with root permissions. The good thing was that there was nothing besides Quake, besides the LDAP service. And from this LDAP we went to other servers.

We talked about the problem with abandoned software. If you have any idea how to fix anything in abandoned software, I would like to hear it. One option is YOLO and breaking into all servers and patching them. And who set up a Quake server on an insulin pump, and we will kill anyone. So we gave up the idea, waited 2 years, we take the body out of the closet, so if you manage a Quake server, fix it. What can this story teach us? First of all, let's not start services as root, because it's 2017, so everyone probably knows about it. Anyway, if someone once connected to IRCnet as root, by default they got K-lined as root. There is another interesting story, which was mentioned by Borys. It is a story with an administrator who decided to take this whole thing and he treated it personally. So here's a small appeal that if you do something wrong and we prove it, it's not to show incompetence, but to make the world better for all of us. Who agrees with this statement? Please, the sticker. I also have a T-shirt. It will be in a moment. I will either come up with questions or not, but first I will ask you if there are any questions.

Listen, there is an interested person. For the courage and the first question. Okay, let's hold on for a moment. Thanks for the presentation, great. I notice some similarities. Although your glasses are a bit confusing, I wanted to know if you and Borys are brothers? If someone has watched Twin Peaks, it's more or less a combination between the White Lodge and the Black Lodge. So, a little bit yes, a little bit no. Plus it's... Or not important. I won't tell you on the forum. No, no, no. After the stream. Are there any other questions? There's a friend in the back who's a bit shy. When was Quake 2? When was Quake 2? So Quake 2 was the biggest failure of id Software. The slowest game for slugs, simply boring. We won't take care of it for any amount. There's no... I will go around for a while. Thank you for your attention.
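As an added example (not code from the talk, nor from the MVDSV or KTX projects), here is a small server-side model of the two weak spots the talk describes, each next to its hardened form: admin mode restored from a client-supplied "last mode" variable with the sanity check commented out, and an admin-only script that hands a client-supplied name to a shell. The key `*mmodelast`, the mode numbers and the compression helper are assumptions standing in for what the talk calls mModeLast and the demo script.

```python
import hmac
import re

MODE_PLAYER = 0
MODE_RCON = 4  # hypothetical numeric value of the admin (rcon) mode


def parse_userinfo(info: str) -> dict:
    """Parse a backslash-delimited Quake userinfo string (\\key\\value...)."""
    fields = info.split("\\")
    if fields and fields[0] == "":
        fields = fields[1:]
    if len(fields) % 2:
        raise ValueError("malformed userinfo: odd number of fields")
    return dict(zip(fields[0::2], fields[1::2]))


def connect_unsafe(info: str) -> dict:
    """Flawed pattern: the server trusts a client-controlled 'last mode' key,
    and the range check that would catch it is commented out."""
    ui = parse_userinfo(info)
    mode = int(ui.get("*mmodelast", MODE_PLAYER))
    # if mode != MODE_PLAYER: mode = MODE_PLAYER   # <- the disabled check
    return {"name": ui.get("name", "unnamed"), "mode": mode}


def connect_hardened(info: str) -> dict:
    """Server-owned state never comes off the wire: star-prefixed keys sent by
    the client are dropped and every new connection starts as a plain player."""
    ui = {k: v for k, v in parse_userinfo(info).items() if not k.startswith("*")}
    return {"name": ui.get("name", "unnamed"), "mode": MODE_PLAYER}


def rcon_login(client: dict, supplied: str, secret: str) -> bool:
    """The only way into rcon mode: a constant-time password comparison,
    so response timing leaks nothing about how many bytes matched."""
    if hmac.compare_digest(supplied.encode(), secret.encode()):
        client["mode"] = MODE_RCON
        return True
    return False


def is_admin(client: dict) -> bool:
    return client["mode"] == MODE_RCON


# Hypothetical compression helper: argv is returned, not executed, so the
# example stays offline; the point is that no shell ever sees the name.
DEMO_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def demo_compress_argv(client: dict, filename: str) -> list:
    """Admin-only demo compression with an allowlisted name and argv (no shell)."""
    if not is_admin(client):
        raise PermissionError("rcon mode required")
    if not DEMO_NAME.fullmatch(filename):
        raise ValueError("rejected demo name")
    return ["gzip", "-k", filename]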

[ feedback ]