
What happened behind the closed doors at MS


Presented by Dimitri van de Giessen in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

Published in: Technology


  1. How MS responded when they were hacked. A real life POV story by @DimitriNL
  2. Last email quote, “Microsoft Security Response Center”, 2018.04.28: “The team is asking that you not use the SAM information or Microsoft's name. Ultimately the decision is yours.”
  3. What you will see in this DefCamp talk 2018: Drama, Mystery, Action, and some NSFW. As far as I know this is not available on:
  4. Who am I now: Dimitri, 37 years, married, a baby girl of 11 months, living in The Netherlands. My hobbies: snowboarding & cooking. EC Council CHFI (Computer Hacking Forensic Investigator). System Engineer. Working/worked for Dutch Government, Healthcare, Multinationals and …..
  5. My dog “Rada”
  6. WHAT I WILL DISCUSS: Who was I. What did I do. Why go to the press. How MS responded. What happened next.
  7. BACK TO THE YEAR 2000: LET’S STEAL MICROSOFT’S MOJO
  8. Who was I: Age 19 years. Living at my parents' house. Work: ICT service company, playing with firewalls, freelance pentester. Study: System Engineer. Hobbies: Wing Chun Kung Fu & ...
  9. My hobbies: discovering new and using existing ways of hacking Microsoft Internet Information Server, Site Server, FrontPage extensions, Commerce Server & Index Server. For example: CVE-2006-1257 Microsoft Commerce Server: Authentication bypass, https://vuldb.com/?id.29228. 2002 Found - 2003 Reported - 2003 Fixed - 2006 Full disclosure
  10. Online & offline activities. Newsgroups: Bugtraq & more. Websites: SecurityFocus, Attrition & Packetstorm. Books books books: Networking & Red Hat & Windows books. To be in contact: IRC (DUH). Playing games: Delta Force
  11. EXTRA EXTRA READ ALL ABOUT IT
  12. Contact with “Microsoft Security Response Center”: 2000.05.30 First contact: sample files were used on www.microsoft.com. Second contact. Third contact. Fourth contact.
  13. First Security Notice Report to Microsoft 2000.05.30: Sample files on Microsoft.com (source code disclosure, ASP files) http://www.microsoft.com/indonesia/MBICC/search/query.htm
  14. Contact with “Microsoft Security Response Center”: 2000.05.30 First contact: sample files were used on www.microsoft.com. 2000.05.31 Second contact: standard installed servers: forum.microsoft.com & windowsce.microsoft.com. Third contact. Fourth contact.
  15. Second Security Notice Report to Microsoft 2000.05.31: Standard installation of IIS 4 (everything was possible) http://forum.microsoft.com https://windowsce.microsoft.com
  16. Contact with “Microsoft Security Response Center”: 2000.05.30 First contact: sample files were used on www.microsoft.com. 2000.05.31 Second contact: standard installed servers: forum.microsoft.com & windowsce.microsoft.com. 2000.08.15 Third contact: database passwords found on *.microsoft.com. Fourth contact.
  17. Third Security Notice Report to Microsoft 2000.08.30: Passwords found on several servers of *.microsoft.com (source code disclosure, ASP/ASA files)
  18. Contact with “Microsoft Security Response Center”: 2000.05.30 First contact: sample files were used on www.microsoft.com. 2000.05.31 Second contact: standard installed servers: forum.microsoft.com & windowsce.microsoft.com. 2000.08.15 Third contact: database passwords found on *.microsoft.com. 2000.10.22 Fourth contact: access to several *.microsoft.com servers.
  19. Fourth Security Notice Report to Microsoft 2000.10.22: Access to several *.microsoft.com servers.
  20. Fourth Security Notice Report to Microsoft 2000.10.23: Second email to Microsoft
  21. No answer after 4 days
  22. Possible scenarios of what they were thinking
  23. 1 NOVEMBER 2000: 11 days no answer. Time to do something
  24. Why go to the press. Reason 1:
  25. Why go to the press. Reason 2: Microsoft doesn’t update their systems.
  26. The press wanted proof. So what do you post as proof for the world to see? https://youtu.be/Cipc8EowshY?t=12s
  27. 7 NOVEMBER 2000: News article goes online
  28. Some quotes from the first news article: “The latest breach was minor by comparison and was fixed almost immediately, the company said.” “The server, which was nearing its scheduled retirement age, suffered from not having received a new software update, or "patch," that was issued Oct. 17, Sohn said. Microsoft has corrected the problem, he added.” "It's a challenge when you run a major network with many servers. Even though this server was near retirement, we would have preferred that it had the patch. It's certainly the exception and not the rule; this one fell through the cracks."
  29. After a few days: What do you post when you see the post is gone but the servers are still not patched? https://youtu.be/CduA0TULnow?t=1m28s Oopsididitagain.htm: Patching your systems is very hard huh. MSG to Britney: I loved your concert in the Netherlands
  30. Some quotes from the second news article: "We want to start a dialog with Dimitri.” “We would like to know why Dimitri feels he needs to challenge us this way."
  31. Meeting at Microsoft in The Netherlands: What did my welcome look like
  32. What we discussed: The well known Unicode Directory Traversal Exploit. 2000.10.18: Rain Forest Puppy investigated the anonymous forum post on Packetstorm and made a perfect explanation of the vulnerability. 2000.10.18: The same evening me and some friends also posted on NTBugtraq with details on what you can do with it. For example, you don’t need to use only the “scripts” folder; you can also use the “MSADC” folder, which is installed by default on the C drive. More often used. The Scripts folder was usually installed on the D drive.
  33. Access on the following servers: Windowsupdate.microsoft.com, 128download.microsoft.com, Events.microsoft.com, Insider.microsoft.com, Library.microsoft.com & more
  34. The damage control questions from MS: Did you do any damage? No. Did you upload viruses? No. Did you create backdoors? No. Why did you do this? Updating systems is a difficult task for system admins. Also for MS.
  35. My recommendations to MS in the year 2000: Start a Microsoft Security Response Center in Europe. Features & samples in IIS (and Windows in general) default “off” and not “on”.
  36. Microsoft's last words at the meeting: If you find more vulnerabilities in the future let us know. Keep in touch at Microsoft The Netherlands.
  37. Email quotes “From MS spokesman with love”: “All press contacts about your activities that concern Microsoft are now over. All communication about hacking Microsoft through you to press goes through Microsoft."
  38. Email quotes “From MS spokesman with love”: "If we are approached by the press, our comments will be that we have indeed spoken to each other, but that we will not make further statements about this conversation."
  39. Email quotes “From MS spokesman with love”: "From the US they have responded with approval to our conversation. I think - and I mean that - that you're getting away with this too easily without charges."
  40. What did my employer think about it: I should have gone to my manager before exposing my findings, to say that I had access on *.microsoft.com. They could have Microsoft as a customer. They planned a meeting at the airport behind customs with Compaq.
  41. What happens if you refuse?
  42. I needed a break. What is the best place to work and have fun?
  43. Working in the club scene
  44. My workspace
  45. My workspace
  46. But what happened in 2003?
  47. But what happened in 2003? I found a vulnerability in Microsoft Commerce Server: CVE-2006-1257
  48. Timeline vulnerability. 2003.03.10: Meeting at Microsoft The Netherlands with Proof of Concept. 2003.03.31: Official escalation of the vulnerability. Microsoft is busy with a fix. 2003.04.15:
  49. Timeline vulnerability. 2003.03.10: Meeting at Microsoft The Netherlands with Proof of Concept. 2003.03.31: Official escalation of the vulnerability. Microsoft is busy with a fix. 2003.04.15: Fix in Service Pack. 2003.04.26:
  50. Timeline vulnerability. 2003.03.10: Meeting at Microsoft The Netherlands with Proof of Concept. 2003.03.31: Official escalation of the vulnerability. Microsoft is busy with a fix. 2003.04.15: Fix in Service Pack. 2003.04.26: Microsoft: No call out for the reporter. 2003.04.27: No “call out”, then I will not give my support. 2003.04.28:
  51. Timeline vulnerability. 2003.03.10: Meeting at Microsoft The Netherlands with Proof of Concept. 2003.03.31: Official escalation of the vulnerability. Microsoft is busy with a fix. 2003.04.15: Microsoft: Fix in Service Pack. 2003.04.26: Microsoft: No call out for the reporter. 2003.04.27: Me: No “call out”, then I will not give my support. 2003.04.28: Microsoft: bla bla, customers bla bla. 2003.04.28:
  52. Timeline vulnerability. 2003.03.10: Meeting at Microsoft The Netherlands with Proof of Concept. 2003.03.31: Official escalation of the vulnerability. Microsoft is busy with a fix. 2003.04.15: Microsoft: Fix in Service Pack. 2003.04.26: Microsoft: No call out for the reporter. 2003.04.27: Me: No “call out”, then I will not give my support. 2003.04.28: Microsoft: bla bla, customers bla bla. 2003.04.28: Me: Only the sun rises for free; I’m only asking for a “call out”. 2003.05.06: Microsoft: KB article in the service pack will have the “call out”. 2003.08.26: Microsoft released the Service Pack & security bulletin regarding the vulnerability.
  53. Top questions. Most asked: “Did you hack Microsoft?! Are you rich?” “Can you hack somebody’s hotmail for me?” “Can you hack a bank for me?” Strange questions: “Can you crash a train for us to make a documentary about hacking?” “Can you hack a pigeon breeder website for me?”
  54. Bucket list: Hack Microsoft. Receive call out in a Microsoft product. Meet Britney Spears. Going worldwide with my talk: DefCon Skytalks (USA, Las Vegas) - Sec-T (Sweden, Stockholm) - Kaz’Hack’Stan (Kazakhstan, Almaty) - UISGCON (Ukraine, Kiev) - DefCamp (Romania, Bucharest) & more to be confirmed
  55. THANK YOU. Twitter: @DimitriNL
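An added detection example for the Unicode directory traversal the talk discusses on slide 32 (example code written for this page, not code from the talk, from NTBugtraq or from Microsoft): it percent-decodes a request path the lenient way the affected IIS versions did, then checks whether the decoded path climbs above the web root. The sample request lines and the `secret.txt` target are constructed, and the `scripts`/`msadc` prefixes are the virtual directories the slide names.

```python
import re
import urllib.parse

# Constructed sample request lines (not from the talk). %c0%af and %c1%9c are overlong
# UTF-8 for "/" and "\"; IIS 4/5 decoded them only after its ".." check had passed.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../secret.txt HTTP/1.0",
    "GET /msadc/..%c0%af..%c0%af../secret.txt HTTP/1.0",
    "GET /scripts/..%c1%9c../secret.txt HTTP/1.0",
    "GET /scripts/%2e%2e/%2e%2e/secret.txt HTTP/1.0",
    "GET /scripts/../default.htm HTTP/1.0",  # has '..' but stays inside the root
    "GET /default.htm HTTP/1.0",
]
LOG_RE = re.compile(r"^[A-Z]+ (?P<target>\S+) HTTP/")

def lenient_utf8_decode(data: bytes) -> str:
    """Decode the way the vulnerable server did: accept overlong 2-byte forms."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 2-byte form; C0/C1 lead bytes are overlong and rejected by strict decoders
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1  # longer sequences cannot yield '.' or '/'
    return "".join(out)

def escapes_root(raw_path: str) -> bool:
    """True if the fully decoded path climbs above the virtual directory root."""
    path = lenient_utf8_decode(urllib.parse.unquote_to_bytes(raw_path))
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
        if depth < 0:
            return True
    return False

def scan_requests(lines):
    """Return the request lines whose path escapes the web root after decoding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and escapes_root(m.group("target").split("?", 1)[0]):
            hits.append(line)
    return hits
```

The point of decoding before checking is the same one the 2000 bug turned on: a check run on the raw, still-encoded path never sees the second `..`.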
