Your Free MacWorld Expo Platinum Pass (valued at $1,695)

Happy new year everybody! Here's a little secret for web developers: client-side verification of user data is sometimes ok, but back it up with a server verification AND don't give important/secret stuff to the client.

I wanted to head over to MacWorld this week and obtained a "PC" code for a free Expo pass. That's cool and all but it doesn't get me access to see Jobs' keynote unless I sneak in. Plus if I got a regular badge I wouldn't have priority seating, something you really need since everyone and their goat flocks to hear Jobs say "One more thing..." But, alas, I'd only receive an Expo pass.

I plug in the register URL and start inserting my information. The second screen is where your Priority Code gets entered. Being the curious person I am I took a peek at the source code. Much to my chagrin I find this:


Well huh. These look like MD5 hashes. Lets look a little deeper in the code. On line 2515 there's a javascript function named "check_password" which is called any time the Priority Code field changes. Let's see what it does:

1. Convert the cleartext to upper-case and strip invalid characters
2. Calculate the MD5 of the new cleartext
   
3. Check the list of valid_codes for the MD5(cleartext)
4. Pop an alert box if the code isn't found
   

So what we need to do is crack the MD5 passwords with what we know about our keyspace: All upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII so now we're just looking at A-Z0-9. Just an educated guess.

A quick conversion of the javascript to "code#:md5hash" and a quick addition to John The Ripper's rules:

[List.External:AlNum_Upper]
void filter()
{
int i, c;

i = 0; // Convert to uppercase
while (c = word[i]) {
if ((c < 'a' || c > 'z') &&amp; (c < '0' || c > '9')) {
word = 0; return;
} else {
if (c >= 'a' &&amp; c <= 'z') word[i] &= 0xDF; } i++; } }

We begin the crack:

$ john --format=raw-MD5 --incremental=alnum --external=alnum_upper macworld.codes
Loaded 897 password hashes with no different salts (Raw MD5 [raw-md5])
CREDIT           (1183)
guesses: 1  time: 0:00:00:09  c/s: 20372K  trying: ADRY

Less than 10 seconds and I've already cracked a code that looks interesting. Lets see what we get:



A Platinum Pass for $0.00? Special line access to the Keynote! Alright!

So it looks like a combination of client-side authentication with all data being delievered to the end user. OWASP has a very good description of this vulnerability here. Utlimately you don't want to give the client everything they need to gain access to something they shouldn't. Validate on the server rather than the client and keep the keys secret. Of course you also shouldn't use a very easy key that will provide discounted access (CREDIT ? Hmmmpf!)

But did it work? You need a government ID or credit card to receive your badge at the conference. Not a very hard thing to forge but no need to as I used my real initials. The badging people gave me an odd look at the pick-up window but everything matched and voila:


This was discovered and verified on Monday, 1/8/07 by picking up the above badge. On Tuesday I e-mailed IDG to report it and met with the web support team at MacWorld to say hi, hows it going, yeah this didn't take long to figure out, you gave me everything I needed to know in the code, etc. They're very nice people and were happy to discuss this issue and about web security in general. They'd spent most of the day looking back over their logs and found that others also had found this vulnerability and used it but I was the only one to report it.

Given what's mentioned in this article from CSO Online I can understand why that is. This experience helped me feel that it's not always a strong-arm, FBI jackbooted thug response for finding a web application vulnerability. Then again I only learned how to defraud a company of $1,695 (per instance) and didn't try to access a database containing credit cards, social security numbers, etc.

I made a video of the hack but it was after I talked to IDG so the final page doesn't show $0.00 anymore. Oh well, it'll give you the general idea of the vulnerability and how long it could take to figure out. As soon as it's finished I'll post it.