How Classified DND Information Was Easily Compromised - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------- Beginning of Disclaimer ---------
This information is for educational use only. By continuing to read this file, all legal responsibility for any damage done, or any other illegal activity is bestowed upon you, the reader. If you don't agree with this, then don't read the file.
--------- End of Disclaimer ----------

As you may have noticed, I just recently (along with this file) released a few files on the DND network. You're probably wondering how I got so much great information on DWAN and various other DND computer information. To answer this pondering which many probably have, I am writing about the problem which I recently found in the DND, or more like the Government Canada's servers. This problem allowed me to gain much information which allowed me to write those files.

So, here's the scenario. After talking to The Clone about AGNPAC (the Alberta Government Packet Switching Network), I decided to see if there was an Ontario version of this. To check, I booted up my computer and zipped my trusty web browser over to www.gc.ca, Government Canada's main site. I saw the Search link on the main page there and followed it. I typed in a few keywords to search for information on there possibly being an Ontario Gov't Packet Switching Network. However, I didn't find anything of importance on the subject. What I did notice was the url which was in my url box after I hit the search button. It was something like this:

http://search-recherche.gc.ca/cgi-bin/query?mss=canada%2Fem%2Fsimple&
pg=q&enc=iso88591&site=main&bridge=&lowercaseq=&what=web&user=searchintranet
&kl=XX&op=a&q=Ontario+Government+Packet+Switch+Network&x=44&y=2
(url is wrapped)

There was one thing which caught my eye when I saw this. It was the part that said "user=searchintranet". Wow.. This is interesting. I wonder what kind of files I can access.
Is this really an intranet search? Well, you guessed it folks! It sure is. It's quite humorous actually.

See, a couple days before I had tried to access a directory listing on the CSE's server but wasn't able to do so as the server was marked as forbidden. Oooo... Forbidden.. Damn I can't help my curious mind. Of course I want to see all that which is forbidden! So, I found the url for the directory I wanted to get a listing for, and clicked search. Then, POW right there on the screen was what basically amounted to a directory listing of this supposedly forbidden directory.

Of course, it's the government, so they wouldn't put a password on the folder. I guess they figure that if it's marked forbidden people wouldn't be able to see the files inside. However, now that I have the full path names for the files, I could easily (with the click of a mouse) access these files. In fact, it turned out that I could access many files which are considered sensitive by the Canadian Government. These "sensitive" files were mostly seen on the CSE and DND servers.

What I believe happened was that the method in which the trusts between the servers were set up, coupled with the manner in which the search script searched for sites, allowed a person to search through every directory on all government agency web servers which were above the root web directory. So, if the main page of a server resided on:

    /usr/cse_web/html/

Then anything inside of that HTML directory, including all sub-folders, was accessible and could be searched through. This also means that the passwd files etc. on the servers could not be accessed.

However, due to the discovery of this, I found that there are many other vulnerabilities which various Government Agency servers are open to. Hopefully in the near future I will be able to write about these vulnerabilities on the various agency servers, however I do not feel that it would be in my best interest to do so right now.
This really demonstrates how insecure these servers really are. It seems that the government has great planning for their security of servers, however, the implementation is just not there. Maybe more files like this will send a strong enough message to the gov't that they really should wake up.

Well, that's it for today guys, and please try to stay out of trouble. Also, do NOT try any of the things mentioned within this file, we have delayed the release of this file to allow the administrators of the networks time to correct the issue at hand.

--
PsychoSpy
psychospy@hushmail.com
ICQ#: 5057653
2000
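
Added example (not part of the original file): a defender-side audit for the condition described above, where a directory refuses to list its contents but the files inside it are still served to anyone who learns the full path from a search index. The host name, paths and status codes are constructed sample data, and probe() is a hypothetical stand-in for an unauthenticated HTTP GET against your own server.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath

# Constructed sample data: URLs a public-facing search index returned, and
# the status an unauthenticated GET would receive for each path.
INDEXED_URLS = [
    "http://www.example.test/index.html",
    "http://www.example.test/docs/policy.html",
    "http://www.example.test/internal/netmap.html",
    "http://www.example.test/internal/ops/contacts.html",
    "http://www.example.test/staff/roster.html",
]
ANON_STATUS = {
    "/": 200, "/index.html": 200,
    "/docs/": 200, "/docs/policy.html": 200,
    "/internal/": 403, "/internal/netmap.html": 200,
    "/internal/ops/": 403, "/internal/ops/contacts.html": 200,
    "/staff/": 403, "/staff/roster.html": 401,
}

def probe(path):
    """Hypothetical stand-in for an unauthenticated GET; returns a status."""
    return ANON_STATUS.get(path, 404)

def audit(indexed_urls, probe=probe):
    """Map each listing-forbidden directory to the indexed files inside it
    that still answer 200 to an anonymous request."""
    exposed = defaultdict(list)
    for url in indexed_urls:
        path = urlsplit(url).path or "/"
        parent = posixpath.dirname(path).rstrip("/") + "/"
        # A 403 on the directory only hides the listing. The file is
        # protected only if the file itself demands authentication.
        if probe(parent) == 403 and probe(path) == 200:
            exposed[parent].append(path)
    return dict(exposed)

if __name__ == "__main__":
    for directory, files in sorted(audit(INDEXED_URLS).items()):
        print(f"{directory}: listing forbidden, but index exposes {files}")
```

Anything this reports needs access control on the files themselves and exclusion from the crawler's scope; /staff/roster.html is not flagged because the file itself answers 401.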