$natch
#phdays 2013
$NATCH
Sergey Scherbel & Yuriy Dyachenko, Positive Technologies
Positive Hack Days 2013
Some history
The competition took place for the first time at PHDays 2012. $natch aims to demonstrate typical vulnerabilities of online banking systems.
Positive Technologies performs security tests of online banking systems on a regular basis. We are really into this.
The most interesting, dangerous, and simply typical vulnerabilities are integrated into PHDays iBank right away.
Last year results
― 9 participants
― 4 winners
― biggest prize of 3.500 roubles
― Some winners got into the Positive community (after an extremely scary interview, of course)
PHDays iBank 2
PHDays iBank 2 is NOT a real online banking system used by actual banks.
The system was developed exclusively for the PHDays 2013 competition.
PHDays iBank 2 contains typical vulnerabilities of online banking systems.
Competition rules
― 100 bank clients
― 10 participants
― 20.000 roubles of prize money
― 1 day for source code analysis
― 30 – 40 minutes of the actual competition
― a participant gets as much money as he or she manages to transfer to his or her own account
― participants can steal money from each other
At the workshop
― You will be able to examine each vulnerability in detail
― Exploit vulnerabilities by yourself
― Exploit vulnerabilities with tools
― All is done on a special copy of the competition system
Accounts
100001:PKAC1y
100002:RNrlO9
100003:Ndl1Ix
100004:hQPuJw
100005:kpgtCI
Authentication
The code shown in the image has to be entered
Mobile bank authentication
The code is not required on the mobile channel, so account brute force is possible
Accounts with simple passwords
100011:password
100012:phdays
100013:qwerty
100014:password
100015:123456
100016:12345
100017:11111
100018:ninja
100019:123123
100020:sex
100021:asdzxc
100022:654321
100023:iloveyou
100024:root
100025:master
100026:superman
...
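Added example, not from the original deck or from PHDays iBank 2: detection logic that, run over constructed login-log lines, flags the two patterns the missing image code invites on the mobile channel, a burst of failures against one account and one source cycling through many accounts. The log format, field names, sample values and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login log (format assumed; not the real PHDays iBank 2 log).
SAMPLE_LOG = """\
2013-05-23 10:00:01 channel=mobile account=100011 result=FAIL ip=10.0.0.5
2013-05-23 10:00:02 channel=mobile account=100011 result=FAIL ip=10.0.0.5
2013-05-23 10:00:03 channel=mobile account=100011 result=FAIL ip=10.0.0.5
2013-05-23 10:00:04 channel=mobile account=100012 result=FAIL ip=10.0.0.5
2013-05-23 10:00:05 channel=mobile account=100013 result=FAIL ip=10.0.0.5
2013-05-23 10:00:06 channel=mobile account=100011 result=FAIL ip=10.0.0.5
2013-05-23 10:00:07 channel=mobile account=100011 result=OK ip=10.0.0.5
2013-05-23 10:30:00 channel=web account=100001 result=FAIL ip=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) channel=(?P<channel>\w+) account=(?P<account>\d+) "
                     r"result=(?P<result>OK|FAIL) ip=(?P<ip>[\d.]+)$")

def parse_events(text):
    """Turn log lines into sorted (timestamp, channel, account, result, ip) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["channel"], m["account"], m["result"], m["ip"]))
    return sorted(events)

def has_burst(times, threshold, window):
    """True if at least `threshold` of the sorted timestamps fall inside one sliding `window`."""
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def find_bruteforce(events, window=timedelta(minutes=5), account_threshold=4, spray_threshold=3):
    """Flag mobile-channel accounts with a burst of failures and source IPs that fail against many
    distinct accounts. Only the mobile channel is scored: it is the one that skips the image code."""
    fails_by_account, accounts_by_ip = defaultdict(list), defaultdict(set)
    for ts, channel, account, result, ip in events:
        if channel == "mobile" and result == "FAIL":
            fails_by_account[account].append(ts)   # events are already in time order
            accounts_by_ip[ip].add(account)
    hammered = sorted(a for a, ts in fails_by_account.items() if has_burst(ts, account_threshold, window))
    spraying = sorted(ip for ip, accts in accounts_by_ip.items() if len(accts) >= spray_threshold)
    return {"accounts": hammered, "ips": spraying}
```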
Transaction confirmation
Confirmation bypass in mobile bank
Payment templates modification
The system does not check whether a template belongs to the current user
Contacts import
Most online banks have a feature that allows importing and exporting data
XML External Entity
Loading of external entities is not disabled: http://php.net/libxml_disable_entity_loader
XML External Entity

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE contact [
  <!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">
]>
<contacts>
  <contact>
    <name>name</name>
    <account>90107430600712500003</account>
    <description>&x;</description>
  </contact>
</contacts>
```
http://www.php.net/manual/en/wrappers.php.php
XML External Entity
The file contents are returned base64-encoded
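A defensive counterpart to the contacts import above, added here as an example and not part of the original deck or of PHDays iBank 2: a contact-list parser, written in Python rather than the bank's PHP, that refuses any DTD before the XML parser sees the document and then validates each field. The element names follow the import on the previous slide; the constructed samples, the 20-digit account format and the size limit are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. The hostile one mirrors the import shown above (entity pointing at a
# server-side log through php://filter); the benign one is an ordinary contact list.
HOSTILE_IMPORT = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE contact [<!ENTITY x SYSTEM '
    '"php://filter/read=convert.base64-encode/resource=logs/changePassword.log">]>'
    '<contacts><contact><name>name</name><account>90107430600712500003</account>'
    '<description>&x;</description></contact></contacts>'
)
BENIGN_IMPORT = (
    '<?xml version="1.0" encoding="utf-8"?><contacts><contact><name>Alice</name>'
    '<account>90107430600712500003</account><description>rent</description></contact></contacts>'
)

DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
ACCOUNT_RE = re.compile(r"^\d{20}$")   # assumed account-number format (20 digits, as on the slide)

class ImportRejected(ValueError):
    pass

def parse_contacts(xml_data, max_size=64 * 1024):
    """Parse an uploaded contact list without ever handing a DTD to the XML parser.
    Any DOCTYPE/ENTITY declaration is rejected up front, so neither external entities
    (SYSTEM "php://..." or "file://...") nor entity-expansion bombs can be used, whatever
    the parser's own defaults are. Each field is then validated on its own."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    if len(xml_data) > max_size:
        raise ImportRejected("import too large")
    if DTD_RE.search(xml_data):
        raise ImportRejected("DTD declarations are not allowed in contact imports")
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        raise ImportRejected(f"malformed XML: {exc}") from None
    if root.tag != "contacts":
        raise ImportRejected("unexpected root element")
    contacts = []
    for node in root.findall("contact"):
        name = (node.findtext("name") or "").strip()
        account = (node.findtext("account") or "").strip()
        description = (node.findtext("description") or "").strip()
        if not name or not ACCOUNT_RE.match(account):
            raise ImportRejected(f"invalid contact entry: {name!r} / {account!r}")
        contacts.append({"name": name, "account": account, "description": description[:200]})
    return contacts
```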
Debug mode