A Simple Ticketmaster Hack

Written 2017-02-20

Tags:Ticketmaster 

Everyone seems to have their own reasons for hating ticketmaster.

Here is mine - ticketmaster tries to optimize house filling. At first glance, this is great, since otherwise there would be a single-seat gap between every group at a show. However, this plan breaks down as the seats fill. I was recently presented with the following empty seat options for a show. I could either buy three seats in a row so that the two of us could sit together, or seat two attendees in different sections.

Seat in another section not shown below.
ticketmaster_0

Attempting either of the two-seat pairs of the three seats below...
ticketmaster_1

...yields:
ticketmaster_2

Thanks Bucko. In fact, selecting one seat here and one in another section is fine, like this:
ticketmaster_3

Once you select it, ticketmaster temporarily reserves your seat and takes you to a holding area:
ticketmaster_4

Interestingly enough, opening a private tab at this stage shows that the seats in the holding area are no longer available.
ticketmaster_5

Now, you can reserve the two seats you wanted in the first place, and buy them
ticketmaster_6

In retrospect, we should have started with the normal tab, and used the private tab to do the switcheroo. So, to wrap this up cleanly into some sensible instructions, the steps needed are:

  1. Log into ticketmaster in normal tab
  2. Find the seats you want
  3. Find the seats in the way of the seats you want
  4. Open a private tab, and fill out an order for the unwanted seats, but do not order
  5. Refresh the normal tab, confirm unwanted seats no longer available.
  6. Order the seats you wanted in the first place.
  7. Close the private tab
  8. Have a wonderful night at the opera

Absurdity Of It all

Written 2017-02-13

Tags:absurdity blender 

A man removes a crock-pot from a cupboard.
A cat sprints across the kitchen.
The cat crashes into the cord hanging back into the cupboard.
A blender hangs mid-air, yanked by the cord by the cat.
I sweep the shards of blender into a dustpan.
And pour the blender into the garbage.

I'm speaking at SecKC February 2017

Written 2017-01-13

Tags:DroneView Security WiFi SecKC KansasCity 

At SecKC's February 7th meeting, come see me present This one time, I bought a drone. I'll also introduce a new, ESP8266-based countermeasure, named DronePwn.

MadSax

Written 2017-01-05

Tags:XML MadSax Expat BeyondThunderDom LoadWarrior 

Expat Sax Parsing

Expat is a SAX-Parser for XML documents. However, parsing documents directly with Expat is a little cumbersome - Expat triggers a callback for every start and end XML tag, along with a string belonging to that tag, but it is left to the developer to convert this stream of named tags into usable events for processing. Various methods exist for this, including keeping a list of known tag-identifying-strings in the program, and scanning this list per tag to see what should be done. Commonly, this results in a string table that maps to an enumeration, and a switch-case.

MadSax works a little differently.

MadSax sits directly between Expat and higher level logic. Instead of a callback API for arbitrary tags, MadSax is built at compile-time with a list of tags the application is interested in. These tags are used to compile a minimal perfect hashmap using gperf.

Example MadSax Usage

This MadSax Definition File:

/svg/rect
/svg/circle

Generates the following hash-indexed tag-handlers, which are used to trigger the higher-level application logic. These intentionally mirror the API of Expat, except that the element name need not be parsed, and may be removed in the future.

static void handle_tag_start__svg__rect(void *data, const char *el, const char **attr){}
static void handle_tag_end__svg__rect(void *data, const char *el){}
static void handle_tag_data__svg__rect(void *data, const char *content, int length){}
static void handle_tag_start__svg__circle(void *data, const char *el, const char **attr){}
static void handle_tag_end__svg__circle(void *data, const char *el){}
static void handle_tag_data__svg__circle(void *data, const char *content, int length){}

What comes after MadSax?

Two more XML-parsing related projects are planned after MadSax.

The Load Warrior

The first, The Load Warrior, will be a thin layer on top of MadSax, and will support tagging MadSax definition lines with types. For most cases, this will remove the abstract the current three-step parsing(start/data/end) into a simpler API consisting of a single callback for a single XML Element. Start and End callbacks will still be used to delineate more complex objects, but single callbacks will be used to represent simple tags that enclose a single value.

Beyond ThunderDom

Beyond ThunderDom will sit above The Load Warrior, and serve to aggregate objects converted by The Load Warrior into structures directly usable by higher level application logic. For example, our above example for rectangles becomes:

struct
{
float x;
float y;
float width;
float height;
const char * style;
}svg_rect;

static void handle_object__svg__rect(void *data, const struct svg_rect * rect){}

DroneView Security Problems

Written 2017-01-01

Tags:DroneView Security 

WiFi Password

The WiFi uses an open network. This should be replaced with a default password printed on the device label.

Everything Runs as Root

This means any command-injection in the web UI would lend itself to immediate system compromise.

No Shadowfile Support

Password hashes are stored in /etc/passwd. If normal processes ran as something other than root, they would be restricted from fetching password hashes.

Telnet identifies non-users

If attempting to log in over Telnet with an invalid username, Telnet displays 'getpwnam returned null'. This allowed me to quickly exclude a list of common username and password combinations used in IP camera devices. Also telnet should be replaced with SSH.

Poor Password Choices

By sharing a short alphanumeric password, ev1324, across all drones, the compromise of a single drone(mine), combined with telnet, allows wireless bricking of devices.

Weak password hashing algorithms

The root password is hashed with MD5. This took only about 20 minutes to brute-force. Since it is not common for someone to log into this device, there is little downside to using a much slower algorithm.

Unlocked Bootloader

This one I have mixed feelings on, but a bootloader password would have prevented me from extracting password hashes from the firmware. However, if the bootloader were locked, I then would have extracted it from the SPI flash. And then you need disk encryption.

Older