_ | \ | \ | | \ __ | |\ \ __ _____________ _/_/ | | \ \ _/_/ _____________ | ___________ _/_/ | | \ \ _/_/ ___________ | | | _/_/_____ | | > > _/_/_____ | | | | /________/ | | / / /________/ | | | | | | / / | | | | | |/ / | | | | | | / | | | | | / | | | | |_/ | | | | | | | | c o m m u n i c a t i o n s | | | |________________________________________________________________| | |____________________________________________________________________| ...presents... Hacking PC/Payroll for Windows by Tarkin Darklighter 09/01/1997-#340 __///////\ -cDc- CULT OF THE DEAD COW -cDc- /\\\\\\\__ \\\\\\\/ Everything You Need Since 1986 \/////// ___ _ _ ___ _ _ ___ _ _ ___ _ _ ___ |___heal_the_sick___raise_the_dead___cleanse_the_lepers___cast_out_demons___| I. Introduction Automated Data Processing (ADP) is the nation's largest provider of computerized payroll transaction processing. PC/Payroll for Windows is ADP's client/server front end for AutoPay, which is in use by over 225,000 clients and 20 million employees (per ADP's 1996 annual report). With PC/Payroll, you can either connect to a SQL server or use their run-time SQL server engine to access a local database. If the company in question is using either option the security is quite trivial. When you execute PC/Payroll, you are asked for a user name and password. The natural inclination in a case like this is to just "brute force" your way into the program via a word list. Fortunately, there are some major security flaws in their database structure. So, let's get to it. II. Tools A. PC Payroll and its configuration The first thing you'll need is a copy of PC/Payroll for Windows. If you can't obtain the installation CD, you'll need to copy the \PCPW directory from the user's hard drive or from the server. Also, be sure and copy the MFCOLEUI.DLL file from the \WINDOWS\SYSTEM directory or you won't be able to execute the program. The actual payroll database file is usually stored in a subdirectory of \PCPW. The default directory name is PAY4WIN and the default database name is PAY4WIN.DBS. This database can get very large, so make sure you have a lot of storage space available. There are two INI files in the \PCPW directory that may be important: SQL.INI and PAY4WIN.INI. Make sure that the entries in this file point to the correct drive letter and directory on your system. B. Disk editor You'll also need a good disk editor to examine the database file. I prefer Norton Disk Editor (DOS version 8.0), but remember that a lot of these old editors won't work properly with the Win95's new FAT32 system. You can really screw up your hard drive if you're not careful III. Methodology We're going to perform a basic "cut-and-paste" operation on the password fields in the database. This is easily accomplished by creating a user with a known password and copying their password field to the SYSADMIN's password field. The next question is exactly HOW to create a new user without actually getting into the program first. Fortunately for us, ADP provides a SQL database utility that will do just exactly that! We're going to create a new database and then create a new user/password within that database: To create a new database: 1. Start up the WINTALK.EXE utility. 2. Select Admin/Install Database. 3. Check the "Local" box. 4. Check the "New" box. 5. The Password field is not important. Just put whatever you want in here. 6. Type in the name of a new database. (We'll use NEWDB in this example.) 7. Click OK. The new database should now be created. If you're having problems, check the entries in the SQL.INI file. Now, to create the user and password: 1. Select Session/Connect from within WINTALK.EXE. 2. Select NEWDB from the box on the left and click OK. 3. Select Security/New User from the menu bar. 4. Create a new user named SYSADMIN with password "PASSWORD" (it's not case-sensitive) with DBA privileges and click OK. 5. Exit WINTALK. The next step is to copy your new password into the original database file. Let's take a look at the database: Open the NEWDB.DBS file with your disk editor and search for the SECOND instance of SYSADMIN. This is the Master User account that has full access to everything in PC/Payroll. The password field is located immediately after the user name. It's made up of 16 hex numbers, beginning after a 10h. In our example above, the hex numbers should read: 45 45 4B 46 4D 4B 46 48 4D 49 48 47 42 42 48 4B You should get the same string of numbers if you used a password of "PASSWORD". Write these numbers down. Now, use your disk editor to open PAY4WIN.DBS. Search for the SECOND instance of SYSADMIN again and locate the password field. If you can't find a SYSADMIN user, locate the second instance of another user (like the name of your payroll clerk) with sufficient privileges in PC/Payroll. All you have to do is to copy the string you created into the SYSADMIN's password field, starting after 10h. Save your changes. Start PAY4WIN.EXE, and login using SYSADMIN and PASSWORD. You should have full access. IV. Additional Notes This hack has also been proven to work on Novell servers running SQL. Just copy the database and log files from the server to your local machine and proceed as above. Note that you will have to unload the SQL NLM in order to grab the files. (You can copy them at will if the server is running a utility like St. Bernard's Open File Manager). V. Conclusion I must admit, this is pretty weak security, especially for something as important as payroll. Most companies guard their payroll information VERY closely. There are a lot of ways ADP could have made this more difficult. Simply encrypting the passwords using a unique number in each database file would have been enough to make things much more difficult! .-. _ _ .-. / \ .-. ((___)) .-. / \ /.ooM \ / \ .-. [ x x ] .-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\- /lucky 13\ / \ / `-(' ')-' \ / \ /lucky 13\ \ / `-' (U) `-' \ / `-' the original e-zine `-' _ Oooo eastside westside / ) __ /)(\ ( \ WORLDWIDE / ( / \ \__/ ) / Copyright (c) 1997 cDc communications and the author. \ ) \)(/ (_/ CULT OF THE DEAD COW is a registered trademark of oooO cDc communications, PO Box 53011, Lubbock, TX, 79453, USA. _ oooO All rights reserved. Edited by Grandmaster Ratte'. __ ( \ / ) /)(\ / \ ) \ \ ( \__/ Save yourself! Go outside! Do something! \)(/ ( / \_) xXx BOW to the COW xXx Oooo .