moonlit Posted August 29, 2009

The only ways I can think of to exploit analog audio in/out are either by some fluke involving the audio stack and some meticulously crafted sound, or via some app which uses audio input as data (for example an audio editing suite or an app which takes audio data and interprets it as sensor data or perhaps translates it into digital data like data over radio), the latter being the more likely scenario but still extremely difficult if it could be done at all. Of course, I'm no expert and I could be missing something obvious, but it wouldn't be easy any way you slice it.
KGONEPOSTL Posted August 30, 2009

OK kids

As a library network admin for a major library in the NY area I can attest that myself and other library network admins lock down the boxes for a reason. The computers at a library are for the enjoyment of every patron for the sake of doing research, not for your personal enjoyment. We spend many many hours locking down every nuance on a patron access system so script kiddies and even experienced computer users can't get past the basic account that is on a desktop, and in more cases than not those accounts are monitored, so we do know when someone gets shell or script access, and don't be surprised if someone comes and taps you on the shoulder and asks you to leave because he saw what you were doing.

Most libraries are working off domain based systems where everything is locked down at the server level, so even if you did get past the local lockouts there is a small chance that you can get past the server blocks that are in place, such as blocking CD-ROM and USB access as well as saving ANYTHING on the HDD.

In the library that I work for they also make sure that you sign a computer user agreement that in most cases informs you that YOU are responsible for any damage sustained to the computer while you are using it, and take my word for it, they WILL sue you or turn you over to the cops as a hacker. I have had to deal with and provide forensic evidence for 2 such occasions.

As posted several times in this post, there is NO REASON whatsoever for you to have root or admin rights on a library patron access box.

So man up and stop wasting peeps' time with something that you aren't going to be able to do in the first place.

Hi, I'm trying to download a 30kb file from my gmail but there's too many fuk1n lockouts to let me plug in my usb and download something so simple. Turns out it's in rar format and that's evil. Thanks for the reply. Angry dude who hates libraries. Btw, never test a hacker's resolve. Now you got people goin with proof of concepts. ........you're doomed
Wetwork Posted August 30, 2009

Are you just looking for proof of concept or must we perform a crack on a fully protected system? Also: which ports? Do we get access to a fully loaded card or just the mic/in speakers/out ports? Post motherboard/card restrictions if any. I'm not saying I can do it but dang...that got my noodle burnin.

The only physical port that is accessible is an audio out port connected to a 6' extension cable that is used for headsets so we don't hear people's jungle music and disturbing peeps. So audio out is the only port in, and from my understanding that particular port is one way.

barry99705 Posted Fri, 28 Aug 2009 22:44:30 +0000 "Hahahahahahaha!! We set up the library computers in one of our schools to be thin clients, no hard drives, no optical drives, and no floppies. After a month we had to go in and jbweld the blanking panels back in place, we also glued the cases shut."

I was thinking of setting up a multi VM system that has no HDD and after a set time, the client sided VMs are reset, but that is an evolution that is going to be about a year in the making. Hopefully VMWare will get on board and use my library as a proof-of-concept to sell to other libraries to eliminate the need for HDDs in patron access systems, or some sort of telnet type of network where it pulls the drive images from a main server. Networks that I have seen in other libraries that use this type of system are fraught with bugs and with very high network latency.

KGONEPOSTL "Hi, I'm trying to download a 30kb file from my gmail but there's too many fuk1n lockouts to let me plug in my usb and download something so simple. Turns out it's in rar format and that's evil. Thanks for the reply. Angry dude who hates libraries. Btw, never test a hacker's resolve. Now you got people goin with proof of concepts. ........you're doomed"

Who's testing a hacker's resolve?........as a CEH pen tester myself, I try to look at every angle that someone who is more nefarious than myself could use to access the network. I invited the forum to look at a possibility of an audio port hack to see if it could be done.. And if you hate libraries that much then man up and get a system or laptop of your own and stop whining about that you can't download porn from your gmail and put on a USB drive so you can beat off to it later. Just about every library in the US (unless your zip code is E-I-E-I-O and live in nosenugget Nebraska somewhere) has some sort of wireless access where you can connect your OWN wireless enabled device to the net.
Minus-Sign Posted September 1, 2009

An audio buffer overflow?

That's something along the lines of what I was thinking, but with only the audio out port accessible it wouldn't work. Frankly, I'm stumped on it. The only thing I could remotely think to do with only that port would be...I dunno. Try and use it to short out CMOS with an electric shock? High probability of permanent damage to the board, definitely fry the card in the process, but if you were dead set on trying to break in and that was the only way...how crazy is that? Even if you pushed it all the way to the point of frying it, results would be doubtful.

@ KGONEPOSTL Frankly, some good old fashioned social engineering would provide better results for the purposes of access.

This is speculation only. I don't think Wetwork has anything to fear from this conjecture.
Wetwork Posted September 1, 2009

That's something along the lines of what I was thinking, but with only the audio out port accessible it wouldn't work. Frankly, I'm stumped on it. The only thing I could remotely think to do with only that port would be...I dunno. Try and use it to short out CMOS with an electric shock? High probability of permanent damage to the board, definitely fry the card in the process, but if you were dead set on trying to break in and that was the only way...how crazy is that? Even if you pushed it all the way to the point of frying it, results would be doubtful.

@ KGONEPOSTL Frankly, some good old fashioned social engineering would provide better results for the purposes of access.

This is speculation only. I don't think Wetwork has anything to fear from this conjecture.

Nah, I have no fears along those lines ....as a pen tester myself I think that I would break out laughing if someone tried to social engineer me.
Keltha Posted September 2, 2009

You can't buffer overflow the audio in because the analog to digital converter physically can't output values large/long enough to overflow. I might be wrong tho, my knowledge of buffer overflows isn't that great.
moonlit Posted September 2, 2009

You can't buffer overflow the audio in because the analog to digital converter physically can't output values large/long enough to overflow. I might be wrong tho, my knowledge of buffer overflows isn't that great.

That was my thought after considering it for a while, you can't give the driver values that the physical hardware can't create, not from the input side of the hardware at least, you could in software, but that's a little useless here. If the driver's written properly, there shouldn't be any data that comes out of the hardware which can't be handled.
Wetwork Posted September 6, 2009

That was my thought after considering it for a while, you can't give the driver values that the physical hardware can't create, not from the input side of the hardware at least, you could in software, but that's a little useless here. If the driver's written properly, there shouldn't be any data that comes out of the hardware which can't be handled.

Don't the driver stacks for audio on most motherboards made in the last 3 years have an auto sense capability to what port a cable is plugged into and then will translate what the purpose of that port is, such as a cable plugged into audio out will only push audio out?? How would that work when trying to buffer overflow on a port that is outbound only? If it were a USB audio device or a device emulator that works over the USB stack I could see the overflow suggestion have a little more weight, but an old-fashioned 2.5mm audio jack, I can't really wrap my head around the possibility of that working.
Zimmer Posted September 6, 2009

Um does it not have to be a buffer overflow that IS executable?
jobdone Posted September 6, 2009

Whoa, just had a thought! If I could get a job working for the library IT department, and work my way up, then I could get Admin rights. Hope this works for you too...
Wetwork Posted September 8, 2009

Whoa, just had a thought! If I could get a job working for the library IT department, and work my way up, then I could get Admin rights. Hope this works for you too...

Ummmm.....Ya.....Sure....it will just take a few years.....but why not! That way when they catch you playing World of Warcrack at work they will question if you should be doing the job at all, but go for it.
Jason Cooper Posted September 10, 2009

I don't know how many computers you have in your library but I would suggest that you check to see if you boot from USB/CD on each of them (assuming you have access to the USB ports and CD drives), as anyone who deals with a large number of PCs will tell you there is always the chance that one of the BIOSes has not been locked down. (This happens more on the BIOSes that don't let you have a locked down boot menu, so you have to add in the option to boot from CD or USB whenever you are reinstalling the machine.) The more machines the better your chances of finding one that has slipped through, though don't just sit at one machine then the next and then the next, take your time and try them over the period of a couple of months.

Of course if you do try and do this you will probably draw the attention of those people responsible for them, and so at best you should assume that you will be banned from using the machines and at worst find yourself in court.

For those of you reading this who maintain a large number of PCs, it is worth going round them all checking the BIOS settings every now and again (and if the BIOS supports it, putting a password protected boot menu in place on them, as that will reduce the need to change the BIOS settings in the future).
Wetwork Posted September 10, 2009

I don't know how many computers you have in your library but I would suggest that you check to see if you boot from USB/CD on each of them (assuming you have access to the USB ports and CD drives), as anyone who deals with a large number of PCs will tell you there is always the chance that one of the BIOSes has not been locked down. (This happens more on the BIOSes that don't let you have a locked down boot menu, so you have to add in the option to boot from CD or USB whenever you are reinstalling the machine.) The more machines the better your chances of finding one that has slipped through, though don't just sit at one machine then the next and then the next, take your time and try them over the period of a couple of months.

Of course if you do try and do this you will probably draw the attention of those people responsible for them, and so at best you should assume that you will be banned from using the machines and at worst find yourself in court.

For those of you reading this who maintain a large number of PCs, it is worth going round them all checking the BIOS settings every now and again (and if the BIOS supports it, putting a password protected boot menu in place on them, as that will reduce the need to change the BIOS settings in the future).

I have my team do an audit on our library access systems every 90 days like clockwork. This is for several reasons including exploits, hacks, new key logging products, innovative kids who spend hours and hours sitting on sites like hak5 and Google, and for the most part give my staff something to do. Since all the computers are identical for the patron access systems it's easy to script most of the lock downs where no computer gets left behind.

Patron monitoring is also part of it, where I get notifications when a patron restarts the system, logs off the user acct, or makes any sort of change to the system outside of the norm, and there is also the video aspect where if someone looks like they are attempting to break into the locked desk to try to access the tower.

The 2 techs out of my staff of 5 that are assigned to do the quarterly audit are required to do written reports for my review, and then that report is given to the director of the library, who I sit down with and go over it line by line. In turn the director then presents that report to the board of directors on a monthly basis as part of the meeting. In situations where there is something amiss, that computer user's PC privileges are taken under consideration for future use. Every patron who uses the computer is required to not only present ID but give name and address to hold them responsible. Every patron that signs in to one of the systems automatically has their library barcode logged as well as time signed on and off for this before mentioned audit.

Most people would consider this very big brother like, but this is what patron access users must succumb to use a patron access system, as well as the terms of agreement that they have to check on when sitting down at the system. All monitoring resources are laid out in this ToA and nothing is hidden from view.

I also tend to hire techs who take security to heart and know that the security on library computers is for the safety of all patrons that visit the library and outside of the library, IE child molesters and child porn pushers, that you will have to admit libraries are good places for these guys to work from because of the anonymity of the nature of library computers.

I hope that this goes a long way to helping other library administrators lock down their patron access systems to prevent scumbags from exploiting patron access systems for their own personal fu*ked up reasons.

If you have any questions please feel free to PM me on library access controls and I will do what I can to help.
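
The periodic BIOS check Jason Cooper recommends, combined with the 90-day audit cycle described above, can be run as a script over a fleet inventory. This is an added example, not code from any poster in the thread; the host names, field names and inventory rows are constructed, and it assumes a tech records each machine's settings during the walk-round.

```python
from collections import Counter
from datetime import date

AUDIT_INTERVAL_DAYS = 90           # quarterly cycle mentioned in the thread
REMOVABLE = {"usb", "cd"}

# Constructed sample inventory; host names and field names are hypothetical.
# Columns: host, boot order, BIOS password set, boot menu locked, last audit date
ROWS = [
    ("PAT-01", "hdd",    True,  True,  date(2009, 8, 1)),
    ("PAT-02", "hdd",    True,  True,  date(2009, 8, 1)),
    ("PAT-03", "cd,hdd", True,  False, date(2009, 8, 1)),   # left as-is after a reinstall
    ("PAT-04", "hdd",    False, True,  date(2009, 8, 1)),
    ("PAT-05", "hdd",    True,  True,  date(2009, 4, 15)),  # missed the last cycle
]
FIELDS = ("host", "boot_order", "bios_password", "boot_menu_locked", "last_audit")
FLEET = [dict(zip(FIELDS, row)) for row in ROWS]


def baseline_boot_order(fleet):
    """Identical machines should share one boot order; the most common one is the baseline."""
    return Counter(m["boot_order"] for m in fleet).most_common(1)[0][0]


def audit(fleet, today):
    """Return {host: [issues]} for every machine that fails a check."""
    baseline = baseline_boot_order(fleet)
    findings = {}
    for m in fleet:
        issues = []
        if not m["bios_password"]:
            issues.append("no BIOS setup password")
        if not m["boot_menu_locked"]:
            issues.append("boot menu not password protected")
        first = m["boot_order"].split(",")[0]
        if first in REMOVABLE:
            issues.append(f"boots from removable media first ({first})")
        if m["boot_order"] != baseline:
            issues.append(f"boot order {m['boot_order']!r} differs from fleet baseline {baseline!r}")
        age = (today - m["last_audit"]).days
        if age > AUDIT_INTERVAL_DAYS:
            issues.append(f"last audited {age} days ago")
        if issues:
            findings[m["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(FLEET, date(2009, 9, 10)).items():
        print(host, "->", "; ".join(issues))
```

The majority-vote baseline only catches drift; the explicit password and removable-media checks are what catch a fleet that is uniformly misconfigured.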