Get FREE Internet (while stocks last)

Dhiraagu is currently running a promotion to mark the rollout of their new wifi hotspots around Male'. The hotspots, which are set up in some of the popular cafes and restaurants, let customers at these joints enjoy speedy access to the internet via laptops, Pocket PCs and smartphones. Access is to be granted with the purchase of vouchers but I am not sure if the access offered is time based or data transfer based. However, it would probably be a safe bet that it would not be cheap.

The great thing about this wifi promotion is that they are giving FREE access for the duration of the promotion. That means people in the vicinity of the hotspots can get high speed free internet! The signal is strong and easy to catch at least around the block and receivable even further off if a wifi antenna is used to boost the signal reception. If you are really desperate for internet and want to cash in on this opportunity, quickly slap up a bi-quad or cantenna for 2.4 GHz use, connect it to your wifi card and surf away. Making an antenna certainly makes for an interesting project to while away the afternoon and access to such an antenna has the additional benefit of letting you connect to one of the numerous (unprotected) wifi networks around.

Stay connected! :-P

Dhiraagu MMS: kung fu-ed!

Ah. Data backup disks are always nice - especially those with older snaps of work. You find things that you've totally forgotten about. Perhaps it is a photo, a document or maybe that song you used to play all the freaking time. As for me, I just stumbled across a hasty log and an interesting screenshot I had taken around mid 2005.

There is a litter of articles dedicated to Dhiraagu on my blog - there is one about their E-Bill system, another on the WWW proxy server and yet another on their WebSMS service. However, the Dhiraagu MMS service, which I recall as being officially launched in July 05, is something I haven't posted about. But now that I chanced upon this "ancient" screenshot and given that Dhiraagu has revamped their MMS website, I thought I'd share...

The screenshot shows the Dhiraagu MMS internet portal that is intended to be used to retrieve received MMS and to acquire MMS content for the phone. The shot shows an SQL injection probe on their website and, listed by the system in response, is a list of database tables - a couple with interesting names. I leave to your imagination what they contain, for I don't remember pursuing the matter any further :-P Note that Dhiraagu seems to have re-programmed their MMS service sometime late last year and I have no idea whether the lapses that gave rise to this exploit exist on the new website.

Dhiraagu MMS exploited?

Dhiraagu E-Bill flaw!

I came back from shopping this evening to find that my brother had messaged me on MSN Messenger saying he wanted to talk to me about something quite urgently. I called him up only to find him answering on the first ring and then unloading a megaton worth of speech in under a minute. He sounded excited and mostly illegible so I took my time digesting what he was saying. Basically what he said was that he had been checking the monthly call details of our home line when he got curious and took a look at the Dhiraagu E-Bill system to see what goes on under the skin. What he found was more than intriguing and he wanted me to investigate it further. (My brother has a bit of what he found out on his blog.) Now, here's my take on it.

Overview
The flaw Jaheen stumbled across lies in the online phone records viewing facility called E-Bill provided by Dhiraagu. Specifically, the flaw exists in the bill downloading section of this online application that allows registered users to download the call records for their line. The lapse in appropriate security measures and the utmost trusting of the data provided by the user seem to let a (malicious?) user view the call details for ANY account number of a Dhiraagu customer.

Walk-through
First, I should note that in order to access and execute the flaw, you need to be a registered user of the E-Bill facility. You need to log in and have a valid session underway to access the required bill downloading facility.

That said, viewing the bill of a specific user is not that trivial a task either. The account number of the desired customer needs to be provided to the system instead of merely providing the customer's telephone number. The account number is printed on the monthly bills that Dhiraagu sends out. The account number is printed in the format XX/XXXXXX/XXXX, where the Xs represent digits. Individual user targeting is thus limited greatly but this is not to say that the consequences of this bug are thus insignificant. It is always possible to mess around and generate a combination of digits which in turn will quite likely correspond with a valid account number of some random customer. A very possible scenario could be an attacker generating all the combinations of the numbers and asking for the bills for each of these generated account numbers!

I duplicated the execution of the flaw using the same "tools" my brother used; i.e. using the Live HTTP Header extension for Mozilla Firefox. This extension is quite handy for these sorts of uses and misc. other debugging purposes.

Forging ahead, first up the E-Bill interface is accessed and login process completed. This gives a cheesy interface that looks like this.


The bills download feature is accessed by clicking on the "Download bills" link from the left menu. The page that comes up next differs depending on the E-Bill account type and the number of telephone numbers combined into the E-Bill account that was logged in with. Skipping ahead, the E-Bill system throws up a page that looks like this:


Now this is where the magic begins. Enter the time duration for which the call records are desired. Then select the appropriate links to get to a download page where you are asked to click a button to start the downloading. The HTTP Live Header (HLH) extension comes into play at this point. HLH is set to capture the traffic. Then the download button is clicked and soon enough Firefox happily displays the download save dialog for the file being received. The file is saved but there is still nothing abnormal up to this point.

Now to execute the amazing rabbit-out-of-hat magic of the E-Bill system, a bit of sleight-of-hand is added to the process. The button click in the above mentioned download process creates an HTTP POST request which shows up among the last on the status window of HLH. This request is selected and the "Replay" button clicked to replay the download process with a few changes for the final effect.


As shown above, the highlighted "account=xxxxxxxxx" bit tells the E-Bill system which account number to generate the call records for! This is where our opportunity comes. This number is then changed to a known account number or any random number and the HTTP "replay" continues as normal. As soon as the modified request is replayed, the E-Bill system again spits out a call records file for download. The difference this time? It is no longer the call records for the logged in account but for the account number furnished in the modified replay.


Conclusion
Simply by manipulating a single 12 digit number that the E-Bill system trusts the user's browser with, we can extract the phone records of ANY Dhiraagu customer. This is a serious flaw and the resulting breach of privacy is a major concern for customers who no doubt would want their phone usage records to be kept safe and confidential.
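The fix for what the walk-through shows is an authorization check on the server, not a change to the download form. Below is an added illustration in Python, not code from Dhiraagu or from this post: a handler that trusts the "account" field the way the post describes, beside one that only serves accounts the logged-in session owns, plus a small check over access-log lines that would surface the "generate all the combinations" scenario mentioned above. The session table, account numbers and log format are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed session store: the account numbers each logged-in E-Bill
# session is entitled to. Account numbers follow the XX/XXXXXX/XXXX shape
# the post describes but are made-up placeholders.
SESSIONS = {
    "sess-a": {"11/000001/0001"},
    "sess-b": {"22/000002/0002", "22/000002/0003"},
}

ACCOUNT_RE = re.compile(r"^\d{2}/\d{6}/\d{4}$")


def download_bill_vulnerable(session_id, form):
    """Behaviour the post describes: any syntactically valid account number
    in the POST body is served, as long as some session is logged in."""
    if session_id not in SESSIONS:
        return 401, None
    account = form.get("account", "")
    if not ACCOUNT_RE.match(account):
        return 400, None
    return 200, f"call records for {account}"


def download_bill_hardened(session_id, form):
    """Server-side authorization: the client's value only selects among the
    accounts the session already owns; anything else is refused and logged."""
    owned = SESSIONS.get(session_id)
    if owned is None:
        return 401, None
    account = form.get("account", "")
    if not ACCOUNT_RE.match(account):
        return 400, None
    if account not in owned:
        return 403, None
    return 200, f"call records for {account}"


# Constructed access-log lines in a hypothetical format.
SAMPLE_LOG = [
    "2005-11-01T20:01:02 session=sess-a account=11/000001/0001 status=200",
    "2005-11-01T20:02:10 session=sess-b account=22/000002/0003 status=200",
    "2005-11-01T20:03:00 session=sess-c account=10/000000/0001 status=403",
    "2005-11-01T20:03:01 session=sess-c account=10/000000/0002 status=403",
    "2005-11-01T20:03:02 session=sess-c account=10/000000/0003 status=403",
    "2005-11-01T20:03:03 session=sess-c account=10/000000/0004 status=200",
]
LOG_RE = re.compile(r"session=(\S+) account=(\S+) status=(\d{3})")


def flag_enumeration(log_lines, threshold=3):
    """Return session ids that asked for at least `threshold` distinct account
    numbers or were refused at least `threshold` times: the pattern left by
    someone walking through generated account numbers."""
    distinct = defaultdict(set)
    refused = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        sid, account, status = m.groups()
        distinct[sid].add(account)
        if status == "403":
            refused[sid] += 1
    return sorted(s for s in distinct
                  if len(distinct[s]) >= threshold or refused[s] >= threshold)
```

The hardened handler still reads the account number from the form, which is fine: the value only chooses among accounts the session already has, so a replayed request with a foreign number gets a 403 and a log line instead of a bill. The thresholds in the log check are deliberately low for the constructed sample; a real deployment would tune them per hour or per day.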

I, Dhiraagu proxy server

Now I know quite a few people would wet themselves on hearing of the dirty things one can do to Dhiraagu. I also know quite a few people would risk actually trying what I am about to narrate, so here I begin with a disclaimer.

-----
Disclaimer: The information presented in this article is mostly for entertainment purposes and whatever educational value it may possess must be the result of some exotic butterfly flapping its wings under the canopy of the Amazon. At no time do I recommend you or any circus animals to attempt these and consequently, I take no responsibility for your actions.
-----

If you are a dialup user on Dhiraagu Dhivehinet then every time you dial in you get an IP address assigned automatically. An IP address is sort of a unique identifier for your computer on the internet. I was setting up an internet dialup connection to Dhiraagu on a friend's computer a few years ago when I wondered what would happen if I were to specify my own IP address in the settings rather than let Dhiraagu automatically assign me. If things were set correctly at Dhiraagu, what I was about to do should not be possible. However, I decided to try it out anyway, hoping that they might have mucked it up.

I decided I would attempt using the IP for the Dhiraagu proxy server, i.e. assign myself the same identity as the web proxy operated by Dhiraagu. As you might already know, all WWW traffic flows through a proxy server if you are a Dhivehinet customer, therefore the proxy server knows what you browse, when you browse and can totally keep tabs on you. Similarly, by assuming its identity myself I should be able to see what the real proxy sees. I should be able to grant myself the same power! Sure enough, as soon as I dialed in with the forced IP, the connection status icon at the bottom of the screen lit up. The received packet count in the connection status window kept on increasing endlessly. I was getting bombarded by the web traffic coming into the proxy! I had successfully assumed its identity. I then disconnected and I sat there with a wicked smile painted on my face, imagining the possibilities this opened up.

A few minutes later, my fingers were flying over the keyboard furiously as I wrote a quick 'n' dirty proxy server software. Its purpose was to act as a proxy, logging all the data it receives. I could have done a kazillion fun things to add to that but I resisted the temptation. An hour or so later, I had the proxy program working as I wanted and so went back to dialing in. As soon as my connection got established, the program started displaying the various requests coming in from users on the Dhiraagu network. Less than a minute into the dialup and my program crashed due to overflow. There was too much data! I reprogrammed bits to fix the issue and went back on, logging data for about 5 minutes before disconnecting.

I opened up the log file created by my program and analyzed the various connection attempts. By the end of going over the log, I had another reason to be quite amused. The log indicated that about 75% of all requests I had intercepted were for pornographic websites. This was proof that much of the Maldivian internet users used the internet for porn!!

Anyway, this "flaw" gives rise to a whole set of opportunities. I could impersonate any server on Dhiraagu. I could become one of their FTP servers and start logging username/passwords. I could become one of the web servers and start serving rogue web pages. I could become the email server and log username/password as people attempt to check mail. The possibilities were almost endless...

I have mailed Dhiraagu several times over the years regarding this issue but never received a reply. Sadly, this was still working about 6 months ago according to a friend who tried it. However, it may have been fixed in the recent endeavor by Dhiraagu to improve the security in their networks.
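What "set correctly" means on the provider side is that the access server never honours an address the dialling client proposes (unless that address is the one on record for that subscriber) and that each dial-up session is only allowed to send packets from the address it was given. The following is an added Python model of those two policies, not code from Dhiraagu or from this post. The proxy address is the one the GPRS post on this page lists (172.24.97.4); the dial-up pool, the other server addresses and the static-assignment table are constructed placeholders.

```python
import ipaddress

# Constructed values. The proxy address is the one the GPRS post on this page
# lists; the pool, the other server addresses and the static assignment table
# are placeholders.
DIALUP_POOL = ipaddress.ip_network("10.10.0.0/22")
INFRASTRUCTURE = {
    ipaddress.ip_address("172.24.97.4"),   # web proxy (address from the page)
    ipaddress.ip_address("172.24.97.10"),  # placeholder: mail server
    ipaddress.ip_address("172.24.97.11"),  # placeholder: FTP server
}
STATIC_ASSIGNMENTS = {"static-customer": ipaddress.ip_address("10.10.3.250")}
RESERVED = INFRASTRUCTURE | set(STATIC_ASSIGNMENTS.values())


def negotiate_address(subscriber, requested, in_use):
    """Access-server policy for the address a dialling client proposes.

    The proposal is honoured only when it equals the address the provider has
    on record for that subscriber and that address is free. Any other proposal,
    including one of the provider's own server addresses, is ignored and a
    fresh pool address is handed out instead. Returns the address as a string."""
    requested = ipaddress.ip_address(requested)
    in_use = {ipaddress.ip_address(a) for a in in_use}
    static = STATIC_ASSIGNMENTS.get(subscriber)
    if static is not None and requested == static and static not in in_use:
        return str(static)
    for host in DIALUP_POOL.hosts():
        if host not in in_use and host not in RESERVED:
            return str(host)
    raise RuntimeError("dial-up pool exhausted")


def ingress_filter(session_addr, packet_src):
    """Per-session source check: a packet arriving over a dial-up session is
    forwarded only if its source is the address that session was assigned.
    Returns True to forward, False to drop."""
    return ipaddress.ip_address(packet_src) == ipaddress.ip_address(session_addr)
```

The first function is the one that removes the behaviour the post describes: a client asking for the proxy's address simply gets the next free pool address. The second catches the case where a client ignores the negotiated address and sends with a forged source anyway; together they mean a dial-up session can neither obtain nor use a server's identity.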


UPDATE (11-09-2005):
I just received a log from "Fatty" of Digital Squid that re-confirms what I revealed in the article. Thanks Fatty!

Below is a screenshot of the captured traffic in Ethereal where I have placed a "http" filter to list only the web traffic. On the right side, it shows the various websites people are browsing and on the left of that is the associated IP address requesting that particular page. It is interesting to note that 53 percent of the requests are for porn :-)

For the technical lot who are keen to see the actual Ethereal capture, HERE is the log that Fatty provided me with.


Captured data on Ethereal when posing as Dhiraagu proxy

Dhiraagu WebSMS secrets

Dhiraagu WebSMS has been a dear friend to a lot of us. Some of us see it as a means of communicating with friends cheaply when we are strapped for cash while some others use it for more malicious purposes. Anyway, I took a different interest in it since its introduction some years ago.

Once upon a time...

When WebSMS was introduced, Dhiraagu relied on the interface scripts provided by Comverse for their SMS system purchased from Comverse. One part of the web interface had minor changes brought to sport Dhiraagu logos and copyright lines and was offered to the public as WebSMS. It was free for use and had no limits and no Dhiraagu signature lines appended. It was total fun! Of course the fun was just beginning and I forayed into the scripts and ended up with access to the rest of the system that "websms" was actually part of... Dhiraagu then started to bring changes. I suspect these changes were politically influenced rather than being for their own financial or technical reasons.

First, Dhiraagu had a signature line appended to messages. The message was easy to get rid of by merely modifying the form data being submitted to the server. Of course, Dhiraagu fixed it (sorta) in due time.

Next up, they decided to add user registration. It was still free thankfully. This was the first in a step of moves they've made to gather more and more specific data on the users. This initial user registration allowed anyone with an email address to open an account. This of course meant you could use throw-away free emails and aliases to open WebSMS accounts without revealing any real info on yourself.

Then, a few months later, the registration with email addresses was scrapped and people were required to have a mobile number to register. The old accounts were of course purged after this change. This new change ruled out random people opening accounts and sending SMS - you needed to be their customer to send SMS via the web.

Sometime late 2004, they decided to limit the number of SMS to 10 per day per account. Now to implement this, they used a messed up implementation of sessions and cookies. When you login, you got assigned a cookie that set a key "Dhi" with a value of the form "12345%2cWanker%2cWho". Simply by altering the "12345", which is probably something meant to act as a session id, one could override the 10 SMS per day limit. By changing this value, you effectively assume the identity of another user - but all without any authentication! Simply change the number and you are good for another 10 SMS. The interesting thing was that the user/session id didn't need to exist on their server - you could very well use 1000000 and move onto 1000001, 1000002 and so on for more SMS. I had the pleasure of getting my server blocked/ignored by Dhiraagu after I added this 'hack' to my Email2SMS service offered at the time via maldivianunderground.net - but the block wasn't placed until after my Email2SMS service had dispatched around 2000 SMS total using the 'hack' by the second/third day after they brought the "upgrade".

I should mention there were other interesting but less trivial flaws in the WebSMS system - like being able to reset the password for (all) users on the system via SQL injection. The database table they had had the following fields (amongst others): userid, username, password, mobileno. The login and password change facilities had SQL injection and logic deduction possibilities...
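The MMS table listing earlier on this page and the WebSMS login flaw here are the same class of bug: user input spliced into a SQL string. As an added example in Python, not code from Dhiraagu or from this post, here is a login check built the string-concatenation way beside the parameterised form, against an in-memory SQLite table that uses the four field names the post lists. The rows and passwords are constructed placeholders.

```python
import hmac
import sqlite3

# Constructed in-memory stand-in for the table the post describes, with the
# four field names it lists. The rows are placeholders.
CONN = sqlite3.connect(":memory:")
CONN.execute(
    "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, "
    "password TEXT, mobileno TEXT)"
)
CONN.executemany(
    "INSERT INTO users (userid, username, password, mobileno) VALUES (?, ?, ?, ?)",
    [(1, "alice", "correct-horse", "7700001"),
     (2, "bob", "battery-staple", "7700002")],
)
CONN.commit()


def login_vulnerable(username, password):
    """String-built query: quotes in the input become part of the SQL, so the
    WHERE clause can be rewritten by whoever fills in the form. Returns the
    userid of the first matching row, or None."""
    sql = (f"SELECT userid FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = CONN.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(username, password):
    """Parameterised lookup: the input is bound as data and can never change
    the statement. The password is compared in constant time; storing a salted
    hash instead of the plaintext is the further step not shown here."""
    row = CONN.execute(
        "SELECT userid, password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    userid, stored = row
    return userid if hmac.compare_digest(stored.encode(), password.encode()) else None


# Classic tautology input: one quote closes the literal, the rest makes the
# condition always true. Against the string-built query it logs in as the
# first row; against the bound query it is just a username nobody has.
TAUTOLOGY = "' OR '1'='1"
```

The same binding rule applies to the password-change statement the post mentions: an UPDATE whose WHERE clause is assembled from the form is what lets one request touch every row, and a bound parameter cannot widen the clause.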

Soon after the 10 SMS limit "upgrade", in May 2005, Dhiraagu made another of its upgrades to make the messages that were being sent via the system seem to originate from the number of the WebSMS account holder. Up till then, the originating number was "+000". This new upgrade killed the anonymity of messages being received by a WebSMS recipient. It killed the fun of course and I had to find some way to get around it - just to piss off friends. It turned out Dhiraagu had simply appended the account holder's number to the cookie that is set when a user logs in - and then uses that number from the cookie to represent the originating number whenever an SMS is sent. If you are having a hard time imagining how it looked, the cookie was of this form: Dhi=12345%2cJawish%2cJaa%2c770000. This opened up new possibilities! I could make SMS appear to originate from any number. I could make it that of a friend's or foe's. I could make the number an international one or even a landline one. Seeing my dad stare at the phone in disbelief when he received an SMS from himself was fun enough! Hehe.

Sadly, these "features" were fixed when Dhiraagu upgraded the system yet again in August 2005. No wild originating fun for now. I haven't messed around with it yet - much.

Psst. Tricks!

To finish off this lengthy post on Dhiraagu WebSMS, I'm sharing two neat tricks that you may like and that still work on Dhiraagu WebSMS as of today.

No signature line: Don't want the "(Dhiraagu WebSMS)" line to appear in messages you send via the WebSMS system? Then simply add an equal sign ("=") as the last character in your post!

Long messages: Do you have some looonnggg message to send to someone and it's hard to fit in the 140 character limit that WebSMS imposes on you? Worry no more. You don't need to split the message into bits and send as separate messages and risk decreasing that dreaded 10 SMS limit you have for the day. All you need to do is disable JavaScript support in your browser temporarily (It is an easy feat - consult your browser documentation on how to do this). When you type in the messages now, the limit counter will stay the same and you can go on typing forever. The messages are sent to the recipient as discrete SMS messages of text limit ~140 characters each. However, you will be penalized for only one SMS in the WebSMS daily limit counter.
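The session-id cookie, the originating-number cookie and the JavaScript-only length counter described in this post all fail for one reason: the server takes a decision from data the browser supplies. As an added Python example, not code from Dhiraagu or from this post, here is the server-side shape that closes all three at once: a decoder for the "Dhi=..." cookie layout the post describes (to show what was being trusted), an unguessable session token that maps to a server-side user record, and a send routine that takes the originating number from that record, checks the length itself and charges the daily quota per 140-character segment rather than per form post. The user record and recipient number are constructed; the name and number in the sample cookie are the ones the post shows.

```python
import math
import secrets
import urllib.parse

SEGMENT_CHARS = 140   # the per-SMS text limit the post mentions
DAILY_LIMIT = 10      # the per-account daily limit the post mentions

# Constructed user records. The display name and the originating number live
# here, on the server, and are never read back from the browser.
USERS = {
    "jawish": {"display": "Jawish", "mobile": "770000", "sent_today": 0},
}
SESSIONS = {}  # random token -> username, held server-side


def parse_legacy_cookie(cookie):
    """Decode the 'Dhi=id%2cname%2cname2%2cnumber' shape the post describes.
    Every field is client-controlled plaintext, so a server that reads the id
    or the number out of it is trusting whatever the browser chose to send."""
    _, value = cookie.split("=", 1)
    return urllib.parse.unquote(value).split(",")


def login(username):
    """Issue an unguessable session token; it is the only thing the browser
    holds, and it carries no identity of its own."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def send_sms(token, recipient, text):
    """Every decision is made from server-side state: the session must exist,
    the originating number comes from the user record, the length is measured
    here rather than by browser JavaScript, and the quota is charged per
    140-character segment rather than per form post."""
    username = SESSIONS.get(token)
    if username is None:
        return {"ok": False, "reason": "no valid session"}
    user = USERS[username]
    segments = max(1, math.ceil(len(text) / SEGMENT_CHARS))
    if user["sent_today"] + segments > DAILY_LIMIT:
        return {"ok": False, "reason": "daily limit reached"}
    user["sent_today"] += segments
    return {"ok": True, "from": user["mobile"], "to": recipient,
            "segments": segments, "remaining": DAILY_LIMIT - user["sent_today"]}
```

Changing the token to 1000001 in this design gets "no valid session" rather than a fresh quota, because the token is random and the counter lives against the user, not the cookie; and a 700-character post costs five of the ten daily messages whether or not the browser ran its counter.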

Enjoy!

Update (14 Oct 2005): Dhiraagu has fixed the bugs that made possible the two tricks revealed above. Too bad :-)

Sun, beach and Internet

I'm travelling to Raa atoll Ungoofaaru tomorrow and will be staying in the island for about 3 days. Sadly, it's not on holiday though - it's for some work. I am taking my computer gear of course and wanted to be able to get on the internet while I'm there. Thankfully this is now possible, owing to the availability of GPRS service via Dhiraagu. The connection is awfully slooowwwww of course, but it's quite usable and I'd take it happily when I'm bored and desperate.

I had tested using internet on my laptop via GPRS when Dhiraagu had the "free GPRS" week at the time of its introduction in July, but didn't have the settings anymore due to a hard disk change. So again today, I set out to set up my laptop for internet via Dhiraagu GPRS using my bluetooth enabled phone. Here is how I did it...

Installing bluetooth on the laptop
This is normally quite an easy task; however, it turned out to be quite a challenge as the bluetooth dongle I had now was unbranded and the drivers supplied with it refused to run on Windows 2003 Server running on my laptop. To make a long story short, I downloaded the latest Widcomm bluetooth driver (with Win 2k3 support) and installed it. Then I applied the patches floating on the net to remove the vendor hardware dependent licensing. And voilà! It works! Head over to http://forum.gsmhosting.com/vbb/showthread.php?t=127539 if you've been having the same problem.

Setting up GPRS
I already have GPRS setup on my phone since I use WAP and MMS occasionally. Details of how to do this for Dhiraagu customers are at http://mms.dhiraagu.com.mv.

Setting up the Bluetooth connection
In the final stage of this process, I created a Bluetooth dialup networking connection to my phone from the laptop. Right clicking the bluetooth system tray icon and selecting "Bluetooth Setup Wizard" will finish the process in a breeze.

Then, the networking settings for the Bluetooth dialup connection were set as follows. Open the connection properties, click the "Networking" tab, click the "Settings" button. Untick "Enable LCP .." and "Negotiate multi-link ...".

gprs network settings

Setting up browser
Dhiraagu requires the use of a proxy to browse and use internet. Setup your favourite browser with the proxy address as "172.24.97.4" and port as "8080".

In Internet Explorer, go to "Tools" menu, select "Options" and in the window that opens select the "Connections" tab. You should see the name of the Bluetooth connection you created. Select it and click the "Settings" button. Now, fill the various options as shown below.

gprs proxy settings

Establishing the link
Finally, time to dial! Double click the Bluetooth connection created in the above stages. Enter the dialup number and user/pass. The dial number is of the format "*99***2#" where 2 is the CID shown on the phone for the GPRS account you want to use. The user/pass is blank.

gprs dialup connect

Once the dial button is hit, a connection is attempted and shows as "Connected" if it was successful. There is no need to worry about how long you keep it connected as you are only charged for the data that is sent and received.

Now I am all set to leave to the island and I can hopefully sit and use the internet where the waves crash humbly onto the beach not far from my bare feet while cooling under the shade of a tall colorful palm tree. :-)