Okay, I probably shouldn’t post this, because I don’t have any of the programmers to consult with right now, and that usually gets me in trouble. BTW, we’ve moved up the ladder enough now that reputable media sources are providing code-checkers to verify our findings, and we’re in that process now. But, my procedure has always been to release information as I get it, as that makes me feel safer. (Go ahead, naysayers, laugh…)
So here goes, with the caveats that it hasn’t been independently verified yet:
Three files:
1) Show that Diebold wrote code that opened the Microsoft hole and
2) May have exploited the hole
Microsoft just released a report of the “worst ever” security flaw, which they say was uncovered by four Polish programmers. According to the group that discovered it: “Throughout its exploitation, any user can gain complete control over a vulnerable system by the means of a remote attack.”
Here are the specifics with Diebold, just so we’re not the only people who know:
All touch screens at the precincts, and the central count computer at the county, include a file called atl.dll. This atl.dll file includes three RPC (remote process call) interface files. The Microsoft hole is an exploit of the RPC interface.
The atl.dll file is built by a makefile called atlps.mak, the subject of a DU thread launched by me last Sunday night, wherein we asked for translation of a Czech description of identical code found on a web site. I was assured it had no meaning, but the whole deal was a little unusual:
The Czech commentary was removed every time we posted it. Translations were also removed. One DUer said he was emailing his friends in Poland with a request to look at it. Our input from hackers (who saw additional files along with the makefile) said “this is bad, this is bad!” Our initial take on this file, plus its corollary files, was that it was built to create a .dll file that enabled remote control of the voting machines. We specifically identified the three RPC (Remote Procedure Call) libraries as areas of interest, in context of the other things we were seeing.
One reply ridiculed the entire idea, saying it was irrelevant and that (in a later thread) the concern about this makefile proved we were unqualified to evaluate anything.
But here’s the thing: That makefile built the RPC interfaces, now identified by Microsoft as a critical security flaw enabling remote access attacks, into the voting program. This atl.dll file appears repeatedly in the compiled programs for both touch screens at the precinct and central count computer at the county.
We were told we needed the source code to evaluate what we were looking at. Well, we found it. The C++ source code for the atl.dll file is located in a file called atl.cpp.
Note that this was not built by Microsoft, but was created specifically by Diebold.
Yes, Diebold created files that appear to open a back door allowing remote control of the touch screens and county computers.
Is there any source code which may exploit the back door? These are preliminary findings, but a file called WCEATL.CPP must be looked at very carefully (and has been shipped to code-checkers with the media), to see why it invokes an invisible window with a mouse double-click, and why it appears to be writing persistent strings to the host. This does not appear to be just passing files, but seems to be writing information directly into the computer, enabled by remote access.
Legitimate reasons to write data to another computer:
1. According to user manuals, there is a download of ballots from county HOST computer to a touch screen, and it writes ballots to a PCMCIA card, and many copies of the card are made then. However, the configuration of the strings does not seem to match ballots.
2. Upload of vote data from touch screen to the county HOST computer after polls close. However, the strings don't appear long enough to accomplish this.
3. Another (more risky) function is that the county HOST computer transfers data to an Internet server for election night results, which is used by the media. I did not yet ask if these strings might be passing report data to the web page.
“Microsoft said the vulnerability could allow hackers to seize control of a victim's Windows computer over the Internet…The flaw, discovered by researchers in western Poland, also affected Windows versions popular among home users.”
“"This is one of the worst Windows vulnerabilities ever," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.”
“...Maiffret said that inside vulnerable corporations, "until they have this patch installed, it will be Swiss cheese -- anybody can walk in and out of their servers."”
================
Now, I have no idea whether the remote access we’re seeing built in are related to the Czech web site and the build file, and I’m sure I’ll get slapped around for this one, hope I’m not offending DU, probably I’m being ignorant to wonder about this in relation to the Microsoft flaw just discovered, but I just reread these snippets:
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=104&topic_id=38507&mesg_id=38507&page=
Post from Bev Harris: “The following information, which refers to setting up remote control functions, was found at the Diebold voting machine ftp site in source code... We found the identical code (except for one word) on a Czech web site, http://www.eternal.cz/article.php?nID=280 , and it seems to have an explanation for what this code string does... Can anyone translate the following, or explain your theory as to why it is in voting machines?”
EDITED BY ADMIN
---------------------
From Eloriel: “I'm not even sure if this is the whole thing. From this site:
http://translation.langenberg.com/ which I found by googling Translate Czech -- here's the google page if anyone else wants to try
http://search.earthlink.net/search?site=earthlink-ws&q=Translate+Czech”
EDITED BY ADMIN
---------------------
From MrSteve: “The second part text
“It's nothing cryptic or odd - just a set of directions to build an executable program from source code. All the Czech language stuff, though, is gonna be hard to translate without a Czech enabled tech person involved.”
EDITED BY ADMIN
---------------------
from Bev Harris:
“Ah, but perhaps you missed this: why are they using Active X remote control functions in voting machines at all?
“rpc = Remote Procedure Control”
---------------------
From MrSteve: “Assume you're talking about the rpc*.lib files? Good point - these library files do various things when linked into the program (per the MSDN library) - I'm looking them up individually right now.”
---------------------
From MrSteve:
“rpcndr.lib - used for general internal thread and COM control, including TAPI (phone call origination and answering), internal windows programming features, etc.
“Rpcns4.lib - again, general purpose windows plumbing, except where it's used to build and register a proxy dll
“Rpcrt4.lib - used for creating COM objects (again, with proxy DLL possibilities)
“Basically, they are all used for creating common windows internal constructs, although the proxy business and the TAPI use could be suspect. Plus, ActiveX and COM objects have proven to be exploitable by external attack, especially if they are not constructed in a secure manner, or if they are compromised purposely by the original authors in a trojan horse style COM component upgrade after the system is initially installed and approved.”
---------------------
From Bev Harris:
“… The hacker community is much more disturbed by this code snippet than others --
“they are saying "this is bad, this is bad." I'm getting these cryptic phone calls by all-nighters who do nothing but hack into computers. I consider them to be the flip side of academics like Dr. David Dill, and equally valuable. And yes, it is also being perused by the academics. As a non-computer person, I'm amazed that the same code gets such different interpretations by different people. It seems of very high value to get as many interpretations as possible.”
---------------------
From: MrSteve
“Also, the use of the proxy dll is telegraphed by the command to the C compiler in the 7th line: /DREGISTER_PROXY_DLL”
---------------------
From: alfredo
“Got a friend in Poland who has contacts with the Czech hacker community. I will contact him today to see if he can help. Czech hackers are among the best from what he says.”
(I don’t know, of course, whether alfredo contacted his Polish friends, or if they have any contact with the Polish group that discovered the flaw. I'm pretty sure I’m going to have it explained to me that the Microsoft thing has nothing to do with this.)
---------------------
From: Bev Harris
“While we are waiting for less picturesque translation -- anyone? --
“rpcrt4 = Remote Procedure Call Run Time”
---------------------
From: Nlighten1
“This would make a good Slashdot post. I have contacted someone who I know that has good connections with the Slashdot crowd to see if we can get this posted there.”
---------------------
From: MrSteve
“I can give you a line by line breakdown of what the makefile is doing, if you like (but only later during lunch). As I said last night, there's nothing really sinister in the makefile, because it's just a set of high level instructions on how to build the executable.
“Although I should correct myself - it's not creating a standalone executable, per se, but a dll file (atlps.dll to be exact). However, the main point is, what is in the objects that are used to build up the executable? What do the object files dlldata.obj atl_p.obj atl_i.obj contain?
“kernel32.lib is a non-issue - just about every windows program, dll, or library links to it.
“And the libraries we looked at last night - rpcndr.lib rpcns4.lib rpcrt4.lib - what functions are being called in these DLLs? Are they being used to create simple interprocess communication (basic low level windows plumbing) or are they being used for external (out of the box) communication (TAPI, proxy connections, etc.)?”
---------------------
From: Sang0
“I'll ask around in my neighborhood. There are lots of E European immigrants in my neighborhood. What needs to be translated? Is it just that one page that's linked to in post#1? I'll ask around tonight.”
---------------------
From: Nederland
“Got a Friend who is from Czechoslovakia...maybe he'll help me out.”
---------------------
From: Bev Harris
“… all I'm convinced of, for now, is that it definitely deals with remote access. I'm very interested in the remote access functions, you see, because of statements like this:
"The GEMS computers are not connected to any communication system" (Dr. Brit Williams, official voting machine examiner and one of the national powermongers influencing certification of these machines) So many places, I'm seeing them de-emphasize or mischaracterize communications, at all levels from precinct on up, and that makes me wonder: Why not just tell us the straight story? Is there something we are not supposed to see?”
---------------------
From Bev Harris
“Was there a reason to delete our assessment of the code on this Czech web site, that it pertains to remote control? … I take issue with not even being allowed to talk about what is in code we found.
“- We found code which pertains to remote access.
“- This code was built into files used in the Diebold voting system, and appears to be used at both local precinct levels and county levels.
“- This code appears to exploit Active X and remote control options.
“And the caveats: We are getting conflicting opinions from computer people, not about the fact that it pertains to remote access, but pertaining to exactly what data is being transferred, who is allowed to do it, and what boundaries are applied.
“This code is of special interest because of the lengths they are going to say the machines "are not connected" or "are connected only one way." It is imperative that we determine exactly, precisely what this code does.
“I am assuming this message is within acceptable DU boundaries. If this one disappears, it means we are getting uncomfortably close to something.”
---------------------
From: Moderator
“You can talk all you want about this project, and you can even state your conclusions. But if you post anything that includes computer code allegedly from Diebold voting machines, then I have to assume that it is proprietary and I have to delete it. Your post isn't going to be deleted. You think the code has something to do with remote control. That's fine. Just don't post the code on this website.”
---------------------
From Bev: (posted repeat of Czech commentary without any code.)
--Message was deleted --
---------------------
Received a translation by private e-mail. Gee, the Czech commentary pertains to setting up remote access.
Bev Harris
Black Box Voting
P.S., Thank God I can see the light at the end of the tunnel now. I want my life back.