@idkwim
Forked from anonymous/1.md
Created August 31, 2017 15:25
Hacking North Korea’s Grand People’s Study House

Prologue

I've decided to post this article anonymously. As much as I would have loved to get credit for it, it is not worth putting the safety of my Korean guides at risk. They are great people, and having any connection to this (even though everything done was legal) could cause them to suffer consequences under the regime.

In the spring of 2016 I had the chance to travel to the Democratic People’s Republic of Korea, known in the West as North Korea. The trip was very enlightening, and I’ve come away with a lot of new personal thoughts about the country. This post is not about my personal thoughts, though; this post is about my love of cybersecurity and my constant want to be put on new national security lists.

Grand People’s Study House

During my trip to the DPRK we went to the Grand People’s Study House, which is the central library in Pyongyang, built on Kim Il-sung Square. We had the chance to tour the library and see their collection of books, study rooms, culture rooms, etc.

In many of the rooms there were computers, either at desks, or along the walls. Right when I saw them I wanted to get on them. Questions started flying through my head. What OS are they using? What websites are they using, built on what languages? And most importantly, how can they be hacked?

After a while we ended up in the room shown above. This room was used for learning about various kinds of music and television (you can see some televisions on the left). Behind me are two computers on the wall, and I couldn’t pass up the opportunity. After a minute the guides were on the other side of the room, and now was my chance. Even though everything I planned on and ended up doing was legal, it’s still not something you want to get caught doing.

I started browsing around, looking at the basic web application on the computer. It was entirely in Korean and used for looking up what kind of library books and such could be rented. The basic web app didn’t show much and was not in English, so I was out of luck there. The config on the computer also blocked the command prompt. The computer seemed to be running some late-’90s version of Windows, but I’m not exactly sure.

Triggering an error on the website showed a little more information. It’s running something called DigitalLibWeb2009 on Java Server Pages, at the IP address 113.113.1.12. I’m not doing an audit here, though, and it’s illegal to test web apps without permission, so I didn’t try any injection strings or whatnot on the application. Instead, to stay inside legal boundaries, I looked into what else the computer allowed a normal user to do.

In the Start bar I found an interesting icon; clicking on it revealed the following: the computer was running a local WAMP server that was most likely connected to the rest of the library’s internal network. I began looking around at the files I had access to. It’s at this moment that I felt a tap on my shoulder. I turned around ready to get put in cuffs and to enjoy my 15 years of hard labor. Luckily it was another group member, joking with me about not breaking Korea’s computers and getting arrested. We laughed, and he went back to looking around.

I clicked around some more and found a directory called “Admin” listed under the PHP directory. Opening a .php file titled “login.php”, I was greeted with the following. I’ll let you analyze this for a second and see if you can notice what is wrong here.

Find it? Two lines are concerning. The first is on line 12:

$conn = mysql_connect("localhost", "root", "");
Okay, we’re connecting to a local MySQL database as the root user, with no password, which is disconcerting considering this is happening from a non-admin account. On top of that, there is line 16:
$result = mysql_query("select * from user where name='$uname'", $conn);
That’s SQL injection if I’ve ever seen it. There are some functions later, like stripslashes(), that may help sanitize something returned from the SQL injection, but it’s still there, plain as day.
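To make the two problems concrete, here is an added example (my own code, not the library’s login.php, which is only partially visible above). It reconstructs the string-interpolated query so you can see what a classic payload turns it into, then shows the same lookup done with a dedicated low-privilege account and a prepared statement. The database name, the account name, the environment variable holding its password, and the extra columns in the user table are assumptions for illustration; the page only shows a table called user with a name column.

```php
<?php
// Added example, not code from the page. Assumes a MySQL server on localhost
// with a database "digitallib" (assumed name) containing a "user" table that
// has a "name" column, as in the snippet above.
declare(strict_types=1);

// --- The vulnerable pattern from login.php, reconstructed --------------------
// $uname is dropped straight into the SQL text, so attacker input becomes part
// of the query grammar rather than a value. And it ran as root with no password.
function vulnerableQuery(string $uname): string
{
    return "select * from user where name='$uname'";
}

// A classic payload: close the quoted string, add an always-true clause, and
// comment out the rest. In MySQL "--" only starts a comment when followed by
// whitespace, hence the trailing space.
$payload = "' OR '1'='1' -- ";
echo vulnerableQuery($payload), "\n";
// select * from user where name='' OR '1'='1' -- '
// -> matches every row in the user table instead of one named user.

// --- Hardened version ---------------------------------------------------------
// 1. Connect as a dedicated read-only account, not root, with the secret kept
//    out of the webroot (here: an assumed environment variable).
// 2. Send the SQL text and the value separately with a prepared statement, so
//    the payload is only ever compared as data. mysql_* is gone since PHP 7;
//    PDO (or mysqli) is the replacement.
function lookupUser(string $uname): ?array
{
    $password = getenv('DIGITALLIB_DB_PASSWORD'); // assumed variable name
    if ($password === false) {
        throw new RuntimeException('DIGITALLIB_DB_PASSWORD is not set');
    }

    $pdo = new PDO(
        'mysql:host=localhost;dbname=digitallib;charset=utf8mb4',
        'digitallib_ro',          // assumed low-privilege account
        $password,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );

    // The placeholder is a parameter, never string-concatenated.
    $stmt = $pdo->prepare('SELECT id, name FROM user WHERE name = :name');
    $stmt->execute([':name' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Only run the live lookup when a database has actually been configured, so
// the file can be read and run offline for the string-building part alone.
if (PHP_SAPI === 'cli' && getenv('DIGITALLIB_DB_PASSWORD') !== false) {
    // With the prepared statement the payload matches only a user literally
    // named "' OR '1'='1' -- ", i.e. nothing.
    var_dump(lookupUser($payload));
}
```

The account half of the fix is done on the MySQL side, for example `CREATE USER 'digitallib_ro'@'localhost' IDENTIFIED BY '<strong password>'; GRANT SELECT ON digitallib.user TO 'digitallib_ro'@'localhost';` (assumed names again), so that even a remaining injection cannot read or alter anything outside the one table the login page needs.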

The End

That is as far as I went, because anything further would have been illegal, and I had to get back to my group. Nonetheless, it gave me enough to feel successful in finding at least some kind of vulnerability in their systems. I would like to once again reiterate that all of this data was accessed as a normal user, and no bypassing of any authentication was done.

Remediation

Dear Respected Comrade Kim Jong Un, Chairman of the Workers’ Party of Korea, Chairman of the State Affairs Commission of the Democratic People’s Republic of Korea and Supreme Commander of the Korean People’s Army, the best way to fix this issue would be to sanitize user input and use parameterized queries. Maybe these will help:
https://www.google.com/search?q=what+is+a+password
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
If you need any help my rate is $5000/hr.

Epilogue

My trip to the DPRK was a very fun and safe trip. I would highly encourage anyone to go there and experience it for themselves, as it is a culture unlike any you can experience elsewhere, and the people are very welcoming to tourists.
