Best Buy Insecurities (Spring, 2003)
------------------------------------
By W1nt3rmut3

Note: The following material should be considered educational only. Attempting anything in this article might result in punishment from Best Buy. No prior knowledge of the Best Buy network was used in my personal exploration.

As with most consumer electronics retailers, Best Buy offers computers, DVDs, CDs, stereos, etc., at decent prices. But did you know that Best Buy also offers insight into its business, right from inside the store? I'll bet you didn't. Let's take a trip to our local Best Buy....

Garnering Access

A few computers in every Best Buy offer Internet access. They come in the form of a "Build Your Own Computer" terminal or a "Try Out Broadband" terminal. I have found the "Build Your Own Computer" terminals to be the most accessible, since they aren't as "locked down" as their "Broadband" counterparts. Both types include a printer, which is useful. Both have access to the "Internet," but this is limited to bestbuy.com, microsoft.com, and some of Best Buy's partners.

Normally, some type of interactive demo or fixed browser window protects the units that do allow Internet access. Most keyboard shortcuts (Alt+F4, Win+R, and the like) have been deactivated. One that hasn't been is F1, which opens Windows Help. To use this shortcut, you will have to get to a pop-up window, or sometimes it works right from the interactive demo itself. Anyway, in Windows Help you have two options. The first is a drop-down menu in the upper-left-hand corner. Here are your standard Close, Minimize, etc., but also the Go to URL choice. This allows anyone, as long as certain privileges haven't been set, to access local disk drives by going to the URL "c:\" (or any drive letter, for that matter), and of course any Web link too. The other option is the Web Help button on the top bar, which can get you an Internet Explorer window.
From there, you can explore to your heart's content.

Exploration - Local Domain

But now you say, "mut3, this doesn't get me anything." I say, "You're a hacker, figure something out!" Well, that's what I did. Cruising around the machine, I discovered that most were running some form of NT, and even XP. The one I was using had a functional printer, which will be useful later.

An interesting application to run is Explorer. This allows you to connect to Access Network Drives, under the Tools menu. What you find here is extremely interesting, and extremely insecure. All of the NT domains for each store are accessible. Each domain is labeled STOR followed by the four-digit store number. Inside, there are multiple machines with the following prefixes: SK, SR, SS, SV, and SW. The terminal I use most frequently, a "Make Your Own Computer" terminal, had the hostname SK01xxxx, the xxxx being the store number. All of the hostnames follow the pattern of a prefix, a sequential number, and the store number. Machines within your local domain are accessible, but ones outside your domain should require a login/password pair. Still, there are many goodies to be found within the store. Doing a NETSTAT, some connections piqued my interest. When browsing those computers over the network, a lot of information was accessible, but the greater percentage was just logs related to computers on the premises. Nothing spectacular, but still interesting. More exploration of the local domain is required.

Exploration - Intranet

After thoroughly abusing one Best Buy, I moved on to another, which gave me even more insight into Best Buy's network. While executing the Windows Help vulnerability on a new machine, I was not allowed to view the C: drive or, for that matter, any local drive. But by using the second option described previously, I was on my way.
Because of privileges, we can't see any drives, but we do have access to the "Internet," which, as mentioned before, isn't really much. The real gold comes from history. Some Best Buy employee browsed intranet computers and left the addresses in the history. The hostnames I found were:

* toolkit: 168.94.67.20
* tagzone: 168.94.67.11
* msizone: 168.94.3.46
* cf: 168.94.9.17

toolkit, from my experience, isn't viewable from a floor computer, at least. tagzone is a corporate home page, giving you the latest news on the company and the market. msizone is some type of retailer information center, which requires a login/password pair. cf is either customer fulfillment or computer fulfillment; I'm not sure, since it's called both on the site.

tagzone and cf are the two coolest sites to browse. tagzone, as mentioned, is a corporate home page. But as you explore it, more than just news is available. I was able to get instructions on how to log on to the company's VPN, how to hire and fire employees, and how the company is structured. Let us assume for a second that Best Buy didn't want the public to see this. Then who the hell didn't think that maybe putting floor machines behind the corporate firewall was a bad idea? But I digress....

cf is a site that allows employees to order items not in the store to be shipped from the mysterious "Warehouse 87." I ordered a nice flat panel monitor and had it shipped to the store I was at. Little did I know that for it to be shipped, it must be scanned and paid for at checkout. Well, all is not lost, since from cf you can view warehouse inventory. Now you can see how many box sets of the TV show 24 they really have. If you have access to a printer, go ahead and print. PDFs and documents are available, along with FAQs for employees. Some machines, if you are sneaky, have floppy access, so offloading PDFs is just a matter of time. Don't forget, bringing in programs is also possible, so have fun.
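Floor terminals talking to tagzone or cf is exactly the traffic a store's network team should be alerting on. As an added defender's example (not part of this article, and not Best Buy's own tooling), here is a Python check that scans log lines for floor-terminal hostnames reaching the intranet hosts listed above; the SK prefix as the kiosk marker, the log line format, the SAMPLE_LOG lines and the external address 192.0.2.10 are all assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Intranet hosts the article found in the kiosk's browser history.
INTRANET_HOSTS = {
    "168.94.67.20": "toolkit",
    "168.94.67.11": "tagzone",
    "168.94.3.46": "msizone",
    "168.94.9.17": "cf",
}
# Assumption: floor terminals carry the SK prefix the article saw
# (SK + two-digit sequence + four-digit store number, e.g. SK010042).
KIOSK_HOST = re.compile(r"^SK(\d{2})(\d{4})$")
# Constructed log format (an assumption, not a real Best Buy log):
#   <timestamp> src=<hostname> dst=<ip> url=<path>
LOG_LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) url=(\S+)$")

# Constructed sample: one kiosk reaching two intranet hosts, one non-kiosk
# host, one kiosk reaching an external (TEST-NET) address, one junk line.
SAMPLE_LOG = """\
2003-03-14T10:01:05 src=SK010042 dst=168.94.67.11 url=/news/index.html
2003-03-14T10:01:09 src=SR010042 dst=168.94.67.11 url=/news/index.html
2003-03-14T10:02:31 src=SK010042 dst=168.94.9.17 url=/inventory/search
2003-03-14T10:03:00 src=SK020042 dst=192.0.2.10 url=/
this line is malformed and must be skipped
"""

Finding = namedtuple("Finding", "ts host store target url")

def kiosk_to_intranet(log_text):
    """Return every request a floor terminal made to an intranet host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed line: skip, don't crash
        ts, src, dst, url = m.groups()
        k = KIOSK_HOST.match(src)
        if k and dst in INTRANET_HOSTS:   # kiosk source AND intranet target
            findings.append(Finding(ts, src, k.group(2), INTRANET_HOSTS[dst], url))
    return findings

def summarize(findings):
    """Map store number -> sorted intranet services its kiosks reached."""
    by_store = {}
    for f in findings:
        by_store.setdefault(f.store, set()).add(f.target)
    return {store: sorted(targets) for store, targets in by_store.items()}
```

Any non-empty result from summarize() on a store's logs means the segmentation the conclusion asks for is missing there.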
As for the situation with the "Internet," as I said, it's bleak. Every computer passes its traffic through a proxy, called "sproxy," with an IP address of 168.94.3.19. From multiple trace routes, it looks like pages are being blocked right at the proxy, but I might be wrong. I did find configuration files locally that specify which sites you are allowed to access, but I think those must be loaded when the Best Buy demo software is first installed on the machine. It might be possible to do something through the registry. Another thing is that other open proxies don't work right off the bat, but I am still fiddling with it.

Conclusion

Best Buy made a big mistake in allowing publicly accessible floor models behind the company's firewall. Best Buy must patch this up soon. It could be as simple as requiring a PIN number before entering any intranet site. If not, then they could be headed for a world of trouble.

Shouts: Stankdawg, for getting me going on this whole project; dual, for his constant support; the crews of DDP, Hackermind, and Radio Freek America; and most importantly, Sarah and Ashley.