Database Passwords Everywhere!

Transcript

1. Database Passwords Everywhere! Feross Aboukhadijeh feross.org

2. CMSploit Definition: Security scanner that tests websites built with content

   management systems for temporary files that contain sensitive information.
3. None

4. 0 1,250,000 2,500,000 3,750,000 5,000,000 18,819 334,408 1,656,021 4,485,142 Number

   of sites Data from BuiltWith (http://trends.builtwith.com/cms/)

5. Vulnerable sites

6. perezhilton.com

7. indianapublicmedia.org

8. lsc.org

9. su.pr

10. marginalrevolution.com

11. futuremark.com

12. openculture.com

13. scobleizer.com

14. rovio.com

15. How CMSploit works

16. 1. Config files 2. Text editors

17. 1. Config files 2. Text editors

18. Typical config file <?php /**  Name  of  WordPress  database  */

    define('DB_NAME',  'my_secret_database'); /**  MySQL  database  username  */ define('DB_USER',  'secret_agent_1'); /**  MySQL  database  password  */ define('DB_PASSWORD',  'you_will_never_guess_this'); /**  MySQL  hostname  */ define('DB_HOST',  'mysql.mysite.com');

19. Typical config filenames • wp-config.php // Wordpress • config.php //

    phpBB, ExpressionEngine • configuration.php // Joomla • LocalSettings.php // MediaWiki • mt-config.cgi // Movable Type • settings.php // Drupal

20. Big mistake • Config files sit in a publicly accessible

    folder • Easier to set up this way, but less secure • All sensitive info is between <?php ?> tags • Demo: http://feross.net/wordpress/wp-config.php

21. 1. Config files 2. Text editors

22. 1. Config files 2. Text editors

23. Recipe for disaster + Text Editor Config files

24. Temporary Files • For a file wp-config.php, text editors will

    create: • Backup files • wp-config.php~ // Vim, Gedit • #wp-config.php# // Emacs • wp-config.php.save // Nano • Swap files • wp-config.php.swp // Vim • wp-config.php.swo // Vim

25. 1. Config files 2. Text editors

26. What’s wrong here? • There may be temporary files which

    contain sensitive info floating around in publicly-accessible folders. • If temp file gets requested, most servers will return the plaintext, skipping the PHP pre-processor. • .php Content-Type: text/html; charset=UTF-8 • .php~ Content-Type: text/plain • etc... Content-Type: text/plain

27. Temporary Files • For a file wp-config.php, text editors will

    create: • Backup files • wp-config.php~ // Vim, Gedit • #wp-config.php# // Emacs • wp-config.php.save // Nano • Swap files • wp-config.php.swp // Vim • wp-config.php.swo // Vim

28. How prevalent is this problem?

29. What I did • Wrote program to test top 1

    million websites • It issues GET requests to a site to test for the presence of temporary backup files with common CMS config filenames

30. Results: • Tested the 216,391 most popular websites (according to

    Quantcast). • Found 230 config files visible in root of site. • Thus, 230 / 216391 = 0.11% of all websites are vulnerable. • Latest stats say that about 13.8% of the top 10,000 websites run CMSs. If we just focus on CMS-powered websites (and extrapolate), then the percentage of vulnerable sites is: • Thus, 230 / (216391 * 0.138) = 0.77% of websites running a CMS are vulnerable.

31. 230 config files total • E-commerce (cc #s) • Churchs

    • Fire department in a really large U.S. city • Porn sites • Lots of WordPress blogs...

32. What would you do?

33. None

34. What I did • Didn’t try logging in with any

    of the passwords. • Responsible disclosure to top sites. • Submitted a vulnerability report with US- CERT. (They ignored it)

35. Email to top sites To whom it may concern: I

    believe that I have discovered a security issue with the ________.com website. If you'd like to know more, I can disclose the full details of the issue to an engineer or software developer on your website team so the issue can be fixed. Respectfully, Feross Aboukhadijeh Stanford University, Computer Security Lab

36. .htaccess rule <Files ~ “(^#.*#|~|\.sw[op])$”> Order allow,deny Deny from all

    </Files>

37. Complaints From: ****@us.pgds.com To: [email protected] To whom it may concern,

    Our organization has detected suspicious traffic originating from boxxy.stanford.edu (128.12.188.246) against the web site of one of our affiliated companies. The request URL for some of that traffic was to /wp-config.php~ The traffic occurred at 5 Oct 2011 11:48:26 GMT and 5 Oct 2011 12:22:50 GMT. We would appreciate it if you would investigate and resolve this matter. Thank you, ******** ******* Senior IT Security Administrator Prudential Global Data Services (PGDS-US)

38. From: Information Security <[email protected]> To: [email protected] We're forwarding a complaint

    about a machine registered to or administered by you. Unless you're aware of this, it indicates the machine has been broken into or otherwise compromised. When a system has been compromised at the system privilege level, rebuilding the system, applying current patches, and setting good passwords on all accounts, is the recommended way to repair the machine.

39. from: [email protected] to: [email protected], [email protected], [email protected] cc: [email protected] Hi there,

    I first alerted you to miscreant behavior coming out of boxxy on 10/6. Please let me know that you have either remedied the problem or disconnected the machine today. If we continue to get abuse complaints, I will have the machine disabled. I've copied your RCC in case you need help cleaning the machine. Thanks,

40. from: [email protected] to: [email protected], [email protected], [email protected] cc: [email protected] Dear res-net

    folk, We are continuing to receive complaints against boxxy. Please disable the machine until it can be cleaned. Thanks,

41. from: ***@stanford.edu to: [email protected] cc: [email protected], security- [email protected], [email protected], mirrielees-

    [email protected] All: Changed Netdb record to 'vile' state for host 128.12.188.246.

42. Lesson learned • When scanning / attacking 200,000 websites, don’t

    do it from your own IP address • Use Tor (https://www.torproject.org/) • Or a VPN / server in another country

43. Passwords • Tons of people used “wordpress” or the name

    of their site as DB name, username, AND password. • Lots of 1337speak p@ssw0rds

44. Worst offenders “dbdbdb” for an online magazine “patrick” for an

    online newspaper “Summ3r” for a summer camp program “FuckYou4231” for a horror movie site “c0d3b3tt3r” for a site about coding better “usernamehere” “yourpasswordhere” “abc123456” “root” “root” <-- probably disallow remote DB connections

45. Final thought • Lots of sites put their CMS in

    a subfolder/ subdomain • /blog/, /wiki/, /forums/ • blog.mydomain.com

46. Other resources • Original blog post (feross.org/cmsploit) • Reddit discussion

    (goo.gl/3kAI2) • DEFCON: Pillaging distributed version control system repos for fun and profit (goo.gl/IevyF) • Attack against wp-config.php~ (goo.gl/i381Q) • WordPress security thoughts (goo.gl/0K8Bg)

47. Thanks! Feross Aboukhadijeh feross.org