How The Sun was Hacked

Imperva’s Tal Be’ery explains how The Sun was hacked.

Bottom line:

  • LulzSec is using web application vulnerabilities (as we said earlier).
  • If you don’t want to be the next LulzSec victim, invest in your web application defense.
  • What LulzSec is doing (and has done) simply mirrors what commercial hackers do to steal data. Their methods are nothing new; only the purpose, hacktivism, is different.

See this quote from http://www.theregister.co.uk/2011/07/19/anonymous_hacking_arrests/:

Federal prosecutors announced the arrests of two other people who were charged with computer offenses that may have been related to hacks credited to LulzSec, which many believe to be a splinter group of Anonymous.

Scott Matthew Arciszewski, a 21-year-old student at the University of Central Florida, illegally accessed a website operated by the FBI-affiliated Infragard, a criminal complaint filed last week in Tampa alleged. He then uploaded three files he named “aspydrv.asp;jpg” – and, yes, the indictment includes that semicolon in the filename – which “caused damage to the server by impairing the integrity of the server,” according to FBI Special Agent Adam R. Malone, who prepared the document.

That’s local file inclusion (LFI).

How does the attack work? It exploits a known vulnerability in IIS (CVE-2009-4444):

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4444

Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file.

If the application (say “app.com”) allows JPG uploads, the attacker can upload “malicious.asp;.jpg”. The application’s filter identifies it as a “jpg” based on the trailing extension and allows the upload.

The IIS server that runs the application, however, determines the type of a file whose name contains a semicolon from the extension before that semicolon, so “malicious.asp;.jpg” is treated by IIS as an ASP file. An ASP file is server-side executable code, which can be used to take over the server.

Now the attacker can execute his malicious code by browsing to “app.com/uploaded-content/malicious.asp;.jpg”, which activates the malicious ASP file and takes over the server.
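The mismatch described above, as an added example that is not code from the post or from Imperva: a small Python model of how a last-dot upload filter sees the name, how IIS 5.x/6.x resolves it per the advisory, and a hardened check that allow-lists the whole filename. The allowed-extension set, the `SAFE_NAME` pattern and the `storage_name` helper are assumptions chosen for the example.

```python
import re
import uuid

# Policy the upload form is meant to enforce (constructed example values).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions IIS 5.x/6.x hands to script engines, as listed in CVE-2009-4444.
SCRIPT_EXTENSIONS = {".asp", ".cer", ".asa"}

# Assumed safe-name pattern: base name, exactly one dot, one extension,
# no semicolons, slashes, spaces or other separators anywhere.
SAFE_NAME = re.compile(r"[A-Za-z0-9_\-]+\.[A-Za-z0-9]+")


def iis_legacy_extension(filename: str) -> str:
    """Model of the IIS 5.x/6.x behaviour in the advisory: only the part of
    the name before the first ';' is examined, and its last '.' extension wins."""
    head = filename.split(";", 1)[0]
    dot = head.rfind(".")
    return head[dot:].lower() if dot != -1 else ""


def naive_filter_accepts(filename: str) -> bool:
    """The flawed upload check: look only at the text after the last dot."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in ALLOWED_EXTENSIONS


def hardened_filter_accepts(filename: str) -> bool:
    """Allow-list the whole name, not just its tail, so the filter and the
    web server cannot disagree about which extension the file carries."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    ext = "." + filename.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS and ext not in SCRIPT_EXTENSIONS


def storage_name(filename: str) -> str:
    """Never store under the client-supplied name: keep only the validated
    extension and generate the rest server-side. Raises on rejected names."""
    if not hardened_filter_accepts(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return uuid.uuid4().hex + "." + filename.rsplit(".", 1)[1].lower()


if __name__ == "__main__":
    for name in ("photo.jpg", "malicious.asp;.jpg", "shell.asp.jpg"):
        print(name, "naive:", naive_filter_accepts(name),
              "hardened:", hardened_filter_accepts(name),
              "IIS 5/6 sees:", iis_legacy_extension(name))
```

The naive filter accepts “malicious.asp;.jpg” while IIS 5.x/6.x would resolve it to “.asp”; the hardened filter rejects it at the character-set check, before any extension comparison.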

According to the Guardian’s report on the Murdoch attack (http://www.guardian.co.uk/technology/2011/jul/19/how-lulzsec-hacked-sun-website?intcmp=239):

The most likely candidate for that hack – which would use the weakness discovered in 2009 – is the “mailback” page at http://www.new-times.co.uk/cgi-bin/newtimesmailback, which on Tuesday morning had been deactivated, along with the whole of the new-times site.

It’s possible that the “newtimesmailback” page allowed file uploads in a similar way to the one described above.
