Since the original is in English, I have put the original text after and my translation in front for now!
A rough translation:
Step one:
The attacker picked as his target a zone-h.org contributor with limited privileges (referred to below as ''TARGET'').
He sent the server an ''I forgot my password'' reset request, knowing that the server would send a new password to TARGET's email address, a Hotmail account.
Step two:
The attacker used the Hotmail XSS vulnerability
(see http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048645.html)
to obtain TARGET's Hotmail session cookie, then got into TARGET's mailbox and read the new password.
Step three:
The account the attacker had taken over carried the privilege to upload news articles with pictures. Using it he uploaded an image file that looked like a defacement; unfortunately for him such an upload has to be reviewed and approved by someone with administrative rights before it becomes publicly visible, and of course it was not approved. The account was then frozen as well.
Step four:
The attacker knew that the file he had uploaded was still sitting in Zone-H's image folder and had not been deleted,
so he submitted a URL of the form www.zone-h.org/imagefolder/imagename, which Zone-H accepted and mirrored with a snapshot, making it public.
The attacker had now succeeded in uploading a file and making it reachable.
Step five:
In that first upload the attacker had uploaded not just an image file
but also a PHP shell, which Zone-H's security policy prevented him from executing.
Earlier, however, using the privileges of the stolen account, he had learned that Zone-H's modules included the JCE editor, whose jce.php has a file inclusion vulnerability through the ''plugin'' and ''file'' parameters (their input is not checked before being used in an include; see http://secunia.com/advisories/23160/).
So the attacker knew he could finally use this vulnerability to execute the PHP shell he had uploaded earlier:
- - [21/Dec/2006:23:23:15 +0200] "GET
/index2.php?act=img&img=ext_cache_94afbfb2f291e0bf253fcf222e9d238e_87b12a3d14f4b97bc1b3cb0ea59fc67a
HTTP/1.0" 404 454
"http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/&sort=0a"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
A short while later:
- - [21/Dec/2006:23:23:59 +0200] "GET
/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...&act=ls&d=/var/www/cache/cacha/&sort=0a
HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
212.138.64.176 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php
HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
Step six:
Using this vulnerability to run the previously uploaded PHP shell, the attacker created a directory (/var/www/cache/cacha), created a new shell in it (020.php), and created a custom .htaccess that disabled mod_security for that directory.
Step seven:
With the newly created PHP shell (now free of mod_security's restrictions) the attacker modified the configuration.php file and embedded an HTML defacement page:
- - [22/Dec/2006:01:05:15 +0200] "POST
/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F
HTTP/1.0" 200 4781
"http://www.zone-h.org/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.8.0.9) Gecko/20061206
Firefox/1.5.0.9"
Okay, our faults were as follows:
1. Having a staff member dumb enough not to recognize even a Hotmail XSS.
2. Not finding the uploaded shell.
3. Not acting on the JCE component advisory in time.
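As an added example (not code from the Zone-H write-up), the following Python scans Apache combined-format access logs for the two things the requests quoted above make visible: a com_jce call whose plugin or file parameter walks out of the plugin directory, and PHP files being requested and then edited from under /cache/, a tree that should only ever hold data. The sample lines are the four requests quoted above, rejoined onto single lines; where the write-up omits the client IP the documentation address 198.51.100.1 is substituted, and the rule names are my own.

```python
"""Flag the JCE file-inclusion -> web shell chain in Apache access logs.

Added example; not code from the Zone-H write-up.  SAMPLE_LOG holds the four
requests quoted in the write-up, rejoined onto single lines; the client IP the
write-up omits is replaced by the documentation address 198.51.100.1.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any .php file under the web-writable cache tree: nothing legitimate runs there.
CACHE_PHP_RE = re.compile(r"^/cache/.*\.php$")

UA_MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
UA_FF = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"

SAMPLE_LOG = [  # constructed from the write-up's quoted lines
    '198.51.100.1 - - [21/Dec/2006:23:23:15 +0200] "GET /index2.php?act=img&img='
    'ext_cache_94afbfb2f291e0bf253fcf222e9d238e_87b12a3d14f4b97bc1b3cb0ea59fc67a HTTP/1.0" 404 454 '
    '"http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...'
    '&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/&sort=0a" "' + UA_MSIE + '"',
    '198.51.100.1 - - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce&no_html=1'
    '&task=plugin&plugin=..<>/<...&act=ls&d=/var/www/cache/cacha/&sort=0a HTTP/1.0" 200 3411 "-" "'
    + UA_MSIE + '"',
    '212.138.64.176 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php HTTP/1.0" 200 4512 "-" "'
    + UA_MSIE + '"',
    '198.51.100.1 - - [22/Dec/2006:01:05:15 +0200] "POST /cache/cacha/020.php?act=f&f=configuration.php'
    '&ft=edit&d=%2Fvar%2Fwww%2F HTTP/1.0" 200 4781 "http://www.zone-h.org/cache/cacha/020.php?act=f'
    '&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F" "' + UA_FF + '"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def jce_inclusion(url):
    """Return 'param=value' when url is a com_jce request whose plugin or file
    value leaves the plugin directory (traversal, absolute path or NUL); else None.
    Matching on the shape of the value rather than on known targets also catches
    the probing that precedes a working include."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("option") != ["com_jce"]:
        return None
    for name in ("plugin", "file"):
        for value in qs.get(name, []):
            if ".." in value or value.startswith("/") or "\x00" in value:
                return f"{name}={value}"
    return None


def scan(lines):
    """Return (timestamp, rule, evidence) for every suspicious request.
    The Referer is inspected as well: the first quoted request is a harmless-looking
    404 for an image, and only its Referer carries the com_jce traversal."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("url", "referer"):
            hit = jce_inclusion(rec[field])
            if hit:
                findings.append((rec["ts"], "jce_file_inclusion", f"{field}: {hit}"))
        parts = urlsplit(rec["url"])
        if CACHE_PHP_RE.match(parts.path):
            qs = parse_qs(parts.query, keep_blank_values=True)
            if qs.get("ft") == ["edit"] and "f" in qs:
                findings.append((rec["ts"], "webshell_file_edit", f"{parts.path} edits {qs['f'][0]}"))
            else:
                findings.append((rec["ts"], "php_under_cache", parts.path))
    return findings


if __name__ == "__main__":
    for ts, rule, evidence in scan(SAMPLE_LOG):
        print(f"{ts}  {rule:20s} {evidence}")
```

Run against the four quoted lines this yields the chain in order: the traversal seen only in a Referer, the traversal in a request line, the first hit on 020.php, and the POST that edits configuration.php. The cache-tree rule is the cheap one to deploy first, since a legitimate Joomla install never executes PHP from /cache/ and the rule needs no knowledge of the JCE bug at all.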
-----------------------------------------------------------------------------------------------------------------------------------
Author: Thanatos
On the night of 21 December 2006,
opening zone-h.org showed the following text:
zone-h hacked ??
Hacked by Cyber-Terrorist & z3r0 To z3r0
uname -a: Linux zone-h.org 2.6.11.9-grsec-xeon #1 SMP Fri May 20 11:49:29 EEST 2005 i686
your Security...Get DoWn!
[[where the Security is none]]
----------------------
Cyber-Terrorist was here
&
z3r0 To z3r0 was here
--------------------
From ##Saudi Arabia##
| contact: cyb3rT@hotmail.com |
| contact: z3r0.2.z3r0@hotmail.com
I then immediately discussed it with a few people (a small excerpt):
h3l????: I guess this is the last of aelph's legacy of getting hacked.
I don't think they rooted it, but then we don't know what user httpd was running as or file / directory perms, who knows they could have screwed them up.
I have to say these guys picked the correct weak link and exploited it fully, respect for that.
S???????:
Ok, I've been told that he was NOT root, and uploaded a new index from
1) Logged into Zone-h administration using Aelighius_Mungrious password.
2) Edited Joomla skins and therefore uploaded phpshell.
3) Got plaintext config files and logged into SQL.
4) Changed the admin passwords, logged in, and defaced index.
Either way it was a good hack.
Si?????:
What would have been your method of rooting it if PaX (which we dont know if it was or not) was enabled?
h3l???????:
I'm betting it was, seeing as they are also running mod_security. They also couldn't get command execution as, reading between the lines, safe_mode is on.
Si?????:
They have mod_security enabled and yet with my experiences mod_security blocks all types of known shells unless they had shit rules. I think PaX was enabled as it comes as standard when you compile grsecurity...
That was still all speculation, so I sent an email straight away to ask.
Below is the official explanation:
Dec 17th - step one: The attacker decided to target one of our Zone-H contributors (no names, let's call him TARGET who, by the way, had only limited privileges on our Joomla based platform) by sending a "I forgot my password" reset request to the Zone-h server running a CMS, Joomla, knowing that it would send a new password to the TARGET email address, a Hotmail account.
Dec 17th - step two: The attacker took advantage of the recent http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048645.html ( The Hotmail XSS bug ) to get the TARGET's Hotmail session cookie. By accessing his email the attacker obtained the newly generated Joomla frontend password.
Dec 17th - step three: By obtaining the TARGET's frontend Joomla password the attacker gained the same privileges as other Zone-H contributors, which allowed them to upload a news article with some pictures (but not to publish it!). He used such privileges to upload news containing an image file that resembled a defacement and submitted it to our defacement mirror. But this didn't work as the attacker didn't realize that the defacement page was visible only to those having administrative rights; not even our mirror robot could take a snapshot of it. Having no mirror of that pseudo-defacement and it being visible only to the administrator, we decided not to publish the entry in our database.
We disabled the TARGET’s Zone-H front-end administrative account.
Dec 18th - step four: The attacker realized that the image file he uploaded and used in his previous defacement attempt was still present in the zone-h image folder, therefore he simply notified the Zone-h mirror robot with a url like: www.zone-h.org/imagefolder/imagename. The mirror robot liked it and accepted it. Even though that image would have never appeared by itself, the mirror robot took the snapshot, therefore we decided to publish it in our archive.
After all, the attacker managed to craft an attack against one of the Zone-H staff members and had uploaded a file in our server finding finally the way to make it visible.
Fair enough, defacement + star.
Dec 21st - step five: We thought the attack was finished but this time the "real" defacement arrived, by the same attacker. Apparently during the first defacement he uploaded not only the image file used in the first defacement attempt but also a php shell (shame on us we didn't find it, but hey... it's x-mas time, we are all busy with shopping down here...). The attacker didn't know though how to use the shell, as Zone-H security policies didn't allow to execute it directly or from within the defacement mirror frame. During Dec. 17th-18th the attacker had a limited timeframe to access the Zone-H administrative front-end, during which he realized what components our Joomla installation was integrated with in the administrative front-end (a mix of self-written modules and standard modules). One of the modules was the JCE editor, which contained a file inclusion flaw where input passed to the "plugin" and "file" parameters within jce.php was not properly verified before being used to include files.
http://secunia.com/advisories/23160/
He understood now that he could finally run the previously uploaded PHP shell, and here we see that request:
- - [21/Dec/2006:23:23:15 +0200] "GET
/index2.php?act=img&img=ext_cache_94afbfb2f291e0bf253fcf222e9d238e_87b12a3d14f4b97bc1b3cb0ea59fc67a
HTTP/1.0" 404 454
"http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/&sort=0a"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
and shortly after:
- - [21/Dec/2006:23:23:59 +0200] "GET
/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...&act=ls&d=/var/www/cache/cacha/&sort=0a
HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
212.138.64.176 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php
HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
Dec 21st - step six: The attacker, by exploiting the local file inclusion in the JCE component, used the first (nearly useless) php shell to create a new directory (/var/www/cache/cacha), to create a new shell (020.php) and to create a custom .htaccess to disable mod_security in that specific directory.
Dec 21st - step seven: The attacker used the brand new php shell, without restrictions as mod_security had been disabled, to modify the configuration.php file and insert the defacement HTML page:
- - [22/Dec/2006:01:05:15 +0200] "POST
/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F
HTTP/1.0" 200 4781
"http://www.zone-h.org/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.8.0.9) Gecko/20061206
Firefox/1.5.0.9"
Oh well, nothing to say! This time we got it for real. A long time has passed since Zone-H got defaced by means of real hacking (2002); all other times had been by means of stolen passwords (social engineering against one of our many, many, many contributors) and by means of privilege escalation from within the administrative login, done by one of our first (stupid) Zone-H staff members.
In a short recap, our faults were:
1) Having a staff member who was not wise enough to recognize a Hotmail XSS attack.
2) Not finding the uploaded, but useless at that time, php shell. Zone-H contains 80 gigs of files, but this is no excuse.
3) Not acknowledging in time the JCE component advisory (and we all make our living by reading tons of advisories every day...)
Our non-fault was: using an open source CMS such as Joomla. All CMSs contain bugs and even assuming you had enough time to code your own CMS (have you any idea how long it would take?) it would probably still be vulnerable, as was the first, self-written Zone-H CMS (defacers never realized how to exploit the old Zone-H bugs, but we had a couple of serious ones). For the sake of the truth, this is my personal opinion, while other staff members have always shown concerns about implementing an open source CMS.
As a second gift from Santa, we also received a good dose of ddos from people who didn't want to see a defaced zone-h online (why not!?! The whole Internet is insecure, it's Zone-H's point to show it, after all...)
Okay, that's all from Zone-H today. We wish you a merry X-mas (also to the attacker; he managed to craft a very elaborate attack, congratulations to him, we all hope he will put his skills into legit activities rather than into defacing).
Ho-Ho-Ho... Meeerry Christmas...
PS: the incident is not in the Zone-H archive because Zone-H policy is not to accept notification on multiple incidents happened to the same server within a 6 month timeframe and we published the previous Zone-H pseudo-defacement three days before. But you can still find the mirror for the forum.zone-h.org (/net/com) as it was also notified for those domains.
You might also notice a slowdown in publishing self-written news during the next 2 weeks, as most of the staff took vacation. We also would like to see an exception this year as x-mas time is usually the time where the defacers are most active.
Why don't you use this time to take a REAL vacation, away from the keyboard and away from the legal troubles defacements can bring along? Real life (and hot chicks) are out there waiting for you...