Rough translation: Step one, the attacker decided to target a zone-h.org member who held particular privileges (hereafter "TARGET"). He sent an "I forgot my password" reset request to the server, so that the server would send a new password to the target's e-mail address, a Hotmail account.
Step two, the attacker used a Hotmail XSS vulnerability (see http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048645.html) to obtain the target's Hotmail session cookie, then got into the target's e-mail and obtained the new password.
Step three, the account the attacker had obtained held a privilege to upload new articles and images. Using that privilege he uploaded a file in image format; unfortunately for him, the file had to be reviewed and approved by someone with administrative rights before it could be seen publicly, and of course it was not approved. The target account was also frozen.
Step four, the attacker knew that the file he had uploaded was still in zone-h's image folder and had not been deleted, so he submitted it in the form www.zone-h.org/imagefolder/imagename, and zone-h accepted it, took a snapshot and published it.
Now the attacker had successfully uploaded a file and made it accessible.
Step five, in the first upload the attacker had uploaded not only an image file but also a PHP shell. Unfortunately for him, zone-h's security policy prevented it from being executed.
But earlier, using the privileges of the account he had obtained, he had learned that zone-h's modules included a JCE editor, and that the JCE editor module's jce.php had a remote file inclusion vulnerability in the "plugin" and "file" input parameters (no check was performed when including files; see http://secunia.com/advisories/23160/). So the attacker knew he could finally use this vulnerability to execute the previously uploaded PHP shell:
- - [21/Dec/2006:23:23:15 +0200] "GET /index2.php?act=img&img=ext_cache_94afbfb2f291e0bf253fcf222e9d238e_87b12a3d14f4b97bc1b3cb0ea59fc67a HTTP/1.0" 404 454 "http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<///..<////..<////..<////..<////images/stories/food/x &file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
Some time later:
- - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<///..<////..<////..<////..<////images/stories/food/x&file=defi1_eng.php.wmv &act=ls&d=/var/www/cache/cacha/&sort=0a HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
212.138.64.176 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
Step six, the attacker used this vulnerability to run the previously uploaded PHP shell, created a directory (/var/www/cache/cacha), created a new shell (020.php), and created a custom .htaccess to disable mod_security in that directory.
Step seven, the attacker used this newly created PHP shell (now free of mod_security's restrictions) to modify the configuration.php file and embed an HTML defacement page:
- - [22/Dec/2006:01:05:15 +0200] "POST /cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F HTTP/1.0" 200 4781 "http://www.zone-h.org/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
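As an added example (not part of this post or of Zone-H's write-up), here is the detection logic a defender could run over web-server access logs to catch the three stages of this chain that leave a trace there: traversal in the JCE "plugin"/"file" parameters, a PHP script served from the web-writable cache directory, and a POST that edits configuration.php through a shell's file editor. The log lines are constructed, modelled on the ones quoted above, using RFC 5737 test addresses; the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')

# Constructed sample, modelled on the requests quoted in the write-up (IPs are RFC 5737 test addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce&no_html=1&task=plugin&plugin=../../../../images/stories/food/x&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/cacha/ HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [22/Dec/2006:01:05:15 +0200] "POST /cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F HTTP/1.0" 200 4781 "http://www.zone-h.org/cache/cacha/020.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.7 - - [22/Dec/2006:01:06:00 +0200] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.0" 200 9012 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status, _size, referer, _ua = m.groups()
    method, _, rest = request.partition(" ")
    target = rest.rsplit(" ", 1)[0]  # drop the protocol token; the target itself may contain spaces
    return {"ip": ip, "ts": ts, "method": method, "target": target, "referer": referer}

def traversal_in_params(url, params=("plugin", "file")):
    """True if a named query parameter contains '..' after decoding (the two inputs named in the JCE advisory)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(".." in unquote(v) for p in params for v in qs.get(p, []))

def classify(entry):
    """Findings for one entry: the stages of the chain that show up in the access log."""
    findings = []
    target = entry["target"]
    path = urlsplit(target).path
    # Stage 1: traversal in com_jce parameters, in the request itself or carried in the Referer.
    if any("option=com_jce" in u and traversal_in_params(u) for u in (target, entry["referer"])):
        findings.append("jce-traversal")
    # Stage 2: a .php script served from the web-writable cache directory.
    if path.startswith("/cache/") and path.endswith(".php"):
        findings.append("php-in-cache")
    # Stage 3: a POST naming configuration.php as the file to edit (web-shell editor pattern).
    if entry["method"] == "POST" and "configuration.php" in parse_qs(urlsplit(target).query).get("f", []):
        findings.append("config-edit")
    return findings

def scan(log_text):
    """(ip, timestamp, findings) for every line that triggers at least one finding."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [(e["ip"], e["ts"], f) for e in entries if (f := classify(e))]
```

Running scan(SAMPLE_LOG) flags the three attacker lines and leaves the ordinary com_content request alone; the same three rules apply unchanged to a real combined-format log.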
OK, our faults were: 1. Having an idiot staff member who didn't even know about the Hotmail XSS. 2. Not finding the uploaded shell. 3. Not acknowledging the JCE component advisory. 4. When buying virtual hosting, always go to Huailang (坏狼), who provides stable and secure virtual hosting. 5. Huailang's site is www.winshell.cn 6. Super stable, secure, high-speed space: 300MB php + 100MB mysql + 100MB enterprise mail + 100 IIS = 100 yuan/year
Author: Thanatos
On the night of December 21, 2006, opening zone-h.org showed the following text:
zone-h hacked?? Hacked by Cyber-Terrorist & z3r0Toz3r0
uname -a: Linux zone-h.org 2.6.11.9-grsec-xeon #1 SMP Fri May 20 11:49:29 EEST 2005 i686
your Security... Get DoWn! [[where the Security is none]]
---------------------- Cyber-Terrorist was here & z3r0Toz3r0 was here --------------------
From ## Saudi Arabia ##
| contact: cyb3rT@hotmail.com | | contact: z3r0.2.z3r0@hotmail.com
Then I immediately discussed it with a few people (a small part of the discussion):
h3l????: I guess this is the last of aelph's legacy of getting hacked. I don't think they rooted it, but then we don't know what user httpd was running as or file/directory perms, who knows they could have screwed them up. I have to say these guys picked the correct weak link and exploited it fully, respect for that.
S???????: Ok, I've been told that he was NOT root, and uploaded a new index from Joomla CP. My bets this. 1) Logged into Zone-h administration using Aelighius_Mungrious password. 2) Edited Joomla skins and therefore uploaded php shell. 3) Got plaintext config files and logged into SQL. 4) Changed the admin passwords, logged in, and defaced index. Either way it was a good hack.
Si?????: What would have been your method of rooting it if PaX (which we don't know if it was or not) was enabled?
h3l???????: I'm betting it was seeing as they are also running mod_security. They also couldn't get command execution as reading between the lines safe_mode is on
Si?????: They have mod_security enabled and yet with my experiences mod_security blocks all types of known shells unless they had shit rules. I think PaX was enabled as it comes as standard when you compile grsecurity...
That was still only guesswork, so I immediately sent an e-mail to ask. Below is the official explanation:
Dec 17th - step one: The attacker decided to target one of our Zone-H contributors (no names, let's call him TARGET which, by the way, had only limited privileges on our Joomla based platform) by sending a "I forgot my password" reset request to the Zone-h server running a CMS, Joomla, knowing that it would send to the TARGET email address, a Hotmail account, a new password.
Dec 17th - step two: The attacker took advantage of the recent http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048645.html (The Hotmail XSS bug) to get the TARGET's Hotmail session cookie. By accessing his email the attacker obtained the newly generated Joomla frontend password.
Dec 17th - step three: By obtaining the TARGET's frontend Joomla password the attacker gained the same privileges as other Zone-H contributors that allowed them to upload a news article with some pictures (but not to publish it!). He used such privileges to upload news containing an image file that resembled a defacement and submitted it to our defacement mirror. But this didn't work as the attacker didn't realize that the defacement page was visible only to those having administrative rights, not even our mirror robot could take a snapshot of it. Having no mirror of that pseudo-defacement and being it visible only to the administrator we decided not to publish the entry in our database.
We disabled the TARGET's Zone-H front-end administrative account.
Dec 18th - step four: The attacker realized that the image file he uploaded and used in his previous defacement attempt was still present in the zone-h image folder, therefore he simply notified the Zone-h mirror robot with a url like: www.zone-h.org/imagefolder/imagename. The mirror robot liked it and accepted it. Even though that image would have never appeared by itself, the mirror robot took the snapshot therefore we decided to publish it in our archive.
After all, the attacker managed to craft an attack against one of the Zone-H staff members and had uploaded a file in our server finding finally the way to make it visible. Fair enough, defacement + star.
Dec 21st - step five: We thought the attack was finished but this time the "real" defacement arrived, by the same attacker. Apparently during the first defacement he uploaded not only the image file used in the first defacement attempt but also a php shell (shame on us we didn't find it, but hey... it's x-mas time, we are all busy with shopping down here...). The attacker didn't know though how to use the shell, as Zone-H security policies didn't allow executing it directly or from within the defacement mirror frame. During Dec. 17th-18th the attacker had a limited time frame to access the Zone-H administrative front-end during which he realized what components our Joomla installation was integrated with in the administrative front-end (a mix of self-written modules and standard modules). One of the modules was the JCE editor that contained a file inclusion flaw where input passed to the "plugin" and "file" parameters within jce.php was not properly verified before being used to include files.
http://secunia.com/advisories/23160/
He understood now that he could finally run the previously uploaded PHP shell, and here we see that request:
- - [21/Dec/2006:23:23:15 +0200] "GET /index2.php?act=img&img=ext_cache_94afbfb2f291e0bf253fcf222e9d238e_87b12a3d14f4b97bc1b3cb0ea59fc67a HTTP/1.0" 404 454 "http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<///..<////..<////..<////..<////images/stories/food/x &file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
and shortly after:
- - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<///..<////..<////..<////..<////images/stories/food/x&file=defi1_eng.php.wmv &act=ls&d=/var/www/cache/cacha/&sort=0a HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
212.138.64.176 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
Dec 21st - step six: The attacker, by exploiting the local file inclusion in the jce component, used the first (nearly useless) php shell to create a new directory (/var/www/cache/cacha), to create a new shell (020.php) and to create a custom .htaccess to disable mod_security in that specific directory.
Dec 21st - step seven: The attacker used the brand new php shell, without restrictions as mod_security had been disabled, to modify the configuration.php file and insert the defacement HTML page:
- - [22/Dec/2006:01:05:15 +0200] "POST /cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F HTTP/1.0" 200 4781 "http://www.zone-h.org/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
Oh well, nothing to say! This time we got it for real. A long time has passed since Zone-H got defaced by means of real hacking (2002), all other times had been by means of stolen passwords (social engineering against one of our many, many, many contributors) and by means of privilege escalation from within the administrative login, done by one of our first (stupid) Zone-H staff members.
In a short recap, our faults were:
1) Having a staff member who was not wise enough to recognize a Hotmail XSS attack.
2) Not finding the uploaded, but useless at that time, php shell. Zone-H contains 80 gigs of files, but this is no excuse.
3) Not acknowledging in time the JCE component advisory (and we all make our living by reading tons of advisories every day...)
Our non-fault was: using an open source CMS such as Joomla. All CMSs contain bugs and even assuming you had enough time to code your own CMS (have you any idea how long it would take?) it would probably still be vulnerable, as was the first, self-written Zone-H CMS (defacers never realized how to exploit the old Zone-H bugs, but we had a couple of serious ones). For the sake of the truth, this is my personal opinion while other staff members have always shown concerns in implementing an open source CMS. As a second gift from Santa, we also received a good dose of ddos from people who didn't want to see a defaced zone-h online (why not!?! The whole Internet is unsecure, it's Zone-H's point to show it, after all...)
Okay, that's all from Zone-H today. We wish you a merry X-mas (also to the attacker, he managed to craft a very elaborate attack, congratulations to him, we all hope he would put his skills into legit activities rather than into defacing).
Ho-Ho-Ho... Meeerry Christmas...
PS: the incident is not in the Zone-H archive because Zone-H policy is not to accept notification of multiple incidents that happened to the same server within a 6 month timeframe and we published the previous Zone-H pseudo-defacement three days before. But you can still find the mirror for forum.zone-h.org (/net/com) as it was also notified for those domains.
You might also notice a slowdown in publishing self-written news during the next 2 weeks, as most of the staff took vacation. We also would like to see an exception this year as x-mas time is usually the time when the defacers are most active.
Why don't you use this time to take a REAL vacation, away from the keyboard and away from the legal troubles defacements can bring along? Real life (and hot chicks) are out waiting for you...