Showing posts with label vulnerability. Show all posts

Tuesday, November 8, 2016

A nasty pair of MySQL exploits grant attackers system root from any database user

Four days ago I received an email from Dawid Golunski through the list illustrating one of the more brutal pairs of security vulnerabilities I have seen recently. Here's how it works.
The exploit uses a vulnerability within MariaDB, PerconaDB (and/or XtraDB Cluster) and MySQL to, first, gain access to the 'mysql' system user using any mysql user that has CREATE / INSERT / UPDATE permissions. The first part revolves around a race condition when the server generates temporary files as part of the `REPAIR TABLE` command. Then, using the mysql system user, the second vulnerability grants the attacker root access to the server using a clever hack that takes advantage of mysqld_safe's approach to writing file-based error logs. Below I've provided a list of vulnerable server versions. Just about any server using the more recent (unpatched) stable releases of MySQL or MariaDB through CentOS is vulnerable (Percona isn't part of the standard CentOS repositories), with a few caveats.
The first caveat is that an unpatched vulnerable server can prevent at least the 2nd exploit by disabling symlinks through /etc/my.cnf using skip-symbolic-links or symbolic-links=0.
The next caveat is that the 2nd exploit also depends on using file-based mysql logging. Using syslog will avoid trouble.
The third caveat is that for the 1st exploit to work an attacker needs a mysql user and password.
There is some good news here. The latest stable versions of MariaDB at least disable symbolic links in my.cnf by default (it's been a while since I installed MySQL through the repo, but I'm fairly sure it's disabled there as well). And how would an attacker get a MySQL user anyway?
Consider that because *any* MySQL user can be used, an un-patched shared server used by a hosting company would depend on the security competency of every one of that company's customers to securely handle database authentication. Not only are there a variety of exploits available for obtaining a standard database user, but it's depressingly common for web designers to place their connection strings, with un-encrypted database username and password, into world-readable files. There are a variety of feeds and sites that scan the internet for and compile such files.
And even without the use of the 2nd exploit, an attacker can still do an enormous amount of damage without server root, with only the mysql system user. The attacker will have full access to the MySQL system files. An attacker could easily delete an entire database instance, for example.
Of course the best part is that this is a vulnerability in MySQL itself. Upgrading MySQL is the scariest, riskiest upgrade there is among standard repo software. A lot of admins compile it from source or install it from a direct RPM (in which cases symlinks are enabled by default). And applications are closely linked with the database version. Even successful upgrades can easily break applications that run on that database as calls used by the application become deprecated. Upgrading applications has substantial costs, whether you develop the application itself or license it. A patch was already in circulation before these exploits were posted, but for all of the reasons listed above, vulnerable databases will be active for years.

Here are the impacted DB versions:


MariaDB
 < 5.5.52
 < 10.1.18
 < 10.0.28

MySQL
 <= 5.5.51
 <= 5.6.32
 <= 5.7.14

Percona Server
 < 5.5.51-38.2
 < 5.6.32-78-1
 < 5.7.14-8

Percona XtraDB Cluster
 < 5.6.32-25.17
 < 5.7.14-26.17
 < 5.5.41-37.0
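To turn the three caveats and the version table above into a quick check, here is an added example (not from the post or the advisories) that compares a server's SELECT VERSION() string against the versions listed above and reads have_symlink and log_error from a constructed SHOW VARIABLES sample:

```python
import re

# Affected versions exactly as listed in the post. "lt": the listed
# version is the first fixed release; "le": the listed version is still
# affected. The flavor is supplied by the caller (e.g. from version_comment).
AFFECTED = {
    "mariadb":        ("lt", ["5.5.52", "10.1.18", "10.0.28"]),
    "mysql":          ("le", ["5.5.51", "5.6.32", "5.7.14"]),
    "percona":        ("lt", ["5.5.51-38.2", "5.6.32-78-1", "5.7.14-8"]),
    "xtradb-cluster": ("lt", ["5.6.32-25.17", "5.7.14-26.17", "5.5.41-37.0"]),
}


def version_tuple(version):
    """'5.6.32-78.1-log' -> (5, 6, 32, 78, 1); '10.1.17-MariaDB' -> (10, 1, 17).

    Only numeric components are kept, so suffixes such as '-log' or
    '-MariaDB' that SELECT VERSION() appends are ignored.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_is_affected(flavor, reported_version):
    """True/False for a branch in the table above, None for an unlisted branch."""
    op, bounds = AFFECTED[flavor]
    server = version_tuple(reported_version)
    for bound_text in bounds:
        bound = version_tuple(bound_text)
        if bound[:2] != server[:2]:
            continue                      # a different release branch
        return server < bound if op == "lt" else server <= bound
    return None


def parse_show_variables(text):
    """Parse the tab-separated output of `mysql -e "SHOW VARIABLES"`."""
    variables = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition("\t")
        if name.strip() != "Variable_name":   # skip the column header
            variables[name.strip()] = value.strip()
    return variables


def assess(flavor, reported_version, variables):
    """Map the three caveats from the post onto one server's settings."""
    affected = version_is_affected(flavor, reported_version)
    # have_symlink reads DISABLED once skip-symbolic-links / symbolic-links=0 is set.
    symlinks_enabled = variables.get("have_symlink", "").upper() == "YES"
    # Heuristic (assumption): an empty log_error means errors go to stderr, which
    # mysqld_safe --syslog relays to syslog; MySQL 5.7 also offers log_syslog=ON.
    file_error_log = (variables.get("log_error", "") not in ("", "stderr")
                      and variables.get("log_syslog", "OFF").upper() != "ON")
    return {
        "version_affected": affected,
        "symlinks_enabled": symlinks_enabled,
        "file_error_log": file_error_log,
        # The race (first exploit) needs only an affected version plus a DB
        # account; the root escalation additionally needs symlinks and a
        # file-based error log.
        "race_exposed": bool(affected),
        "root_escalation_exposed": bool(affected) and symlinks_enabled and file_error_log,
    }


# Constructed sample output of `mysql -e "SHOW VARIABLES"` for a CentOS-style
# install that still uses file logging and has symlinks on.
SAMPLE_VARIABLES = parse_show_variables("""Variable_name\tValue
have_symlink\tYES
log_error\t/var/log/mysqld.log
version\t5.6.30-log
""")

# The same server after adding symbolic-links=0 and switching mysqld_safe to --syslog.
HARDENED_VARIABLES = parse_show_variables("""Variable_name\tValue
have_symlink\tDISABLED
log_error\t
version\t5.6.30-log
""")

if __name__ == "__main__":
    for label, variables in (("as installed", SAMPLE_VARIABLES),
                             ("hardened", HARDENED_VARIABLES)):
        print(label, assess("mysql", variables["version"], variables))
```

Note that the hardened server still reports the first exploit as exposed: only the upgrade removes the race, the my.cnf changes only block the step to root.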

The first two links below contain a comprehensive breakdown of both exploits with example scripts that you can run to test.

http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

This link includes a video illustrating how a compromise takes place using the example scripts:
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html

Friday, July 31, 2015

Leaked Zerofox documents outline Baltimore network infrastructure vulnerabilities

Several days ago a document from the corporation Zerofox was leaked on the internet. Zerofox is a domestic spying organization; there is no other word for them. They are paid obscene amounts of money to monitor people's Twitter and Facebook accounts, and provide the results of their stalking to police departments and other people who are in theory bound to respect the autonomy of free political speech. In the document that was leaked, Zerofox claimed to have "mitigated" 19 "threats" and "monitored" hundreds of others. The document is available here.

What constitutes a threat? Political speech that is critical of the police. At the top of the list of "physical threats" are #blacklivesmatter activists Deeray McKesson and Johnetta Elzie, neither of whom has ever been convicted of a violent crime AFAICT. The report recommends that police engage in "continuous monitoring" of the pair and justifies this absurd response because they have "coordinated protests". The two were not alone on the list, which includes several other protesters and bloggers. Several times Zerofox recommended police perform a social media "profile takedown"; one of these recommendations was justified by Zerofox because an individual "slandered" a police officer. The slander consisted of taking screenshots of the police officer's Facebook posts - posts that included long, rambling racist screeds.

Most of this is well known, or will be over the next couple of days. This is a tech website! So what is my angle?

After the first few pages of creepy Stasi-style investigation, the report began to list what Zerofox believed were vulnerabilities in City of Baltimore networks. The "vulnerability reports" are laughably amateurish and consist almost entirely of information available from WHOIS, googling lists of applications combined with the word "exploit" and maybe nmap scans.

[Image: Baltimore city servers listed in the Zerofox report. Caption: 2 kilos of WHOIS; street value $250,000]
There are two things about this report that are interesting. First of all, it includes a list of Baltimore city online resources that would not immediately be publicly available - servers like email backups and an Exchange server that is either entirely for internal use or horrifically misconfigured (it lacks an rDNS entry, so it won't be doing a lot of sending to email servers set up by grown-ups).


And secondly, I really can't stress enough how bottom of the barrel this is. Let's just set aside the first part of this product that the people of Baltimore were forced to purchase. If this is what municipal governments believe infosec looks like, we are in for quite a few more repeats of Office of Personnel Management "cyber-warfare Pearl Harbors".

(Did you just vomit a little? I always vomit a little when I hear anything that begins with the prefix "cyber-")

Wednesday, July 15, 2015

Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents - curated content on the Wikileaks website also infected

Several months ago I identified malicious software contained within a torrent available for download from Wikileaks. The torrent was the most recent and most complete copy of what Wikileaks titled the "Global Intelligence Files" - a large trove of emails and attachments from defense contractor Stratfor. The story as it is widely understood is that former Lulzsec member and hacktivist Jeremy Hammond was involved in the acquisition of these files from Stratfor and provided them to Wikileaks. Among the many files included in the leak I have identified 18 that have malicious software; most of those are embedded within PDF and DOC files. Some of the attacks I discovered are old, others are less old. Only two of the 18 files are blocked from downloading using Google Chrome's malware protection service, for example. In a second post, I decompile one of these two (older) files using PE Explorer and Hex-Rays IDA to demonstrate how the file corrupts the Microsoft Connection Manager while posing as an application called iPassConnect in order to facilitate infection with a Magistr worm variant.

Since that time I have made numerous attempts to contact Wikileaks so that they could inform their users that the torrent contained malicious software. After receiving no response, I began to publicize my findings by posting them on Hacker News/Ycombinator and similar sites like Slashdot and Reddit. My post on Hacker News quickly reached the front page and attracted the attention of the former leader of Lulzsec, Hector Monsegur (aka sabu), who confirmed the validity and importance of my findings in a series of public tweets.

In my original post, I speculated that:
"The data is indeed massive, over 5.5 million emails. Perhaps so massive that ~ two years was not long enough to properly review and sanitize these files prior to their complete publication in 2014 (from the time they were received by WL sometime around 2012)."
The publication of the Global Intelligence Files by Wikileaks began on February 27th, 2012. The entire email server spool was not dumped onto the internet at one time. The publication was curated, with only a small percentage of the emails being published initially. Over time, more emails were published. This progression can be easily viewed on the directory hosting the torrents for the Stratfor leaks:
[Image: directory index of the Wikileaks Stratfor torrent downloads]
The file name of each torrent contains the date of its publication. Meanwhile, the number to the far right, beginning with 1603, indicates the size of the torrent in bytes. While the relationship between the size of a torrent and the size of the files it contains is not a direct one in all cases, in this case it is a fairly direct relationship because we are dealing with large lists of small files. The last torrent, which I have identified as containing malware, has a size of 121071 bytes. The point here is that you can see that the number of files contained in the archive grows over time.

The torrent file that contains malware is the only file in the directory with a nomenclature that does not include a full date (it was also created using bzip instead of 7zip); the filename is simply gifiles-2014.tar.bz2.torrent. Initially, this meant I was not sure of the exact date that the torrent was released.

I knew that the relatively small amount of curated content was available on the Wikileaks.org website. Today I was able to confirm that malicious files and their related attachments are also being hosted on Wikileaks.org, as individual uncompressed files. I have composed a list of these files, their URLs and basic file information on pastebin (I have embedded the pastebin below as an iframe; if you don't trust iframes in your browser you can click through the prior link instead).

NOTE: Wikileaks has multiple URLs servicing multiple directory structures, all that eventually seem to point to the same place. So for example, https://wikileaks.org/gifiles/docs/35/3547802_plans-coordinates-and-executes-.html and https://search.wikileaks.org/gifiles/emailid/3547802 both point to the same content (and include the same malware attachment available for download).

While I am not alone in my concern over the circulation of an infected torrent of the nature I described in my first post, posting individual infected files directly to *.wikileaks.org domain and several subdomains in a curated manner is likely more dangerous - users are more likely to consider the following a link to content that has in some fashion been secured:

[Image: Wikileaks page for a Stratfor email showing the attachment download link]

An expectation that a video posted on Fox News will not contain an embedded script is not a wild expectation. Similarly a New York Times article that includes a photo in an article is usually believed to not contain spyware. This is a basic expectation of service on every website, not just news outlets. Primary sources are important. User transparency is also important.

The attached file above, "18714_Research_and_R.xls", appears to be a normal Excel spreadsheet but in fact contains an embedded OLE. It is the exact size in bytes as the same attachment I discovered within the torrent that started this series of posts:

[Image: file size of 18714_Research_and_R.xls on Wikileaks matching the copy found in the torrent]

Of course there is no need to take my word for it. The file contains an embedded OLE and PE file - the hallmarks of malware designed to exploit vulnerabilities in the Microsoft Office Suite. Of note are the following:

An API-Hashing signature is stored at 0x3ad1
There are two decryption loops at 0x00003932 and 0x00003934
The embedded OLE signature is stored at 0x7a00
A XOR encrypted MZ/PE signature is stored at 0x5a00 and the encryption key is 0x97
A ROL encrypted OLE signature is stored at 0x7a00 and the encryption key is 0x08

OfficeMalScanner can duplicate these results. When I ran OfficeMalScanner against "18714_Research_and_R.xls" using the brute debug scan mode, the scan produced a malicious index of 62. Several antiviruses will detect this file. Depending on which you use, it might declare the file to use CVE-2009-3129 or CVE-2009-0557 (it probably relies on both exploits at different points). I have created bin files from memory dumps of the embedded OLE and PE (as I have for the roughly dozen similar malware payloads); I am happy to provide those to interested researchers. Here are the relevant signatures:

MD5 2746a014bdd9f7bf252262b82cf63e11
SHA1 cf525700b9e1027c4628fa9689bf68777291c60d
SHA256 4f9550c3f3abbfac4153b4467666e7a46e29ab974627ffd7feed7a711d55ffcd
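To show the kind of result OfficeMalScanner's brute mode reports above, here is an added example (not the tool's code and not part of the original post) that brute-forces single-byte XOR and ROL obfuscation of the MZ/PE and OLE signatures in a constructed sample; the 0x5a00 offset and 0x97 key come from the findings above, while the ROL shift of 3 and the 0x7a00 placement of the sample are constructed:

```python
# Signatures OfficeMalScanner looks for: the DOS stub of a PE file and the
# header of an OLE compound document (the container used by .doc/.xls).
MZ_MAGIC = b"MZ"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def rol_bytes(data, shift):
    """Rotate every byte left by `shift` bits (0-7)."""
    shift %= 8
    return bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in data)


def find_xor_pe(data):
    """Find single-byte-XOR'd MZ headers, confirmed by decoding e_lfanew and
    checking that it points at a 'PE\\0\\0' signature under the same key."""
    hits = []
    for key in range(1, 256):                       # key 0 would be plaintext
        needle = xor_bytes(MZ_MAGIC, key)
        pos = data.find(needle)
        while pos >= 0:
            if pos + 0x40 <= len(data):
                dos_header = xor_bytes(data[pos:pos + 0x40], key)
                e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
                pe = pos + e_lfanew
                if e_lfanew < 0x1000 and xor_bytes(data[pe:pe + 4], key) == b"PE\0\0":
                    hits.append((pos, key))
            pos = data.find(needle, pos + 1)
    return hits


def find_rol_ole(data):
    """Find OLE headers obfuscated by rotating each byte left by 1-7 bits."""
    hits = []
    for shift in range(1, 8):
        needle = rol_bytes(OLE_MAGIC, shift)
        pos = data.find(needle)
        while pos >= 0:
            hits.append((pos, shift))
            pos = data.find(needle, pos + 1)
    return hits


def build_sample():
    """Constructed stand-in for a malicious spreadsheet: 32 KiB of zeros with a
    XOR-0x97 PE stub at 0x5a00 and a ROL-3 OLE header at 0x7a00."""
    blob = bytearray(0x8000)
    stub = bytearray(0x100)
    stub[0:2] = MZ_MAGIC
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\0\0"
    blob[0x5a00:0x5a00 + len(stub)] = xor_bytes(stub, 0x97)
    blob[0x7a00:0x7a00 + len(OLE_MAGIC)] = rol_bytes(OLE_MAGIC, 3)
    return bytes(blob)


SAMPLE = build_sample()

if __name__ == "__main__":
    for off, key in find_xor_pe(SAMPLE):
        print(f"XOR-encoded MZ/PE at 0x{off:x}, key 0x{key:02x}")
    for off, shift in find_rol_ole(SAMPLE):
        print(f"ROL-encoded OLE header at 0x{off:x}, shift {shift}")
```

Run the two finders over the bytes of a real document to get the same offset/key pairs the scanner prints; the e_lfanew check is what keeps a two-byte "MZ" search from drowning in false positives.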

As I mentioned earlier in this post, Google's malware service in Chrome detects only three of the so far 18 infected attachments. The two that are detected are the two oldest malware by the date sent and are both compressed executables (one a .COM and the other two are .EXE) rather than embedded within documents. Here is what downloading one of these off of the Wikileaks website looks like as of now:

[Image: Chrome malware warning shown when downloading one of the attachments from the Wikileaks website]

Both of the old nasty .EXE's appear to have been sent from mfriedman@stratfor.com, which as far as I can tell, was/is the email address of Meredith Friedman, the VP of Communications for Stratfor:

 Email-ID 3451016
 Date 2003-11-04 15:32:57
 From mfriedman@stratfor.com
 To mooney@stratfor.com, wit@stratfor.com
 Subject: FW: Re[2]: our private photos bkarngkr
 
 Email-ID 3491917
 Date 2004-01-27 01:03:10
 From mfriedman@stratfor.com
 To mooney@stratfor.com
 Subject: FW: HI

Would anyone care to bet me a dollar that in late 2003 her email password was "mfriedman", her birthday, "12345" or some combination thereof?

The source of the .COM file is as follows:

 Email-ID 3547802
 Date 2001-11-10 05:16:54
 From rcleicht@worldnet.att.net
 To undisclosed-recipients:
 Subject: Plans, coordinates, and executes

Finally for today, please do not make the mistake of assuming that all of the exploits are from this time period and thus are of no importance to modern computer users. I cannot make this clear enough: these two files are the *oldest* of the malicious files I have discovered.

To return to the first post in our series on the Wikileaks / Stratfor email malware click here.

If you are looking for the second post, where we look briefly inside one of the executables click here.

This is the link for my conversation with Hector Monsegur AKA sabu of Lulzsec on the Wikileaks / Stratfor email malware.

Thursday, July 9, 2015

The Florida Local Government Investment Trust website was hacked by a spammer affiliated with ExoClick & Alibaba Group & they haven't told anyone

The Florida Local Government Investment Trust manages money for counties and clerks throughout the state of Florida. They handle bonds that are AAA rated by S&P, pooling assets for municipalities throughout the state to increase their buying power. The Trust was created in 1991.

The Florida Local Government Investment Trust maintains a website based on Wordpress, floridatrustonline.com (I highly recommend that readers do not visit the website from an unsecured browser/computer - preferably using a platform like TAILS). The website contains a description of the Trust, the legislation under which it carries its mandate (Florida Statute 218.415 (16) (a) and 163.01), a list of employees and trustees as well as a series of financial reports covering the last year. The floridatrustonline.com domain is registered to Earl Donaldson, an employee of the Florida Association of Court Clerks. Donaldson's LinkedIn page lists him as a Network Engineer. The website is hosted on a shared hosting server operated by Dreamhost.

Starting no later than March of this year, floridatrustonline.com was compromised. Each document on the site was embedded with links to sales websites that claimed to sell everything from Ralph Lauren merchandise to golf clubs. The links began immediately following a div element titled "footer_column".

All of the links, which included domains registered through a variety of different countries and companies, were hosted on a server in Istanbul by a company called "Sayfa Net", which in turn leases its infrastructure from a host called Radore Hosting. Many of the domains are known spam domains. The domain registrations show classic spam behavior; a single registration would have a registrar in one country, the registrant in another country and would include an email address at a free email service, like gmail. Companies with even the least stringent fraud protection would prevent an automated domain sale under such circumstances. It is very difficult to track down the source of spam using domain registrations in this manner, as those using them are savvy enough to nearly always rely on either a stolen identity or a completely fraudulent identity. More on that soon.

[Image: Landing page for floridatrustonline.com demonstrating spam links]
I begin by pointing out this specific change to the website because of how obvious it was. Anyone who visited the front page of the website and scrolled down would be able to see this. It would not take any sort of complex security audit to reveal a compromise. It would be obvious that the site has been hacked even to completely non-technical users with no access to the site other than anonymous browsing. I mention this because the site remained defaced for a significant length of time. floridatrustonline.com continues to host malicious files - the site has continued to host malicious files for at least four months, despite efforts to sanitize the site. Adding insult to injury, Google was announcing the site as hacked as early as March 14th:
[Image: Google warning message displayed for floridatrustonline.com]
In addition to the embedding, over 100 files were uploaded in the root and throughout several subdirectories of floridatrustonline.com. Many of these files contained web scripts that forced those who opened them to visit online pharmacies.

There was more to the hack than just embedding bad links in the footer of documents. Above the header of several files, including the landing page index.html, a bit of javascript checked the User Agent string sent by a website visitor and executed one of two scripts based on the result. Websites can determine what kind of browser someone uses based on the User Agent string (some browsers and savvy users modify the User Agent string to prevent them from being identified using this bit of information).

[Image: code embedded in floridatrustonline.com that opened connections to malicious scripts]
The gist of the code above is that if your browser matches any of those in a list, you are referred to a CGI script on a website owned by the person or group that hacked the Florida Trust site, who then forwards you to an advertising affiliate network named ExoClick, which finally hands over the traffic to a sales page on Alibaba. The upshot of this is that these hackers are a paid affiliate of ExoClick, which is selling the traffic that the hackers steal from Florida Trust (and a number of other websites) to Alibaba. In the world of blackhat and greyhat affiliate web marketing, the method used to hijack a user's browser window to gain surreptitious click traffic is referred to as "popunder" or "clickunder". Even under the best circumstances - as when someone is putting popunders on their own website - it is widely considered spam and an unethical programming tactic. Posting such garbage on a hacked site escalates the practice to the realm of the obviously illegal.

Readers will most likely be familiar with Alibaba - their 2014 IPO was the biggest IPO of all time. ExoClick is similarly a heavy hitter in the world of online commerce, though US readers may not be as familiar with them. Based in Spain, ExoClick's affiliate network made the top 500 Alexa list in 2011, an accomplishment they share with the likes of Google, Ebay and Wikipedia.

I realize this is a huge claim. Let's break down the technical details that led me to this determination.

We start on the floridatrustonline.com landing page. From there, the malicious code in the header of the page sends visitors to one of two websites, both of which are hosted on the same server by IP address 37.9.53.124. One of these two websites - googleframe.net - executes a file called "wat.cgi?13" that forces the user's browser to open a window which sends the users to ExoClick. Exoclick then immediately forwards the traffic to Alibaba. This process occurs in a single request using an iframe:

[Image: The content of "wat.cgi?13" that sends users to Alibaba by way of ExoClick]
The second website also sends users to Alibaba, but uses a different methodology to do so. This second methodology also appears to cut ExoClick out of the connection. Remember that users get sent to "wat.cgi?13" if their browser matches a pre-specified list. Many browsers place restrictions on the execution of off-domain iframes by default, which explains why two different methods are used. It is unclear whether the hackers are using a different affiliate network to collect payment for this traffic.

With the second method, users are forced to load a javascript file - "click7.js" on a website called bwinpoker24.com. Instead of directly opening a new window like "wat.cgi?13" in our last example, this javascript file loads a cookie which in turn forces the launch of yet another website in a new window. This behavior avoids many of the iframes prohibitions mentioned previously. The website loaded in the new window is googleframe.net, but it loads a new file this time - "tijaq.cgi?18".

[Image: The content of "tijaq.cgi?18"]
Notice how this time we go directly to Alibaba's website rather than using ExoClick's website in a referral URL. This may indicate that the hackers are selling this traffic directly to Alibaba, or using an affiliate network other than ExoClick as an intermediary, or ExoClick allows a server-side application to count traffic for reimbursement.
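As an added example (not the post's own code), here is a check that flags the two indicators described above in a saved copy of a page: a script placed ahead of the document's <html>/<head> that reads navigator.userAgent, and links to other sites following the footer_column div. The sample HTML is constructed, with an inert stand-in for the redirector and .invalid domains in place of the spam sites:

```python
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HREF_RE = re.compile(r"""<a\b[^>]*?href\s*=\s*["']?([^"'\s>]+)""", re.I)
FOOTER_RE = re.compile(r"""<div\b[^>]*(?:id|class)\s*=\s*["']?footer_column\b""", re.I)


def scripts_before_document(html):
    """Scripts that sit in front of <html>/<head>, where no template puts them."""
    start = re.search(r"<(?:html|head)\b", html, re.I)
    limit = start.start() if start else 0
    return [m for m in SCRIPT_RE.finditer(html) if m.start() < limit]


def ua_sniffing_scripts(html):
    """Offsets of pre-document scripts that branch on the User-Agent string."""
    return [m.start() for m in scripts_before_document(html)
            if "navigator.userAgent" in m.group(1)]


def offsite_links_after_footer(html, site_host):
    """Hosts linked from anything that follows the footer_column div."""
    footer = FOOTER_RE.search(html)
    if not footer:
        return []
    hosts = []
    for m in HREF_RE.finditer(html, footer.end()):
        host = (urlparse(m.group(1)).hostname or "").lower()
        # Relative links have no host; the site's own (sub)domains are expected.
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.append(host)
    return hosts


def audit(html, site_host):
    """Both indicators in one report for a saved page."""
    return {
        "ua_sniffing_scripts": ua_sniffing_scripts(html),
        "offsite_footer_links": offsite_links_after_footer(html, site_host),
    }


# Constructed sample carrying the two indicators. The first script body is an
# inert stand-in for the User-Agent-based redirector the post describes.
SAMPLE_HTML = """<script type="text/javascript">
var ua = navigator.userAgent; /* constructed stand-in: branches on ua */
</script>
<!DOCTYPE html>
<html><head><title>Florida Trust</title>
<script>var analytics = navigator.userAgent; /* inside the document, not flagged */</script>
</head>
<body>
<div class="footer_column"><a href="/contact.html">Contact</a></div>
<a href="http://shop.example-a.invalid/polo">ralph lauren outlet</a>
<a href="https://golf.example-b.invalid/">golf clubs</a>
<a href="http://www.floridatrustonline.com/reports">reports</a>
</body></html>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "floridatrustonline.com"))
```

The in-document script that also reads navigator.userAgent is deliberately not flagged: placement before the document is what separates an injected redirector from ordinary browser detection.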

Just to avoid confusion as to the ownership of the sites profiting from this traffic, the domain registrations and IP assignments are not obfuscated or consistent with fraud:

$ host s.click.aliexpress.com
s.click.aliexpress.com has address 198.11.136.52
s.click.aliexpress.com has address 205.204.96.48

NetRange:       198.11.128.0 - 198.11.191.255
CIDR:           198.11.128.0/18
NetName:        ALIBABA-US-CDN
OriginAS:       AS45102
Organization:   Alibaba.com LLC (AL-3)
Ref:            http://whois.arin.net/rest/net/NET-198-11-128-0-1

NetRange:       205.204.96.0 - 205.204.127.255
CIDR:           205.204.96.0/19
NetName:        ALIBABA-US-NET
OriginAS:       AS45102
Organization:   Alibaba.com LLC (AL-3)
Comment:        http://www.alibaba.com
Ref:            http://whois.arin.net/rest/net/NET-205-204-96-0-1

Domain Name: aliexpress.com
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-10-28T12:38:28-0700
Creation Date: 2006-04-16T11:16:46-0700
Registrar Registration Expiration Date: 2016-04-16T11:16:46-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Registrant Name: Timothy Alexander Steinert
Registrant Organization: Hangzhou Alibaba Advertising Co., Ltd.(杭州阿里巴巴广告有限公司)
Registrant Street: No. 699 Wangshang Road , Binjiang District
Registrant City: Hangzhou
Registrant State/Province: Zhejiang
Registrant Postal Code: 310052
Registrant Country: CN
Registrant Phone: +852.22155100
Registrant Phone Ext:
Registrant Fax: +852.22155200
Registrant Email: dnsadmin@hk.alibaba-inc.com
Name Server: nsp.alibabaonline.com
Name Server: nshz.alibabaonline.com
Name Server: nsp2.alibabaonline.com
Name Server: ns8.alibabaonline.com

---------------------------------------------------------------------------------------------------------------------

$ host syndication.exoclick.com
syndication.exoclick.com has address 64.111.199.222

Domain Name: EXOCLICK.COM
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Registrar Registration Expiration Date: 2015-09-01T12:21:42Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Registrant Name: Benjamin Fonze
Registrant Organization: EXOCLICK, S.L.
Registrant Street: Marina 16-18
Registrant Street: 18B
Registrant City: Barcelona
Registrant State/Province: Barcelona
Registrant Postal Code: 08005
Registrant Country: Spain
Registrant Phone: +34.671646725
Registrant Email: contact@exoclick.com
Name Server: NS1.P23.DYNECT.NET
Name Server: NS2.P23.DYNECT.NET
Name Server: NS3.P23.DYNECT.NET
Name Server: NS4.P23.DYNECT.NET

Note that the Exoclick IP is registered to a company called ISPrime, a hosting provider in New Jersey. I tried to check for a subdelegation, but their RWHOIS times out:

$ whois 64.111.199.222
[redacted]
Found a referral to rwhois.isprime.net:4321.

Timeout.

None of this behavior will strike sysadmins or security professionals as particularly unique or noteworthy; this is an almost textbook example of monetizing a website defacement. What is newsworthy about this is the organizations involved, and their reaction.

At some point, the Florida Local Government Investment Trust, the Florida Association of Court Clerks, their hosting provider DreamHost, some third-party tech support or some combination thereof became aware that floridatrustonline.com had been compromised. Remember how I mentioned that over 100 files forwarding visitors to online pharmacies had been uploaded? Originally these files were scattered throughout the web root directory of floridatrustonline.com. Someone rounded up all of these files and placed them in a subdirectory called "/burnt/", where they remain right now, and are still indexed by Google:

[Image: Malicious files remain hosted on floridatrustonline.com/burnt/]
The webserver parses these files as webscripts. It is not unusual to configure a web server to parse HTML files as PHP or vice versa. It is unusual to parse PDF files in this manner. I was able to execute these files in a browser; the files attempted to save cookies on my computer and redirect me to another server (similar to the behavior described above). To continue to host these files represents a serious professional oversight.

The malicious scripts on the landing page index.html were removed. It makes little sense for the individual or group who hacked floridatrustonline.com to make these changes. Their own websites continue to host malicious scripts forwarding to ExoClick & Alibaba. Removing the malicious forwards from index.html is consistent with restoring a backup version of the file, an action usually performed by the hosting provider (in this case DreamHost) at a customer's request.

To the best of my knowledge, the Securities and Exchange Commission does not explicitly require corporations to disclose so-called "cyber attacks" (as an aside I find it amusing how everyone in government and no one outside of government uses the prefix "cyber-"); however, disclosure of hacking could be required by rules that govern risks and incidents that an "investor would consider important to an investment decision":
Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. - Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2
The Florida Trust is an organization that manages millions of dollars of taxpayer funds. At the very least, such a substantial security breach of their primary online presence should not be swept under the rug. Preventing a disclosure of these events to Florida taxpayers is at best completely unethical. (Florida Statutes §§ 501.171, 282.0041, 282.318(2)(i) also apply to these sorts of disclosures - there is a whole host of regulations that may apply to this sort of thing that I can't explain very well because I am not a lawyer).

Furthermore, this traffic has identified that two very large companies - ExoClick and Alibaba Group - are relying on advertising methodology that is illegal. There is no other reasonable explanation for the malicious files pointing directly at the advertising networks of ExoClick and Alibaba. I realize the gravity of this accusation; and I feel it necessary to clarify it a bit.

I have no evidence that proves Alibaba Group is aware that the traffic they receive from ExoClick is, in essence, stolen from websites like floridatrustonline.com. In fact, I find it most likely that Alibaba Group has no idea that what I have described here is occurring. As of this writing, alibaba.com is ranked 59th globally on Alexa, which is a very rough way of demonstrating that it is one of the most frequently visited websites on the planet. Organizations of that scale spend immense amounts of money on advertising, usually with several advertising firms like ExoClick. Identifying, tracking and making sense of the source of all of the traffic that comes pouring in is an incredibly complex task. Organizations like Google have hired some of the smartest computer engineers alive to tackle that task - and the solutions required frequently terrify people when they learn how invasive such tracking must be to be effective, and have led to class-action lawsuits. So to some degree I sympathize with Alibaba Group.

With that said, the evidence I have uncovered strongly suggests that Alibaba Group money is financing the hackers behind the floridatrustonline.com defacement. Alibaba Group owes the public - and in particular the voters of Florida - an explanation as to why their due diligence has failed to detect this issue before I did. I'm just a guy with a computer. It would have been much easier for Alibaba Group to track this sort of activity than it was for me.

ExoClick is in a much less morally ambiguous position. ExoClick is an affiliate advertising network. You sign up for an account and they provide you with a code to embed within your website (or in this case, a series of hacked websites). Every time someone clicks on the code, ExoClick pays you. ExoClick is proud to help their users set up "pop-unders" like we saw on floridatrustonline.com:

(Image: ExoClick is proud to ruin your online experience)

Under the best of circumstances, this sort of browser behavior has been considered unethical by developers for decades. It's remarkable to see something so contrary to good internet stewardship presented as a normal business practice, as ExoClick does on their website.

For any members of law enforcement that may be reading, it is certain that ExoClick can lead you directly to the individual or group that hacked floridatrustonline.com; they will have a payment history established for googleframe.net and bwinpoker24.com.

(Image: ExoClick's means of transferring funds to "advertisers")
Consider for a moment that any of these payment methods would require bank account information to receive in any significant amount. ExoClick's records could lead to a PayPal account, which would lead to either a real bank account or a stolen bank account.

ExoClick prohibits part of the behavior that the floridatrustonline.com hackers engaged in, specifically this part: "The use of any tools that artificially generate impressions or clicks are not permitted." I think it interesting that the guidelines do not mention any restrictions on spamvertising or the use of hacking or botnets. The guidelines prohibit publishers from "promoting" hacking, but not actually hacking.

(Image: ExoClick's publisher guidelines; note that the use of hacking and botnets is not prohibited)
I should point out here that, as with Alibaba Group, nothing here represents a "smoking gun" that shows that ExoClick deliberately conspired with the floridatrustonline.com hackers. ExoClick's responsibility is more readily apparent than Alibaba's for a few reasons. First, it is almost certain that at some point ExoClick was directly paying the floridatrustonline.com hacker(s). It is much easier to know your contractor - as ExoClick should have - than it is to know your contractor's affiliate - as Alibaba should have. Second, according to ExoClick guidelines, ExoClick employees would have been required to communicate directly with the floridatrustonline.com hacker(s): "New Publishers who reach their minimum payment must contact Customer Services (click “Contact” above and select the Publisher Payments department) to request the activation of the first payment." Finally, all ExoClick would have needed to do to see how awful this affiliate is would have been to put one of the domain names they were billing for through a search engine. Floridatrustonline.com is not the only website that was hacked by this group. I have identified several dozen other websites compromised by this same group - many of these sites have been complaining to Wordpress publicly for months that this specific hacker (or group) was using a vulnerability in a Wordpress theme to deface their websites:

(Image: Another victim of the floridatrustonline.com / googleframe.net hackers seeks support from Wordpress)
I hope that shining a light on this event will compel the Florida Trust to implement greater transparency in their online disaster recovery practices. I hope Alibaba Group will begin to pay closer attention to who they do business with. I hope ExoClick will decide to join the rest of the successful advertising industry in adopting fraud prevention measures. And I hope that law enforcement uses my findings to hold the googleframe.net hackers responsible.

I have additional notes and research available to interested parties upon request. If you feel I have posted something here that is inaccurate or unfair, contact me and let me know how I have made a mistake - if I have printed a factual error the likelihood of me complying with a civil correction request is 100%. 

Sunday, May 24, 2015

Secure your Apache server against LOGJAM

Some time ago I wrote a post about the dismaying history of US government attempts to regulate encryption out of existence. I had to omit quite a bit; it was a post and not a book, after all. One of the details left out of the story was the DHE_EXPORT cipher suites. During the 90's, developers were forced by the US government to use deliberately insecure ciphers when communicating with entities in foreign countries (readers will remember from the last post that lawmakers were convinced that encryption should fall under the same rules as weapons technology, and thus could not be shared with anyone outside the Father Land). These insecure ciphers became DHE_EXPORT. The DH stands for Diffie-Hellman; the key exchange system that bears their name was first published in 1976.

Along with the cipher suite was a mechanism to force a normal encrypted transaction to downshift to a lower-bit DHE_EXPORT cipher. As so many short-sighted technology regulations have done in the past, this silly bit of Washington DC-brand programming has come back to haunt us in the form of the LOGJAM vulnerability. Until just a few days ago, all major browsers continued to support these deprecated DHE_EXPORT ciphers, as have a variety of applications as fundamental to web infrastructure as OpenSSL.

The exploit is described in detail on a website hosted by the researchers responsible for its discovery, weakdh.org, which also hosts their paper on the same subject (PDF).

Meanwhile, patching your Apache server is simple:

Apache HTTP Server (mod_ssl)

SSL parameters can be set globally in httpd.conf or within specific virtual hosts.

Cipher Suites

Disable support for SSLv2 and SSLv3 and enable support for TLS, explicitly allowing/disallowing specific ciphers in the given order:

    SSLProtocol             all -SSLv2 -SSLv3

    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    SSLHonorCipherOrder     on

DH Parameters

In newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify your DH params file as follows:

    SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DH params you generated earlier to the end of your certificate file.

Reload configuration

    sudo service apache2 reload
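As an added example (my own, not code from the original post or from the weakdh.org guide), a small Python linter that reads an Apache mod_ssl configuration and reports which of the four settings above are still missing; the two sample configurations and the dhparams path are constructed for the demonstration.

```python
# Added example (not from the original post or weakdh.org): lint an Apache
# mod_ssl config for the LOGJAM fixes above. The dhparams path is a placeholder.
import re
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed sample: settings a LOGJAM downgrade relies on.
WEAK_CONF = """
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL
"""
# Constructed sample: the same host after applying the settings above.
HARDENED_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
SSLHonorCipherOrder on
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
"""

def directives(conf):
    """Map each SSL* directive to its argument text; a later line overrides."""
    found = {}
    for raw in conf.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.+)", raw.split("#", 1)[0])
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def enabled_protocols(spec):
    """Resolve an SSLProtocol value such as 'all -SSLv3' to the enabled set."""
    enabled = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def logjam_findings(conf):
    """Return a list of findings; an empty list means the config is hardened."""
    d, findings = directives(conf), []
    for old in sorted({"SSLv2", "SSLv3"} & enabled_protocols(d.get("SSLProtocol", "all"))):
        findings.append(f"{old} enabled; add -{old} to SSLProtocol")
    # Older mod_ssl defaults end in +EXP, so an explicit !EXPORT (or !EXP) is required.
    if not {"!EXPORT", "!EXP"} & set(d.get("SSLCipherSuite", "+EXP").split(":")):
        findings.append("export ciphers not excluded; add !EXPORT to SSLCipherSuite")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off; the client chooses the suite")
    # DH params appended to the certificate file are not visible to this check.
    if not d.get("SSLOpenSSLConfCmd", "").startswith("DHParameters"):
        findings.append("no DHParameters file; generate a 2048-bit group and set one")
    return findings
```

Run it against the text of your own httpd.conf or vhost file; the weak sample yields five findings and the hardened sample none.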

Sunday, October 26, 2014

Massive Critical Security Patch Released by Oracle Impacting Most Versions of MySQL

Oracle has released a Critical Security Patch for a long list of Oracle products. For MySQL specifically, the patch purports to resolve a multitude of vulnerabilities that allow remote execution without authentication, and impact nearly all versions of the database software.

Oracle provided the following Risk Matrix to their MySQL customers, which lists the CVE number of each vulnerability, the component it affects, and a number of other details.

I've included a copy of that Matrix for readers to review below.

As the reader can clearly see, the risk for unpatched MySQL users is huge. A total of 154 vulnerabilities are addressed with this update. Some of these vulnerabilities reach a forehead-slapping CVSS score of 9.0 (just one point beneath the score for the recent Shellshock bash vulnerability). 24 of the patches are for MySQL.

I highly advise anyone using MySQL or any Oracle product, including Java, to update their software immediately.



Oracle MySQL Risk Matrix

The CVSS columns (Base Score through Availability) follow CVSS version 2.0; see Oracle's Risk Matrix Definitions.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2014-6507 | MySQL Server | MySQL Protocol | SERVER:DML | No | 8.0 | Network | Low | Single | Partial+ | Partial+ | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6491 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6500 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6469 | MySQL Server | MySQL Protocol | SERVER:OPTIMIZER | No | 6.8 | Network | Low | Single | None | None | Complete | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-0224 | MySQL Server | MySQL Protocol | SERVER:SSL:OpenSSL | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 5.6.19 and earlier | See Note 1 |
| CVE-2014-6530 | MySQL Server | MySQL Protocol | CLIENT:MYSQLDUMP | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6555 | MySQL Server | MySQL Protocol | SERVER:DML | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6489 | MySQL Server | MySQL Protocol | SERVER:SP | No | 5.5 | Network | Low | Single | None | Partial | Partial+ | 5.6.19 and earlier | |
| CVE-2012-5615 | MySQL Server | MySQL Protocol | SERVER:PRIVILEGES AUTHENTICATION PLUGIN API | Yes | 5.0 | Network | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6559 | MySQL Server | MySQL Protocol | C API SSL CERTIFICATE HANDLING | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6494 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6496 | MySQL Server | MySQL Protocol | CLIENT:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6495 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6478 | MySQL Server | MySQL Protocol | SERVER:SSL:yaSSL | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-4274 | MySQL Server | MySQL Protocol | SERVER:MyISAM | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-4287 | MySQL Server | MySQL Protocol | SERVER:CHARACTER SETS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6520 | MySQL Server | MySQL Protocol | SERVER:DDL | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier | |
| CVE-2014-6484 | MySQL Server | MySQL Protocol | SERVER:DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6464 | MySQL Server | MySQL Protocol | SERVER:INNODB DML FOREIGN KEYS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.39 and earlier, 5.6.20 and earlier | |
| CVE-2014-6564 | MySQL Server | MySQL Protocol | SERVER:INNODB FULLTEXT SEARCH DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.19 and earlier | |
| CVE-2014-6505 | MySQL Server | MySQL Protocol | SERVER:MEMORY STORAGE ENGINE | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6474 | MySQL Server | Memcached | SERVER:MEMCACHED | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.19 and earlier | |
| CVE-2014-6463 | MySQL Server | MySQL Protocol | SERVER:REPLICATION ROW FORMAT BINARY LOG DML | No | 3.3 | Network | Low | Multiple | None | None | Partial+ | 5.5.38 and earlier, 5.6.19 and earlier | |
| CVE-2014-6551 | MySQL Server | MySQL Protocol | CLIENT:MYSQLADMIN | No | 2.1 | Local | Low | None | Partial | None | None | 5.5.38 and earlier, 5.6.19 and earlier | |