Security Student

AT&T Exposes the neck

by Alex on Jul.27, 2009, under Security, Web App Sec

Recently I posted about a malformed URL penetration attempt on my webserver. It didn’t work because I had taken steps to prevent attacks like that, such as setting proper permissions on my directories and files, and not using very silly programming practices. However, it seems that AT&T, the creators of System 5 Unix from Bell Labs, dropped the ball on this little corner of security.

One of their PHP scripts used the QUERY_STRING attribute and, through some very bad programming, was able to do some very fun things. It was able to call any file on the server by simply entering its path on the box. Since paths for most things are commonly known, files like /etc/passwd, which contains the user names and passwords with some low level encryption, were very vulnerable to access from outside non-authorized users. All one would have to do once they got this file was run John the Ripper against it and start logging into research.att.com systems. Hell, the attacker could have access to the employees’ personal data through access.att.com, and remotely log in through the VPN and gain a lot more access than users outside of the network have.

AT&T Research is the new Bell Labs, as Bell Labs was sold off a few years ago to Alcatel Research and is now known as Lucent-Alcatel Bell Labs. AT&T Research is primarily responsible for research and development of network and system related products to be delivered to market. Recently they’ve put out things like the 4G Multilevel network protocols and design, and Adaptive Defense technology.

The exploit is simple. Once a vulnerable page has been found, such as:

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=

All the attacker would have to do is enter the path for the target file, and the file would display in clear text in the browser.

Example:

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=../../../../etc/passwd

AT&T’s response to this vulnerability was to simply pull the page down, or at least make it inaccessible to outside users. I’m sure that’s not the only page that had this ability, though: if some coder was able to make that big of a mistake in one place, the coder probably copied and pasted the code to another part of the site as well.
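The post does not show AT&T's script, so the following is an added example, not code from AT&T or from the original post: a hypothetical `subpage.php` that resolves the `page` parameter safely instead of passing it straight to the filesystem. The `pages/` directory, the `.html` suffix, the `index` default and the function name `resolve_page` are assumptions made for illustration.

```php
<?php
// Added example: a hypothetical hardened subpage.php, not AT&T's code.
// The pattern the post describes amounts to something like
//   readfile($_GET['page']);   // ?page=../../../../etc/passwd reads any file
// and is shown here only as a comment for contrast.

// Assumption: all subpages live in one directory next to this script.
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map an untrusted ?page= value to a file inside $baseDir, or null to reject.
 */
function resolve_page(string $requested, string $baseDir = PAGE_DIR): ?string
{
    // 1. Accept only a bare page name: no slashes, dots, NUL bytes or
    //    stream wrappers (php://, http://) can pass this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Canonicalise both paths. realpath() resolves ".." and symlinks and
    //    returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.html');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check: the resolved file must still sit under the base
    //    directory (catches a symlink inside pages/ that points elsewhere).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Reject non-string input such as ?page[]=x before it reaches the resolver.
$raw  = $_GET['page'] ?? 'index';
$page = is_string($raw) ? resolve_page($raw) : null;
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
// readfile() sends the bytes as-is; unlike include, it never runs them as PHP.
readfile($page);
```

Because the name pattern rejects `/` and `.`, the traversal string from the example URL above fails at step 1; steps 2 and 3 are defense in depth for the case where the pattern is later loosened.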

Attribution: Shane Forsythe on the Web Security Mailing list added the reddit link to the mailing list. Reddit is the first place I know of the vulnerability being divulged.

http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_bad_php/
