Security Student

Tag: Web App Sec

AT&T Exposes the neck

by Alex on Jul.27, 2009, under Security, Web App Sec

Recently I posted about a malformed URL penetration attempt on my web server. It didn’t work because I had taken steps to prevent attacks like that, such as setting proper permissions on my directories and files and not using very silly programming practices. However, it seems that AT&T, whose Bell Labs created UNIX System V, dropped the ball on this little corner of security.

One of their PHP scripts took a file path straight from the query string (the page parameter) and, through some very bad programming, included or printed that file without checking it. That let anyone read any file the web server process could open simply by entering its path on the box. Since the paths of system files are well known, /etc/passwd, which lists every account on the machine, was wide open to outside, unauthorized users. On a system that still kept password hashes in /etc/passwd (most Unix systems moved them into root-only /etc/shadow long ago, which the web server account cannot read), all an attacker would have to do is run John the Ripper against the file and start logging into research.att.com systems; even without hashes, the file hands over valid user names for password guessing, and the same bug reads anything else the web server user can open, such as PHP source and configuration files holding database credentials. With a working login, the attacker could have reached employees’ personal data through access.att.com, logged in remotely through the VPN, and gained a lot more access than users outside the network have.

AT&T Research is the successor to Bell Labs on the AT&T side: Bell Labs itself went to Lucent when AT&T spun it off in 1996, and since Lucent’s 2006 merger with Alcatel it has been known as Alcatel-Lucent Bell Labs. AT&T Research is primarily responsible for research and development of network and system related products to be delivered to market. Recently they’ve put out things like 4G multilevel network protocols and design, and Adaptive Defense technology.

The exploit is simple. Once a vulnerable page has been found, such as:

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=

all the attacker has to do is enter the path of the target file, prefixed with enough ../ to climb from the script’s directory to the filesystem root (extra ../ beyond the root are harmless, since / has no parent), and the file is displayed in clear text in the browser.

Example:

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=../../../../etc/passwd
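As an added illustration that is not part of the original post and is not AT&T’s actual source (which was never published), the following PHP shows the shape of the bug described above next to a hardened version. The content/ directory, the papers/videos page names and the function names are assumptions made for the example.

```php
<?php
// Added example, not AT&T's code (which was never published). The content/
// directory, the page names and the function names are hypothetical.

// VULNERABLE: the request parameter is used as a file path with no checks.
// include() emits a non-PHP file verbatim, so
//   ?page=../../../../etc/passwd
// climbs out of the web root and dumps the file into the response.
// readfile($_GET['page']) or fopen() on the raw value is the same bug.
function render_subpage_vulnerable(string $page): void
{
    include $page;
}

// Returns true only when $candidate resolves to an existing file strictly
// inside $base. realpath() collapses "..", "./" and symlinks and returns
// false for paths that do not exist, so the comparison is on canonical paths.
function is_under_base(string $base, string $candidate): bool
{
    $realBase = realpath($base);
    $real     = realpath($candidate);
    if ($realBase === false || $real === false) {
        return false;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// HARDENED: map the parameter onto a fixed allowlist of known files and,
// as defence in depth, refuse anything that does not resolve beneath the
// content directory. The parameter never touches the filesystem directly.
function render_subpage_safe(string $page): void
{
    $pages = [
        'papers' => 'papers.html',   // hypothetical content files
        'videos' => 'videos.html',
    ];
    $base = __DIR__ . '/content';

    if (!array_key_exists($page, $pages)) {
        http_response_code(404);
        echo 'No such page';
        return;
    }

    $path = $base . '/' . $pages[$page];
    if (!is_under_base($base, $path)) {
        // Allowlisted name whose file is missing or has been replaced by a
        // symlink pointing elsewhere: fail closed rather than serve it.
        http_response_code(404);
        echo 'No such page';
        return;
    }

    readfile($path);
}

render_subpage_safe($_GET['page'] ?? '');
```

The allowlist is the real fix; is_under_base() on its own is not a substitute, because it would still let a visitor read any file that happens to sit under content/. It does show why the traversal in the post works: is_under_base($base, $base . '/../../../../etc/passwd') canonicalises the candidate to /etc/passwd and returns false, whereas the vulnerable function hands the unnormalised string straight to include().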

AT&T’s response to this vulnerability was simply to pull the page down, or at least make it inaccessible to outside users. I’m sure that’s not the only page with this problem, though: if a coder made that big a mistake in one place, the same code was probably copied and pasted to other parts of the site as well.

Attribution: Shane Forsythe posted the Reddit link to the Web Security mailing list. Reddit is the first place I know of where the vulnerability was divulged.

http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_bad_php/


Amateur Hour

by Alex on Jul.19, 2009, under Security, Web App Sec

It seems that someone has tried to gain access to my website by trying to use URL injection, which was amateur at best. The IP address routes to a block owned by a school district in Colorado and leased from Comcast Business. The local time for that area when the attempt was made was 3:36 pm. The lack of delay between requests also shows that a tool was used to attempt to gain access.

An image of the log file:
http://chaulis.com/images/penattempt.jpg

Nmap output of the IP:
Not shown: 919 filtered ports, 66 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
106/tcp open pop3pw
311/tcp open asip-webadmin
389/tcp open ldap
625/tcp open apple-xsrvr-admin
749/tcp open kerberos-adm
1723/tcp open pptp
3283/tcp open unknown
3306/tcp open mysql
3659/tcp open unknown
5900/tcp open vnc
No OS matches for host

The IP address hosts a website for the school district, though. So either it’s some script kiddie in high school trying to deface my site or it’s a server so insecure that it’s being used as a proxy. He didn’t even look for subdomains on the site, and just went after the Horde mailbox, which doesn’t exist, and the WordPress crap. Sucks to be him!

