{"id":24019,"date":"2014-03-13T14:42:58","date_gmt":"2014-03-13T20:42:58","guid":{"rendered":"http:\/\/rankexploits.com\/musings\/?p=24019"},"modified":"2014-03-13T15:15:36","modified_gmt":"2014-03-13T21:15:36","slug":"no-shit-sherlock-sks-part-vi","status":"publish","type":"post","link":"https:\/\/rankexploits.com\/musings\/2014\/no-shit-sherlock-sks-part-vi\/","title":{"rendered":"No Shit Sherlock: SkS Part VI"},"content":{"rendered":"<p><a href=\"http:\/\/rankexploits.com\/musings\/wp-content\/uploads\/2014\/03\/Cache.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/rankexploits.com\/musings\/wp-content\/uploads\/2014\/03\/Cache-300x196.png\" alt=\"Cache\" width=\"300\" height=\"196\" class=\"alignright size-thumbnail wp-image-24026\" srcset=\"https:\/\/rankexploits.com\/musings\/wp-content\/uploads\/2014\/03\/Cache-300x196.png 300w, https:\/\/rankexploits.com\/musings\/wp-content\/uploads\/2014\/03\/Cache-500x327.png 500w, https:\/\/rankexploits.com\/musings\/wp-content\/uploads\/2014\/03\/Cache-1024x671.png 1024w, https:\/\/rankexploits.com\/musings\/wp-content\/uploads\/2014\/03\/Cache.png 1380w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>I&#8217;m supposed to go exercise. And someone sent me the google cache address. Dang you to heck!!!<br \/>\n<a href=\"http:\/\/webcache.googleusercontent.com\/search?q=cache:CsS0DrUo5kgJ:www.skepticalscience.com\/news.php%3Fn%3D2451+&#038;cd=1&#038;hl=en&#038;ct=clnk&#038;gl=us&#038;client=firefox-a\">Part VI.<\/a><\/p>\n<blockquote><p> Authors have the ability to upload images, PDFs, and other supporting files.  It struck Doug that this was the most likely path to corrupting the log file.<\/p>\n<p>This turned out to be not entirely true, because the upload program would not overwrite a file.  If the file already existed, it completed the upload request by adding a numeric suffix to the file name.  But the intuition was right.  
<em>A program that could put files into the system was dangerous, even if it was only available to authors and moderators.<\/em><\/p><\/blockquote>\n<p>No shit, Sherlock.<\/p>\n<blockquote><p>Doug immediately asked that that capability be shut down.  The third security risk was now sealed.<\/p><\/blockquote>\n<p>Three: count them, three.<\/p>\n<blockquote><p>Thinking on it further, it became apparent that the image upload tool was also a third avenue into accessing the database.  In theory, someone could upload a program, a web page which when accessed would do whatever the uploader wanted it to do.  In this way he could initiate his own database dump, and grab the resulting file.  First, he&#8217;d need to get the database password, but in theory he could get that, too, from another uploaded program.<\/p><\/blockquote>\n<p>No shit, Sherlock. (This is so well known that one can install a <a href=\"https:\/\/wordpress.org\/plugins\/timthumb-vulnerability-scanner\/\">Timthumb Vulnerability Scanner<\/a>. It&#8217;s been around since at least <a href=\"http:\/\/blog.sucuri.net\/2011\/10\/timthumb-php-mass-infection-aftermath-part-i.html\">2011<\/a>.)  Anyway, this would be the 4th security hole associated with the &#8216;leak\/hack&#8217;.<\/p>\n<p>Turns out someone did upload a file. It was called either &#8220;temp.php&#8221; or &#8220;temp3.php&#8221;.<\/p>\n<blockquote><p>The rootkit itself was easy to find on the Internet, however, using the parameters it employed as a signature.  It was nothing more than an open source program for navigating a file system and using the shell commands via the web.  It was very easy to use, and conveniently came with translations in English, Portuguese, Spanish, French, Dutch, Italian, Turkish&#8230; and German.  It&#8217;s what let the hacker easily find and view the site&#8217;s source code, and also to find the SQL injection logs.<\/p><\/blockquote>\n<p>Well&#8230; yeah. 
That&#8217;s because the TimThumb vulnerability was well known, had been around for some time, and script kiddies were sharing scripts. <\/p>\n<blockquote><p>It&#8217;s what let the hacker easily find and <em>view the site&#8217;s source code<\/em>, and also to find the SQL injection logs.<\/p>\n<p><em>But how did he get access to John&#8217;s ID? <\/em> [&#8230;]<\/p>\n<p>So how did the hacker get them?  Until we knew that, even with all of the other security holes closed, everything was at risk.<\/p><\/blockquote>\n<p>How about this: he read them in an email John Cook sent to himself at the university? Or John has a stupid one like &#8220;password&#8221; and he guessed? Or it turns out John stored it in clear text in a &#8220;super-secret obscure directory&#8221; and someone ran across it? Or&#8230; Oh. It goes on and on; you can read it. * (DGH told me to be clearer here.)<\/p>\n<p>And the guy&#8217;s name is now &#8220;dieter&#8221;. And SkS tells us how &#8220;dieter&#8221; tricked the SkS system into giving him escalated privileges: he edited his cookie to tell the server he <em>was<\/em> John Cook. Well, sort of: his cookie told the server he was user #1. Which is how the SkS system recognizes &#8220;John Cook&#8221; or &#8220;the guy with all the admin privileges&#8221;. <\/p>\n<p>But evidently there is more: I guess we&#8217;ll have to wait until someone finds part VII in cache. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m supposed to go exercise. And someone sent me the google cache address. Dang you to heck!!! Part VI. Authors have the ability to upload images, PDFs, and other supporting files. It struck Doug that this was the most likely path to corrupting the log file. 
This turned out to be not entirely true, because &hellip; <a href=\"https:\/\/rankexploits.com\/musings\/2014\/no-shit-sherlock-sks-part-vi\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">No Shit Sherlock: SkS Part VI<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[134],"tags":[],"class_list":["post-24019","post","type-post","status-publish","format-standard","hentry","category-politics"],"_links":{"self":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts\/24019","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/comments?post=24019"}],"version-history":[{"count":0,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts\/24019\/revisions"}],"wp:attachment":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/media?parent=24019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/categories?post=24019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/tags?post=24019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
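The two holes the post walks through, the author-only upload tool that would happily store a .php file under a suffixed name, and the cookie that carried a bare user number the server trusted (set it to 1 and you are John Cook), are reproduced below as a toy in-memory app. This is an added example, not SkS code and not anything from the post's author; the cookie name `uid`, the `SECRET`, the users table, the `ALLOWED` magic-byte table and the HMAC-signed-cookie fix are all assumptions made for illustration, and the sample inputs are constructed. It shows the weak version of each check next to a version that closes it: the signed cookie cannot be edited to another user id without the server key, and the upload gate refuses anything that is not a real image or PDF and never lets the uploader choose the stored name.

```python
"""Toy reproduction of two weaknesses described in the SkS hack write-up.

Constructed example. Names (uid cookie, SECRET, USERS, ALLOWED) are assumptions.
"""
import hashlib
import hmac
import os
import secrets

SECRET = b"server-side-secret-assumed-for-the-example"  # assumption: never sent to clients

# Constructed users table. User 1 is the admin, matching the post's "user #1".
USERS = {1: {"name": "admin", "role": "admin"}, 42: {"name": "author", "role": "author"}}


def parse_cookies(header):
    """Parse a Cookie request header into a dict (minimal, enough for the toy)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


# --- Hole 1: the server trusts an unsigned user id carried in the cookie ---

def user_from_unsigned_cookie(cookie_header):
    """Vulnerable: whatever uid the client sends is the user it becomes.
    Editing the cookie to uid=1 yields the admin account."""
    uid = parse_cookies(cookie_header).get("uid")
    if uid is None or not uid.isdigit():
        return None
    return USERS.get(int(uid))


def issue_signed_cookie(uid):
    """Server side: bind the uid to an HMAC tag so the client cannot change it."""
    tag = hmac.new(SECRET, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"uid={uid}.{tag}"


def user_from_signed_cookie(cookie_header):
    """Fixed: reject any uid whose tag does not verify under the server secret."""
    raw = parse_cookies(cookie_header).get("uid", "")
    uid, sep, tag = raw.partition(".")
    if not sep or not uid.isdigit():
        return None
    expected = hmac.new(SECRET, uid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged value
    return USERS.get(int(uid))


# --- Hole 2: the upload tool stores whatever an author hands it ---

# Assumed allowlist: extension -> leading magic bytes the content must start with.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}


def unsafe_upload_name(filename, existing):
    """Mirrors the behaviour the post describes: no type check, and on a name
    collision a numeric suffix is appended. temp.php becomes temp1.php, and the
    web server still executes it."""
    base, ext = os.path.splitext(os.path.basename(filename))
    candidate = base + ext
    n = 1
    while candidate in existing:
        candidate = f"{base}{n}{ext}"
        n += 1
    return candidate


def safe_upload_name(filename, content, existing):
    """Hardened: extension allowlist, magic-byte check on the bytes actually
    uploaded, and a random stored name so the uploader controls neither the
    path nor which interpreter the server hands the file to."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not content.startswith(magic):
        raise ValueError(f"rejected upload {filename!r}: type not allowed")
    name = secrets.token_hex(16) + ext
    while name in existing:
        name = secrets.token_hex(16) + ext
    return name


def upload_accepted(filename, content):
    """True if the hardened gate would store this upload, False if it refuses."""
    try:
        safe_upload_name(filename, content, set())
        return True
    except ValueError:
        return False
```

Storing uploads outside the document root (or on a host that serves them as static bytes only) is the other half of the fix; the name check above only keeps a PHP file from being written under a name the PHP handler would pick up.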