On July 18, Sunbelt Software came across a SQL command passed as a query within a URL belonging to an arm of a European country's military. With that, any visitor can pass queries in the URL straight to the back-end database and squeeze out any data, no password required.
At the time, the URL displayed what Sunbelt President Alex Eckelberry calls an “infantile” security screw-up: Namely, putting production code and a back-end database into the hands of anybody who wanders by. It was, in other words, a serious security vulnerability that even the most basic security policy should have forbidden, never mind the security policy of a major defense agency.
Sunbelt, of Clearwater, Fla., alerted security researchers from the country in question. They in turn assured Sunbelt that they would notify the defense agency.
End of story? Unfortunately not. Six weeks later, Sunbelt checked the site and found it was still a sitting duck, serving up military base information to any visitor who knows how to frame a SQL query, telling potential attackers exactly which database it was running and what operating system it was using, thereby painting a Day-Glo arrow toward the exact class of known vulnerabilities and exploits that could bring it to its knees.
Sunbelt alerted security researchers from the country in question. Again. They in turn assured Sunbelt that they would notify the defense agency. Again.
This is far from an anomaly. As evidenced by the recent attack on a portion of the Pentagon's network—allegedly perpetrated by the Chinese People's Liberation Army—continued vulnerability in defense establishments is leaving governments exposed and populaces at risk. What's worse, much of it is due to sheer sloppiness: Poor security policies, unpatched systems, you name it—nothing glamorous, nothing cutting-edge, just run-of-the-mill slacker lack of attention.
The Pentagon didn't respond by the time this story was published to eWEEK's requests regarding what, if any, vulnerabilities led to the network penetration. Neither did the U.S. consulate of the European country with the serious security vulnerability, nor the defense agency that runs the site in question.
But even without specifics from the horses' mouths, finding specific vulnerabilities on these sites isn't particularly difficult. Eckelberry directed eWEEK to simply Google “sex porn site:.gov.” Out of the 10 top hits Sept. 6 at 4:13 EDT, eight were for pornography somehow tied in to Web servers hosted by the government of California. “Pic rough sex Pic revenge sex Pic russian porn free” is a typical return.
On the face of it, redirects to porn sites might not seem as serious as a defense agency whose database is a few keystrokes away from being nakedly displayed in public. But these porn sites aren't necessarily benign—many serve up Trojans. And the fact that government servers can be used with impunity to plant redirects for spyware and porn sites reflects the fact that the U.S. government, just like the European country's military and its naked database, has spotty network security.
This was made starkly evident last week when the official site of Lawrence Livermore National Labs—the institution entrusted with safeguarding the U.S. nuclear arsenal—was found to be hosting unauthorized advertisements and blogs. According to the Washington Post Aug. 25, the blogs linked to “illegal prescription drug sites hawking everything from generic painkillers to erectile dysfunction medication.”
Until recently, several pages—not just inserted links, but actual full pages—on the Lawrence Livermore site were redirecting visitors to other sites that tried to exploit browser security flaws to install malware, the Washington Post quoted a source as saying.
In addition, Eckelberry said that as of the week of Aug. 27, a number of government sites were redirecting to porn pages requiring visitors to view a sex video by downloading a fake codec—a program that performs encoding and decoding on a digital data stream—that in fact was a piece of malware.
It's all happening because of the most banal of reasons: Namely, people aren't keeping systems patched, Eckelberry said.
An unpatched system is particularly fun for attackers to play with when it's supported by spongy security policies. The European country's defense agency's site is a case in point.
Here's a quick tutorial that will demonstrate how mind-bogglingly easy it is to gain entry to a site that's been constructed with poor security parameters. This is a partial chunk of the defense agency's URL, with its name and the search terms used to drain the back-end database obscured, and with certain terms translated to English in order to more thoroughly protect the country in question: http://www. obscuredsitename/obscured/index.asp?npag=1%20&strsql=select+%2A+from+obscuredsearchterm++where+category+like+%00%00 obscuredcategoryname%00%00+++order+by+data%5Fgara+DESC%0C+id+%0B.
The value of the strsql parameter in that URL is an SQL query. The URL has been designed to work in production—i.e., it is able to actively query the database and return data as an HTML page.
No-Defense Department
At one point, Sunbelt's Greg Krass, vice president of product management, changed the select statement in this URL to include information schema columns, which he expected would give him the database structure. He received two error messages, which in turn told him that the defense department is using Access as a back-end database. Access isn't a SQL-based database, but it's just as easy to toy with, he told eWEEK.
Through such querying and tweaking of select statements, he also found out the name of the database file and that it was a Windows 2003 box. Finding that out is trivial. Krass typed this query into the URL: &strsql=select+%2A+from+test.txt, which returned an error message that said, in part, “Could not find file c:\windows\system32\inetsrv\test.mdb.” The error message references the c:\windows directory, which had been called c:\winnt (Windows NT) in Windows 2000. This means it's a post-Windows 2000 operating system, which could be XP or 2003, but Krass could tell “just by poking it” that it was Windows 2003, he said.
From there, somebody who wants to really abuse this database and site could just set up a script to throw known Windows 2003 and Access exploits at known vulnerabilities in those programs.
What can these sites do to clean up their acts?
Patching is the most obvious part of the solution, Krass said. “Once a patch is available, it's basically a verifiable admission on Microsoft's part that there was something there. Whether there was a POC [proof of concept] or exploit code there [initially], you can bet your bottom dollar [there will be soon].” That applies not only to Microsoft code, of course, but also to other programs known for flaws and exploits, whether they're proprietary or open source: PHP and Apache, for example.
A security policy that would specifically help sites such as the one belonging to the European defense agency would be to keep SQL users running with bare minimum access rights, Krass said. Many times, people set up accounts that represent full-fledged database ownership when they only need read access and not write access.
Setting “write” privileges on another account would be a good idea, Krass said. Instead, “people cut corners for simplicitys sake,” he said.
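The two flaws the article walks through, a URL whose strsql parameter is executed verbatim (the tutorial above) and a database account with more rights than the page needs (Krass's least-privilege point), side by side with their fixes. This is an added example, not the defense agency's code: sqlite3 stands in for Access, the table and column names are constructed, and the read-only pragma stands in for a database login that has read but not write access.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the back-end database; sqlite3 plays the role of Access.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE bases (id INTEGER, name TEXT, category TEXT, data_gara TEXT);"
        "INSERT INTO bases VALUES (1, 'Base A', 'air', '2007-01-01');"
        "INSERT INTO bases VALUES (2, 'Base B', 'naval', '2007-03-01');"
        "CREATE TABLE staff (id INTEGER, name TEXT, phone TEXT);"
        "INSERT INTO staff VALUES (1, 'J. Doe', '555-0100');"
    )
    return conn

def vulnerable_handler(conn, url):
    """The article's pattern: the strsql query-string parameter IS the SQL statement."""
    strsql = parse_qs(urlsplit(url).query)["strsql"][0]
    return conn.execute(strsql).fetchall()  # whatever the visitor typed is run as-is

ALLOWED_CATEGORIES = {"air", "naval", "land"}  # constructed allow-list

def hardened_handler(conn, url):
    """The client supplies only a category value; the SQL text is fixed and the value is bound."""
    category = parse_qs(urlsplit(url).query).get("category", [""])[0]
    if category not in ALLOWED_CATEGORIES:
        return 400, []  # reject; nothing from the client is ever spliced into SQL text
    sql = "SELECT id, name FROM bases WHERE category = ? ORDER BY data_gara DESC"
    return 200, conn.execute(sql, (category,)).fetchall()

def read_only(conn):
    """Least privilege for the web application's account: sqlite's query_only pragma
    stands in for a database login that has read access and no write access."""
    conn.execute("PRAGMA query_only = 1")
    return conn

def write_blocked(conn) -> bool:
    """True if the connection refuses a write, i.e. the account has only read rights."""
    try:
        conn.execute("DELETE FROM staff")
        return False
    except sqlite3.OperationalError:
        return True
```

With the vulnerable handler a request for any table (here, staff) succeeds; the hardened handler only ever runs its own fixed statement, and even that runs under an account that cannot write.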
The thing about SQL is that it is often overly powerful. SQL can be used in other commands that act on the server. For example, xp_exec is an extended stored procedure. From a SQL command line, if a user gets the ability to run a command by putting a SQL query in the command path, he or she can get to a command prompt within the SQL server itself. That's it, Krass said: end game. That unauthorized user now has the ability to tell the server to do anything.
“You don't want that, you don't need that, [you should] never have that ability,” Krass said. “That doesn't just affect one database; it lets you own the entire SQL box.
“SQL permissions are very different from permissions that other systems use. …[It's] fairly misunderstood what you can do with those permissions. Make sure SQL access accounts are locked down.”
Another best practice has to do with logs. By default, logging should be turned on with most services. And they should be backed up and offloaded to another server where they cant be modified, Krass said.
“If a server gets compromised, one of the best things [an attacker can] do on [his or her] way out is to clear out the log files so there's no record of it,” Krass said.
Therefore, logs should pump out to another machine constantly, he said. “When you set up a Web server, don't just plan for not getting it compromised. Plan for what happens if it does get compromised, so you can do damage control later. How do you know what you [may] have to remedy?”
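What the offloaded copy of the logs buys a defender: on a site like this one, the probing Krass describes (schema requests, nonexistent tables, error responses that leak the database and OS) is visible in the Web server log as SQL in the query string that does not match the page's own query shape. This is an added example, not part of the article or of any product; the IIS-style log lines are constructed, and the "expected query" pattern is an assumption about what the page itself generates.

```python
import re
from urllib.parse import parse_qs

# Constructed W3C/IIS-style log lines, as received on the remote log host:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2007-09-06 16:13:01 203.0.113.7 GET /obscured/index.asp npag=1&strsql=select+%2A+from+bases+where+category+like+%27air%27+order+by+data_gara+DESC 200
2007-09-06 16:13:09 203.0.113.7 GET /obscured/index.asp npag=1&strsql=select+%2A+from+information_schema.columns 500
2007-09-06 16:13:40 198.51.100.2 GET /obscured/index.asp npag=2&strsql=select+%2A+from+bases+where+category+like+%27naval%27+order+by+data_gara+DESC 200
2007-09-06 16:14:02 203.0.113.7 GET /obscured/index.asp npag=1&strsql=select+%2A+from+test.txt 500
2007-09-06 16:15:00 192.0.2.9 GET /images/logo.gif - 200
"""

# The only query shape the page itself emits (an assumption for this example).
EXPECTED_QUERY = re.compile(
    r"^select \* from bases where category like '[a-z ]+' order by data_gara desc$", re.I)

def parse_line(line: str) -> dict:
    """Split one log line into the fields the detector needs."""
    _date, _time, ip, _method, stem, query, status = line.split()
    return {"ip": ip, "stem": stem, "query": query, "status": int(status)}

def suspicious_requests(log_text: str) -> list:
    """(ip, decoded strsql, status, reason) for each request that looks like probing:
    SQL that is not the application's own shape, or a server error while running SQL."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["query"] == "-":  # request carried no query string at all
            continue
        strsql = parse_qs(rec["query"]).get("strsql", [None])[0]
        if strsql is None:
            continue
        if not EXPECTED_QUERY.match(strsql):
            findings.append((rec["ip"], strsql, rec["status"], "query not application-shaped"))
        elif rec["status"] >= 500:
            findings.append((rec["ip"], strsql, rec["status"], "server error on SQL request"))
    return findings

def probing_ips(log_text: str) -> list:
    """Client addresses with more than one suspicious request, worth a closer look."""
    counts = {}
    for ip, *_ in suspicious_requests(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > 1)
```

Run against the copy on the log host, not the Web server's own file, since that is the copy an intruder cannot clear on the way out.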
Another good practice is running vulnerability assessment programs so as to pick out what software needs to be updated. Outside vulnerability assessments are another good idea, Krass said.
An even cheaper, easier and quicker spot check is to run Google searches on one's own site, Eckelberry said. Set up a Google alert to look for certain keywords that will sound an alert every time the word “sex,” “casino,” “free ringtones” or the like pops up on a site—it's a quick, simple way to tell if Web servers are being used for redirects—or worse.
Sept. 7: The site's back-end database is still exposed. The defense agency has responded to eWEEK's e-mail. “Thanks a lot for your information,” the communications office simply states, including no ETA for a fix. “We are working on it.”