Telecom and Logistics Associates 

TLAalert Security Service
Publication: Christian ALT

TLAnews: Security News Service

11.7.2000 Security: An Austrian wins the OpenHack contest
An Austrian exploits two previously unknown security holes in an e-store program to score a victory in eWEEK's hack-this contest.

French summary (translated): An Austrian has won the OpenHack contest
By exploiting two unknown vulnerabilities in e-store software, an Austrian managed to win the OpenHack contest.

English version
Seven days after the start of our Openhack security competition at www.openhack.com, we've had our first successful crack: the e-commerce storefront. The rest of the site, including the Web server, mail server and database, is still secure and remains a target of attack.

On July 3, Austrian hacker Alexander Lazic penetrated our e-commerce storefront package, Akopia Inc.'s MiniVend, by finding and exploiting two previously unknown application security holes. (The package, including new security updates, is available at www.minivend.com.)

The new security information and updates will be vital for the many MiniVend users on the Web. MiniVend author Mike Heins estimates that between 5,000 and 10,000 people have deployed the product and that it is live on tens of thousands of sites. It's been downloaded nearly 1 million times, and "a fair number" of these sites will be vulnerable to this new crack, Heins said.

The simplest way MiniVend sites can protect their storefronts is to delete the VIEW_PAGE.HTML file from their sites, because it has a security hole.

Here's how Lazic got into the site. After standard network scans turned up nothing promising, he identified the software we used for our storefront—MiniVend. He then downloaded the MiniVend code, which is freely available, and went through it looking for security holes.

French summary (translated)
That's it: seven days after the start of the contest, the Austrian "hacker" Alexander Lazic has won the Openhack.com contest. He exploited two vulnerabilities in Akopia's MiniVend software product. According to its author, this software currently runs on between 5,000 and 10,000 sites worldwide. A "patch" is already available to seal the software.

On the other hand, the database has not yet been conquered. It still suffers numerous attacks every day.

The vulnerability lies in an HTML page called VIEW_PAGE.HTML. After various "scans" of the site, the winner identified one of the software packages in use and was able to obtain a copy on the Internet, where it is freely downloadable. He then analysed the code, which allowed him to identify the vulnerabilities.

Technique
He identified a system call made in Perl that takes parameters and passes them to the operating system.

In this way, he was able to reach operating system commands. He then modified the site's entry page.

The first flaw Lazic found lies in the VIEW_PAGE.HTML file. It is part of Mini Vend's sample store (highlighting the dangers of sample code) and doesn't check for a pipe (a vertical bar) in a passed file name. This means an operating system command can be appended to a file name.

VIEW_PAGE.HTML then calls a Mini Vend subroutine called READFILE in the file UTIL.PM, which has a second hole: The code uses the Perl system call OPEN in an insecure way to check if the file exists. Specifically, the OPEN command, as used in UTIL.PM, passes its input to a command shell. If this input has a pipe in it followed by a command, the command gets executed using the permissions of the MiniVend program.
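The unsafe Perl open() pattern described above, beside a hardened replacement, as an added example written for this page. It is not MiniVend's UTIL.PM or VIEW_PAGE.HTML code; the $PAGE_ROOT directory, the subroutine names and the sample page names are assumptions. The point it shows is that two-argument open() takes its mode from the file name string itself (a '|' turns the name into a command to run), while a three-argument open() with an explicit '<' mode and a whitelist on the page name never reaches a shell.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Pattern to avoid (the shape of the flaw described on the page, not the
# original code): two-argument open() reads the mode out of $fn, so a name
# that ends in '|' is treated as a command to execute rather than a file.
sub readfile_unsafe {
    my ($fn) = @_;
    open(my $fh, $fn) or return undef;   # mode taken from the untrusted string
    local $/;                            # slurp whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened version (assumed template directory; adjust for your install).
my $PAGE_ROOT = '/var/www/store/pages';

# Whitelist the page name: letters, digits, underscore, dash and dot only,
# no path separators, no pipe, no shell metacharacters of any kind.
sub safe_page_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    return 0 if $name =~ /\.\./;          # redundant with the whitelist, but cheap
    return 1;
}

sub readfile_safe {
    my ($name) = @_;
    return undef unless safe_page_name($name);
    my $path = File::Spec->catfile($PAGE_ROOT, $name);
    # -f is a file test operator, not a shell call: safe on untrusted names
    return undef unless -f $path;
    # three-argument open with an explicit read mode never spawns a shell
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed sample inputs: the second and third would have reached a shell
# through readfile_unsafe(); the whitelist rejects all three before any I/O.
for my $candidate ('index.html', 'index.html|', '../index.html') {
    printf "%-16s %s\n", $candidate, safe_page_name($candidate) ? 'accepted' : 'rejected';
}
```

A quick audit check for the same pattern in other Perl code is to search for open() calls with only two arguments whose second argument is a variable; each one should either become a three-argument open with a literal mode or be shown to take input that cannot be influenced by a request.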

"That's a wrong thing to do," Heins said. "MiniVend is almost five years old, and some [of the code] has just stayed there. I probably would not have done it that way if I had written that particular routine in the last few years."

At this point, Lazic could run any operating system command as the MiniVend user. He renamed the original store home page and then used the Unix ECHO command to create a new store home page in its place.

We could have prevented this part by making MiniVend's templates read-only for the MiniVend user. Defense in depth is the mantra in security, and we have made these file permission changes.

Note that Lazic did not get root access on our e-commerce server. We have installed all of the operating system security patches that could affect our configurations and, as far as we know, are protected against all known local and remote root exploits.

Copyright © Telecom and Logistics Associates Sàrl. All rights reserved.
Revised: July 11, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.