Information Security News mailing list archives

How a cracker defeated 'Hackopen'


From: William Knowles <wk () C4I ORG>
Date: Mon, 10 Jul 2000 16:11:25 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.html

By Timothy Dyck, eWEEK
July 9, 2000 9:00 PM PT

Seven days after the start of our Openhack security competition at
www.openhack.com, we've had our first successful crack, of the
e-commerce storefront. The rest of the site, including the Web server,
mail server and database, is still secure and remains a target of
attack.

On July 3, Austrian hacker Alexander Lazic penetrated our e-commerce
storefront package, Akopia Inc.'s MiniVend, by finding and exploiting
two previously unknown application security holes. (The package,
including the new security updates, is available at www.minivend.com.)

Also on July 3, we informed MiniVend author Mike Heins of the
security problems. Heins, who is based in Oxford, Ohio, posted a
workaround and a patch to the MiniVend users mailing list on the
morning of July 5 and told us that an updated version of MiniVend
without the holes will shortly be posted on the product's Web site.

The new security information and updates will be vital for the many
MiniVend users on the Web. Heins estimates that between 5,000 and
10,000 people have deployed the product and that it is live on tens of
thousands of sites. It's been downloaded nearly 1 million times, and
"a fair number" of these sites will be vulnerable to this new crack,
Heins said.

The simplest way MiniVend sites can protect their storefronts is to
delete the VIEW_PAGE.HTML file from their sites because it has a
security hole.

Here's how Lazic got into the site. After standard network scans
turned up nothing promising, he identified the software we used for
our storefront: MiniVend. He then downloaded the MiniVend code, which
is freely available, and went through it looking for security holes.

The first flaw Lazic found lies in the VIEW_PAGE.HTML file. It is part
of MiniVend's sample store (highlighting the dangers of leaving sample
code on a production site) and doesn't check for a pipe (a vertical
bar) in the file name passed to it. This means an operating system
command can be appended to the file name.

VIEW_PAGE.HTML then calls a MiniVend subroutine called READFILE in
the file UTIL.PM, which has a second hole: the code uses Perl's OPEN
function in an insecure way to check whether the file exists.
Specifically, OPEN as used in UTIL.PM is the two-argument form, which
interprets a pipe character at the start or end of the file name as an
instruction to run the rest of the string as a command through a
command shell. If the attacker's input contains a pipe followed by a
command, that command is executed with the permissions of the
MiniVend program.
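As an added illustration (this is not MiniVend's code; the subroutine names, the sample page and the temporary store directory are invented for the example), the Perl below contrasts a READFILE-style helper that hands an attacker-supplied name to two-argument open with a hardened version that allow-lists the name, confines it to a base directory, tests existence with -f rather than with open, and uses three-argument open so the string is never parsed for mode or pipe characters:

```perl
#!/usr/bin/perl
# Added example, not MiniVend's own code: readfile_unsafe() mirrors the
# pattern the article describes (an attacker-controlled name handed to
# two-argument open); readfile_safe() is one way to close it.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Vulnerable: two-argument open() decides the mode from the string itself.
# A name ending in '|' (or starting with '|') is run as a shell command,
# so "does this file exist?" turns into "execute this".
sub readfile_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return;      # 2-arg open: '|' in $name is honoured
    local $/;                           # slurp mode
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Hardened: allow-list the characters, forbid '..' components and absolute
# paths, confine to $base, test existence with -f (no shell involved), and
# use three-argument open so the mode is fixed by the code, not the input.
sub readfile_safe {
    my ($base, $name) = @_;
    return unless defined $name;
    return unless $name =~ m{\A[A-Za-z0-9_][A-Za-z0-9_.\-/]*\z};
    return if grep { $_ eq '..' } split m{/}, $name;
    my $path = "$base/$name";
    return unless -f $path;
    open(my $fh, '<', $path) or return;  # 3-arg open: '<' cannot be overridden
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Constructed sample store: one legitimate page in a temporary directory.
my $base = tempdir(CLEANUP => 1);
open(my $page, '>', "$base/index.html") or die "cannot write sample page: $!";
print $page "<h1>Sample store</h1>\n";
close($page);

# Attacker-controlled "file name" carrying a harmless command for the demo.
my $evil = 'echo INJECTED|';

my $got = readfile_unsafe($evil);
print "unsafe: ", (defined $got ? $got : "(no such file)\n");

for my $name ('index.html', $evil, '../../etc/passwd', '/etc/passwd') {
    $got = readfile_safe($base, $name);
    printf "safe [%s]: %s\n", $name, defined $got ? 'served' : 'rejected';
}
```

Run as-is, the unsafe variant prints INJECTED, the output of the echo command it was tricked into running, while the hardened variant serves only index.html and rejects the pipe, the traversal and the absolute path. The key change is the three-argument open; the allow-list and the -f check are the defense in depth around it.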

"That's a wrong thing to do," Heins said. "MiniVend is almost five
years old, and some [of the code] has just stayed there. I probably
would not have done it that way if I had written that particular
routine in the last few years."

At this point, Lazic could run any operating system command as the
MiniVend user. He renamed the original store home page and then used
the Unix ECHO command to create a new store home page in its place.

We could have prevented this part by making MiniVend's templates
read-only for the MiniVend user. Defense in depth is the mantra in
security, and we have made these file permission changes.

Note that Lazic did not get root access on our e-commerce server. We
have installed all of the operating system security patches that could
affect our configurations and, as far as we know, are protected
against all known local and remote root exploits.

West Coast Technical Director Timothy Dyck can be reached at
timothy_dyck () ziffdavis com


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
