Thursday, March 5, 2009

Analysis of a Real World Hacking Attempt

Many of my clients look to me and my team of penetration testers for input on the latest and greatest attacks, since we are down in the trenches performing the work and the clean-up of real-world attacks. With that being said, a member of the Northeast Ohio INFOSEC forum recently sent out a request for more information regarding over 1,000 recently blocked requests against a website he runs. The attack came from fewer than 12 IP addresses with a user-agent of "NV32ts", so it *may* be a fair assumption that it came from a botnet.

The attack looked like this:

/modules.php?name=news&new_topic=9\' and 1=2 union select CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c) and \'1\'=\'1

Just from looking at it, I observe a few things:

  • It is clearly a SQL injection attempt
  • It utilizes hex-encoded values
  • I assume the escaped quotes are because of PHP’s magic quotes being enabled
  • Its syntax shows an attempt to inject into a string literal
  • It attempts to append data to a record set with UNION SELECT
  • The UNION SELECT has 21 values with each being CONCAT(0x27,0x7c,0x5f,0x7c)
  • The injection is meant to be in the same query as the page's query since it doesn’t utilize comments (MS SQL allows for “piggybacking” of queries, others like Oracle and MySQL do not)

Let’s break it down into something we can read:

/modules.php?name=news&new_topic=9' and 1=2 union select '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_| and '1'='1
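Decoding the request by hand is tedious, so here is a small Python decoder, added as an example and not code from the original post: it URL-decodes the request, strips the magic-quotes backslashes, expands each CONCAT(0x..) call into the characters it stands for, and counts the columns in the UNION SELECT. The request line is a copy of the one above with the line breaks removed; the function names and the assumption that every hex literal is a run of single bytes are mine.

```python
import re
from urllib.parse import unquote

# Copy of the logged request (path only, line breaks removed), as it appears in the post.
RAW_REQUEST = (
    r"/modules.php?name=news&new_topic=9\' and 1=2 union select "
    + ",".join(["CONCAT(0x27,0x7c,0x5f,0x7c)"] * 21)
    + r" and \'1\'=\'1"
)

CONCAT_CALL = re.compile(r"CONCAT\(([^)]*)\)", re.IGNORECASE)


def decode_hex_literal(token: str) -> str:
    """Turn the digits of a MySQL hex literal such as 0x27 into the text it stands for."""
    return bytes.fromhex(token).decode("latin-1")


def decode_concat(match: re.Match) -> str:
    """Replace CONCAT(0x..,0x..,...) with the string it would produce."""
    parts = [p.strip() for p in match.group(1).split(",")]
    return "".join(
        decode_hex_literal(p[2:]) if p.lower().startswith("0x") else p
        for p in parts
    )


def decode_request(raw: str) -> str:
    """URL-decode, remove magic-quotes escaping, and expand hex CONCAT calls."""
    text = unquote(raw)
    text = text.replace("\\'", "'")  # \' is what magic_quotes_gpc produces
    return CONCAT_CALL.sub(decode_concat, text)


def union_column_count(decoded: str) -> int:
    """Count the values between 'union select' and the trailing 'and'."""
    m = re.search(r"union\s+select\s+(.*)\s+and\s+", decoded, re.IGNORECASE | re.DOTALL)
    if not m:
        return 0
    return len([v for v in m.group(1).split(",") if v.strip()])


if __name__ == "__main__":
    decoded = decode_request(RAW_REQUEST)
    print(decoded)
    print("UNION SELECT columns:", union_column_count(decoded))
```

The decoded output is the readable form shown above, with 21 copies of '|_| and the unbalanced quotes intact, which is what the rest of the analysis works from.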

More observations:

  • An underscore (“_”) in MySQL is a wildcard for a single character
  • Two vertical bars in Oracle and other databases are equivalent to “OR” as most people know it
  • '|_| would be the same as '|*| for those of you that are familiar with an asterisk wildcard, or '|?| for those of you that like MSDOS and renaming other things... (for example, to rename test_1.txt to test-1.txt you would use rename test?*.txt test-*.jpg)

What doesn’t make sense:

  • '|_| leaves an unclosed quotation mark, so every value is a syntax error on its own. The number of values is also odd: even if the attacker is careless and gets lucky, with adjacent single quotes closing each other out, that yields at best 10 values plus one oddball that still causes an error, and each of those 10 would be a string literal of “|_|, ” followed by a bare |_|, which does not follow logically. The UNION SELECT portion makes no sense to me whatsoever; perhaps my not knowing much about MySQL is an issue, or the attack was by a script kiddie.
  • If you search "0x27,0x7c,0x5f,0x7c" in Google there are 3,450 hits, so this payload has somewhat widespread exposure out there...
  • If it is specifically aiming at 21 values in the UNION SELECT, maybe it is targeting a specific 3rd party application?
  • The logic is AND UNION SELECT <21> AND:
    o The first AND (and 1=2) will always be false
    o UNION SELECT <21> will always fail with syntax errors
    o The final AND ('1'='1) will be true only if injecting into a string literal
  • From the previous bullet point, whatever page is loaded will NEVER return a record...
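To check the claims in the list above (the first AND is always false, the UNION SELECT is a syntax error, and the page can never return a row), here is an added example of my own, not code from the post or from the attacked application. It runs the decoded payload against a constructed SQLite table standing in for the news query, and beside the vulnerable string-building query it shows the parameterized form, which treats the whole payload as a topic value and simply returns nothing. The table name, columns and sample row are invented, and SQLite's parser is assumed to reject the same unterminated quotes that MySQL would.

```python
import sqlite3

# Decoded form of the logged payload: 21 unterminated '|_| values between the two ANDs.
INJECTED_VALUE = "9' and 1=2 union select " + ",".join(["'|_|"] * 21) + " and '1'='1"

# The same payload without the UNION part, to show the "and 1=2 is always false" point.
FALSE_ONLY_VALUE = "9' and 1=2 and '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the news table the attacked page queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (topic TEXT, title TEXT, body TEXT)")
    conn.execute("INSERT INTO news VALUES ('9', 'Constructed headline', 'Constructed body')")
    return conn


def query_by_string_building(conn: sqlite3.Connection, topic: str) -> list:
    """The vulnerable pattern: the request parameter is pasted into the SQL text."""
    sql = f"SELECT title, body FROM news WHERE topic='{topic}'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn: sqlite3.Connection, topic: str) -> list:
    """The fix: the driver binds the value, so it can never alter the statement."""
    return conn.execute("SELECT title, body FROM news WHERE topic=?", (topic,)).fetchall()


def outcome_of_injection(conn: sqlite3.Connection, payload: str) -> str:
    """Run a payload through the vulnerable function and report what the database did."""
    try:
        rows = query_by_string_building(conn, payload)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return f"rows: {len(rows)}"


if __name__ == "__main__":
    db = make_db()
    print("normal request   ->", query_by_string_building(db, "9"))
    print("and 1=2 only     ->", outcome_of_injection(db, FALSE_ONLY_VALUE))
    print("full payload     ->", outcome_of_injection(db, INJECTED_VALUE))
    print("parameterized    ->", query_parameterized(db, INJECTED_VALUE))
```

Run as written, the full payload makes SQLite raise a syntax error before anything executes, the fragment with only `and 1=2` is valid SQL that matches no row, and the parameterized query returns an empty list for both, since no topic is literally equal to the payload string.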

After this analysis, and trying to think outside the box, with so many things that can go wrong in this attack I have come to believe that its one and only goal is to cause deliberate errors: unclosed quotations, a mismatch between the number of values in the UNION and in the page's own query, and who knows how many others I missed...

Part of my due diligence as a pen tester is to always be on top of things, to provide the latest and greatest to everyone, and to aid other information security professionals with my knowledge. For those of you that may have been lost through all of that, I chose to post this blog to give some insight into some of the challenges we face in this world of cyber criminals. Not only do I break into stuff regularly, I also try to decipher the bad guys’ attacks as well. As the saying goes, you have to know how to be a hacker to defend against one.
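On the defending side, the indicators in this post (the NV32ts user-agent, a UNION SELECT in the query string, and the hex-encoded CONCAT literal) are easy to pick out of an access log. The following Python is an added example, not code from the post or from the site owner: it parses combined-format log lines, flags each request that shows one of those indicators, and counts flagged requests per client IP, which is how the "fewer than 12 IP addresses" picture above would be confirmed. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Apache/nginx combined log format; only client IP, request path and user-agent are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the post: the bot's user-agent, the UNION SELECT, and the
# hex-encoded CONCAT that every column of the payload carried.
SUSPECT_UA = "NV32ts"
UNION_SELECT = re.compile(r"union\s+select", re.IGNORECASE)
HEX_CONCAT = re.compile(r"CONCAT\((?:0x[0-9a-f]{2},?)+\)", re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2009:10:01:02 +0000] "GET /modules.php?name=news&new_topic=9%5C%27%20and%201=2%20union%20select%20CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)%20and%20%5C%271%5C%27=%5C%271 HTTP/1.1" 403 221 "-" "NV32ts"
203.0.113.10 - - [05/Mar/2009:10:01:03 +0000] "GET /modules.php?name=news&new_topic=9 HTTP/1.1" 200 5123 "-" "NV32ts"
198.51.100.7 - - [05/Mar/2009:10:02:15 +0000] "GET /modules.php?name=news&new_topic=12 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2009:10:02:16 +0000] "GET /modules.php?name=news&new_topic=9%27%20and%201=2%20union%20select%20CONCAT(0x27,0x7c,0x5f,0x7c)%20and%20%271%27=%271 HTTP/1.1" 403 221 "-" "Mozilla/5.0"
"""


def classify(line: str) -> Optional[dict]:
    """Parse one log line and list the indicators it matches (None if unparseable)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))  # decode %27, %5C, %20 before matching
    reasons = []
    if m.group("ua") == SUSPECT_UA:
        reasons.append("user-agent NV32ts")
    if UNION_SELECT.search(path):
        reasons.append("UNION SELECT in query string")
    if HEX_CONCAT.search(path):
        reasons.append("hex-encoded CONCAT literal")
    return {"ip": m.group("ip"), "path": path, "ua": m.group("ua"), "reasons": reasons}


def scan(log_text: str) -> dict:
    """Return the flagged requests and a per-IP count of them."""
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            flagged.append(rec)
            per_ip[rec["ip"]] += 1
    return {"flagged": flagged, "per_ip": per_ip}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for rec in result["flagged"]:
        print(rec["ip"], rec["ua"], "->", "; ".join(rec["reasons"]))
    print("flagged requests per IP:", dict(result["per_ip"]))
```

The user-agent is attacker-controlled and changes between bot versions, so the second sample line, which is flagged on the user-agent alone, is the weakest hit; the query-string indicators are what should drive a block rule, and the per-IP counts are what to hand to whoever manages the firewall.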

If anyone has any information as to what this may be, or has seen it before, I would love to hear your thoughts, so that not only can I hear them, but I can forward them on to others if someone has a better explanation than I do!

5 comments:

dre said...

nice work ... very interesting.

could it be discovery / footprinting / fingerprinting?

Tyler said...

Scott,

I also posted this on my blog at http://secshoggoth.blogspot.com and have pretty much come to the same conclusions as you.

I have more info on the NV32ts malware and will be posting that in a followup probably within the next couple days.

Anonymous said...

Hey, Scott,
Just wanted to let you know how much I enjoyed your talk last night at OWASP on '25 hacking techniques'. I was the one in the back who asked about Googlehacking.
I am currently doing my last class at UAT in Network Security with Greg Miles of Security Horizon before getting my BS.... nice to see a UAT alum doing well in the world. Anyhow, please let me know if you decide to do a talk on GoogleHacking soon. I am an online student and have taken up this topic as a way of getting the feel and mindset of doing pentest work without doing damage to the school's system.
Thanks again,
Christopher Horne
chrhorne@uat.edu

Anonymous said...

Honestly, I love a good puzzle, and this certainly is. I've given this some thought and it just doesn't seem realistic in today's world that this is a mistake. Sure, the first real virus was a mistake as a proof of concept that was a little more. But how often do you see a mass scale virus that's impotent?? So let's work on the original premise that this is an intentional error.

Why error? I think you'd just have to consider different game strategies that may make sense. For instance, why not release what looks like a harmless virus, lull people into thinking it's benign, and then mutate to nasty? It's not unlike in basketball when you keep faking to the left and then suddenly go right.

On the other hand, perhaps it's another type of distraction technique. Perhaps amongst the 1200 bad attempts there is 1 good one? The old needle in the haystack? Perhaps there is a bunch of intentional noise to hide the real attack. Almost an anti-honeypot approach.

Of course, this is all just guesses. But if you look at virus writing and hacking as a game, we see the 'offense' is releasing variants at an amazing pace and zero-days are on the rise. The defense has evolved quite a bit from signatures to heuristics systems. We see multi-vector attacks like combining phishing with cross-site scripting. And of course, many attacks are very sophisticated and well funded. So is it really crazy to think the strategies are getting smarter?

Matt Davis said...
This comment has been removed by the author.