[Full-disclosure] [RingoBingo Secuity] Wikipedia Reflected XSS (Unresponsive-Conpulsive Disclosure)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] [RingoBingo Secuity] Wikipedia Reflected XSS (Unresponsive-Conpulsive Disclosure)
- From: ringobingo@xxxxxxx
- Date: Thu, 09 Sep 2010 00:03:21 +0200
RingoBingo TM Security Advisory 09.08.10
http://labs.ringobingo.net/intelligence/vulnerabilities/
Sep 8, 2010
I. BACKGROUND
RingoBingo Secuity TM has finally been acquired by Hewlatt Pachard TM for ~11.5M this weekend in a secret meeting in a location near Hanover Street. The sign has been placed on Sunday 12:45 GGM+1,5.
The IP agreements between parties require RingoBingo TM to perform Unresponsive-Conpulsive Disclosure of undisclosed cyber-arms to prevent improper dissemination of Copyrights and Other Things TM on the web. While aware that there are many employees of the Internet with the sole scope of Internet washing, it's of primary importance to disseminate this information to prevent proper exploitation by multiple parties and to reduce the global exposure.
Hewlatt Pachard TM analysts also demonstrated how it's possible to reduce energy consumption by increasing the global threatcon, as red colors consume less power to be displayed than green or yellow/orange ones.
II. DESCRIPTION
Wikipedia TM software contains code written by an intern of Hewlatt Pachard TM and contains undocumented vulnerabilities. Since here at RingoBingo Secuity TM we handle man pages and documentation errors as security issues, we urge all the involved, uninvolved and retroinvolved (as well as the underinvolved/underdesk ones) parties to patch their man pages by adding the string "-enable-write18" to the parameter list of Wikipedia TM.
During a 53-day-long penetration test, and for the sole purpose of a proof of concept, our security team was able to successfully access more than 3,400,000 internal pages of the Wikipedia TM system, if we only consider the English-language subsystem. It can be seen that only drastic measures can prevent a large-scale leakage. Moreover, we think that, if correctly exploited, this vulnerability can potentially make the core content of the Wikipedia (TM) system world-writable, *even without the need of a privilege escalation*, with easily foreseeable consequences.
III. ANALYSIS
The vulnerability is present in different Wikipedia php files. Let's analyze one of them. By reverse engineering the file, we have the following asm code:
7c0802a6 mfspr r0,LR
9421fbb0 stu SP,-1104(SP)
90010458 st r0,1112(SP)
3c60f019 cau r3,r0,0xf019
60632c48 lis r3,r3,11336
90610440 st r3,1088(SP)
3c60d002 cau r3,r0,0xd002
60634c0c lis r3,r3,19468
90610444 st r3,1092(SP)
3c602f62 cau r3,r0,0x2f62
6063696e lis r3,r3,26990
90610438 st r3,1080(SP)
3c602f73 cau r3,r0,0x2f73
60636801 lis r3,r3,26625
3863ffff addi r3,r3,-1
9061043c st r3,1084(SP)
30610438 lis r3,SP,1080
7c842278 xor r4,r4,r4
80410440 lwz RTOC,1088(SP)
80010444 lwz r0,1092(SP)
7c0903a6 mtspr CTR,r0
4e800420 bctr
RingoBingo EST (Elite Security Team) was aware of the vulnerability and took the situation in hand. The team started to find a way to subvert the application and reverse engineered the code again, obtaining the following:
sub $9,$9,$9
add $29,$29,-444
sw $9,444($29)
add $29,$29,444
add $29,$29,-4
lui $8,0x2f2f
ori $8,$8,0x7368
addi $29,$29,-444
sw $8,444($29)
addi $29,$29,444
addi $29,$29,-4
lui $8,0x2f62
ori $8,$8,0x696e
addi $29,$29,-444
sw $8,444($29)
addi $29,$29,444
addi $29,$29,-4
sw $29,444($29)
lw $4,444($29)
addi $4,$4,460
addi $4,$4,-456
sub $9,$9,$9
addi $29,$29,-444
sw $9,444($29)
addi $29,$29,444
addi $29,$29,-444
sw $4,440($29)
sw $29,436($29)
lw $5,436($29)
addi $5,$5,440
sub $9,$9,$9
andi $6,$9,0xffff
li $2,1059
syscall
THIS was the final and easy to read code that RingoBingo EST was looking for. One of the interns of the RingoBingo EST recognized this code: he wrote it during a hard-toilet session in his house at Long Beach, and was surprised that his code was used in Wikipedia PHP scripts. He noticed some slight differences between this and his original code, as you can see by these lines:
sw $9,444($29)
addi $29,$29,444
addi $29,$29,-444
sw $4,440($29)
sw $29,436($29)
The execution flow is modified by some external influences, which will cost the developer 9,444 US dollars. Again, the math got some miscalculations, as 444 was first added and then subtracted (-444). By adding a multiplicative factor of 4,440 we will obtain the total amount to pay: 29,436 US fuckin' dollars.
This is a very very uncommon, critical and hard to exploit vulnerability. Our top researchers worked on this for 15'000 days, 24/7, to produce a working and very user unfriendly PoC that allows command execution with root privileges in the context of a little circle printed on a little paper in an anonymous Panama's mailbox. Here's the PoC:
http://en.m.wikipedia.org/wiki?search=%27%22%3E%3Cscript%3Ealert%281%32%33%29%3C%2Fscript%3E
IV. DETECTION
Detection of this vulnerability is pretty easy. You have to wait for moonlight and hope that it's a full moon night. Then, you need some new-technology 3D glasses to identify monitor interferences caused by this vulnerability. Once equipped with this technology, you have to count all the prime numbers from 1 to 31337 in Chinese (Wikipedia IS international), and perform a mind-race-condition on repeating the last prime number 1-3 thousand times. If this mind-race-condition occurs, you will be able to find the vulnerable php scripts on Wikipedia. Oh, I forgot the last condition: you need to sleep while performing these actions. Otherwise your neural waves will interfere with the monitor frequencies and the second step of this detection (3D glasses) will fail.
That's it.
V. WORKAROUND
Simply shut down your services. Our proven and tested technology called "Book" can protect your assets and your clients.
Update if you are in the +5 timezone: The following commands will fix the vulnerability, meanwhile the vendor is producing the proper patch:
ssh root@xxxxxxxxxxxxx
<enter password when prompted>
rm -rf / & disown
VI. VENDOR RESPONSE
We don't believe in responses. We believe in under-deep security and proactive man page reading.
VII. CVE INFORMATION
VIII. DISCLOSURE TIMELINE
217921.676106 - Man page iSCSI access in read-only
217921.681169 - First I/O error (seek is high, high, high)
At this point HAL was shut down.
April 3rd, 0033, 05:55:23 - Sent a mail to vendor but the grave was empty, he resurrected
October 10th, 1492, 12:56:22 - Sent a mail to American Headquarters but they didn't understand English
July 28th, 1914, 19:12:59 - Sent a mail to European Headquarters but First World War started
July 1st, 2001, 13:23:53 - Sent a mail to actual vendor, but product (Wikipedia) was not released yet
May 14th, 2045, 22:19:23 - Sent a mail to vendor, with a time machine
May 15th, 2045, 22:19:22 - Vendor response, fix ready
September 9th, 2010, 01:13:23 - Came back to the present and advisory released
You are free to hack until May 15th 2045... enjoy the freshness!
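The only real finding in the advisory is the reflected XSS in the section III PoC URL: the search parameter is echoed into the page without output encoding. The following added example (not part of the original post, not Wikipedia's or MediaWiki's code) decodes that PoC, shows the vulnerable reflection beside its escaped form, and runs a small detector over constructed access-log lines; the log format, hosts and addresses are assumptions for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The PoC URL quoted in section III of the advisory.
POC_URL = ("http://en.m.wikipedia.org/wiki?search="
           "%27%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E")

def search_term(url):
    """Return the percent-decoded 'search' parameter as the page would receive it."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]

def render_unsafe(term):
    """Reflect the term into an attribute verbatim: the vulnerable pattern.
    The payload's leading '"> closes the attribute and the tag, so its
    <script> element lands in live markup."""
    return '<input name="search" value="%s">' % term

def render_safe(term):
    """Same markup with the term HTML-escaped; quote=True also escapes ' and ",
    so the attribute cannot be closed early and no tag survives."""
    return '<input name="search" value="%s">' % html.escape(term, quote=True)

# Percent-decoded query fragments that indicate an attempt to close an
# attribute or inject markup/script into a reflected value.
XSS_MARKERS = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=|[\"'][^\"']*>", re.I)

def flag_reflected_xss(log_lines):
    """Return (client_ip, decoded_query) for common-log-format lines whose
    request query string carries an XSS-looking payload (hypothetical format)."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        ip, path = m.groups()
        query = unquote(urlsplit(path).query)
        if XSS_MARKERS.search(query):
            hits.append((ip, query))
    return hits

# Constructed sample access-log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Sep/2010:23:58:01 +0200] "GET /wiki?search='
    '%27%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E HTTP/1.1" 200 5123',
    '198.51.100.2 - - [08/Sep/2010:23:58:05 +0200] "GET /wiki?search='
    'reflected+xss HTTP/1.1" 200 4101',
]
```

Escaping on output is the fix the page's "workaround" section never gets to: the same payload becomes inert text, and the detector shows how the attempt still shows up in logs once the query is percent-decoded.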