Sunday 13 January 2008

The rhican rampage

Yeah, that's surely the right word for the recent challenge site pwnzor incidents. Within just a few months, rhican was able to find exploits in almost all the big challenge sites, even the ones whose administrators had taken security into consideration.

Everything started with the soft-hyphen bug that rhican found on Electrica and HackQuest. Then rhican mysteriously found a way to pwnzor flamecruiser's account at HackQuest. Next he found an XSS bug on rankk. Then again he mysteriously found a way to eavesdrop on the conversation between Inferno and alt3rn4tiv3 at TBS. It was kinda cool back then, when things like that were thought to be impossible.

The topic became hot once again in late 2007 when rhican published an SQL injection on Electrica, which put every account in danger of being compromised. Things turned chaotic when rhican posted whiteboy's challenger password to the public, and even gave noobs free access to all the solutions. That put an end to the site - after a long period in which noobs rushed their way to the top, today the database was inaccessible; not sure whether it was taken down for maintenance by Caesum or pwnzored by a noob.

And the rhican pwnage doesn't seem to have come to an end. A few days ago, yet another SQL injection was found and published by rhican. This time the victim was slyfx. Everyone in the challenger world was left with the same feeling: all challenge sites are insecure, and will be pwned by rhican someday. Now the question is, what will be rhican's next target? I myself would be excited to see him pwn hackits.de or hackthissite.org, the sites with many script kiddies thinking of themselves as 1337-h4x0r5.

Now if you are feeling sorry for those challenge sites and wondering what the world is going to become, I'll let you in on some good news. You know, nothing in life is entirely good or bad. Thanks to hacking, bugs have been fixed to make life better. A brand new challenge site is being developed by whiteboy and will probably be popular soon. And whiteboy is taking every precaution to make sure it's rhican-proof :) I'll be one of the beta testers, so be sure to tune in for the next chapter :)

Update: TBS, or rather alt3rn4tiv3, fell victim to rhican again. This time, using an old CSRF bug that hadn't been fixed for years, rhican was able to borrow alt3rn4tiv3's hands (that is, his logged-in browser session) to wipe away the biggest spam topic on TBS - "Let's count... The number topic" by BaRa. I'd say it's an achievement to get rid of this big waste of time and space :)

Sunday 6 January 2008

Vulnerabilities in challenge sites

Many challenge sites are about internet security, and that's probably the most interesting part of them. Beginners refer to them as hacker games, and think that by joining them you'll become a very 1337 h4x0r. And of course the sites should be very secure, and the admins must be experts in computer security. Well, that is not always true.

Security is a complicated subject. Although the theory is relatively easy to grasp, in practice it is almost impossible to achieve absolute security. Many techniques, frameworks and tools have been created to make security easier to achieve, but since challenge sites have been around since the 90s, most of them are still built on old code bases and do not employ the newer (and heavyweight) technology needed to build a secure system. And no matter how hard you try, it is still very easy to make the kind of human mistake that leads to disaster.

Today I will give a brief review of vulnerabilities in challenge sites I have played: some of them minor, some serious enough to lead to total pwnage of the whole site.

The oldest vulnerability I know of was at Ma's Reversing. Being built on old technology, it used URL rewriting for session tracking: the session id was included in the URL as a GET variable. Normally this is only a serious problem on shared computers, because the session id ends up in the browser history. But the site was also using an external visitor tracker, ExtremeTracking, which logged the HTTP Referer header of each visitor. The Referer carries the full URL of the page you came from, session id included, so every session id the tracker saw was exposed to the public, and Harlequin successfully used this to get access to another user's account.
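To make the leak concrete, here is an added example (my own illustration, not code from Ma's Reversing or from ExtremeTracking). It takes a few constructed Referer values of the kind a third-party tracker would log, shows that the session ids can be pulled straight out of them, and then shows the two fixes a site owner would want: strip the session parameter from any URL before it can be sent on as a Referer, and read the session id from a cookie only, ignoring whatever arrives in the query string. The hostname and the parameter name `sid` are assumptions; the real site used its own names.

```python
from urllib.parse import urlparse, parse_qs, parse_qsl, urlencode, urlunparse

# Constructed sample data: what a tracker's referer log might contain when a
# site puts the session id in the URL. Hostname and parameter name are made up.
SAMPLE_REFERERS = [
    "http://reversing.example/challenges.php?sid=3f9c1a0e7b2d4c5a&level=4",
    "http://reversing.example/index.php",
    "http://reversing.example/profile.php?user=harlequin&sid=9a8b7c6d5e4f3a2b",
]


def leaked_session_ids(referers, param="sid"):
    """Return every session id a referer log gives away, in log order.

    This is exactly what an attacker reading a public tracker page gets for
    free: a list of live session ids with no exploitation effort at all.
    """
    found = []
    for ref in referers:
        query = parse_qs(urlparse(ref).query)
        found.extend(query.get(param, []))
    return found


def strip_session_param(url, param="sid"):
    """Fix 1: remove the session parameter from a URL before it is used in a
    link or redirect, so the browser never sends it in a Referer header."""
    parts = urlparse(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != param]
    return urlunparse(parts._replace(query=urlencode(kept)))


def session_id_from_request(cookies, query_string, param="sid"):
    """Fix 2: trust only the cookie for the session id.

    A session id that shows up in the query string is ignored rather than
    honoured, so a leaked URL can no longer be replayed into a session.
    Returns None when no cookie-borne session id is present.
    """
    # The query string is parsed only to make the ignore decision explicit.
    _ = parse_qs(query_string).get(param)
    return cookies.get(param)


if __name__ == "__main__":
    print("ids visible in the tracker log:", leaked_session_ids(SAMPLE_REFERERS))
    print("sanitised link:", strip_session_param(SAMPLE_REFERERS[0]))
    print("session from cookie only:",
          session_id_from_request({"sid": "deadbeef"}, "sid=3f9c1a0e7b2d4c5a"))
```

The point of the second fix is that stripping URLs is easy to miss in one template somewhere; refusing to accept a session id from the query string at all removes the whole class of leak, whether the carrier is a Referer header, a browser history or a pasted link.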

Another challenge site that suffered from insecurity was HackQuest. In 2004, a hacker pwnzored skyflash's account by exploiting a bug in phpBB. And last year (2007) multiple XSS vulnerabilities were found and exploited in the wild (I myself was able to collect some cookies too :P). Not to mention the soft-hyphen bug found by rhican.

TheBlackSheep, one of the most popular sites, was not that secure either. In 2004, when the forum search feature was introduced, Erik got many PMs reporting SQL injection bugs (one of which was mine :P). And recently, rhican found a way to read PMs between Inferno and alt3rn4tiv3 (how he did it is still a mystery :P). And there's an XSS bug in one of the challenges that puts everyone in danger too.

But things could have gone worse than that. Electrica, a challenge site by Caesum, was vulnerable to SQL injection, although the owner had tried his best to filter everything. rhican totally infiltrated the site, hijacked some famous accounts, and even published the injection that gives away the solutions to all the challenges. The worst thing a site owner could experience in his whole life.

Want more? I myself have found some XSS bugs at spy-games, DareYourMind, and even Project Euler. Another XSS bug at rankk was found and reported by rhican. And just a few days after I joined HellBoundHackers, my account got deleted by a hacker who had pwnzored the whole database.

So what's the lesson? Do not reuse the same password for multiple accounts - every security researcher would want to say that, but it's easier said than done. Anyway, just choose whatever software you find most suitable for keeping your passwords apart, and if none suits your needs, invent a solution for yourself :P

And before I forget to mention it, you should have a look at this cool challenge site for a quick laugh: pardio.net. Probably that's the worst challenge site ever. There you can find every noob vulnerability, some of which could even give you the FTP password. cryptodoggy and I infiltrated this site a few years ago, but the site owner still hasn't discovered it, and hasn't even changed the password either :D