Archive for the ‘Security’ Category

Antivirus software = anti-boredom software

Thursday, April 3rd, 2008

A minor illness kept me lying at home today. Once I felt a little better I got bored, but I was still in no state to work, so I could only do things that need no brain, which is why I did something I rarely do: scan Windows for viruses. And it was that scan that kept me from being bored for the rest of the night.

After one pass with AVG, the result gave me a shock. Every tool I need for my daily work had been quarantined.

  • netcat is a virus.
  • pwdump and fgdump are viruses.
  • Some packers and binders met the same fate: viruses.
  • Rootkits and trojans such as Donald Dick and BO2K go without saying: viruses.

So I spent the whole night on rescue work and was never bored again. Slack off and switch the brain off for a moment, and this is what you get.

04:27 update: I was not thinking straight and got it wrong. Donald Dick is a trojan, not a rootkit.

What happens after sending email to Bugtraq?

Friday, March 28th, 2008

As most people even remotely interested in computer security should know, bugtraq is one of the ultimate mailing lists one should subscribe to in order to get the latest news or vulnerabilities (full-disclosure and a few others aside). But few people mention what should be done before sending to the mailing list, and what will happen afterwards. Here is my little experience, to be shared:

  1. Before sending email, make sure the email is properly signed with PGP or GPG or whatever. There is a mailing list maintainer watching over the list; emails are validated before they are delivered to the mailing list. The first time, the maintainer told me personally that my email had been delivered successfully.
  2. For me the most interesting part is the ‘aftermath’. Most likely the following things will be found in your mailbox afterwards:
    1. A few replies, or none, to your email (depending on people’s interest in the content, how disputable it is, etc.).
    2. Lots of “out of office” replies. So many.
    3. Several “This address does not exist” or “mailbox full” errors from other mail servers around the world.
    4. And what distinguishes bugtraq from most mailing lists: one or two emails from Russia or Eastern Europe or wherever, asking you to join malicious groups or exchange your ‘scripts’ for $$$.

The modern-day ‘No Chinese or dogs allowed’

Wednesday, March 12th, 2008

Reading Zone-H a while ago, I noticed a commentary that was basically an online anti-Chinese piece. The situation is already very different from Lenovo’s acquisition of Thinkpad back then: Huawei was not buying 3com outright, only taking a stake of less than 20%; the difference is that this deal was killed by the US government on national-security grounds. Not wanting China to get its hands on American technology has always been the way; it is perfectly normal.

Nine out of ten pieces of Chinese IT technology come from copying a bit here and a bit there; genuinely home-grown research results are pitifully, laughably few. Even the Chinese themselves know full well that many of these are playing-house games for senior officials, rich kids and their relatives and friends, and nobody expects anything of these ‘big enterprises’. So when others look down on them, there is no room for rebuttal. At the end of the day, China still has hundreds of millions of people going hungry, and we are talking about IT?

One or two sentences in it make the article’s stance very clear:

……we should all be concerned about the possible implications in having a Chinese networking company controlling one of the largest western producers of network and security appliances. Here both stakes and risks are too high.

Conversely, mainland China is afraid too. The mainland government, its enterprises, its ordinary people: which of them is not on Windows? If one day the US government directed Microsoft and the other American companies to leak the whole mainland’s confidential data, or, as in the past, to stop providing any updates and let viruses wreck the networks, it would be finished just the same. But the mainland only uses Linux as a bargaining chip in its negotiations with Microsoft: in the past it was state subsidies, now it is ‘no interference with the free market’, and any ordinary Chinese user can see that among the Linux distributions made by Chinese, those that should have died have all died off, with only a few left barely surviving. Those from Taiwan and Hong Kong are the same and need no further discussion. How many Chinese Linux distributions are anything more than Red Hat with the logo and wallpaper swapped, released as the new product XXX Linux 1.0?

Don’t get me wrong: all that is left now is one last sigh, and I fear it will be my last one. People have to face reality. Predictions about the future can wait for the future.

That said, the Zone-H article does have some insight in places. Who owns our data? No no no, not us; it belongs to the assorted network hardware vendors, ISPs, governments, law enforcement, the big computer-system and network giants, and hackers. Assuming none of the above parties wants our data, we ourselves come last in the queue.

WordPress fanboys: ‘WordPress more secure than SSH’

Sunday, March 2nd, 2008

Here we take a glimpse of the WordPress fanboys’ mindset. Why is WordPress more secure than SSH? Because SSH is vulnerable to username guessing (more formal term: enumeration), while WordPress isn’t! But why?

I can repeatedly send password attacks to an SSH server very fast without it being particularly impacted by it.
Hitting a WordPress server very fast would either a) have a very long round trip time or b) bring down the server due to the sudden high amount of database activity.

Look at the old SSH documents, and yeah, a username leak makes it that much easier to run a brute force attack. But this is not SSH. This is a webpage with a login form. The same solutions should not instantly apply just because that’s what people think of as ‘secure’.

In no way shall this bug report about leaking WordPress usernames be forgotten:

There are other ways to verify user names. You can reverse engineer them from the author archive URLs (e.g. http://example.com/author/mark/). I believe the consensus last time this came up was that it was trivial to figure out the user names anyway, and that it is much more user-friendly to tell them when they messed up their username, and not the password. Also, “admin” is created on install, and can’t be changed using WordPress itself, so there’s no hiding that.

In short: the default user name is already leaked in multiple ways; there is no use protecting the user name.

Heh, I suppose this is the reason why WordPress doesn’t need to protect against username enumeration, in addition to all kinds of other possible attacks. The word ‘insecure’ is blasphemy to WordPress fans and developers alike, and all reports saying WordPress has holes are automatically countered with ‘Bwahahaha’, be they true or not; while Automattic’s hard-coded answer is always ‘please send e-mail to security@wordpress.org’. Of course, sending email to that alias is usually met with dead air. (No, not just me.) After my second email report to them about my previous WordPress hole, only the newest employee gave a single line of reply: “we saw that”. Of course, the hole is still there without any fix, even though multiple releases have passed.

Other quotes worth chuckling at:

An email from ???

Saturday, February 16th, 2008

Even more fun than the email from Mandriva I mentioned earlier. This time it possibly came from Russia, Belarus or some such country. The content was simple too: it just asked whether I had any more 0-day exploits (see the English explanation; the Chinese Wikipedia article is rubbish), and if so, to name a price. Utterly bizarre. Probably because of the WordPress vulnerability I disclosed last time.

WordPress Charset SQL Injection Vulnerability

Monday, December 10th, 2007

As promised in the previous post (in Chinese, sorry), here is the full advisory of the WordPress SQL injection vulnerability I mentioned. Excerpt below:

It was found that the search function provided within WordPress fails to sanitize input according to the character set in use. So if WordPress queries the MySQL database using certain specific character sets, the WordPress search function is exploitable via charset-based SQL injection.

Currently known exploitable character sets include Big5, GBK and GB18030. All of them may use the backslash (‘\’) as part of a multibyte character. WordPress installations whose MySQL database was created with any other character set having this property may also be exploitable.

Executing this attack alone results in exposure of all database content through the web interface, without any need for authentication. However, combined with other exploits (such as the cookie authentication vulnerability disclosed earlier), any remote user can obtain WordPress admin privileges, resulting in server compromise.

Actually, I had long suspected this was exploitable, though I did not make the real effort to verify the claim until a few days ago. Given WordPress’s security track record, such a thing is entirely within expectation.

Chinese sites stubborn enough to keep using Big5 or GBK encoding in the database are in jeopardy; otherwise most sites should be rather safe from this exploit (as most should be using UTF-8). Nor is the latin1 character set vulnerable (as used in most earlier default WordPress installations). But contrary to common belief, it looks like mysql_real_escape_string() doesn’t fix the problem at all. Can anybody confirm or deny this?
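As an added illustration (not the advisory's or WordPress's own code), the following Python models the mechanism at the byte level for Big5 and GBK, with latin1 for contrast: byte-wise escaping turns a stray lead byte followed by a quote into lead byte, 0x5C, 0x27, which those charsets read as one two-byte character and then a bare quote, whereas escaping that first decodes the input in the connection charset does not. The table and column names, the probe input and the lexer model are constructed simplifications.

```python
# Added example, not from the original advisory or WordPress: constructed
# table/column names and probe input, and a simplified lexer model.

def escape_bytewise(value: bytes) -> bytes:
    """addslashes-style escaping that knows nothing about the connection charset."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def escape_charwise(value: bytes, charset: str) -> bytes:
    """Decode in the connection charset, escape per character, re-encode.
    A stray lead byte is not a valid character, so it is replaced and can
    never pair with the escaping backslash that follows it."""
    text = value.decode(charset, errors="replace")
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset, errors="replace")

def search_query(escaped_term: bytes) -> bytes:
    return b"SELECT ID FROM posts WHERE content LIKE '%" + escaped_term + b"%'"

def is_two_byte_char(data: bytes, i: int, charset: str) -> bool:
    """True if data[i:i+2] decodes to exactly one character in charset."""
    if data[i] < 0x80 or i + 1 >= len(data):
        return False
    try:
        return len(data[i:i + 2].decode(charset)) == 1
    except UnicodeDecodeError:
        return False

def bare_quotes(query: bytes, charset: str) -> int:
    """Simplified model of a multibyte-aware SQL lexer: a valid two-byte
    character is skipped whole, a backslash consumes the next byte, any other
    byte stands alone. Returns how many single quotes act as string
    delimiters; an intact LIKE '%...%' query has exactly two."""
    count, i = 0, 0
    while i < len(query):
        if is_two_byte_char(query, i, charset) or query[i] == 0x5C:
            i += 2
        else:
            if query[i] == 0x27:
                count += 1
            i += 1
    return count

# Constructed probe: a lone lead byte (valid in both Big5 and GBK) followed by a
# quote. Byte-wise escaping yields 0xBF 0x5C 0x27: one CJK character, then a quote.
PROBE = b"\xbf'"

if __name__ == "__main__":
    for charset in ("big5", "gbk", "latin1", "utf-8"):
        naive = bare_quotes(search_query(escape_bytewise(PROBE)), charset)
        aware = bare_quotes(search_query(escape_charwise(PROBE, charset)), charset)
        print(f"{charset:7} byte-wise: {naive} quotes, charset-aware: {aware} quotes")
```

mysql_real_escape_string() escapes in the charset-aware way only when the client library itself has been told the connection charset (mysql_set_charset() in PHP); a charset selected with a SET NAMES query alone leaves the library escaping under its default charset, which is the byte-wise case above. Parameterised queries avoid the problem entirely, since the search term never becomes part of the SQL text.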

2007-12-10 20:55 update: GB18030 is not vulnerable. MySQL 5.0.x doesn’t support this character set at all; I don’t know about the 5.1 series.

WordPress, drop dead

Saturday, December 8th, 2007

I will probably post this to full-disclosure and bugtraq shortly.

WordPress SQL injection screenshot

Want to know what the e10adc3949ba59abbe56e057f20f883e in the picture stands for? Look this number up at www.xmd5.net and you will know what password I used when setting up this test WordPress.

Taken by itself, this vulnerability can at most dump the entire contents of the database; but combined with other vulnerabilities it becomes unstoppable. For example, the recently published WordPress cookie vulnerability (affecting 1.5 to 2.3.1) lets anyone become a WordPress admin at will, but its precondition is being able to read the admin’s name and password in order to forge the cookie needed for the admin login. The vulnerability I found happens to extract the admin’s name and password without direct access to the database, which is exactly the necessary and sufficient condition for that cookie vulnerability.

But there is no need to worry too much: the preconditions for the vulnerability I found are very strict, and most people should not be affected. If, however, anyone is using Big5, GBK, GB2312 or similar as the database charset, it is time to consider migrating to UTF-8.

Incidentally, anyone planning to suggest that I notify Automattic first can save their breath. They have ignored quite a few security advisories, only dealing with them once a public exploit appeared, and I have reached the point of disgust with this.