Intel Breach Reveals Passport Information


Unu, an active Romanian hacker (see hacker vs. cracker) who mostly discloses SQL injection vulnerabilities in the web applications of major sites, recently including two Kaspersky international properties and a Wall Street Journal conference site, has demonstrated an attack on an Intel web property, http://channeleventsponsors.intel.com/intelwebinar/somepage. The site handles online registrations for channel partner events, and it has been shown to have a SQL injection vulnerability that outputs a database table which appears to contain personally identifiable information (PII).

What the Site Normally Looks Like

While the site is down, we can still grab captures of what it looked like. The screenshot below shows the site in use for events occurring between 10/22/09 and 12/03/09, so the site was active:

Channel Conference Technical Solutions Training Lite

Login screen, Intel Channel Conference North America


A Timing Problem

It is unclear whether Intel was notified ahead of the blog post, but the affected web site https://channeleventsponsors.intel.com has been taken down. This web site has been the subject of a previous attack, that time a defacement. It is unclear whether Unu identified the issues he is reporting before, or around the same time that, a public mirror of a defacement of the site by netb00m was captured by Zone-H on 11/28/09. If his successful injection occurred after it was already obvious that there was a problem with channeleventsponsors.intel.com, that is somewhat problematic.

11/28/09 defacement of the same channeleventsponsor web site.


The Attack

load_file

Unu demonstrates a successful load_file, the equivalent of doing this in MySQL:

mysql>

Example load_file.


What you are primarily looking at is the /etc/passwd file of a Linux OS. That this is possible opens up the possibility of writing files onto the machine itself. Unu mentions the possibility of defacement; however, netb00m has already clearly demonstrated that possibility.

Database Enumeration

Unu takes us through the enumeration of the MySQL databases resident on that installation:

Database enumeration.


mysql.user Table

Unu then submits a SQL injection string containing xxx, which outputs the contents of the mysql.user table. Of interest is the one password hash we see: 4fd0bea62bb51ad3. This is only 16 characters long, indicating it is the type of password hash used in MySQL versions prior to 4.1. That does not mean the database version is that old, only that the passwords were hashed with the old function. But it probably means the database is that old.

MySQL users table.


The id translations has the ‘%’ entry for host, meaning that the associated user can connect from any host, although a connection from outside the company to the MySQL instance running on the box would usually require port 3306 to be open on the machine.
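The two indicators discussed above (a 16-character pre-4.1 hash and a ‘%’ host entry) are exactly what a defender would check for when auditing a mysql.user dump. The following is an added example, not code from the post or from any tool it mentions; it parses rows in the user:host:password order that the concat(user,0x3a,host,0x3a,password) injection string produces, and the sample rows are constructed (only the hash value is the one quoted in the post).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in user:host:password order. The 16-hex hash is the one
# quoted in the post; the other rows and the 41-char hash are hypothetical.
SAMPLE_DUMP = """\
root:localhost:4fd0bea62bb51ad3
translations:%:4fd0bea62bb51ad3
webapp:10.0.0.5:*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
legacy:%:
"""

OLD_HASH = re.compile(r"^[0-9a-f]{16}$", re.I)   # pre-4.1 PASSWORD(): 16 hex chars, unsalted
NEW_HASH = re.compile(r"^\*[0-9A-F]{40}$")       # 4.1+ PASSWORD(): '*' + SHA1(SHA1(pw))


@dataclass
class Finding:
    user: str
    host: str
    hash_kind: str
    issues: list = field(default_factory=list)


def classify_hash(value: str) -> str:
    """Name the mysql.user Password column format by its shape alone."""
    if value == "":
        return "empty"
    if OLD_HASH.match(value):
        return "old-16-hex"
    if NEW_HASH.match(value):
        return "new-41-char"
    return "unknown"


def audit_user_dump(dump: str) -> list:
    """Flag weak hash formats and any-host accounts in a user:host:password dump."""
    findings = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        # split on the 0x3a separator at most twice so an empty password survives
        user, host, password = line.split(":", 2)
        f = Finding(user, host, classify_hash(password))
        if f.hash_kind == "old-16-hex":
            f.issues.append("pre-4.1 password hash (weak, unsalted)")
        elif f.hash_kind == "empty":
            f.issues.append("no password set")
        elif f.hash_kind == "unknown":
            f.issues.append("unrecognised hash format")
        if host == "%":
            f.issues.append("account may connect from any host")
        findings.append(f)
    return findings
```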

Super_user

Unu then shows fields from a table in which he has enumerated an indicator of whether or not a user is a superuser for the application itself, by requesting xxx via the injection string. This dumps the accounts of Benjamin Barber, Michael Petrovich, and others, and as Unu points out, the application’s programmers have not bothered to implement any protection (such as hashing the passwords).

Site users listed as super_user.


Here we have our first problem, though. Intel Corporation personnel would not list e-mail addresses with domains such as gmail and mailwh.com. Further, mailwh.com does not seem to be an active e-mail service anymore, which, along with the old MySQL password format, starts to indicate that this is a web application created by a vendor a while ago.

Passport Information

Potentially the worst part of this breach is the screenshot showing what appear to be persons who have registered for an event, together with their passport numbers and dates of birth. Credit card types are also displayed, and Unu acknowledges that he is simply not showing the credit card numbers, expiration dates, and CVV/CID codes, but they are also in the table.

Names, credit card types, passport numbers, dates of birth.


Looking around, the persons listed are findable:

Generally, a combination of first name and last name with something like a passport number is considered a breach of protected personally identifiable information (PII). Many of the entries appear to be foreign nationals, however, so U.S. laws may not be applicable. Intel may nevertheless be liable for a violation of its online privacy notice, http://www.intel.com/sites/sitewide/en_US/privacy/full.htm, which states among other things that reasonable measures will be taken to secure information, that it will not be shared with third parties without authorization, and that it will only be retained as long as necessary.

Vendor Site?

The affected site is hosted at 198.145.116.67, located in Vancouver, Washington and associated with Infinity Internet, an ISP. It is not on the same hosts as intel.com in Santa Clara, CA, although we have not found direct evidence that it is a vendor site.

This job posting, though, which reflects the mailwh.com mail domain we saw in the table of super_user accounts, seems to suggest that this is not an internal Intel Corporation site:

THIS POSITION IS ON-SITE AT OUR VANCOUVER, WA OFFICE. IT IS NOT A REMOTE OR TELECOMMUTING POSITION.

We are looking for PHP programmers. We have 2-3 positions. The initial contract will be for 3 months, with the potential to extend the position to a year or more. We are developing event registration and customer management systems that are used by major global companies.

Our work environment is casual. We work hard and enjoy ourselves. When projects are complete – we like to celebrate.

You must have a willingness to learn, enjoy sharing, and play well with others. If you don’t have the answer – we expect you to find it quickly by either asking a co-worker for help, doing a Google search, or checking a reference book. There are no 'know-it-all' attitudes here – only people who have a lot of work to do quickly and enjoy creating some awesome programs.

Due to deadlines we must hit - we are also looking for people who would be willing to work crazy long hours for the next 2 weeks. Compensation will be adjusted accordingly for these individuals.

pdxphp.org/node/558

One of the e-mail addresses (michael@mailwh.com) in the superuser table can be attributed to a similar job posting: http://www.phpwomen.org/forum/index.php?t=msg&goto=2649&S=4ec99ba59bf45b125215512f60ba369c. We also found his address and phone number in Vancouver, if anyone wants to call him and find out what this site is.

And of the three Intel offices in Washington State, none are in Vancouver.

Tool Used (from a previous post)

Our friends from Romania who comment on the blog get annoyed when we speculate, but a popular tool for performing SQL injection attacks on web applications with MySQL database backends, one that typically starts by checking load_file and requests data using the ordering concat(user,0x3a,host,0x3a,password) (whereas a SELECT * on mysql.user would output host, user, password, in that order), is rsauron’s schemafuzz.py. If Unu tells us differently, we’ll post an update.

Who’s Unu? (from a previous post)

Unu, apparently from Bucuresti, Romania, says that for him penetration testing and finding vulnerabilities is a hobby and a passion. His blog, a testament to the results of that hobby, is a compilation of successful SQL injection attacks against web sites such as BNP Paribas, Credit Agricole in France, Royal Bank of Scotland’s WorldPay, Poste Italiane (the Italian Postal Service) and others, as well as examples of successful parameter manipulation and other web application vulnerabilities. He appears to practice a version of responsible disclosure, in that he has notified the organizations mentioned on the blog and explained the problems. His blog and its disclosures are interesting reading for the security professional, and we encourage you to have a look.

Intel Corporation

The largest semiconductor chip maker in the world by revenue.

Finally

This is an unusually serious data breach for the Unu blog, given the information it reveals through straightforward SQL injection attacks. We’ll be looking to see what Intel Corporation says about this one, how fast they respond, whether they confirm that this was truly a vendor site, and why passport and credit card information was retained.


Comments (4)

  2. investorz03 says:

    The Unu blog now shows the following message:

    “This user has elected to delete their account and the content is no longer available.”

  3. Simon Price says:

    The blog link we had up initially accidentally had a 7 (unu1234567), which has been fixed (unu123456.baywords.com) which is still up and running. Thank you for pointing it out.

  4. Conor says:

    unu123456.baywords.com is offline now with the same notice posted by Investorz03.

    Just figured I’d update.
