On December 6th a Romanian hacker going by the handle Ne0h re-identified previously reported input validation flaws in URL parameter handling on the tour images section of the official web site of the Pentagon, the headquarters of the U.S. Department of Defense. He has posted screenshots demonstrating the vulnerabilities, which are still live at the time of this blog post, on his blog.
The vulnerabilities are caused by weak validation of the name-value pairs that the photo album application on the Pentagon web site receives in the URL query string; the values are reflected into the returned page without being encoded. The normal page, seen here, loads pictures of past tours of the Pentagon. The web site as a whole is largely an online brochure for the Pentagon and does not appear to host sensitive data or let users make sensitive requests, so the risk profile of the site is low. Ne0h actually rediscovered vulnerabilities first identified back in April by XaDoS and posted on the XSSed project.
Cross Site Scripting
XSS String, XaDos example:
The injected value closes the src attribute and the img tag, and the script element is reflected back verbatim in the returned HTML:
<div id="content_1column"> <div id="content_main"> <h2>Tours</h2> <h3>Photo Gallery</h3> <div id="galleryPhotoLg"> <img src="images/largePhotos/1>"><ScRiPt >alert(document.cookie);</ScRiPt>" width="650" height="480" alt="Image Gallery" /> </div>
The second proof of concept demonstrates an iFrame inclusion vulnerability. An iFrame is an HTML element that embeds a separate document, loaded and refreshed independently, inside the original page. Because the same unencoded reflection point is used, an attacker can put an iFrame in the URL that loads content from outside the Pentagon web site (malicious software and so forth) and have it served to the user as part of the Pentagon web site.
iFrame Inclusion String
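To make the reflection point concrete for both proofs of concept above (the script injection and the iFrame inclusion), here is an added example that is not code from the original post or from the Pentagon site. The template, the parameter name `photo`, and the attacker host `attacker.example` are assumptions modelled on the returned HTML quoted above; the payloads are constructed in the style of the two proofs of concept. It shows the vulnerable reflection, the same output with HTML attribute encoding applied, and an allow-list that rejects anything that is not a numeric photo id.

```python
import html
import re
from urllib.parse import urlencode

# Assumed reconstruction of the gallery markup quoted in the post. The real
# server-side template is not known; this one only reproduces the reflection.
GALLERY_TEMPLATE = (
    '<div id="galleryPhotoLg"> '
    '<img src="images/largePhotos/{photo}" width="650" height="480" alt="Image Gallery" /> '
    '</div>'
)

# Constructed payloads in the style of the two proofs of concept.
# The first closes the src attribute and the <img> tag, then adds a script.
XSS_PAYLOAD = '1>"><ScRiPt >alert(document.cookie);</ScRiPt>'
# The second does the same but embeds an attacker-controlled frame
# (attacker.example is a placeholder host, an assumption).
IFRAME_PAYLOAD = '1"><iframe src="http://attacker.example/"></iframe><x a="'

# Parameter name is an assumption; the post does not name it.
PARAM_NAME = "photo"


def render_vulnerable(photo_param):
    """Reflect the query-string value into the img src attribute unencoded,
    which is the behaviour the proofs of concept rely on."""
    return GALLERY_TEMPLATE.format(photo=photo_param)


def render_encoded(photo_param):
    """Output encoding only: escape <, >, &, quotes before reflecting.
    The value can no longer break out of the attribute."""
    return GALLERY_TEMPLATE.format(photo=html.escape(photo_param, quote=True))


_PHOTO_ID = re.compile(r"\d{1,6}")


def render_hardened(photo_param):
    """Allow-list first (a photo id is a short decimal number), then encode.
    Rejecting the request is preferable to guessing what was meant."""
    if not _PHOTO_ID.fullmatch(photo_param):
        raise ValueError("photo id must be 1-6 digits")
    return render_encoded(photo_param)


_DANGEROUS_TAG = re.compile(r"<\s*/?\s*(script|iframe)\b", re.IGNORECASE)


def injected_tags(rendered_html):
    """Crude check: which script/iframe tags made it into the output unencoded.
    Used to compare the three renderers on the same input."""
    return sorted({m.group(1).lower() for m in _DANGEROUS_TAG.finditer(rendered_html)})


def attack_url(base_url, payload):
    """Build the kind of link a victim would be sent: it points at the real
    site, but the query string carries the payload."""
    return base_url + "?" + urlencode({PARAM_NAME: payload})


if __name__ == "__main__":
    for label, payload in (("xss", XSS_PAYLOAD), ("iframe", IFRAME_PAYLOAD)):
        print(label, "vulnerable:", injected_tags(render_vulnerable(payload)))
        print(label, "encoded:   ", injected_tags(render_encoded(payload)))
        try:
            render_hardened(payload)
        except ValueError as exc:
            print(label, "hardened:   rejected,", exc)
    print(attack_url("http://pentagon.example/tours/photos", XSS_PAYLOAD))
```

The encoded variant alone is enough to stop both payloads at this reflection point; the allow-list is the cheaper and more robust fix here because a photo id has a trivially describable shape, and it stops the parameter from being used for anything else later.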
It is an interesting handle for a hacker or cracker, as it's already taken by a Canadian hacker who was a member of gLobalHell, a group responsible for a number of well known defacements and break-ins, including the systems of the White House, the U.S. Army, and the U.S. Postal Service. I guess we could call his handle an homage.
This Ne0h has successfully demonstrated vulnerabilities in other web sites, including SQL injection on two MTV properties, MTV Philippines and MTV India, using the Pangolin SQL injection testing tool, and cross site scripting (XSS) vulnerabilities on TinaTurnerlive.com and Logitech.com. He has also demonstrated vulnerabilities in the web site of the Romanian police.
Baywords, The Choice of Romanian Hackers?
We are noticing now a couple of these folks using Baywords, a blogging platform known for this raison d’etre:
Over a year ago, a friend of ours got his blog closed by WordPress for violation of TOS. Essentially he got blocked because he linked to material that could lead to maybe a download of something that you might not have paid for. We became very upset and decided to open Baywords!
The authors whose blogs we’re linking to like Baywords for this reason:
Baywords is now back again, and we’re not taking any details on the users. As long as it’s legal to write, we won’t close down your blog. We will not give out any information, IPs or anything else — that data is deleted when no longer needed.
No condemnation, we've just noticed Baywords showing up more often in these situations. If it were not on Baywords, however, it would just be somewhere else.
At the time of writing, these vulnerabilities are still active, which makes this nearly nine months of being open (credit Mike Bailey for pointing this out). If not patched, the Pentagon web site may be used as part of other web based attacks: a victim is sent a URL that appears to be for the Pentagon web site but carries the injected script or iFrame in its parameters. This type of XSS vulnerability, a reflected XSS, is fairly common in web applications and does not have as large an impact as other input validation problems. A high profile site such as that of the Pentagon should close it out though. The Pentagon and other DOD entities have a reputation interest in appearing to be highly competent in securing their infrastructure. If there were no other reason to search out and correct common low hanging fruit web site vulnerabilities (there are, of course), this would be reason enough.
This exact vulnerability continues to be pointed out, this time in October. The earliest reference we identified is still in April from the XSS’d Project.
Mike Bailey, a security researcher with web application expertise, and I have been having a friendly give and take on Twitter about whether this example is newsworthy by itself, following that whether it is depressing that XSS flaws are no longer newsworthy, whether this serves as a great example to get reasoned attention on the issue with its downstream problems and so on.
In the midst of proving his points, the DOD has gotten some good analysis of its web sites' XSS vulnerabilities, as Mike tested a number of the other properties under afis.osd.mil as part of his blog post. So while the first problem is being fixed, here are a few others to go after:
- Neoh’s Blog – Pentagon
- Pentagon XSS Vulnerability on XSSed
- Official Site of the Pentagon
- Article on the Original Ne0h