

Hacking Stephen Fry's Twitter Account - michael_dorfman
http://eng.xakep.ru/link/50643/

======
btilly
Nice real-world example of the poison null byte attack.

For those who don't know what a null byte attack is, that's where you pass in
an HTTP request that turns into a string that explicitly encodes a null byte,
\0, at the end. So you insert something like
subsection=/../../../../../../../../../../../../../../../../etc/passwd%00. Now
the code in the application tries to append something like .txt because "how
bad could a .txt file be", and it arrives in C land as
"/../../../../../../../../../../../../../../../../etc/passwd\0.txt\0", and C
thinks that the string ends at the first \0 and doesn't pay any attention to
the .txt bit.

This is a good example of why your escaping mechanism should always be "allow
only what is explicitly known to be safe" rather than "block what is known to
be unsafe". Because you have no idea what unsafe things there are that you
don't know about.

~~~
axod
Similar issue a while back with SSL certs, wasn't there? When will people learn
how to deal with null bytes properly :/

~~~
DannoHung
I could similarly ask, "When will people learn that null bytes are a terrible
way to terminate data?"

But that ship sailed eons ago.

~~~
messel
After mangling a number of string operations (and the program memory space) when
first learning C, I realized how terrible they could be. If I can mistakenly
destroy my memory space, what would a malicious mind do with such a thing?

~~~
axod
This is a very good reason to use a language with built in memory management.

------
dandelany
While this is a clever hack, and I doubt the author had any malicious intent,
this article really rubs me the wrong way. To the author of this post, this
was most likely nothing more than an intellectual challenge, but from
Stephen's perspective, I imagine it feels a whole lot like a mean-spirited
breach of privacy. Furthermore, by publishing the details of the breach, he's
pressured Stephen & his webmaster to immediately fix this hole or risk a much
worse attack on his site. (I'm assuming he didn't notify Stephen before
publishing this post. Such courtesy would have been greatly appreciated, I
bet.)

There's a security hole in the postal service, too. You can read anyone's mail
by stealing it from their mailbox. Doesn't mean it's a good thing to do.

~~~
lemming
"he's pressured Stephen & his webmaster to immediately fix this hole or risk a
much worse attack on his site."

Surely that's a good thing? I agree that Stephen would/will probably be
offended (assuming he wasn't notified), but he'll certainly take security more
seriously now.

~~~
dandelany
It's a good thing that Stephen was made aware of this security hole, but the
author could have informed him a lot more effectively.

If someone broke into my house and I found out about it on Hacker News because
they set up a webcam in my living room, I suppose it would be a good thing
that I found out about a security problem in my home, but I certainly wouldn't
be happy about it.

~~~
lemming
Fair enough, although it's a much more graphic illustration of the problem
actually seeing the results (rather than simply "your site isn't very secure",
"your front door lock is a bit loose"). I know it made much more impact on me
than it would have if I'd read an article about the possibility of it
happening. Although I suspect that if he'd just mailed the username/password
to Stephen that would have been example enough.

Kind of scary how many of these sites are almost certainly out there, though.

------
robotrout
I'm still lost. Can somebody give me an example of what an "improperly escaped
include" would look like?

Was the site author (not the hacker) taking a GET parameter and passing it to
an include? That seems odd.

I need a little more help understanding this.

~~~
DougBTX
Probably a directory of php files like,

       sections/food.php
       sections/shopping.php
       sections/fryclub.php

with different content, then an index page like,

       <!-- common header -->
       <?php include("sections/" . $_GET["section"] . ".php") ?>
       <!-- common footer -->

And then when you access,

       http://fry.com/index.php?section=fryclub

you get the content of fryclub.php with the correct headers and footers. Or
you access,

    
       http://fry.com/index.php?section=/../.[snip]./../etc/passwd%00

and get any file you like, treated like a php file.

Find a file that you can write to (such as the error log), use the above trick
to treat it as a php file, use it to make system calls, and the box is yours.
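Added example (not code from the thread, and not the code of the site in
question): the C program below reproduces both mechanisms described in this
thread, the null byte truncation from btilly's comment and the open include
from the comment above, and then shows the allowlist alternative. `percent_decode`
turns the `%00` in the request into a real 0x00 byte inside a length-counted
buffer, the way PHP holds the string; `build_include_path` concatenates
`"sections/" . $section . ".php"` byte for byte, as the include above does; and
`c_path_length` shows what libc's `open()` actually receives, which ends at the
first NUL so the appended `.php` never takes effect. `resolve_section` is the
"allow only what is explicitly known to be safe" alternative: it compares the
full decoded length against a fixed allowlist, so traversal strings and
NUL-bearing names are rejected outright and nothing from the request reaches the
filesystem path. The section names, prefix and suffix are taken from the comment
above; the function names and the shortened traversal string are this example's
own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes from a query-string value into raw bytes.  "%00"
 * becomes a real 0x00 byte, so the result must carry its own length:
 * this is the length-counted string PHP holds before handing the path
 * to libc.  Returns the number of decoded bytes. */
static size_t percent_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n < cap; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], 0 };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            out[n++] = (unsigned char)in[i];
        }
    }
    return n;
}

/* The vulnerable pattern: "sections/" . $section . ".php", built by a
 * length-aware string layer that copies every byte, embedded NUL included.
 * Returns the number of bytes built (not counting the final terminator). */
static size_t build_include_path(const unsigned char *section, size_t len,
                                 unsigned char *out, size_t cap)
{
    const char *prefix = "sections/", *suffix = ".php";
    size_t p = strlen(prefix), s = strlen(suffix);
    if (p + len + s + 1 > cap)
        return 0;
    memcpy(out, prefix, p);
    memcpy(out + p, section, len);
    memcpy(out + p + len, suffix, s);
    out[p + len + s] = '\0';
    return p + len + s;
}

/* What open()/fopen() underneath actually sees: a NUL-terminated char*,
 * so the path ends at the first 0x00 byte and the appended ".php" is gone. */
static size_t c_path_length(const unsigned char *path)
{
    return strlen((const char *)path);
}

/* Hardened lookup: the request value only selects among names that are
 * explicitly known to be safe.  The comparison uses the full decoded
 * length, so "fryclub\0..." does not match "fryclub", and the path is
 * built from the allowlist entry, never from request bytes. */
static const char *const ALLOWED_SECTIONS[] = { "food", "shopping", "fryclub" };

static int resolve_section(const unsigned char *section, size_t len,
                           char *out, size_t cap)
{
    size_t count = sizeof ALLOWED_SECTIONS / sizeof *ALLOWED_SECTIONS;
    for (size_t i = 0; i < count; i++) {
        const char *name = ALLOWED_SECTIONS[i];
        if (strlen(name) == len && memcmp(name, section, len) == 0) {
            int n = snprintf(out, cap, "sections/%s.php", name);
            return n > 0 && (size_t)n < cap;
        }
    }
    return 0; /* unknown, traversal or NUL-bearing: reject, do not "sanitise" */
}

int main(void)
{
    unsigned char raw[256], path[512];
    char safe[512] = "";

    /* Constructed request value, as in the thread's URL (traversal shortened). */
    size_t n = percent_decode("/../../etc/passwd%00", raw, sizeof raw);
    size_t built = build_include_path(raw, n, path, sizeof path);
    printf("decoded %zu bytes, built %zu bytes, libc sees %zu: \"%s\"\n",
           n, built, c_path_length(path), (const char *)path);

    int ok = resolve_section((const unsigned char *)"fryclub", 7, safe, sizeof safe);
    printf("allowlist accepts \"fryclub\": %d -> %s\n", ok, safe);
    printf("allowlist accepts traversal: %d\n",
           resolve_section(raw, n, safe, sizeof safe));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c && ./a.out`. The vulnerable build
produces 31 bytes, but libc sees only the 26 bytes `sections//../../etc/passwd`;
the allowlist accepts `fryclub` and rejects the traversal string without ever
trying to clean it up.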

~~~
robotrout
Thanks for that. I wasn't aware that this was a common practice. I assumed it
must be something like that, but I wanted to make very sure I understood
exactly. Don't want any hacker news stories about my sites!

EDIT: Errr, at least, not this sort of story.

~~~
DougBTX
You can actually search for this vulnerability on Google Code Search, and it
finds a few results that look exploitable. I don't know how to go about
informing people with that code that their systems are vulnerable. Many are
open source projects, so anyone using those tools is vulnerable too.

------
alain94040
Can anyone explain the injection part? I didn't understand how getting the
passwd file helped in any way with injecting a php error, and why code got
executed in the end.

~~~
erydo
The passwd file didn't help, it just showed him that he could retrieve
arbitrary files via an open/improperly escaped PHP include().

His injection worked by causing an error to be written to a log, and then
reading that log back through the PHP include. The error that was logged
contained an arbitrary string (the HTTP request, with the malicious PHP code),
which was executed by the server.

------
jrnkntl
That was an interesting read, a nice 'peek' into a (I guess) widely used method
of defacing a site; without the defacing, that is.

------
andrewvc
This is the exact kind of thing AppArmor can be used to shield against.
Problem is, it's a PITA to set up right.

~~~
njs12345
Apache's mod_security can also protect against this with the
SecFilterForceByteRange directive.

------
tungstenfurnace
Stephen Fry is a good person.

:-(

~~~
jkasndas
Stephen Fry is a public figure with a large following. He is mostly concerned
with political matters, and he uses his influence to affect their outcomes.
These days he is more accurately described as a political figure than an
actor.

Whether he is seen as a good or bad person is immaterial. Public figures like
Fry are not immune to attacks on the basis of their personal qualities. If
someone's account is going to be accessed unlawfully, then Stephen Fry's is as
good a target as any other. Fry is as much fair game as Britney Spears.

~~~
GoboGobo
Even though his site's security was not completely up to snuff, he did have a
pretty good password.

~~~
danielh
Unfortunately, the chain is only as strong as the weakest link.

FWIW, the vulnerability is listed in the OWASP 2007 Top 10 as Malicious File
Execution <http://www.owasp.org/index.php/Top_10_2007-A3>

