Sunday, August 19, 2012

The Bug Which Wasn't A Bug

Dear members and guests of InterN0T,

Today it's a little bit over 7 months since I reported a bug to Google (http://intern0t.blogspot.com.au/2012/01/bug-which-isnt-bug.html) and for old times' sake, I wanted to try out the proof of concept. Primarily because I like seeing "old" bugs I found not getting fixed, as they make me laugh.

Of course the purpose of reporting a bug is hoping it does get fixed, but as Google deemed this a non-bug in January 2012, I thought they would never encode apostrophes and would therefore remain ignorant of the potential threat this minor bug in encoding could pose.

Apparently they fixed this bug within the last 3 months or so, meaning they did deem it a bug after all, but where am I on the Hall of Fame? I don't care about the monetary reward, but I do care about credit. Back in January 2012, Google only encoded quotes (") and angle brackets (<, >), but now they also encode apostrophes ('), meaning they definitely fixed the bug / updated their sanitisation function.

This naturally makes me annoyed to see Google acting this way, first saying it's not a bug, then fixing it a couple of months later without any notification. Next time I find a bug I probably won't be so kind as to inform them first. Instead I will probably drop it as a 0day, as a reminder to give credit where it is due.

I know this is a dead blog, used primarily for emergency purposes only if InterN0T is down, but posting an entry here about this bug will probably get more attention from Google than if I post it on InterN0T.



Best regards,
MaXe

Tuesday, January 17, 2012

The Bug Which Isn't a Bug

Dear members and guests of InterN0T,

A couple of days ago, I discovered a bug in the Disqus Widget for Blogger.com. (I haven't heard anything from them yet, even though I've provided them with a permanent solution that fixes the problematic code entirely. See the end of this blog entry.)
When a user adds this widget to his or her blog, a few lines of JavaScript and "Layout Data Tags" are included as well, to provide the widget's functionality.

One of these lines, inside a script tag, is vulnerable:
var disqus_blogger_current_url = '<data:blog.url/>';

<data:blog.url/> outputs the current URL, but not verbatim: arbitrary GET parameters are not reflected into it. The Search Form, however, is: a request to /search?q=... ends up in this variable via the "Layout Data Tag" (which is often used in widgets), so an attacker controls part of the value simply by crafting a search link.

This tag does not encode the following characters: ' / ! ( ) ? ; : _ , . - * $ @

Knowing this, if <data:blog.url/> is used inside a single-quoted JavaScript string, e.g. var x = '...';, then it will most likely be possible to inject JavaScript: an attacker simply submits ';alert(0);' as the search query. The first apostrophe terminates the string early, and the alert(0); statement that follows executes as code.

Even within the default template with no widgets installed, the same tag is used in the canonical link element, again inside single quotes:
<link href='http://itsnotabug.blogspot.com/search?q='Unescaped characters exist here too, including single quotes' rel='canonical'/>

Here the apostrophe closes the href attribute, so whatever follows is parsed as further attributes of the link element. Because angle brackets are encoded, the injection cannot open a new tag, so turning this into script execution seems unlikely, but not impossible. (It depends on the browser and on which attributes it honours on a <link> element.)


Anyway, knowing this, and that the bug was found in a widget / plugin to start with, it was clear that it had to be reported: both to the Disqus developers, and to the Google Security Team, as this bug could have been prevented if they had sanitised single quotes / apostrophes in the first place.

This was made very clear in the e-mail they received, including that if they would not encode single quotes ('), then they should at least state on their developer pages that it is insecure to use single quotes to encapsulate data from these tags.

Within a couple of hours I received the following message:
----------------------------------------------------------------
Hi MaXe,

Thank you for your note. We don't consider this a vulnerability. Users
are permitted to place arbitrary JavaScript, Flash, Java, etc, in their
<username>.blogspot.com domains; this is by design. These domains are
fully isolated from other Google content, and therefore, the risk in
visiting them is no different to navigating to any other website on the
Internet.

Note that there are no authentication cookies or other sensitive
information in these domains; blog management is implemented on
blogger.com, instead.

You can read more about bugs that qualify for a reward here:
http://www.google.com/corporate/rewardprogram.html

Regards,
[Redacted], Google Security Team
----------------------------------------------------------------
[ Figure 1.1 - E-mail response from Google Security Team ]


After receiving this mail, I thought about it for a while and decided to create a test blog so you can see the bug in action, at least until they perhaps decide to encode single quotes.


Simple Proof of Concept: http://itsnotabug.blogspot.com/search?q=%27%3Balert%280%29%3B%27

Second Proof of Concept: http://bit.ly/y1Ifxp
If you want to see the actual URL: http://bit.ly/y1Ifxp+


Disqus Widget Solution:
1. Go to: Blog Settings => Design => Edit HTML
2. Check [X] Expand Widget Templates
3. Search for: var disqus_blogger_current_url = &#39;<data:blog.url/>&#39;;
4. Replace with: var disqus_blogger_current_url = &quot;<data:blog.url/>&quot;;
5. Save, you're done. Thankfully it's that easy in this case: the tag does encode double quotes (as &quot;), so the value can no longer terminate the string, and since entities are not decoded inside a script block, the encoded quote reaches the JavaScript parser as harmless literal text.
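To make the string-context problem and the double-quote workaround concrete, here is an added example. It is not code from the original post, from Blogger or from Disqus: the two encoder functions are assumptions modelled on the post's description of the tag (January 2012: only ", < and > encoded; later: ' encoded as well; whether & was encoded is not stated and is assumed not), the search URL is the post's proof of concept, and the widget line is rebuilt in both the shipped single-quoted form and the patched double-quoted form. The generated line is then executed with alert() replaced by a counter, and the same value is dropped into the canonical <link> tag to show the attribute breakout.

```javascript
// Added example, not code from the original post or from Blogger/Disqus.
// Assumed encoders modelled on the post's description of <data:blog.url/>.

// January 2012 behaviour as described: " < > encoded, apostrophe left alone.
// (Encoding of & is not described in the post; assumed not encoded.)
function encodeJan2012(s) {
  return s.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Behaviour observed in August 2012: apostrophes are encoded too.
function encodeFixed(s) {
  return encodeJan2012(s).replace(/'/g, '&#39;');
}

// The Disqus widget line, built with the quote character the template uses.
function widgetLine(url, encode, quote) {
  return 'var disqus_blogger_current_url = ' + quote + encode(url) + quote + ';';
}

// Execute the line the way a browser executes the <script> block, with alert()
// replaced by a counter. Entities such as &#39; or &quot; are NOT decoded inside
// <script>, so they reach the JS parser literally; that is why encoding works here.
function runWidgetLine(line) {
  let alertCalls = 0;
  const fn = new Function('alert', line + '\nreturn disqus_blogger_current_url;');
  const value = fn(() => { alertCalls += 1; });
  return { value, alertCalls };
}

// The same value inside the default template's canonical <link>. Returns the href
// an HTML parser would see: the attribute ends at the first unencoded apostrophe.
function canonicalHref(url, encode) {
  const tag = "<link href='" + encode(url) + "' rel='canonical'/>";
  return /href='([^']*)'/.exec(tag)[1];
}

// Constructed input: the search-form request from the post's proof of concept.
// /search?q=%27%3Balert%280%29%3B%27 decodes to ';alert(0);'
const BASE = 'http://itsnotabug.blogspot.com/search?q=';
const PAYLOAD_URL = BASE + decodeURIComponent('%27%3Balert%280%29%3B%27');

function demo() {
  return {
    // shipped template + January 2012 encoder: the apostrophe ends the string early
    vulnerable: runWidgetLine(widgetLine(PAYLOAD_URL, encodeJan2012, "'")),
    // patched template (double quotes) + January 2012 encoder: no breakout
    patched: runWidgetLine(widgetLine(PAYLOAD_URL, encodeJan2012, '"')),
    // attacker tries a double quote against the patched template: it is &quot;
    patchedQuoteAttempt: runWidgetLine(widgetLine(BASE + '";alert(0);"', encodeJan2012, '"')),
    // shipped template + fixed encoder: the apostrophe arrives as &#39;
    fixedTag: runWidgetLine(widgetLine(PAYLOAD_URL, encodeFixed, "'")),
    // attribute context: with the old encoder the href is cut off at the apostrophe
    hrefJan2012: canonicalHref(PAYLOAD_URL, encodeJan2012),
    hrefFixed: canonicalHref(PAYLOAD_URL, encodeFixed),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In the vulnerable case the counter records one alert() call and the variable holds only the URL prefix, because everything after the first apostrophe was executed as code. In the other cases the counter stays at zero: the encoded quote is mangled but inert, and since < is encoded as well, a `</script>` breakout is ruled out too. The canonical-link check shows the related attribute problem: with the old encoder the href ends at the injected apostrophe and the rest of the payload lands in attribute space.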


References:
- http://disqus.com/


Best regards,
MaXe

Thursday, January 12, 2012

12th January 2012 - Domain Issues

Dear members and guests of InterN0T,


We haven't given up, and we know that it's taking a long time, for some almost too long, but we haven't given up. What troubles us the most is that after several attempts to make 1and1 release the domain back to us, they seem to keep ignoring us.

It has been a long struggle so far, and in one day they could actually destroy the domain by a mistake or by other imbecile means. We've mentioned several times that they've violated ICANN policy, and that they have no right to hold the domain "hostage" as they are still currently doing.

According to the ICANN policy, they must provide the domain owner with an authorization code and the means to unlock the domain within 5 days of the request. That is the official ICANN policy, and it is above anything 1and1 can make up or say, their ToS, license, or anything they add to bend those rules.

The problem is, 1and1 and many other hosting providers that also function as domain registrars don't realise that it's actually "illegal" to break the ICANN policy like this, and I believe that if enough cases are made against them, they can be permanently banned as registrars.

Imagine they host 1 million domains and customers pay ~6$ per domain, that's 6 million dollars, and if people can't register domains at a hosting provider, why would most choose hosting as well at the same place. After being patient for so long, we're hoping that 1and1 and all other hosting providers breaking ICANN policy will fall this year. ICANN should step in and say stop, not just because of the case with InterN0T, but so many other cases where they break the policy.

As a UDRP case with ICANN will take even longer, we've waited to avoid this. But as time goes, this is soon going to be the road that we'll take, where we will report to ICANN that 1and1 won't release our intern0t.net domain. Suing 1and1 has even come to our mind, even though it would require funds we do not have available right now, but the time may come this year when we do.

But for now, we will focus on getting the site back, even though the forums will definitely not be up to date, as we couldn't find any recent backups, but the forums will return, as there is so much content we often need that is hard to find anywhere else.

Indeed it has taken too long, and we probably should've worked harder, but running a website on a domain that could disappear from one day to the next is not something we wish to happen, hence the reason we also bought intern0t.org.

Many thanks to a member of InterN0T, we now have good, stable, faster and reliable servers, where the hosting provider is fine with us hosting our forum on their servers. We're glad that the "Anti-Hacker" madness has not yet taken over all hosting providers, as it seems more and more of them ban all websites related to hacking.



Best regards,
MaXe

Tuesday, December 20, 2011

20th December 2011 - Another Update

Dear InterN0T'ers and guests,


As you may know, we've had trouble transferring our domain name from 1and1 to another registrar, and we still do, which explains the 301 (permanent redirect) from intern0t.net to intern0t.org, as the latter is registered with another registrar.

On December the 14th, the domain should've expired.

On December the 15th, there was still no answer from 1and1's department that should help transfer domains; somehow they don't seem to have any SLA, as I've waited over a week, perhaps two or more so far. One thing that did happen, though, was that the domain was renewed for yet another year, meaning that intern0t.net is at least not completely lost, yet.

Currently I'm on vacation, meaning I am barely working on the website at the moment. However I will continue the work, next week of course. Before I went on vacation, I ensured that it was okay to host "hacking content" at our new provider, so I won't have to deal with that when I start working.

I also managed to get most of my e-mails back before removing them completely from 1and1's servers, as they've apparently not deleted my data yet, which makes me wonder: what are they doing with it, and for what purpose? (It seems like the account is only suspended, not permanently deleted.)

One thing that may be of interest is the responses at The Ethical Hacker Network, which you can see at the link below: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,8227.msg45553/topicseen,1/

What interests me the most is that the security team recently said the following:
Quote:
As long as a customer site does not violate our terms and conditions regarding adult content, the abuse department does not care what the content of the site is.
Even if it is a hacker forum, it's not going to matter to us, as long as you are not hacking with our equipment. You can say what you want, publish what you want, and do what you will with your own computer, but you may not use any of our equipment for hacking. If we discover you doing this, it can lead to the locking and/or termination of your account.

And then, one week later, 1and1 claims the website above, got attacked and therefore it had to be disabled? My condolences to Group51.org, who may have suffered the same fate as InterN0T. I hope not of course.

One funny fact, is that even SANS has dealt with 1and1 in the past: http://isc.sans.edu/diary.html?storyid=11338

In short: they hosted a malware sample (a PE file) for a reverse engineering quiz, and after 1and1 initially said their servers had been "hacked" because this file was there, SANS responded that it was for a reverse engineering quiz, and then they got a "template reply" back saying everything was fine. (A "template reply" at helpdesks is a standardized reply they use to save time, but it is often not related to the case at all. Furthermore, if the template is not edited in any way, it actually lowers the customer experience. Well, enough about that.)

Some time later, they published the reply from 1and1, and suddenly they received an e-mail, stating they would have to remove the executable Windows file now, or their servers would be disabled and locked down instantly. (They had 12 hours to remove this file.)

What kind of hosting is 1and1, or what has it become? I've heard that hosting providers like XLhost are much more tolerant of hacking content, as long as the actual servers you use are not used for hacking.


Merry X-mas to all of you!



Best regards,
MaXe

Monday, December 12, 2011

12th December 2011 - Update about InterN0T

Dear InterN0T'ers and guests,


Over the last couple of weeks, we've worked hard on getting a backup of our files back, without any luck. Alas, one of our mediators even got blacklisted in the process by 1and1. After reading through their Terms & Conditions, I (MaXe) found out that the domain was still my legal and intellectual property, as I anticipated, and that I could file a complaint, even a lawsuit (if I had the money), as both a part of their Terms & Conditions (see references) and the UDRP (Uniform Domain-Name Dispute Resolution Policy) protect the domain name at least.

We've given up on getting our files back from 1and1, including the most recent database, but the domain is something we're still fighting for. However, as a backup / precaution we've bought intern0t.org as well. (intern0t.com was already taken, we prefer .org anyway.) It may seem strange, why do we need another domain name? Imagine we lose control over intern0t.net for 3-12 months, as right now we only control the nameserver records, not the actual whois record including any transfers. It would be catastrophic, esp. with our rank in the Google search engine which has already gone down, including a lot of traffic we're losing. This traffic, is visitors to InterN0T. We earn 0 (zero) [insert currency] on these, but we do value all legitimate visitors, as that is one of the things our community is about.

Recently we contacted the support department, which told us to contact the security department, which then told us to contact the transfer department. See below.

------------------------------------------------------------------------------------
Dear [Redacted], (Customer ID: [Redacted])

Thank you for contacting us.

As we double checked your account, currently it is being locked by our security team. It would be best to contact them so that they can provide you the necessary information you need.

Here is our Security team direct number: 1-877-206-4253, they are available 9am-5pm EST, Monday till Friday

If you have any further questions please do not hesitate to contact us.

--
Sincerely,
[Redacted]
Technical Support
1&1 Internet
------------------------------------------------------------------------------------

After reading that I sent the "Security Team" (security-team@1and1.com) the same e-mail, and received the following reply:

------------------------------------------------------------------------------------
Dear [Redacted], (Customer ID: [Redacted])

If you have any inquiries about domain transfers, please email transfers@1and1.com.

--
Sincerely,
Security Team
1&1 Internet, Inc.
--------------------------------------------------------------------------------------------

Currently, I'm awaiting a reply from the "1and1 Domain Transfers" department, if there even is such a department. After all, I work at a helpdesk too, for a large financial company with ~35'000 users, so I'm quite familiar with how cases like this work, including "security departments" that barely know anything about information security, ethical hacking and penetration testing.

One thing that is particularly interesting is that some parts of 1and1 are (or have been, not long ago) outsourced to TelePerformance, and if this is the company handling my case, then I wouldn't recommend anyone use 1and1 ever again. How can I judge this company? I've worked for them, of course, and I know the type of people they hire as agents, team leaders, managers, even site managers. A company like this is not suitable for making any judgements about ethical hacking communities (or pentest companies, for that matter) at all.

The funny thing is, there are a lot of other hacking communities hosted at 1and1 too; some of them are bigger, some of them are smaller, some of them have been around longer than InterN0T. How come it was only us that got terminated? How can that be fair judgement? As I see it, the balance of what you could call "justice" has tipped to the wrong side.

Anyway, the most important thing for us right now is that we regain full control over the intern0t.net domain and that we restore the website. Over the last couple of weeks we've also set up our own mail servers and made sure they do not violate any T&Cs, etc. Of course we're not going to use 1and1 ever again, so currently we use two other providers instead, which seem better than the previous one. (Even though it took some time setting the initial servers up the right way.)

The current week is the one that will matter most for the intern0t.net domain, as we've almost located all of the necessary files and databases to restore a copy of the site as it looked roughly 6 months ago, perhaps even earlier than that. It's a drawback, but the site will be there soon, either via intern0t.net or intern0t.org.

We wish all of you a very happy X-mas in case we don't have any further news on this blog before the site is restored.


Best regards,
MaXe


References:
http://www.icann.org/en/udrp/
http://www.icann.org/en/registrars/registrant-rights-responsibilities-en.htm
http://www.icann.org/en/transfers/
http://order.1and1.com/TcPdr;jsessionid=6807123412397CB6593E425AF2845266.TCpfix243a?
http://order.1and1.com/terms;;jsessionid=6807123412397CB6593E425AF2845266.TCpfix243a?

Monday, November 28, 2011

What happened..?

Somebody set us up the bomb, and this time it was 1and1, our hosting provider!


Saturday between 13:46 and 14:01 GMT, almost all of InterN0T was shut down, except for one of the servers that hosted e.g. guides.intern0t.net. After calling 1and1 "Technical Support", the reason for closing the accounts and shutting down the servers was revealed to me: a "security issue" flag set by the 1and1 Security Department.

They also informed me that this department had sent me an e-mail when it happened, whereupon I of course informed them that I couldn't read any of my e-mails, as those were frozen / suspended too. So I waited until Monday, after experiencing other horrible and unrelated events.

When it was almost the end of the day at my job, I decided to give 1and1 a call, and shortly thereafter I was talking with the security department. Let's call the person I talked with Eric.
Eric: "Sir, may I take your customer number please?"
Me: "Sure, it's [redacted]".

Eric: "For verification purposes, what is your first and last name please."
Me: "It's [redacted] [redacted]".

Eric: "Hold on for one sec."
Me: "Sure."

Eric: "Sir, your account has been terminated."
Me: "What!?! What's the reason???"

Eric: "Hold on for one sec."
Me: "Okay."

Eric: "Sir, you hosted content that could be used to hack."
Me: "Yes for ethical purposes only!"

Eric: "Sir, you hosted content that could be used to hack. Your account has been terminated."
Me: "I can't believe this.. I've been hosting this type of content for 5 years on your servers, and NOW you decide to close my accounts?"

Eric: "Sir, your account has been terminated."
Me: " *Sigh* Is it possible you can provide me with a backup of my files then?"

Eric: "Hold on for one sec."
Me: "Okay."

Eric: "Sir, we're unable to provide you with that. Your account has been terminated."
Me: "Okay.. Well.. I know it doesn't help yelling, as you're just a helpdesk agent any way... Have a good day."

* End of phone conversation *


At this point, I was in shock. Literally, I couldn't believe what just happened. This wasn't meant to happen, not now, not when I've just experienced a lot of other bad things. After thinking for a while, as it took at least 20 minutes (or so it felt like), to write the announcement on Twitter, I felt "beaten".

I decided to walk home, and take it easy, while reflecting over life. The community is still alive, and kicking at irc.freenode.org #intern0t , and yes, we will, survive.


~ MaXe