Friday, 26 April 2013

Yahoo! Blind SQL Injection could lead to data leakage

 
It seems that 2013 is the "Data Leakage Year"!many customers 
information and confidential data has been published on the 
internet coming from government institutions, famous vendors, and
 companies too.

Ebrahim Hegazy(@Zigoo0) an Egyptian information security advisor
 who found a high severity vulnerability in "Avira license daemon" 
days ago, is on the news again, but this time for finding and reporting
 Blind SQL Injection vulnerability in one of Yahoo! E-marketing applications.
SQL Injection vulnerabilities is ranked as Critical vulnerabilities, because
 if used by Hackers it will cause a database breach which will lead to 
confidential information leakage.

A time based blind SQL Injection web vulnerability is detected in
 the official Yahoo! TW YSM Marketing Application Service.The vulnerability 
allows remote attackers to inject own sql commands to breach the database
 of that vulnerable application and get access to the users data.

The SQL Injection vulnerability is located in the index.php file 
of the so easy module when processing to request manipulated said
 parameters. By manipulation of the said parameter the attackers can inject own
 sql commands to compromise the webserver application dbms.

The vulnerability can be exploited by remote attackers without
 privileged application user account and without required user interaction.
 Successful exploitation of the sql injection vulnerability results in 
application and application service dbms compromise.

But Ebrahim is a white hat hacker, so he reported the vulnerability to 
the Yahoo! security team with recommendations on how to patch the vulnerability. 
 
Title:
======
Yahoo! TW YSM MKT - Blind SQL Injection Vulnerability


Common Vulnerability Scoring System:
====================================
7.1

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=892

Introduction:
=============
Yahoo! Inc. is an American multinational internet corporation 
headquartered in Sunnyvale, California. It is widely 
known for its web portal, search engine Yahoo! Search, and
 related services, including Yahoo! Directory, Yahoo! Mail, 
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising,
 online mapping, video sharing, fantasy sports 
and its social media website. It is one of the most popular sites in the
 United States.
 According to news sources, 
roughly 700 million people visit Yahoo! websites every month. Yahoo! 
itself claims it attracts `more than half a 
billion consumers every month in more than 30 languages.

(Copy of the Vendor Homepage: http://www.yahoo.com )

Report-Timeline:
================
2013-02-24: Researcher Notification & Coordination
2013-02-25: Vendor Notification
2013-03-01: Vendor Response/Feedback
2013-04-01: Vendor Fix/Patch by check
2013-04-03: Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
A time based blind SQL Injection web vulnerability is 
detected in the official Yahoo!
 TW YSM Marketing Application Service.
The vulnerability allows remote attackers to inject 
own sql commands to compromise the affected application dbms. 

The SQL Injection vulnerability is located in the index.php file
 of the so easy module when processing to request manipulated 
scId parameters. By manipulation of the said
 parameter the attackers can inject own sql commands
 to compromise the webserver 
application dbms.

The vulnerability can be exploited by remote attackers 
without privileged application user account and without required 
user interaction. Successful exploitation of the sql 
injection vulnerability results in application and application 
service dbms compromise.

Vulnerable Service(s):
    [+] Yahoo! Inc - TW YSM Marketing

Vulnerable Module(s):
    [+] soeasy

Vulnerable Module(s):
    [+] index.php

Vulnerable Parameter(s):
    [+] scId


Proof of Concept:
=================
The time-based sql injection web vulnerability 
can be exploited by remote attackers without privileged 
application user account and without 
required user interaction. For demonstration or reproduce ...

Vulnerable Service Domain:  tw.ysm.emarketing.yahoo.com
Vulnerable Module:   soeasy
Vulnerable File:   index.php
Vulnerable Parameters:   ?p=2&scId=

POC:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113;
 select SLEEP(5)--

Payload:
1; union select SLEEP(5)--


Request:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113;%20select%20SLEEP
(5)--

GET /soeasy/index.php?p=2&scId=113;%20select%20SLEEP(5)-- HTTP/1.1
Host: tw.ysm.emarketing.yahoo.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0)
 Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: is_c=1; device=pc; showNews=Y;
 B=9tgpb118xilu04&b=3&s=mu; AO=o=1&s=1&dnt=1;
 tw_ysm_soeasy=d%3D351d9185185129780476f856.
17880929%26s%3DxLxK2mb96diFbErWUyv_jGQ--;
 __utma=266114698.145757337399.1361672202.1361672202.1361672202.1;
 __utmb=2663114698.
1.10.1361672202; __utmc=2636114698;
 __utmz=266114698.13616732202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
DNT: 1
Connection: keep-alive

HTTP/1.0 200 OK
Date: Sun, 24 Feb 2013 02:16:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml",
 CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi 
SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV
 INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: no-store, no-cache, must-revalidate
, post-check=0, pre-check=0, private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip


Note:
Since it'a time based blind so the page will
 not give an output as a result in the reply,
 but it will SLEEP/DELAY for 5 seconds before it load.


Solution:
=========
The vulnerability can be patched by a restriction 
and secure parse of the said parameter request.


Risk:
=====
The security risk of the time based
 blind sql injection web vulnerability is estimated as critical.


Credits:
========
Ebrahim Hegazy(@Zigoo0) 

Thanks for Vulnerability-laboratory Team

How phishing attack can destroy US stock market

Somebody’s prank turned into a nightmare for the world, as the word spread about the  a series of explosions taking place at the White House and rendering the U.S. President Barack Obama, injured. The news released by the international news agency Associated Press, that caused a virtual plunge in the stock market within three minutes, apart from panicking the world, was later found to be false and sent from the hacked twitter account of the agency.
Considered to be the high-profile hacking in the recent times, the hackers took control of the Associated Press Twitter account and tweeted “Breaking: Two Explosions in the White House and Barack Obama is injured.”
Apart from @AP being hacked, the hackers also targeted @AP_Mobile, another account operated by the news agency and tweeted from the account: “Syrian Electronic Army was here. A group calling itself the Syrian Electronic Army, which is supportive of that country’s leader, President Bashar al-Assad, in its two-year civil war, claimed responsibility on its own Twitter feed for the AP hack. The group has in the past taken credit for similar invasions into Twitter accounts of National Public Radio, BBC, CBS’ “60 Minutes” program and Reuters News.
Following the incident that once again exposed the vulnerability of the social networking sites, as the news spread like wild fire, AP spokesman Paul Colford quickly confirmed the tweet was “bogus,” and White House spokesman Jay Carney told reporters that Obama was fine.
Immediately after the incident Twitter suspended the account of the news agency @AP and @AP_Mobile, even as it put out word through other accounts, including that of its correspondents, that it was the victim of an egregious hacking episode.
Though it was not clear how hackers got the control of AP’s Twitter account, but there is possibility of the hackers managing it by mistaking a AP employee. Confirming this Mike Baker, an AP reporter, in his tweet said that the employees of the company had received a phishing email. He tweeted: “The @AP hack came less than an hour after some of us received an impressively disguised phishing email.
Phishing emails are disguised as genuine notification from a reputed company like Twitter and seek account information. Cyber criminals often use phishing emails to fool web users.
Even as the false piece of the news of the explosions was immediately denied by other journalists present inside the White House at the time of incident, the damage has already been done.
E McMorris-Santoro, Buzzfeed’s White House reporter, tweeted: “from here in the WH basement, this acct (AP) seems hacked.”
Michael Skolnik, editor of GlobalGrind, said that the AP tweet was an obvious fake as it was made from a web browser while the news agency always uses a tool called SocialFlow to push news through its Twitter account.
The biggest setback of the false news piece was borne by the stock markets that plunged just as the report came out, resulting in the Dow Jones Industrial Average losing 130 points, or 0.9 percent, and the S&P 500 dropping 12 points, or 0.8 percent.
Meanwhile the FBI has already started a probe into the incident along with the US Securities and Exchange Commission. SEC Commissioner Daniel Gallagher said:”I can’t tell you exactly what the facts are at this point or what we are looking for, but for sure we want to understand major swings like that, however short it was.
Commenting upon the Twitter Security issues, Stewart Baker, a cyber security lawyer at Steptoe & Johnson in Washington, said: “At a time when cyber security and hacking have become top national security concerns, Twitter and its reach to hundreds of millions of users is coming under growing scrutiny for the risk of privacy breaches on the site. there was plenty of blame to spread around regarding Tuesday’s incident. AP should have had better passwords, Twitter should have gone to at least optional two-factor authentication months ago, and guys on the Street really should be thinking twice before they trade on Twitter reports. That’s risky.
This is not the first time false claims have been made from a hacked Twitter account. In February, Twitter account of Burger King was hacked. It then tweeted that the company has been acquired by McDonald’s.

Source: Northern Voices Online (NVOnews)

Samsung to Block Access to App Store in Iran

Iranian users of Samsung mobile applications said Thursday that the company had notified them that they will no longer have access to the company's online store as of May 22.
The move is seen as part of international sanctions on the country over its disputed nuclear program. The West has imposed banking and insurance sanctions on Iran since it suspects Iran is pursuing nuclear weapons, a charge Tehran denies.
At a Tehran shopping mall, owners of mobile phones and tablets said Thursday that they had received the message via email from the company late the night before. Retailers said they had no power over the decision.
"We have heard about it, but we are only responsible for hardware here, not software and apps," shopkeeper Bijan Ashtiani said.
Mideast Iran Samsung.JPEG
In the message, Samsung said that it cannot provide access to the store, known as Samsung Apps, in Iran because of "legal barriers." It apologized to customers in emailed statement seen by the Associated Press on Thursday.
Samsung's offices in Tehran could not be immediately reached for comment due to the weekend there, and its headquarters in South Korea did not immediately respond to a request.
The decision quickly provoked ire on social media.
"Samsung is to stop its apps in Iran, oh how we appreciate our officials," wrote Bahareh, a Twitter user blaming Tehran's policy. Another, named Armin, pointed at the technology giant itself, saying: "Now, Samsung's sanctions honor us as well!"
Samsung spokesman Chris Jung in Seoul said the company is still looking into the matter and could not confirm any details.
Unlike Apple, Microsoft and Adobe, Samsung has provided localized services to Iranians in their native Persian language. In 2012, Finnish communications giant Nokia stopped its services in the country.

US banking Sector too Vulnerable to Hackers

US authorities charged with overseeing the financial sector are worried about its vulnerability to cyberattacks, they said in a report published Thursday.

"Security threats in cyberspace are not bound by national borders and can range widely from low to high security risks," wrote the Financial Stability Oversight Council in its 2013 annual report.

The council is worried, in particular, about the increasing skill of hackers attacking the US financial system.

Making reference to a series of cyber attacks that targeted several of the biggest US banks toward the end of 2012, the FSOC noted "the knowledge and skill of the attackers appeared to increase over time."

In an attempt to protect the financial system against these attacks, the FSOC proposed "enhancing cross-sector cooperation, particularly with industries upon which the financial sector is dependent, such as energy, power, and telecommunications."

"Public-private partnership improvements in the analysis and dissemination of robust information to improve real-time responses to cyberattacks will enhance incident management, mitigation, and recovery efforts," the report added.

Source: http://www.globalpost.com