Wednesday, March 18, 2009

FOX News Fail on Twitter

You have to admit, Twitter is the social medium today. I even get my as-it-happens news from CNN, Fox, and other news sources (just to be balanced, of course); so you can imagine my chuckle when I saw this on my tweetdeck this morning.

I'm amused... apparently their MySQL connection failed :)

WHOOPS.

UPDATE:
So, as @mubix so aptly pointed out, this really isn't a FOX problem, but it looks like a Twitter "oops"... after doing a quick search I found hundreds of these mysql_connect and other assorted MySQL errors all over the place. Sounds like there are some issues over at Twitter... or maybe something else?



~~ Z O M G ~~ --> 3/18/09 @ 2:41pm CDT
In case you're curious... this has absolutely devolved into a very serious configuration/flaw issue - tinyurl's site has a very serious problem. As you can see, going to http://tinyurl.com/php.php (the PHP configuration display page) shows you way, way, waaaaay too much information.

Can someone please tell me WHY this exists?

----------
Thanks to Steve Ragan from The Tech Herald for this link... more data-mining type information, all publicly available, about TinyURL.com: http://www.robtex.com/dns/tinyurl.com.html

Woohoo! We got written up in The Register! Thanks Dan!

FINALLY - 3/18/09 @ 10:12pm CDT
... TinyURL finally got the sense to turn OFF the tinyurl.com/php.php page... FINALLY. I guess better late than never.

UPDATE - 3/19/09 @ 7:00am CDT
I received this email overnight from Kevin "Gilby" Gilbertson...

While our backup server was misconfigured to show the php errors, you
incorrectly concluded that we are running the webserver under a root
or administrator user.
--
Kevin "Gilby" Gilbertson
TinyURL.com, Founder
http://tinyurl.com

UPDATE - 3/19/09 @12:10pm CDT
Well... I can see some of you have gotten quite worked up about this issue... so let me address it as such.

  • First, thank you to Kevin Gilbertson (founder, TinyURL.com) for the constructive email exchange and removal of some of the dangerous content on the root site; and in addition to that Kevin has promised a full security review of his infrastructure which makes me (and should make you) feel better about the service. Progress is everything here; in the security profession we all understand that vulnerabilities are a fact of life - it's how you deal with them and how quickly you close them that separates the wheat from the chaff. Again, thanks to Kevin for being constructive - great job.
  • Next, regarding the "root" user question -
Web Server: Lighttpd/1.4.21
Sample Config page: http://redmine.lighttpd.net/repositories/entry/lighttpd/branche/lighttpd-1.4.x/doc/lighttpd.conf
... so from there we can discover that Lighttpd does *not* automatically jump to a non-privileged account when it's done starting up; instead it's fully configurable, like so:
    # chroot() to directory (default: no chroot() )
    #server.chroot = "/"

    ## change uid to (default: don't care)
    #server.username = "wwwrun"

    ## change uid to (default: don't care)
    #server.groupname = "wwwrun"
So while this in no way conclusively proves that this server is running as root:wheel, it also does not tell us that it is not... therefore the only thing that could prove this would be a "ps" from the CLI on the box itself...
  • Finally... Those lobbing nasty comments are missing the point. The TinyURL site/server had serious security issues, which I have since sent along to Kevin and also removed from the post above for the sake of being responsible... Kevin has done a good job closing these issues up and will be following up on what is left on his own. Disclosing the full PHP information is a serious security risk and if you don't feel so... I feel bad for your customers/employer. I will certainly welcome any healthy debate about the topic.
As a final thought... think of the "big picture" here. This service is utilized thousands (maybe more) of times per hour, and who knows how many times per day. If someone could simply take over this service... think of the carnage that could be done by redirecting every click to some drive-by malware site. Posting config like that may seem like a "tempest in a teacup" but I assure you there is a bigger picture here - and it is not pretty.
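
The "root" user question above comes down to two checks an administrator can run on the box, shown here as an added example (not code from this post, TinyURL or lighttpd): whether lighttpd.conf has server.username/server.groupname uncommented, and which user owns the lighttpd process in `ps -eo user= -o comm=` output. The config excerpts and the ps listing are constructed samples, and the parser assumes plain one-line directives with no includes or conditionals.

```python
import re

# Constructed sample: the stock lighttpd.conf lines quoted in the post,
# with the privilege-drop directives still commented out.
STOCK_CONF = '''\
# chroot() to directory (default: no chroot() )
#server.chroot = "/"
## change uid to (default: don't care)
#server.username = "wwwrun"
#server.groupname = "wwwrun"
'''

# Constructed sample: the same directives enabled.
HARDENED_CONF = '''\
server.username  = "wwwrun"
server.groupname = "wwwrun"
'''

# Constructed sample of `ps -eo user= -o comm=` output (hypothetical host).
PS_SAMPLE = "root     sshd\nroot     lighttpd\nwwwrun   php-cgi\n"

# Matches only uncommented directives; a leading '#' prevents a match.
DIRECTIVE = re.compile(r'^\s*(server\.(?:username|groupname|chroot))\s*=\s*"([^"]*)"')

def active_settings(conf_text):
    """Return {directive: value} for the uncommented privilege directives."""
    return {m.group(1): m.group(2)
            for m in map(DIRECTIVE.match, conf_text.splitlines()) if m}

def config_findings(conf_text):
    """List the reasons this config would leave lighttpd running as root."""
    settings = active_settings(conf_text)
    findings = []
    for key in ("server.username", "server.groupname"):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is not set: no uid/gid change after startup")
        elif value in ("root", "wheel"):
            findings.append(f"{key} is set to privileged account {value!r}")
    return findings

def process_owners(ps_output, name="lighttpd"):
    """Return the sorted set of users that own processes called `name`."""
    rows = (line.split(None, 1) for line in ps_output.splitlines())
    return sorted({r[0] for r in rows if len(r) == 2 and r[1].strip() == name})

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(label, config_findings(conf) or "privilege drop configured")
    print("lighttpd runs as:", process_owners(PS_SAMPLE))
```

The config check only says what the server is told to do; the process listing is the evidence of what it actually did, which is why the post notes that only a "ps" on the box can settle the question.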


Thanks for reading, I appreciate the debate and welcome continued discourse!

11 comments:

m said...

Heh. I came across this one on my local news' website this morning:

http://skeptikal.org/exploits/ksl.com_error_reporting.jpg

Anonymous said...

It wasn't twitter, it was actually tinyurl

http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Oxy&q=%2Fhome%2Fgilby%2Fsites%2Ftinyurl.com+&btnG=Search

Rafal said...

@anonymous - Good Google'ing... I think it's time to do some more research :) [register so we know who you are and can give you credit!]

@m - NICE! Good find.

Mubix said...

So looking at this: http://twitter.com/rafaelgimenes/statuses/1348324209

That @tcrweb posted. It is definitely TinyURL's issue, and it looks like they use db_connect.php to connect to the host: d.tinyurl.com which according to a simple nslookup is not even close to being in the same range as www.

Oh, and I'm adding A-F to my Fierce lookup list. ;-)

Rafal said...

More interesting stuff from the link posted by @Mubix...

If you take the url /home/gilby/sites/tinyurl.com and write it backwards as -->http://tinyurl.com/sites/gilby/home/ you get your re-direct... an interesting insight into TinyURL function for those that aren't familiar with it. Interestingly enough, I wonder what ELSE we can do... More to come, as we continue to research.

Feel free to continue to contribute to this blog!

Rob Fuller (mubix) said...

(Changed display name to display my actual name)

So, first and foremost, Dan did a superb job on the article, however, he needs to vet details before correcting himself. While the commenter was right that TinyURL.com does provide a "Preview" function. It doesn't really matter. If you have enough control, oh say, something like a user called 'root', you control what the user sees. In theory (I don't know the layout of the TinyURL database) an attacker could compromise the server and alter the database to continue to show the correct url during preview, and then forward the user somewhere malicious. (Yes, it would still show the malicious site in the status bar, but there are ways around that as well). I will say that with each step towards the stealth of the attacker, it gets more difficult for them to setup.

But once an attacker gets you (and a million other users) to that point where they are sending you wherever, what then? Well, just recently at CanSecWest they held a competition called PWN2OWN where a gent that goes by "Nil" compromised fully patched IE8, Firefox 3, and Safari. More about that on the Zero Day blog post. He did so by using drive-by downloads. Let's do the math: Massively used URL-Shortening site + undisclosed browser exploits = ?? Or not even that complicated, the attacker could just use BeEF.

Ok, back to the attack surface though. Now that the php.php script is 'gone' (once on the internet it never goes away). What else is there? Well, I guess they will have to hire Rafal and I to find out. But I will pose these questions:

1. What is usually the case when you find something left default?

2. If you run one thing as root, what is usually the case?

3. Does everyone do dedicated hosting? And what is the vulnerability of not doing so? Remember 1 server can have a ton of IP addresses.

4. What does the folder after /home/ usually coincide with?

5. What can be gathered from "Server:" lines in HTTP responses?

Happy Fixing Gilby!

Rafal said...

** For the record **

Neither Mubix nor I have **ANY** interest in being "hired guns" here. This was a simple glitch that's since snowballed into a bug-hunt to try and keep the Internet public (people who click TinyURL links) safe from an obviously poorly-configured application.

I congratulate the folks over at TinyURL since they're obviously closing these vulns off just as fast as we can point them out in the last hour or so... but seriously - maybe you could be a little less reckless with such a powerful tool? I don't know if you comprehend the power you have with that URL shortening service!

Be responsible, be secure and good luck!

/Rafal

Anonymous said...

The author does not know what he is talking about when he says it is running as root this is necessary to start httpd which then runs as another user. This is basic knowledge and suggests the author has never even started httpd so really shouldn't be listened to.

Rafal said...

@Anonymous (AKA Kevin "Gilby" Gilberts):

I'm reading what I see in your [publicly available] PHP variables page. Interestingly enough, you choose to remain anonymous, and choose to attack the people who found, alerted you to, and then attempted to get you to close what amounts to a *massive* security vulnerability in a very highly public utility.

This is just shameful, please think of your users... and update your security posture.

Steve Daniels said...

I agree with the above anonymous post. Whoever claimed that because the server environment variable equals root is seriously undereducated in the ways of configuring httpd. A formal statement about this should be made asap.

Anonymous said...

You better start understanding that it is not running as root. Use a BSD system (or any Unix-based) and you will understand it a bit better.
And please don't be a cry baby and say I'm Gilby (whoever that is) and simply face the facts.
