Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Kuro5hin.Org cracked and defaced?

By mystic in Internet
Fri Feb 16, 2001 at 09:55:38 AM EST
Tags: Kuro5hin.org (all tags)
Kuro5hin.org

Looks like Kuro5hin has been cracked! According to the cracker who goes by the nick "Mystic" in Kuro5hin(!), it was very difficult to crack Kuro5hin, but a slightly deeper understanding of how Internet works helped him achieve the final result.

The defaced page can be accessed by copying the URL
"http://www.kuro5hin.org&op=displaystory&sid=@0000100.000260.00324.0152/topic=crack"
into your browser URL location and hitting ENTER. If the browser complains of DNS error, you are not using a very good browser. Please try with Internet Explorer or Netscape or try this URL -
"http://www.kuro5hin.org&op=displaystory&sid=@64.176.212.106/topic=crack"

The page is online even now!

Just incase you haven't realised it by now, this is an example of semantic attack, so basically the defacement is a dupe.


This fake defacement might have duped atleast one of you. If it has duped you, you are in danger. Read below if you think you should have know better.

This type of attack is mentioned in the latest issue of Crypto-Gram by Bruce Schneier, under the type "Semantic Attack". At first glance, this looks like a Kuro5hin URL. But the URL does not lead to, or does not redirect from, kuro5hin.org. The page is not Kuro5hin's. The URL is a clever hack that plays with people's assumptions about what a URL is supposed to look like.

This is how the thing works. I read the article on Crypto-Gram, and thought it would be a good experiment to see how many people in K5 will fall for it. So here it goes:
  • I went to www.kuro5hin.org using Internet Explorer and saved the front page in my hard disk. All associated images will also be captured by this "save". I then edited the html file to include that "Kuro5hin.Org: Cracked" notice. After subitting this article I had to play a bit with the URL for "Full Story" and the time_of_submission sections of that "story".
  • I transfered the file and the images into my server and put it all into a directory named topic=crack.
  • Then I made the fake URL http://www.kuro5hin.org&op=displaystory&sid=@0000100.000260.00324.0152/topic=crack/ and posted this story in K5.
The URL works this way:
  • If you examine that URL carefully, you can see that the host name is not "kuro5hin.org" but "0000100.000260.00324.0152" which is the hexadecimal equivalent of my server's IP address, while 64.176.212.106 is my server's IP address.
  • That entire bit before the @-sign -- "www.kuro5hin.org&op=displaystory&sid=" -- is a bluff "username," something allowed by the HTTP specification but rarely used in actual URLs, unless you have been surfing porn sites!

So what is the big deal? To quote from Crypto-Gram
"This is a really clever example of a semantic attack: one that targets people and meaning rather than computer syntax. The attacks are obvious: someone could send a fake e-mail from www.whatever.com, telling them to click on this URL for a free gift. The URL would look like it came from the Whatever company, but would instead go to a look-alike site that harvests the usernames and passwords."

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Poll
Frankly, I was ___
o duped for a moment. 16%
o duped all the way. 0%
o not duped. 66%
o Huh? What is all this? 16%

Votes: 6
Results | Other Polls

Related Links
o Kuro5hin
o Crypto-Gra m
o Also by mystic


Display: Sort:
Kuro5hin.Org cracked and defaced? | 44 comments (36 topical, 8 editorial, 0 hidden)
So clever (1.41 / 12) (#1)
by iamabot on Fri Feb 16, 2001 at 03:09:30 AM EST

Can I be as clever as you someday...

Pertinant topic, lame way to go about it.

./bot
Another example exploit: (3.00 / 4) (#2)
by Ryan Koppenhaver on Fri Feb 16, 2001 at 03:10:59 AM EST

As is often the case, the "black hats" have known about this one for a while. Links of the form:

http://www.inocuous-site.com/[long string of garbage]@goatse.cx

have been used on slashdot to foil people who've gotten accustomed to checking the link destination in the status bar of thier browser before clicking.

Not quite (4.00 / 3) (#3)
by cp on Fri Feb 16, 2001 at 03:20:19 AM EST

You can't have the slash in there -- the spec tries to parse the part after the slash as a directory at the leading domain. You can try to get around this visually by using other characters that approximate slashes visually, though individual browser behavior varies.

[ Parent ]
Here's how (3.20 / 5) (#26)
by Value removed on Fri Feb 16, 2001 at 10:32:09 AM EST

link

[ Parent ]
Like this (2.00 / 5) (#16)
by Value removed on Fri Feb 16, 2001 at 08:11:20 AM EST

Example of the technique

[ Parent ]
This site might be useful (4.66 / 6) (#4)
by pty on Fri Feb 16, 2001 at 03:24:41 AM EST

This page "Decimal ip URLs", can generate 11 types of urls. However some of them might not work because of the ip-stack in your os.

http://x42.com/active/ip32.mpl

IP stack? (4.00 / 2) (#20)
by fvw on Fri Feb 16, 2001 at 09:25:27 AM EST

It's got nothing to do with the ip stack, when the ip is passed to your OSes IP stack it'll be in a nice little uint32, no formatting, no glitter. Whether the alternate IP format works is dependant on the browser, and on what url-parsing it uses.

[ Parent ]
Saw this in risks (3.33 / 3) (#5)
by bjrubble on Fri Feb 16, 2001 at 04:18:51 AM EST

There was some discussion about this on RISKS recently. In this spoof, at least for me, the browser revealed the true name of the server, giving away the trick. But any site without a lot of server processing and using relative links will maintain the basic illusion.

The exact URL of the concerned article is (3.50 / 2) (#7)
by mystic on Fri Feb 16, 2001 at 04:40:17 AM EST

this

[ Parent ]
Nice one - got tricked (3.00 / 5) (#6)
by TheEye on Fri Feb 16, 2001 at 04:37:27 AM EST

May be it was not so much of a surprising feat to someone knowledgeable! Yet for a careless reader like myself I like getting warned/kicked for something like this, before something nasty happens due to mere carelessness. Given the crowd of k5 though, one might better have put it in 'technology' or 'internet'. |R

Hmmm..... (2.80 / 5) (#8)
by Vainamoinen on Fri Feb 16, 2001 at 05:14:57 AM EST

Similar techniques are possible that actually do compromise a sites security eg - http://www.hotbot.com/ demonstrates the capability to execute client side script from a malicious GET op. However it becomes far more insidious when one considers how many developers do not perform server side validations on their Request.form ops, relying instead on client side JavaScript - which is more than easily defeated. This leaves wide open spaces for a cracker to enter - consider your average login script - if x = y then do (whatever) else (gotohell). Now realise that x is a database sourced variable, and y is a passed variable, normally froma POST op. Now if one can make a pretty good guess at what a developer might call the particular recordset returned, we could attempt to replace this y var with a escaped sequence that would just call the data again. Basically - y=x and then if x = y (login) else (logout)

You get my drift


**** Windows has detected a mouse movement. Please restart your computer so changes can take effect ****
Input validation is still a very important issue (3.00 / 1) (#39)
by swr on Fri Feb 16, 2001 at 08:07:25 PM EST

Now if one can make a pretty good guess at what a developer might call the particular recordset returned, we could attempt to replace this y var with a escaped sequence that would just call the data again. Basically - y=x and then if x = y (login) else (logout)

Commonly, a lot of "web developers" stick user-supplied data into a SQL query. For example:

select * from documents where document_id = "$document_id"

If the coder forgets to properly filter/escape the characters in $document_id, or does the checking on the client side in javascript (very lame but I've seen it before) then it is trivial to pass arbitrary SQL commands...

http://www.example.com/get_document&document_id=whatever%22%3b+update+usertable
+set+password+%3d+%22cracked%22+where+username+%3d+%22Joe+Sysadmin

The resulting SQL that gets executed is:

select * from documents where document_id = "whatever"; update usertable set password = "cracked" where username = "Joe Sysadmin"

Everything between the first quote and last quote is user-supplied.

If you use Perl DBI, use placeholders religiously and you can avoid such problems. In languages/shops where you aren't able to use placeholders you must remember to quote (or filter using a "default deny" approach) the arguments before passing them to SQL. And you must remember every single time.

It's a lot like the old problem of escaping shell metacharacters before calling system(). It's amazing how history repeats itself (or at least "rhymes" as Mark Twain once said).



[ Parent ]
some real danger... (4.00 / 4) (#9)
by 31: on Fri Feb 16, 2001 at 05:22:20 AM EST

some browsers (I'm thinking of some versions of IE here specifically, perhaps others), will interpret some forms of hex ips as a local address... so you can put malicous activeX in there, and it will have full security access.

Still, neat little trick. Even knowing about that, it hadn't ocured to me to look for that pesky @ sign...

-Patrick
Clever (3.66 / 6) (#14)
by burton on Fri Feb 16, 2001 at 06:52:06 AM EST

It's nice to see you trust us with your IP Address ;-)


- throughout human history, as our species has faced the frightening, terrorizing fact that we do not know who we are, or where we are going in this ocean of chaos, it has been the authorities... -
Like that's hard. (3.00 / 1) (#40)
by kwsNI on Sat Feb 17, 2001 at 01:47:15 AM EST

Anyone can look that up within seconds given an URL or domain name. All it takes is a whois or nslookup to find that.

kwsNI
I can picture in my mind a world without war, a world without hate. And I can picture us attacking that world, because they'd never expect it. -Jack Handy
[ Parent ]
Humour section? (3.00 / 2) (#15)
by dneas on Fri Feb 16, 2001 at 08:02:50 AM EST

I find this "crack" amusing rather than serious. One world famous example is the Eminem spoof on "mtv.com" recently. They can be quite convincing if you don't have prior knowledge of, say, hex.

This seems to be nothing more harmless than changing the from: field in an email to spoof a friend, or enemies, messages. Anyone tech-savvy (ugh) could easily ignore it.
-- "The car is on fire, and there's no driver at the wheel." Cut out the spam block if you need to email about something.
Nice one, Bruce (3.25 / 4) (#17)
by leviathan on Fri Feb 16, 2001 at 08:41:56 AM EST

There's a good page that explains how all this works, in fairly simply terms at www.pc-help.org. It pretty much covers all the bases, mathematically at least.

Thanks to the theregister for covering this when it happened a couple of months back. I was already prepared when I saw your story (actually, for a split second I thought it was a hissing sid)!

leviathan voted +1:front page; something everyone should know, with an amusing writeup.

--
I wish everyone was peaceful. Then I could take over the planet with a butter knife.
- Dogbert

Nice one, levi (3.50 / 2) (#18)
by leviathan on Fri Feb 16, 2001 at 09:00:37 AM EST

Duh, braindead poster alert.

Try this for a better link to the pc-help article.

Oh, and if you really don't know the register's address, try this

--
I wish everyone was peaceful. Then I could take over the planet with a butter knife.
- Dogbert
[ Parent ]

Almost got me (3.00 / 2) (#21)
by Vygramul on Fri Feb 16, 2001 at 09:35:45 AM EST

I was tipped off by the fact that the cracker and the poster of the story was the same person. It made me re-read it before trying to go to the "cracked" page.

Nice one, though. I like it!
If Brute Force isn't working, you're not using enough.

The Spammer Sensation That's Sweeping The Nation (4.00 / 2) (#22)
by WWWWolf on Fri Feb 16, 2001 at 09:46:44 AM EST

Oh dear. One more URL abuse.

My own prediction is that spammers will think "Oh, cool, another interesting way to scam people" and start using this technique a lot.

Then comes some witty conman who tries to sell that as a "highly sophisticated proprietary URL encryption/decoy scheme" to the spammers themselves.

This already happened when the spammers realized they could use decimal numbers as IP address substitute... Oh, the stupidity of L33t Internet Entrepreneurs!

Clever, yes...

...though I liked the MailMarshall comment in the Crypto-Gram more - that E-mail package had thought some Crypto-Gram was naughty, because it had words "blow" and "job" (not in the same context, of course)...

- WWWWolf, currently skimming Applied Cryptography

-- Weyfour WWWWolf, a lupine technomancer from the cold north...


Start? they already do! (5.00 / 1) (#35)
by darthaggie on Fri Feb 16, 2001 at 05:06:59 PM EST

My own prediction is that spammers will think "Oh, cool, another interesting way to scam people" and start using this technique a lot.

They've been doing URL obsfucation for awhile now, usually to throw-off the amateur spam hunters from tossing complaints into the web hosts abuse mailbox.

James
I am BOFH. Resistance is futile. Your network will be assimilated.
[ Parent ]

Octal ip's? (2.50 / 2) (#24)
by fvw on Fri Feb 16, 2001 at 10:04:42 AM EST

Are octal ip's actually required by any standard? Else, I don't see how not supporting this would make a browser 'not very good'.

Could be usefull? (none / 0) (#25)
by eWulf on Fri Feb 16, 2001 at 10:07:40 AM EST

Does anyone know of a way of getting at the username bit from a CGI or ASP script as this could be quite a nice touch?

HTTP auth rules (none / 0) (#31)
by h2odragon on Fri Feb 16, 2001 at 02:28:47 PM EST

REMOTE_USER for the user name; I don't know if that requires real authentication or if it's filled in even when a user name is supplied without authentication being required. Probly varies on different servers.

[ Parent ]
REMOTE_USER (none / 0) (#42)
by J'raxis on Sat Feb 17, 2001 at 08:46:45 AM EST

My experience with PHP at my own site is it is not filled in ($GLOBALS[REMOTE_USER]) except where authentication was explicitly required. The username is still sent along as a request header line though -- it shows up in the HTTP logs whether or not the specified page required authentication.

-- The PHP Raxis

[ J’raxis·Com | Liberty in your lifetime ]
[ Parent ]

Oh good god... (1.25 / 4) (#27)
by TheLocust on Fri Feb 16, 2001 at 11:11:12 AM EST

now i fear i will be duped into yet another Goatsex link.
.......o- thelocust -o.........
ignorant people speak of people
average people speak of events
great people speak of ideas

Didn't anyone ever tell you... (none / 0) (#29)
by 0xdeadbeef on Fri Feb 16, 2001 at 12:24:42 PM EST

that links to that site are LAME LAME LAME?

[ Parent ]
Actually (none / 0) (#41)
by Quark on Sat Feb 17, 2001 at 07:06:55 AM EST

the more we link to it, the higher it becomes valued by Google. Now how about that?

So much bandwidth, so little time...
[ Parent ]
Look at the logo's ALT tag (3.00 / 1) (#28)
by PhilHibbs on Fri Feb 16, 2001 at 12:13:05 PM EST

When I hover my pointer over the logo, it says "Kuro5hin.org: technology and culture, from the trenches -- Slackware 0wns j00 ;)". Is this related?

Umm... (none / 0) (#32)
by Elendale on Fri Feb 16, 2001 at 03:15:52 PM EST

Actually... *guilty glance at Inoshiro* this happens to be in reference to the (highly admirable) distro of Linux K5 runs on. It appears someone at this site has placed it in the text, although it indeed was not placed as part of the 'defacement': it was there last week.

-Elendale
---

When free speech is outlawed, only criminals will complain.


[ Parent ]
Try this.. (none / 0) (#38)
by mystic on Fri Feb 16, 2001 at 06:21:36 PM EST

Try pointing your mouse over the K5 logo in Kuro5hin.org!

All I did extra was add that extra Meta "Story".

[ Parent ]
Nothing to see here! (none / 0) (#43)
by Inoshiro on Mon Feb 19, 2001 at 05:43:10 AM EST

Move along...



--
[ イノシロ ]
[ Parent ]
Slight problem! (3.66 / 3) (#34)
by regeya on Fri Feb 16, 2001 at 03:43:08 PM EST

If you examine that URL carefully, you can see that the host name is not "kuro5hin.org" but "0000100.000260.00324.0152" which is the hexadecimal equivalent of my server's IP address, while 64.176.212.106 is my server's IP address.
Hate to be the one to point it out, but 0000100.000260.00324.0152 is octal, not hexidecimal. Big difference. :-)

[ yokelpunk | kuro5hin diary ]

Yup.. I realised that mistake just after posting (none / 0) (#37)
by mystic on Fri Feb 16, 2001 at 06:17:40 PM EST

Thanks for the pointer.

[ Parent ]
Not Duped (4.00 / 1) (#36)
by tnt on Fri Feb 16, 2001 at 05:26:37 PM EST

My clue was from the ampersand (&) appearing right after the www.kuro5hin.org... without there being a slash (/).

Admitantly, I did not notice that it was a `user name' in the http-url. But when I see a whole slew of stuff (instead of a `normal' http-url), I'm usually careful.



--
     Charles Iliya Krempeaux, B.Sc.
__________________________________________________
  Kuro5hin user #279

Seriously (none / 0) (#44)
by rinkjustice on Tue Feb 20, 2001 at 10:20:54 AM EST

We can all chuckle about this now, but should you find this sort of deceptive URL masking while surfing the internet on any version of Internet Explorer, please visit http://support.microsoft.com/isapi/support/pass.idc?Product=Bill%20Gates%20Asshole%202000 and report it immediately.



Secrets of getting stronger, faster, leaner - ZerotoSuperhero

Kuro5hin.Org cracked and defaced? | 44 comments (36 topical, 8 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!