Information Security News mailing list archives

Openhack database gets cracked


From: InfoSec News <isn () C4I ORG>
Date: Thu, 20 Jul 2000 03:17:01 -0500

http://www.zdnet.com/eweek/stories/general/0,11011,2604981,00.html

By Timothy Dyck, eWEEK Labs, eWEEK
July 18, 2000 12:18 PM PT

The jewel of eWEEK Labs' Openhack e-commerce site -- the database --
has been cracked, and the hack has revealed four previously unreported
security vulnerabilities in two components we used in the site.

The crack was performed by none other than Spanish security consultant
Lluis Mora, the same person who felled eWEEK Labs' previous security
test site. On July 15, at about 3:30 am GMT, Mora, who goes by the
handle JFS, retrieved protected information from the database server
of the Labs' and security firm Guardent Inc.'s online Openhack
security test.

As part of his crack, Mora surgically dissected the test site. In the
process, he discovered four previously unknown security
vulnerabilities: three in Akopia Inc.'s storefront package MiniVend
(which provided an entryway to the internal site network) and one in
an optional component in the Solaris 8 operating environment.

The MiniVend holes provide an attacker with the ability to run
commands on the MiniVend server as a MiniVend user account.

Both Mora and eWEEK have contacted the affected vendors to alert them
to these vulnerabilities. We aren't identifying the security
vulnerabilities any further yet, as we don't want to tip off any
malicious crackers. We will publish more details when the affected
vendors have had a reasonable time to analyze and fix these issues.

Password unprotected

The stated goal of the database crack was to access a table called
"secret," which contained the message "75% of all users choose bad
passwords." We turned out to be part of this majority, because a bad
password was one of the Openhack site's vulnerabilities.

After breaking through a number of other defenses, Mora found an
Oracle account -- the MDSYS user, created by the Oracle installer to
manage Oracle's Spatial Data Option package -- that had administrator
privileges and thus was able to read any data on the system. When we
installed Oracle 8i 2.0 on a Sun Enterprise E4500 server running
Solaris 8, we accidentally missed changing the default password for
this account. (We set the passwords for all the common Oracle
administrator accounts to 10-character random strings.) Using the
MDSYS account, Mora was able to access and read the secret -- and
ironic -- contents of the secret table.
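The failure mode above is an installer-created account that nobody
listed among "the common administrator accounts" but that nonetheless
held DBA-level privilege and a vendor default password. The audit below
is an added example, not part of the eWEEK article or of Oracle's own
documentation: it enumerates privileged accounts and default-password
accounts, then locks an unused installer account. It assumes a SYSDBA
session on an Oracle release that provides the DBA_USERS_WITH_DEFPWD
view (11g and later; the 8i release named in the article predates it).

```sql
-- Added audit example (not from the eWEEK article). Run as SYSDBA.
-- Assumes DBA_USERS_WITH_DEFPWD exists (Oracle 11g and later).

-- 1. Every account holding the DBA role by direct grant. Installer
--    schemas such as MDSYS appear here next to SYS and SYSTEM, which is
--    why "set passwords for the admin accounts" must start from this
--    list rather than from memory.
SELECT rp.grantee AS username,
       u.account_status,
       u.created
  FROM dba_role_privs rp
  JOIN dba_users u ON u.username = rp.grantee
 WHERE rp.granted_role = 'DBA'
 ORDER BY u.created;

-- 2. Accounts that can read any table without holding DBA, so a
--    privilege review based on roles alone does not miss them.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
 ORDER BY grantee;

-- 3. Accounts whose password still equals the shipped default.
--    Any username that appears in query 1 or 2 and here is exactly
--    the Openhack condition: privileged, and trivially guessable.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 4. Lock and expire an installer account the site does not use, so
--    the password no longer matters. Unlock with a new random password
--    only if the option it serves (Oracle Spatial, for MDSYS) is needed.
ALTER USER mdsys ACCOUNT LOCK PASSWORD EXPIRE;
```

Locking is preferable to dropping: the option's objects live in that
schema, and a locked account cannot be used to log in even if its
password is known. Rerun queries 1 through 3 after every install or
patch, since installers can recreate or unlock such accounts.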

As reported earlier, Austrian hacker Alexander Lazic on July 3
penetrated our MiniVend e-commerce storefront by finding and
exploiting two previously unknown application security holes.

The Openhack test will continue through July 21. Still up and
crackable are the Active Directory, Exchange 2000 and Apache Web
server. We will publish complete details of the Openhack cracks, plus
a post-mortem of the entire test and what we learned, online and in
the July 31 issue of eWEEK.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".