Information Security News mailing list archives
Openhack database gets cracked
From: InfoSec News <isn () C4I ORG>
Date: Thu, 20 Jul 2000 03:17:01 -0500
http://www.zdnet.com/eweek/stories/general/0,11011,2604981,00.html

By Timothy Dyck, eWEEK Labs, eWEEK
July 18, 2000 12:18 PM PT

The jewel of eWEEK Labs' Openhack e-commerce site -- the database -- has been cracked, and the hack has revealed four previously unreported security vulnerabilities in two components we used in the site.

The crack was performed by none other than Spanish security consultant Lluis Mora, the same person who felled eWEEK Labs' previous security test site. On July 15, at about 3:30 am GMT, Mora, who goes by the handle JFS, retrieved protected information from the database server of the Labs' and security firm Guardent Inc.'s online Openhack security test.

As part of his crack, Mora surgically dissected the test site. In the process, he discovered four previously unknown security vulnerabilities: three in Akopia Inc.'s storefront package MiniVend (which provided an entryway to the internal site network) and one in an optional component in the Solaris 8 operating environment. The MiniVend holes provide an attacker with the ability to run commands on the MiniVend server as a MiniVend user account.

Both Mora and eWEEK have contacted the affected vendors to alert them to these vulnerabilities. We aren't identifying the security vulnerabilities any further yet, as we don't want to tip off any malicious crackers. We will publish more details when the affected vendors have had a reasonable time to analyze and fix these issues.

Password unprotected

The stated goal of the database crack was to access a table called "secret," which contained the message "75% of all users choose bad passwords." We turned out to be part of this majority, because a bad password was one of the Openhack site's vulnerabilities.
After breaking through a number of other defenses, Mora found an Oracle account -- the MDSYS user, created by the Oracle installer to manage Oracle's Spatial Data Option package -- that had administrator privileges and thus was able to read any data on the system. When we installed Oracle 8i 2.0 on a Sun Enterprise E4500 server running Solaris 8, we accidentally missed changing the default password for this account. (We set the passwords for all the common Oracle administrator accounts to 10-character random strings.) Using the MDSYS account, Mora was able to access and read the secret -- and ironic -- contents of the secret table.

As reported earlier, Austrian hacker Alexander Lazic on July 3 penetrated our MiniVend e-commerce storefront by finding and exploiting two previously unknown application security holes.

The Openhack test will continue through July 21. Still up and crackable are the Active Directory, Exchange 2000 and Apache Web server. We will publish complete details of the Openhack cracks, plus a post-mortem of the entire test and what we learned, online and in the July 31 issue of eWEEK.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
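The MDSYS lesson above is that an installer-created account can carry DBA-level rights while never appearing on the list of "administrator accounts" an operator remembers to re-password. The following audit is an added example and is not part of the eWEEK article or of the Openhack site's own configuration. It assumes an Oracle 8i/9i-era database with the standard data-dictionary views (DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS) and a session that has DBA or SELECT ANY DICTIONARY rights; the password in the ALTER USER statement is a placeholder, not a recommended value.

```sql
-- Added audit example (not from the article or the Openhack site).
-- Goal: enumerate every account that could read the "secret" table,
-- whether or not a human ever chose its password, then neutralise
-- the ones no application actually logs in as.

-- 1. Who holds the DBA role directly?  Installer-created schema owners
--    show up here next to SYS and SYSTEM.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 2. Who can read every table regardless of role name?  A "utility"
--    account with SELECT ANY TABLE is as dangerous as a DBA for this attack.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE',
                     'GRANT ANY PRIVILEGE',
                     'ALTER USER',
                     'BECOME USER')
 ORDER BY grantee, privilege;

-- 3. Every account that can still log in, ordered by creation time.
--    Accounts created at install time, before any operator-created user,
--    are the ones whose passwords nobody consciously set.
SELECT username, account_status, created, default_tablespace
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY created, username;

-- 4. Remediation for an account that owns a schema but that no client
--    ever authenticates as: set an unguessable password AND lock it,
--    so a default-password sweep finds nothing usable.
--    (Placeholder password; generate your own.)
ALTER USER mdsys IDENTIFIED BY Xq7vL2pR9mT_4k ACCOUNT LOCK;

-- If a component genuinely must log in as the account, change the
-- password but leave it unlocked, and record who owns that decision:
-- ALTER USER mdsys IDENTIFIED BY Xq7vL2pR9mT_4k;
```

Step 3 is the one that would have caught the Openhack mistake: the article's operators re-passworded "all the common Oracle administrator accounts", a list built from memory, whereas the query is built from what the installer actually created. Locking rather than deleting the schema owner keeps the Spatial objects it owns intact while removing the login path.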
Current thread:
- Openhack database gets cracked InfoSec News (Jul 20)