
Security

Searching for Insecurity

September 27, 2006

This article was contributed by Jake Edge.

Google and other search engines provide an invaluable service for people looking for web-based information, but, as several automatic teller machine (ATM) vendors found out recently, search engines can also be useful for people looking for information that might better stay hidden. Google searches have recently turned up operator manuals for several ATM models which include information on how to enter maintenance mode, along with default administrative passwords. This information was promptly put to use in ways not intended by the manufacturers. ATM manufacturers are not the only folks who should be concerned about this: search engines store a wealth of sensitive information, and for those with malicious intent they are a gold mine.

Two weeks ago, a news report about someone reprogramming an ATM led a security researcher to see what information was available about the ATM model shown in a CNN report. It turns out that it was not difficult to come up with information that could be used to make the ATM believe that it was handing out $5 bills when it was really providing $20 bills. Neither the researcher (nor, presumably, the unknown ATM reprogrammer) confirmed that it was a web search that led to the information, but a subsequent report makes it clear that the manual was available via a simple Google query.

Other ATM vendors' products were then targeted with the same results. The major security issue in these cases appears to be the well known 'default password' vulnerability. The default administrative passwords were listed in the operator's manual, which is not unreasonable, but, like default passwords everywhere, they were not routinely changed as part of the installation.

This kind of vulnerability is not at all specific to ATMs; various kinds of hardware (routers, servers, PBX systems, etc.) have been or are susceptible. Of course, it is not just hardware that suffers from well-known or easily discovered default passwords; many software packages have exactly the same problem. Finding vulnerable installations of those packages has been made a great deal easier with search engines, particularly Google with its rich set of search operators.

Many software packages, especially web-based packages, show that they have been installed correctly by displaying a default page. The Apache web server on many Linux distributions installs a page that indicates its presence (and its version, which may come in handy the next time an Apache vulnerability is discovered) and the fact that it has not been completely configured. Searching for these default pages, especially for packages (like portals, blogs, picture galleries, etc.) that have a default administrative password, will generate a list of sites that may not have done anything more than install the package. This is a pretty good place to start trying default passwords.

Web searching can also generate lists of sites that are vulnerable to known exploits simply by looking for sites displaying 'VulnerableApp v0.0.1'. In many cases, the applications were installed at one point and then orphaned but not removed and the administrator has completely forgotten about their presence. It can be difficult to keep up with security updates for an application that one has forgotten is even installed.

This just scratches the surface of the kinds of information, useful to those with malicious intent, that can be found via search engines. Johnny Long has given various conference presentations and written a book, Google Hacking for Penetration Testers, describing these techniques. His homepage has a great deal of information on using Google to find interesting things on the web.

Using these techniques against your own site is one of the best ways to determine how vulnerable you are. Finding web applications that were forgotten or were never completely configured is just one step in the right direction. These techniques could also find directories that provide indexes or publicly exposed documents that were believed to be secure. It is almost always an eye opening experience to find out how much information the search engines have about one's site.
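The self-audit the article recommends can be partly automated. The following is an added example, not code from the article or from any project it mentions: it takes HTTP responses fetched from hosts you administer and flags the three things the article describes, a stock "install succeeded" page, a directory listing, and a product version string in the Server header or page body. The page markers, host names and response bodies are constructed for illustration, and the marker list is deliberately short; a real audit would extend it with the default pages of the packages actually deployed.

```python
"""Audit HTTP responses from hosts you own for signs of a default or forgotten
install: stock welcome pages, directory listings, and version strings.
All sample responses below are constructed for illustration."""
import re
import urllib.request
from typing import Dict, List, Tuple

# Text fragments that typically appear on stock "install succeeded" pages.
# Constructed, non-exhaustive list; extend it for the packages you deploy.
DEFAULT_PAGE_MARKERS: Dict[str, Tuple[str, ...]] = {
    "apache-default-page": ("It works!", "Test Page for the Apache",
                            "Apache2 Debian Default Page"),
    "directory-listing": ("<title>Index of /",),
}

# "Product/1.2.3" tokens, as found in a Server header.
HEADER_VERSION_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)+)")
# "SomeApp v1.2.3" tokens, as found in page footers ("VulnerableApp v0.0.1").
BODY_VERSION_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9]*)\s+v(\d+(?:\.\d+)+)")


def audit_response(url: str, headers: Dict[str, str], body: str) -> List[str]:
    """Return the findings for one fetched page (empty list if nothing noted)."""
    findings: List[str] = []
    for name, markers in DEFAULT_PAGE_MARKERS.items():
        if any(marker in body for marker in markers):
            findings.append(name)
    # Header names are case-insensitive, so normalise before looking them up.
    lowered = {k.lower(): v for k, v in headers.items()}
    m = HEADER_VERSION_RE.search(lowered.get("server", ""))
    if m:
        findings.append(f"server-version-disclosed:{m.group(1)}/{m.group(2)}")
    for m in BODY_VERSION_RE.finditer(body):
        findings.append(f"app-version-disclosed:{m.group(1)}/{m.group(2)}")
    return findings


# Constructed sample responses standing in for fetched pages.
SAMPLE_RESPONSES = [
    ("http://www1.example.test/", {"Server": "Apache/2.0.55 (Ubuntu)"},
     "<html><body><h1>It works!</h1></body></html>"),
    ("http://www1.example.test/backup/", {"Server": "Apache/2.0.55 (Ubuntu)"},
     "<html><head><title>Index of /backup</title></head><body>...</body></html>"),
    ("http://www2.example.test/gallery/", {"Server": "Apache"},
     "<html><body>Powered by PhotoThing v1.0.2</body></html>"),
    ("http://www2.example.test/", {"Server": "Apache"},
     "<html><body>Welcome to our corporate site.</body></html>"),
]


def run_audit(responses=SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Audit a list of (url, headers, body) tuples; map each URL to its findings."""
    return {url: audit_response(url, hdrs, body) for url, hdrs, body in responses}


def audit_live_url(url: str) -> List[str]:
    """Fetch one URL from a host you administer and audit the response."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        headers = dict(resp.headers.items())
        body = resp.read(65536).decode("utf-8", "replace")
    return audit_response(url, headers, body)


if __name__ == "__main__":
    for page, found in run_audit().items():
        print(page, "->", ", ".join(found) if found else "nothing noted")
```

Run it as-is to see the constructed samples classified; point `audit_live_url()` at URLs on your own hosts to audit real responses. Matching is substring-based on purpose: a stock page that has been lightly customised still contains the original marker text, and that is exactly what a search engine will have indexed.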

Comments (4 posted)

New vulnerabilities

openssh: remote denial of service

Package(s): openssh    CVE #(s): CVE-2006-4924, CVE-2006-5051
Created: September 27, 2006    Updated: September 17, 2008
Description: OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service, an unsafe signal handler, and, on portable OpenSSH, a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
Alerts:
Debian DSA-1638-1 openssh 2008-09-16
Debian DSA-1212-1 openssh 2006-11-15
Fedora FEDORA-2006-1011 openssh 2006-10-03
Debian DSA-1189-1 openssh-krb5 2006-10-04
Mandriva MDKSA-2006:179 openssh 2006-10-03
Ubuntu USN-355-1 openssh 2006-10-02
OpenPKG OpenPKG-SA-2006.022 openssh 2006-10-01
Slackware SSA:2006-272-02 openssh 2006-09-29
Red Hat RHSA-2006:0698-01 openssh 2006-09-28
Red Hat RHSA-2006:0697-01 openssh 2006-09-28
Gentoo 200609-17:02 openssh 2006-09-27
rPath rPSA-2006-0174-1 openssh 2006-09-27
Gentoo 200609-17 openssh 2006-09-27


TikiWiki: arbitrary command execution

Package(s): tikiwiki    CVE #(s): CVE-2006-4299, CVE-2006-4602
Created: September 26, 2006    Updated: September 27, 2006
Description: A vulnerability in jhot.php allows for an unrestricted file upload to the img/wiki/ directory. Additionally, a cross-site scripting vulnerability exists in the highlight parameter of tiki-searchindex.php.
Alerts:
Gentoo 200609-16 tikiwiki 2006-09-26


webmin: cross-site scripting

Package(s): webmin    CVE #(s): CVE-2006-4542
Created: September 26, 2006    Updated: October 24, 2006
Description: Webmin before 1.296 and Usermin before 1.226 do not properly handle a URL with a null ("%00") character, which allows remote attackers to conduct cross-site scripting (XSS), read CGI program source code, list directories, and possibly execute programs.
Alerts:
Debian DSA-1199-1 webmin 2006-10-23
Mandriva MDKSA-2006:170-1 webmin 2006-09-27
Mandriva MDKSA-2006:170 webmin 2006-09-22
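The Webmin entry above describes a classic validation gap: a percent-encoded NUL ("%00") survives a check on the raw request string and then truncates the path once it is decoded and handed to code that treats strings as NUL-terminated. The following is an added example, not Webmin's code or its fix; it contrasts the weak raw-string check with one that validates after decoding, using constructed request paths.

```python
"""Reject request paths that contain a NUL byte, whether literal or
percent-encoded, before they reach filesystem or CGI-dispatch code.
Added illustration; the sample paths below are constructed."""
from urllib.parse import unquote
from typing import Dict, Tuple


def naive_is_safe_path(raw_path: str) -> bool:
    """The weak check: inspects only the raw string, so "%00" slips through."""
    return "\x00" not in raw_path


def is_safe_path(raw_path: str) -> bool:
    """True only if no NUL is present before or after percent-decoding."""
    if "\x00" in raw_path:
        return False
    decoded = unquote(raw_path)          # "%00" -> "\x00", "%2500" -> "%00"
    if "\x00" in decoded:
        return False
    # Conservative choice: also reject a double-encoded NUL ("%2500"), since a
    # later component may decode the path a second time.
    if "\x00" in unquote(decoded):
        return False
    return True


# Constructed request paths: a clean one, then three NUL variants.
SAMPLE_PATHS = [
    "/index.cgi",
    "/index.cgi%00.txt",
    "/index.cgi\x00.txt",
    "/index.cgi%2500.txt",
]


def compare_checks(paths=SAMPLE_PATHS) -> Dict[str, Tuple[bool, bool]]:
    """Map each path to (naive verdict, decoded verdict) so the gap is visible."""
    return {p: (naive_is_safe_path(p), is_safe_path(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, strict) in compare_checks().items():
        print(repr(path), "naive:", naive, "after decoding:", strict)
```

The general rule the example illustrates is to validate the form the data will actually have when it is used, not the form in which it arrived; the same applies to other encodings (UTF-8 overlongs, double encoding) of any character a downstream component treats as special.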


Page editor: Jonathan Corbet


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds