United Nations VS SQL Injections

The United Nations web site [1] was defaced this morning (screenshot).

The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines:

Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war

While most of us may agree with the message, many will object to the spelling, and specifically to the "dont" used instead of "don’t".
There’s a technical reason for the missing apostrophe, though: the single quote (') is the very character the attackers’ technique abuses to break out of the string literal in the site’s SQL query, so an unescaped one inside their own payload would have broken the injected statement instead.

As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection: user input from the request is concatenated straight into the text of a database query, so a quote in that input ends the intended string literal and whatever follows is executed as SQL.
This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high-profile web site. [3]

If only prepared SQL statements were used properly*, this embarrassing incident would have been easily prevented.
And yes, prepared statements are available even in the very obsolete ASP “Classic” + ADODB Microsoft setup they’ve got. (screenshot)
*properly means that the statement string is a constant (no user input is ever concatenated into it) and that every user-supplied value is passed as a type-checked bound parameter; see Roland Bouman’s comment and my answer below.
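To make the distinction concrete, here is an added example (not code from this post or from the UN site) that runs the same search twice: once with the user’s term glued into the statement text, once with a constant statement and a bound parameter. It uses Python’s sqlite3 module rather than the ASP Classic + ADODB + SQL Server stack the site runs, because the placeholder mechanism is the same idea and this runs anywhere offline. The `speeches` table, its rows and column names, the `LIKE` clause and the `--` comment payload are all constructed for the demo and are assumptions about the query shape, not facts taken from the site.

```python
import sqlite3

# Constructed sample rows standing in for a speeches table; the UN site's
# real schema is unknown and is not reproduced here.
SAMPLE_SPEECHES = [
    ("Address to the General Assembly", "published"),
    ("Remarks on climate change", "published"),
    ("Internal draft, not for release", "draft"),
]


def make_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (title TEXT, status TEXT)")
    conn.executemany("INSERT INTO speeches VALUES (?, ?)", SAMPLE_SPEECHES)
    return conn


def search_concat(conn, term):
    """Vulnerable pattern: the user's term becomes part of the statement text.

    A single quote in `term` ends the literal early and everything after it
    is parsed as SQL. This is the shape of query the post attributes to the
    site (an assumption about the exact clause, not a copy of it).
    """
    sql = ("SELECT title FROM speeches WHERE status = 'published' "
           "AND title LIKE '%" + term + "%'")
    return sorted(row[0] for row in conn.execute(sql))


def search_bound(conn, term):
    """Hardened pattern: constant statement string, term bound as a parameter.

    The driver sends the term as data, so quotes, comment markers and
    keywords inside it can never change the statement's structure.
    """
    sql = ("SELECT title FROM speeches WHERE status = 'published' "
           "AND title LIKE ?")
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


def compare(term):
    """Run both variants on the same input; report errors instead of raising."""
    conn = make_db()
    out = {}
    for name, fn in (("concat", search_concat), ("bound", search_bound)):
        try:
            out[name] = fn(conn, term)
        except sqlite3.OperationalError as e:
            out[name] = "error: " + str(e)
    return out


if __name__ == "__main__":
    # An apostrophe in ordinary input breaks the concatenated query (the
    # reason the defacers wrote "dont"); the bound version simply finds no
    # match.
    print(compare("don't"))
    # A classic payload: the quote closes the literal, OR 1=1 widens the
    # filter to every row, and -- comments out the trailing %' so the
    # statement still parses. Bound, it is just an odd search term.
    print(compare("' OR 1=1 --"))
```

On the site’s own stack the hardened form is an ADODB.Command whose CommandText contains a `?` placeholder, with the value appended through `Parameters.Append cmd.CreateParameter(...)` using an explicit ADO data type and size; the statement string itself never changes between requests, which is also what lets the server reuse the prepared plan.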

I will write some other time about prepared statements and database layer security.
In the meantime, if you’re a planetary organization and you’re planning to cut the budget for the security training of your web development staff, please dont… er… do not ;)

1. 12-AUG-2007, 15:20 UTC update:

The main link now says “temporarily unavailable due to scheduled(!) maintenance”, but the other ones should still work.

2. 12-AUG-2007, 17:20 UTC update:

The speeches have been restored as well, but you can still check this screenshot. Moreover, the hole does not seem to be patched yet, so the site could be defaced again at will: not the best order for fixing things, is it?

3. 13-AUG-2007, 6.00 UTC update:

U.N. staff applied a patch that hides the most obvious vulnerability (the one linked here), but the flaw is still there and could easily be exploited again.
I won’t post any other hints for script kiddies here, but I’m submitting a report to the U.N. IT security staff under the RFPolicy and will keep you posted.

4. 13-AUG-2007, 16.00 UTC update:

Not only is the hole at the main site still open, but some branches (e.g. UNEP, the UN Environment Programme) still bear the hacktivist mark. (screenshot)

More updates here »

By ma1

Hacker, atheist, humanist, dad, mozillian, security breaker and builder, creator of NoScript, casting spells at the Tor Browser. He/him.

64 comments

  1. '; select 'just checking' from vulnerabilities; --'
    If you are going to dish it, you better be able to take it…

  2. @That guy…:
    you certainly know better than me that once you know a query parameter is passed with an unescaped quote, plus the make and model of the RDBMS in use (Microsoft SQL Server via ODBC), the next steps are quite obvious ;)

  3. @That guy:
    sorry, didn’t notice yours were actual attempts to crack this site, rather than didactics about SQL injections.
    Please let WordPress guys know if you find something.
    The one above is the last comment of yours I moderate, though, because it would quickly get boring for other people.

  5. ASP is not obsolete in any sense other than the fact it has been superseded, but new is not always the same as better. Personally I still think classic asp (using JScript not VBScript) is far easier to work with, maintain and use than asp.net. The use of .net won’t stop SQL injection attacks – that’s just rubbish coding done on the cheap by some outsourcer who either does not know or care about security. Desktop apps, well that’s a different kettle of fish – .net FTW!

  6. Hi there,

    I think they do use prepared statements, look at this:

    ADODB.Recordset.1 error ‘80004005’

    SQLState: 37000
    Native Error Code: 8180
    SQLState: 37000
    Native Error Code: 156
    [MERANT][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword ‘database’.
    [MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.

    /apps/news/infocus/sgspeeches/search_results.asp, line 85

    “statement(s) could not be prepared”

    It is just that despite using prepared statements, they don’t use parameter placeholders ;)

  7. Hi Roland,

    It is just that despite using prepared statements, they don’t use parameter placeholders

    That’s exactly why I said “If only prepared SQL statements were used properly“.
    And it’s even worse than not using them at all: if you dynamically construct the SQL query by string concatenation (as they apparently do), you not only expose yourself to injection, but also decrease or neutralize the potential performance gain of preparing statements, while imposing a useless extra memory burden on the RDBMS.

  8. Hi christ1an,
    welcome here!

    Was that an IRC conversation? which channel?

    On a side note, what about Planet? do I need to hit /. front page twice in a week to get your attention? ;)

  9. “There’s a technical reason for the missing apostrophe […]” I’m not going to try anything on the website (I don’t agree with linking directly to the vulnerable .ASP), however it’s normally not a problem to inject a ‘ character using char(39) on SQL Server or hex-escape 0x27 on MySQL.

  10. @Hubert Seiwert:
    you said

    it’s normally not a problem to inject a ‘ character using char(39) on SQL Server or hex-escape 0x27 on MySQL

    … or doubling the ' character to produce a literal ' on any SQL-92 compliant implementation, for that matter.
    But I hope you’ll concede that my apostrophe innuendo was quite an amusing narrative device…

  11. Skip the vulnerability and its coders… the infrastructure should have been protected. That is… don’t they have budget for Intrusion Prevention Systems? If they have IPS… I wonder which one they are using so I know which one not to buy! I am not saying IPS provides the altruistic “silver bullet” for security… I am just saying that my IPS blocks this attack and I just expect theirs to do the same.

  12. @comment #12

    “The use of .net won’t stop SQl injection attacks – that’s just rubbish coding done on the cheap by some outsourcer who either does not know or care about security”

    Actually it is more likely that this was created by someone internal – possibly not someone trained in Computer Science but someone who did some web development at home and got lumped with this job. But for such a large organisation this type of coding is shocking. Don’t they have code reviews? I imagine each department has its own IT guys and policies. Just shows you what a mess the UN is!!

    And as for accessibility, web standards and clarity of content. Jeeez…. this site is BAD!!!

  13. Why does the U.N.’s Anonymous IIS user account have UPDATE privileges on their SQL Server? Makes you wonder what else you can do with their Anonymous IIS user account? TRUNCATE TABLE anyone?

  14. Hi Fulippo,
    welcome here — been a long time ;)

    Yes, it’s full of this kind of stuff out there.
    The most incredible thing, though, is how a widely publicized case like this has been handled so far.
    They just tried to hide the most obvious exploitation sample, while the same resource is still fully vulnerable to the very same attack…

  15. Can you explain the SQL injection attack in more detail? I plan to include this as an example of attacks in my thesis.

  16. @#43 Since you wrote in Turkish, let’s answer you in Turkish; your intent is actually quite obvious, but anyway :) The official UN site was SQL injected by Turks, yes, that’s right, I was personally at the scene; if it happened again, it would be done again.. Why don’t you tell us too about those obvious holes you saw at microsoft ;)

  17. LOL, NO ONE could hack my site. I do all the security myself. beatthecourt.com
