The Tech Herald

SQL Injection discovered on NASA sub domains

by Steve Ragan - Dec 8 2009, 16:40

SQL Injection discovered on NASA sub domains. Credit: Http2007/Flickr.

Over the weekend, someone who goes by c0de.breaker posted images and details related to weak security on NASA's Instrument Systems and Technology Division and their Software Engineering Division websites.

The two sites, sed.gsfc.nasa.gov and istd.gsfc.nasa.gov, were both offline at the time this article was written. Gunter Ollmann, VP of Research at Damballa and former IBM Chief Security Strategist, speculated that, based on the screen captures offered by c0de.breaker, NASA appeared to be vulnerable to SQL Injection as well as suffering from poor access controls.
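To make the speculated weakness concrete, the following is an added example (not code from the article or from the NASA sites) that contrasts the root cause of SQL injection, pasting caller-supplied text into the query string, with the parameterised query that fixes it. The `admins` table, its columns and the sample rows are constructed for the demonstration; a legitimate name containing an apostrophe is enough to show that the unsafe form cannot tell data from SQL syntax.

```python
import sqlite3

# Constructed sample data for this added example; table and column names are
# assumptions, not the schema of the NASA sites described in the article.
SAMPLE_ADMINS = [
    ("alice", "alice@example.test"),
    ("o'brien", "obrien@example.test"),
]


def make_db():
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # Anti-pattern: the caller's string is concatenated into the SQL text, so
    # any quote character in it is parsed as SQL syntax rather than as data.
    sql = "SELECT username, email FROM admins WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Mitigation: a parameterised query. The driver passes the value separately
    # from the statement, so the input can never change the query's structure.
    sql = "SELECT username, email FROM admins WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on one input and return (unsafe_outcome, safe_outcome).

    The unsafe outcome is the row list, or an 'error: ...' string when the
    input broke the query, which is the tell-tale sign of missing separation
    between code and data.
    """
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        unsafe = f"error: {exc}"
    safe = lookup_safe(conn, username)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(name, "->", compare(name))
```

Running it shows that both functions agree on a plain name, while for `o'brien` the concatenated version fails with a syntax error and the parameterised version returns the row. A query that breaks on an apostrophe is the same query that would accept attacker-controlled SQL, which is why the fix is to use bound parameters everywhere rather than to filter quote characters; pairing that with a database account limited to the rows and operations the web application actually needs addresses the access-control side of the report.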

In a posting to TinKode, c0de.breaker pointed out that earlier media reports assuming there was more than one person behind the NASA disclosure were wrong. “SQL injection was made only by me,” reads a comment linking to a story on the TinKode posting.

As for the reasons behind the attack itself, “The reason was simple! Because I could, and they were vulnerable. As you can see, I didn’t change anything.”

The TinKode posting, which is here, lists several tables and links to various images of the NASA vulnerability. Included with the details were 25 administrator accounts used to run the two NASA sites, as well as the database structure information.

NASA has not issued a statement, and as the sites are offline, we have no idea whether this is to address the issues or simply because NASA wanted to remove the subdomains. The date listed on the record is 2006, so it could be that these sites were not heavily used.

Earlier this year, NASA was blasted by a report from the Government Accountability Office, which found that NASA “had not yet fully implemented key elements of its information security program.”

“As a result, highly sensitive personal, scientific, and other data were at an increased risk of unauthorized use, modification, or disclosure,” the report said.

In February 2009, the NASA SOC alerted an agency center about traffic associated with a Seneka Rootkit Bot. In this case, NASA found that 82 NASA devices had been communicating with a malicious server since January 2009, the report noted. A review of the data revealed that most of these devices were communicating with a server in Ukraine. By March 2009, three additional centers were also infected by the bot.

During fiscal years 2007 and 2008, NASA reported 1,120 security incidents to US-CERT related to either unauthorized access, denial of service, malicious code, improper usage, scans, probes, or attempted access.
