Unu of HackersBlog talks about Kaspersky and BitDefender vulnerabilities
by Steve Ragan - Feb 11 2009, 11:43
The researcher behind both the Kaspersky and BitDefender disclosures talks to The Tech Herald.
In the past few days Kaspersky, BitDefender, and even Linden Lab’s Second Life, have all had SQL and code vulnerabilities exposed. The cause for the vulnerabilities, code errors related to unchecked user input, is nothing new. The reason for the exposure of these flaws, as well as countless others, is a whitehat (perhaps a little grey) hacker named Unu and his team at HackersBlog.
The first thing you should know is that HackersBlog is a community effort. There are several others on the site, researching and testing Web site vulnerabilities in an effort to force companies to clean up their code. They are not malicious in nature, but the public will see what they do as spiteful, and sadly criminal in some cases.
Unu is just one of the many faces on HackersBlog. His work is known, thanks to the press coverage given to two posts he made in the past few days.
One post deals with Kaspersky. The Russian security company was exposed as having unchecked parameters in the support area of its U.S. portal. The injection yielded all sorts of information and allowed full access to the database on the backend of the site. The tables visible when accessed included codes, users, admin_users, and retail_users, as well as fields related to versioning and product information.
In an official statement, Kaspersky said: “The attack was unsuccessful and, despite their attempts, the hackers were unable to gain access to restricted information stored on the website. Claims by the hackers responsible for the attack that they had managed to gain access to user data are untrue.”
The Tech Herald spoke to Unu and asked for his thoughts on the comment.
[Note: e-mail translated from Romanian. Emphasis added by Unu left for context.]
“First of all, it starts from a negative premise. It was not about any kind of attack. [This was not] my intention. I am not a thief. I'm just a guy who likes to do security testing, penetration. It’s like any other hobby,” Unu wrote in the e-mail.
“I do not break, I do not delete, I do not change, and I NEVER save anything. In the data that I can access in this way, I just show that it is possible, that the site is vulnerable. That is all. The same thing happened [in the] Kaspersky case. It was about a banal parameter that was not good or not [sanitized enough].”
“The SQL Injection was even easier,” he added, sending an example of an SQL Injection used.
“Since I could extract tables, columns, [I don't] see what could stop me [from concating] it and extract [the] data, if this was my intention. The only protection was, I think, that Magic Quotes was on, and for the integration with query WHERE the name of the Columns had to be changed into ASCII.”
hxxp://usa.kaspersky.com/support/208279383000+UniOn+aLL+SelECT+1,COLUMN_name,3,4+ROM+INFORMATION_schema .columns+WHERE+TABLE_name=CHAR(117,115,101,114,115)--/
[Note: the link you see here will not work, but serves as an example of what an SQL Injection string looks like. In this example, CHAR(117,115,101,114,115) evaluates to the string users; spelling the name out as ASCII codes means no quote characters are needed in the request.]
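As an added illustration, not code from the article, from Unu, or from Kaspersky, the Python snippet below uses an in-memory SQLite database with constructed table names to show why a quote-escaping filter of the magic_quotes kind does not protect a numeric parameter: the id slot is never quoted, so a payload with no quote characters passes the escaper untouched and whatever follows the number runs as SQL. The hardened version validates the value as an integer and binds it as a query parameter. SQLite's sqlite_master catalogue stands in for INFORMATION_SCHEMA.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for a support-portal database (not any real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO articles VALUES (1, 'Support article');
        INSERT INTO users VALUES (1, 'admin');
    """)
    return conn


def addslashes(value):
    """Emulates PHP's magic_quotes_gpc: backslash-escape quotes and backslashes, nothing else."""
    return re.sub(r"(['\"\\])", r"\\\1", value)


def lookup_vulnerable(conn, p_id):
    """String-builds the query. The id slot is unquoted, so addslashes() has nothing to
    escape in a payload that carries no quote characters; the text after the number
    is parsed as SQL. This is the defect, kept here to contrast with the fix below."""
    sql = f"SELECT id, title FROM articles WHERE id = {addslashes(p_id)}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, p_id):
    """Validates the type first (an article id must be an integer), then binds the value
    as a parameter so the driver never interpolates it into the statement text."""
    try:
        article_id = int(p_id)
    except ValueError:
        return None  # rejected before any SQL runs; the web layer would answer 400
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Same shape as the page's example: a number, then UNION SELECT against the catalogue.
    crafted = "1234999 UNION SELECT 0, name FROM sqlite_master"
    print(lookup_vulnerable(db, crafted))   # catalogue leaks: [(0, 'articles'), (0, 'users')]
    print(lookup_hardened(db, crafted))     # None
    print(lookup_hardened(db, "1"))         # [(1, 'Support article')]
```

The escaping layer is not wrong so much as irrelevant: it answers a question (are quotes balanced?) that a numeric slot never asks. Type validation plus parameter binding closes the slot regardless of what characters the input contains.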
The second post from Unu, one day after the Kaspersky post, focused on a reseller for BitDefender. The site, bitdefender.pt, is located in Portugal and maintained by Uptrend Software.
Vitor Souza, Global Communications Manager for BitDefender, told The Tech Herald that, “As a result of this attack, BitDefender worked with our partners, reevaluated their Web defense strategies and where necessary took corrective action to avoid this type of attack, ensuring they have the support and resources necessary for adequate web defense.”
“All BitDefender owned sites execute routine protection processes to ensure that these severely limit vulnerability to these types of attacks. While we can't control how [our] partners manage their sites, we do work with them to foster best practices in protection.”
What stands out from the e-mail sent to The Tech Herald from BitDefender is that it takes a different stance compared to Kaspersky -- which called the issue a hacker attack -- with regard to what Unu did.
“During investigation, it appears that the attack was not intended to steal information, but simply to show vulnerability,” said BitDefender.
Unu explains that there was a different method used for the BitDefender vulnerability. While it was still an SQL Injection, the strings were different.
“[In] BitDefender’s case [the] exchange was easier and faster because [it] was performed by a single query that showed all lines… (the function LIMIT was not necessary). So [it was] possible to extract and save the data much easier.”
He provided another example of a string used in his recent work. This one was used in the BitDefender testing.
hxxp://www.bitdefender.pt/solucoes.php?p_id=1234999+UNION+SELECT+0,concat(0x3a,0x3a,0x3a,0x3a,table_name, 0x3a,0x3a,0x3a,0x3a),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+FROM+ INFORMATION_SCHEMA.tables-- )
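Both request strings on this page share traits a web server log would preserve: a UNION SELECT with mixed-case keywords, a reference to INFORMATION_SCHEMA, CHAR() sequences standing in for quoted names, and concat() with 0x hex literals. The following Python scanner, an added example that is not from the article or from either vendor, decodes the request target of each access-log line and flags those traits. The log lines are constructed with documentation IP addresses and placeholder paths; the rule set and names are assumptions, not any product's signatures.

```python
import re
from urllib.parse import unquote_plus

# Constructed Combined Log Format lines; hosts, timestamps and paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Feb/2009:11:43:00 +0000] "GET /support/208279383000 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Feb/2009:11:43:07 +0000] "GET /support/208279383000+UniOn+aLL+SelECT+1,2,3,4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Feb/2009:11:44:12 +0000] "GET /solucoes.php?p_id=1234999%20UNION%20SELECT%200,concat(0x3a,table_name,0x3a),2%20FROM%20INFORMATION_SCHEMA.tables-- HTTP/1.1" 200 9810 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Feb/2009:11:44:20 +0000] "GET /support/1+where+table_name%3DCHAR(117,115,101,114,115) HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [11/Feb/2009:11:45:01 +0000] "GET /search?q=union+station+select+hotels HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Pulls the request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Hypothetical rule names; each regex runs against the decoded, lower-cased target.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "info_schema": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b"),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)"),
    "hex_concat": re.compile(r"\bconcat\s*\([^)]*0x[0-9a-f]+"),
}


def normalize_target(target):
    """Decode %XX and '+' (twice, to undo one layer of double-encoding) and lower-case,
    so that case-mixed keywords and encoded spaces match the same rules."""
    decoded = target
    for _ in range(2):
        decoded = unquote_plus(decoded)
    return decoded.lower()


def scan_log(lines):
    """Return (line_number, [rule names]) for every line whose request target matches a rule."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        text = normalize_target(m.group("target"))
        matched = sorted(name for name, rx in RULES.items() if rx.search(text))
        if matched:
            hits.append((lineno, matched))
    return hits


if __name__ == "__main__":
    for lineno, rules in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(rules)}")
```

Decoding before matching is the part that matters: the page's own strings use `+` for spaces and mixed keyword case, and a rule applied to the raw request field would miss both. The last sample line ("union station select hotels") shows why the UNION rule requires the keywords to be adjacent; a bare `union` or `select` substring would flood the results with ordinary search traffic.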
Press coverage surrounding the research performed by “hackers” is often listed as an attack or given spin to make the research, the exploitation of the vulnerability, or reporting it, criminal or malicious in intent. Considering the scope of the interview and the vulnerabilities released by Unu, we asked his opinions as to why the term “hacker” was viewed in such a slanted light.
What follows are his thoughts. What they offer is a unique insight from one of the masses online who do this type of research day in and day out.
“The word HACK has recently acquired a negative meaning. When you hear the word Hacker you relate it directly with something bad, but since you are a white hacker, you do ethical hacking; my opinion is that you should be appreciated and even encouraged for this.
“You do the work of a [pentesting firm] that could test the security of the site or [sic] server at the request of the owner. The difference is that the firm makes this for a big sum of money, a very big sum of money, and we do it as a hobby, for pleasure, free, and most of the times we do that much better, but we don’t even get a simple Thank you.
“[These] vulnerabilities exist when [Web developers, site administrators, etc.] put [vulnerable] code on site (there are good jokes that the vulnerabilities that we showed [existed], but just for a couple of hours get real... makes no sense) So if I could have access the database, somebody else could do that too, maybe somebody who has more knowledge about SQL Injection than me, and that person still will be able to do it if I or somebody else wouldn’t announce the problem.”
[The jokes he makes mention of stem from both Kaspersky and BitDefender reporting that the vulnerable code was only accessible for a few hours at best. The humor here is that those few hours do not account for the time they went unnoticed by the public, but could have been accessed by others who never reported them. Underground researchers love this type of spin from companies as they scramble to put out potential PR fires.]
“...maybe that person could have bad intentions or take advantage of it. What [bothers] many people is that we make it public, these vulnerabilities, and not keep it low, send a mail to the admin in secret. Of course we choose this way because we want that the firms put a bigger accent on the security. At least in this way something is moving, they make a report, analysis, they have to check again, etc.
“If we just send an email, without making it public they would fix only that parameter that we announced and it is possible to be others too. (I’m talking in general and not about a certain site.) So for what I do, I do not consider myself a malefactor, I'm not a criminal, I [am] not a burglar.”
Unu added that one thing that separates him from other underground research teams is that he does not use a proxy service.
“As [proof I used] a real IP, I [sic] had nothing to hide,” he said. He also noted that because of this he is waiting on word of legal action from Kaspersky. The Tech Herald has e-mailed the company to see if this was indeed the case.
Unu added that his work and research will continue. Not long after his e-mail to The Tech Herald, Unu disclosed an issue on SecondLife.com that was discovered last November. The issue, an SQL Injection vulnerability, was quickly patched by Linden Labs (Unu said it took about three days).
The debate about disclosure, the role underground researchers play in vulnerability testing, and the proper use of the word "Hacker" will remain intense. The good thing is that researchers like Unu, despite remaining underground, are the good guys. You can question their methods, but not their ethics. Unu could have sold his information or used it for nefarious means; instead he went public, and the issues are now fixed.
Sadly, for every researcher underground who has a sense of ethical fiber, two will find flaws and tell no one.
