My name is Kenneth and I write cool Mac and iPhone software. This is my personal weblog where I post about stuff I find interesting. I usually write about Mac development, the business of shareware and the Mac community in general.
From: Sean Collins
Date: July 23, 2007 4:32:35 PM EDT
Subject: Aquatic Prime
I recently read your blog post about Aquatic Prime, after I was hunting around inside another application.
I would like to perhaps exchange some notes, because I think I might have found at least an individual application that uses the PHP authentication of the AquaticPrime framework, and I suspect that it would be vulnerable to SQL injection attacks, as well as using what I believe to be a cookie that never expires that is baked into the executable, which could lead to some other interesting things.
Let me know if you’d be interested in a chat!
1:42:24 PM seanwdp: [Hey], it’s Sean C
1:42:48 PM anonymous: hey sean.
1:43:10 PM seanwdp: The app in question is called Exces
1:43:22 PM seanwdp: part of that MacHeist deal they were doing a week ago
1:43:35 PM anonymous: ok
1:43:58 PM anonymous: and what can you do exactly? (re-reading your email)
1:44:13 PM seanwdp: I don’t have any POC just yet, just some leads.
1:44:41 PM seanwdp: just looking through the executable, found some little things
1:45:04 PM seanwdp: the app uses the PHP part of the AP framework
1:45:14 PM seanwdp: to do registration keys and such
1:45:20 PM anonymous: k
1:45:44 PM seanwdp: let me give you the executable dump
1:45:55 PM anonymous: k
1:47:27 PM anonymous: can i just strings it?
1:47:57 PM seanwdp: yeah, already did and sent it to you as a txt
1:48:52 PM seanwdp: one of the strings contains his license check
1:48:53 PM anonymous: ok
1:48:59 PM seanwdp: it’s a PHP script
1:49:09 PM seanwdp: if you connect to it with just a browser you get a bunch of mysql errors
1:49:10 PM anonymous: http://www.seosoft.info/app_rsrc/exces_licence_check.plist.php
1:49:13 PM anonymous: yeah i see
1:49:14 PM seanwdp: exactly
1:49:23 PM seanwdp: so I think that the cookie is a few lines below
1:49:25 PM seanwdp: that has the login data
1:49:43 PM anonymous: and that is based on the AP sample code you think?
1:49:52 PM seanwdp: I’m not entirely sure
1:49:59 PM seanwdp: If it is the AP sample code
1:50:02 PM seanwdp: that’s pretty bad
1:50:11 PM seanwdp: I was going from the thinking that he tried to extend the AP
1:50:18 PM anonymous: so have you actually tried to inject anything?
1:50:32 PM seanwdp: I’ve been looking for a way to feed it some bad data
1:50:38 PM seanwdp: I was doing some pretty simple stuff
1:50:47 PM seanwdp: the license key I think is through steganography
1:50:57 PM seanwdp: so I was trying to see what it takes as a dragging source
1:51:12 PM seanwdp: see if I could craft some bad data, then capture the packets
1:51:22 PM anonymous: heh ok
1:51:30 PM seanwdp: What makes me wonder, is the fact that he has another part, his bug reporting
1:51:39 PM anonymous: ap uses real encryption though
1:51:51 PM seanwdp: right
1:51:52 PM anonymous: no steganography, no faking
1:52:13 PM seanwdp: but my thinking is that the app will send a user/pass
1:52:30 PM seanwdp: since you get the error about not having a user or database selected
1:52:35 PM seanwdp: when you visit that register page
1:53:22 PM anonymous: what user/pass?
1:53:28 PM anonymous: a bit confused
1:53:44 PM seanwdp: okay. Know how you visit that registration page with a regular browser?
1:53:53 PM anonymous: y
1:54:10 PM seanwdp: notice those mysql errors
1:54:16 PM anonymous: right right
1:54:22 PM seanwdp: Line 2 is the host
1:54:27 PM seanwdp: line 3 is the database
1:54:46 PM anonymous: looks like he’s on a dreamhost box
1:54:50 PM seanwdp: right
1:54:59 PM seanwdp: I’m thinking those variables
1:55:02 PM seanwdp: the PHP ones
1:55:22 PM seanwdp: that set the host, database name, and possibly user/password combo are in the app
1:55:26 PM anonymous: ok
1:55:32 PM anonymous: i’d be real surprised
1:55:36 PM seanwdp: as would I
1:55:48 PM anonymous: in fact i doubt it’s likely at all
1:56:05 PM anonymous: knowing dreamhost (used to be a customer) they firewall off the mysql server
1:56:24 PM anonymous: the info would be embedded in the php
1:56:33 PM anonymous: it looks to me as if the guy has a f-ed up php
1:56:45 PM anonymous: either the mysql server is down, or something is misconfigured
1:56:52 PM anonymous: i don’t think the username/password are in the app
1:56:56 PM anonymous: unless you’ve found them?
1:57:08 PM seanwdp: only guesses at this point, nothing jumped out in the strings
1:57:14 PM anonymous: what happens when you packet sniff?
1:57:23 PM seanwdp: still trying to get that running
1:57:27 PM anonymous: ok
1:57:29 PM seanwdp: I might have to do what you did
1:57:33 PM seanwdp: with the code injection
1:57:37 PM seanwdp: just force it to connect
1:57:43 PM anonymous: ah
1:57:54 PM anonymous: so it doesn’t connect to that url normally?
1:58:02 PM anonymous: until you register it perhaps?
1:58:05 PM seanwdp: yeah
1:58:08 PM seanwdp: and there’s a cookie
1:58:13 PM seanwdp: expires never
1:58:27 PM seanwdp: I wondered if that might be a good lead.
1:58:33 PM anonymous: AP is designed for client side validation
1:58:39 PM anonymous: he’s doing it server side too perhaps
1:59:03 PM seanwdp: I mean the guy just sold like 100k licenses or something
1:59:09 PM anonymous: no shit?
1:59:11 PM seanwdp: yeah
1:59:12 PM seanwdp: macheist
1:59:16 PM seanwdp: so I mean, it’s gotta work
1:59:19 PM anonymous: heh
1:59:20 PM anonymous: yeah
1:59:24 PM anonymous: unless it is a dead url
1:59:29 PM anonymous: isn’t used any more
1:59:33 PM anonymous: or is in there to throw you off
1:59:34 PM seanwdp: true, maybe he baked a new version for macheist
1:59:39 PM anonymous: maybe
1:59:53 PM seanwdp: I dunno, I can’t imagine him being too smart
2:00:06 PM seanwdp: his app just hands off the dirty work to disk utility
2:00:09 PM anonymous: i’d _hope_ he is if he’s releasing an encryption app
2:00:11 PM anonymous: ah
2:00:12 PM anonymous: haha
2:00:19 PM seanwdp: yet still manages to have a “limit” of 10gb
2:00:26 PM seanwdp: for his “vaults”
2:00:48 PM seanwdp: it’s right in the code, he calls hdiutil
2:01:03 PM seanwdp: all he’s got is a pretty GUI
2:01:31 PM anonymous: yeah
2:01:35 PM anonymous: another Disco app
2:01:38 PM seanwdp: yep.
2:02:00 PM seanwdp: At least Disco has “ismoke”
2:03:30 PM seanwdp: so what are your thoughts?
2:04:17 PM anonymous: i dunno. i’d be really surprised if the app relies on it for registration
2:04:30 PM anonymous: AP is vulnerable once you have it in your hands.
2:04:44 PM anonymous: it just depends on how much work the guy has done to obfuscate it
2:04:56 PM anonymous: and even then you can always find (and then replace) the public key used
2:05:04 PM seanwdp: right
2:05:11 PM seanwdp: but what about the risks to his website
2:05:20 PM anonymous: i’d be surprised if there are any
2:05:28 PM anonymous: it could just be the mysql server is fubared
2:05:32 PM anonymous: something is misconfigured
2:05:41 PM anonymous: hard to say
2:05:50 PM anonymous: any badly written php could be vulnerable
2:05:54 PM seanwdp: right
2:06:04 PM anonymous: to find out for sure you need to sniff the packets and find out what it sends
2:06:07 PM seanwdp: well I mean he has a bug reporter, where all the stuff is sent using the $_GET array
2:06:19 PM anonymous: any suspicious looking printf style strings?
2:06:32 PM anonymous: stuff that could be a http url request?
2:06:47 PM anonymous: “%@&%@&%@” type stuff?
2:07:01 PM seanwdp: lemme see
2:07:09 PM anonymous: you could try hacking the bug reporter
2:07:11 PM seanwdp: I swear I saw some
2:07:22 PM anonymous: if that is vulnerable then the license check probably is too
2:07:27 PM seanwdp: yeah
2:07:40 PM seanwdp: I mean, it’s much easier to crack the bug reporter
2:07:52 PM seanwdp: since I guess the database connection info is in the script
2:07:56 PM seanwdp: *not guess
2:07:59 PM seanwdp: it is
2:08:07 PM anonymous: that makes no sense
2:08:08 PM anonymous: why do that?
2:08:16 PM seanwdp: pulled it out of a php book
2:08:16 PM anonymous: easier for it to be server side
2:08:24 PM anonymous: if he has to change the password he’d be fucked
2:08:26 PM seanwdp: right, that’s what I’m saying
2:08:27 PM anonymous: or whatever
2:08:34 PM seanwdp: he’s probably got a mysql_connect.php
2:08:46 PM seanwdp: that has a username, password, host, and all that
2:08:54 PM anonymous: but even then he’d have to jump through hoops to expose his mysql server to the world
2:08:59 PM anonymous: by default DH firewalls it
2:09:07 PM anonymous: so you have to assume he knows how to do that at least
2:09:12 PM seanwdp: yeah
2:09:21 PM anonymous: which is inconsistent with him putting his password in the client
2:09:31 PM seanwdp: it would be
2:09:46 PM seanwdp: it’s just that you don’t get the same error reporting on the bug page as the license page
2:10:15 PM seanwdp: but that could be because someone wrote the bug script better
2:10:24 PM seanwdp: and it doesn’t give out those errors to the user
2:10:38 PM seanwdp: meanwhile someone far dumber left the error reporting on, for the license script
2:11:59 PM anonymous: well focus on the bug reporter see if you can capture what it sends
2:12:05 PM anonymous: i’d be interested to see that
2:15:46 PM seanwdp: yeah
2:15:58 PM seanwdp: I’m pretty sure it just sends three or four variables
2:16:06 PM seanwdp: the PHP script gets them and off they go into the database
2:16:12 PM seanwdp: since they’re right in the url
2:16:23 PM seanwdp: http://www.seosoft.info/app_rsrc/bug_send.php?
2:16:52 PM anonymous: yeah
2:17:15 PM anonymous: so do some injection
2:24:07 PM seanwdp: I’ll let you know what I come up with
2:24:20 PM anonymous: cool
2:24:26 PM seanwdp: work finally threw up their hands and let me run our stuff on Apache
2:24:39 PM seanwdp: the guy running the server (win2003) has NFC
2:24:47 PM seanwdp: and i don’t like or care about IIS
2:24:56 PM seanwdp: thing spent more time broken than up and running
This entry was posted on Thursday, November 22nd, 2007 at 10:59 am and is filed under Apple, Cocoa, English, Internet, Programming.