Nice real world example of the poison null byte attack.

For those who don't know what a null byte attack is, that's where you pass in an http request that turns into a string that explicitly encodes a null byte, \0 at the end. So you insert something like subsection=/../../../../../../../../../../../../../../../../etc/passwd%00. Now the code in the application tries to append something like .txt because "how bad could a .txt file be", and it arrives in C land as "/../../../../../../../../../../../../../../../../etc/passwd\0.txt\0" and C thinks that the string ends at the first \0 and doesn't pay any attention to the .txt bit.

This is a good example of why your escaping mechanism should always be "allow only what is explicitly known to be safe" rather than "block what is known to be unsafe". Because you have no idea what unsafe things there are that you don't know about.

Similar issue a while back with SSL certs wasn't there. When will people learn how to deal with null bytes properly :/

I could similarly ask, "When will people learn that null bytes are a terrible way to terminate data?"

But that ship sailed eons ago.

After mangling a number string operations (and the program memory space) when first learning C I realized how terrible they could be. If I can mistakenly destroy my memory space, what would a malicious mind do with such a thing?

This is a very good reason to use a language with built in memory management.

So the problem is that people are using naive string implementations (character arrays) instead of proper strings?

While this is a clever hack, and I doubt the author had any malicious intent, this article really rubs me the wrong way. To the author of this post, this was most likely nothing more than an intellectual challenge, but from Stephen's perspective, I imagine it feels a whole lot like a mean-spirited breach of privacy. Furthermore, by publishing the details of the breach, he's pressured Stephen & his webmaster to immediately fix this hole or risk a much worse attack on his site. (I'm assuming he didn't notify Stephen before publishing this post. Such courtesy would have been greatly appreciated, I bet.)

There's a security hole in the postal service, too. You can read anyone's mail by stealing it from their mailbox. Doesn't mean it's a good thing to do.

"he's pressured Stephen & his webmaster to immediately fix this hole or risk a much worse attack on his site."

Surely that's a good thing? I agree that Stephen would/will probably be offended (assuming he wasn't notified), but he'll certainly take security more seriously now.

It's a good thing that Stephen was made aware of this security hole, but the author could have informed him a lot more effectively.

If someone broke into my house and I found out about it on Hacker News because they set up a webcam in my living room, I suppose it would be a good thing that I found out about a security problem in my home, but I certainly wouldn't be happy about it.

Fair enough, although it's a much more graphic illustration of the problem actually seeing the results (rather than simply "your site isn't very secure", "your front door lock is a bit loose"). I know it made much more impact on me than it would have if I'd read an article about the possibility of it happening. Although I suspect that if he'd just mailed the username/password to Stephen that would have been example enough.

Kind of scary how many of these sites are almost certainly out there, though.

Xakep is a magazine mostly about the other kind of hacking (the meaning journalists use). Which means there are lots of black hat and script kiddie materials in there, along with the white hat kind of hacks. Btw, 'xakep' is 'hacker' in Russian, but spelled using Latin characters.

This material is definitely on the black hat side of things, but it is still important to be aware of these types of attacks. Sadly, PHP include bugs and SQL injections are still very widespread.

I still lost. Can somebody give me an example of what an "improperly escaped include" would look like?

Was the site author (not the hacker) taking a get parameter and passing it to an include? That seem odd.

I need a little more help understanding this.

Probably a directory of php files like,

   sections/food.php
   sections/shopping.php
   sections/fryclub.php

with different content, then an index page like,

   <!-- common header -->
   <?php include("sections/" . $_GET["section"] . ".php") ?>
   <!-- common footer -->

And then when you access,

   http://fry.com/index.php?section=fryclub

you get the content of fryclub.php with the correct headers and footers. Or you access,

   http://fry.com/index.php?section=/../.[snip]./../etc/passwd%00

and get any file you like, treated like a php file.

Find a file that you can write to (such as the error log), use the above trick to treat it as a php file, use it to make system calls, and the box is yours.

Thanks for that. I wasn't aware that this was a common practice. I assumed it must be something like that, but I wanted to make very sure I understood exactly. Don't want any hacker news stories about my sites!

EDIT: Errr, at least, not this sort of story.

You can actually search for this vulnerability on Google Code Search, and it finds a few results that look exploitable. I don't know how to go about informing people with that code that their systems are vulnerable. Many are open source projects, so anyone using those tools are vulnerable too.

It's a pretty common attack. I have several identical attempts against my website on a daily basis (can easily tell from the access logs).

Can anyone explain the injection part? I didn't understand how getting the passwd file helped in any way with injecting a php error, and why code got executed in the end.

The passwd file didn't help, it just showed him that he could retrieve arbitrary files via an open/improperly escaped PHP include().

His injected worked by causing an error to be written to a log, and then reading that log back through the PHP include. The error that was logged contained an arbitrary string (the HTTP request, with the malicious PHP code), which was executed by the server.

That was an interesting read, nice 'peek' into a (I guess) lot used method of defacing a site; without the defacing that is.

This is the exact kind of thing App Armor can be used to shield against. Problem is, it's a PITA to setup right.

Apache's mod_security can also protect against this with the SecFilterForceByteRange directive.

Stephen Fry is a good person.

:-(

I don't think any one is denying that.

True, but I think some people might need reminding.

Also, he tries to use his twitter account to promote good causes. Depending on his reaction to this episode, this might have been put at risk.

Nothing was put on risk. The person/group who did this not only removed the fake tweet in question but also showed enough respect (if you actually read the whole article).

> "P.S. I deleted that post from his micro-blog a few minutes later, cause my delicate mental organization didn’t allow me to injure a huge army of Stephen Fry fans."

Assuming the "hack" was real (no way to prove it IMO), I rather be hacked by this person than someone else with malicious intent. No harm done, as a matter of fact this will probably help to secure whatever hole was in the system. Do you think we would give a flying-frack if the twitter account in question didn't belong to Stephen Fry or anyone famous?

I doubt it.

> Nothing was put on risk. The person/group who did this not only removed the fake tweet in question but also showed enough respect (if you actually read the whole article).

Would knowing that Stephen Fry suffers from bipolar disorder, and has threatened to quit Twitter not long ago (http://www.guardian.co.uk/technology/2009/oct/31/stephen-fry... ) change your view?

>Would knowing that Stephen Fry suffers from bipolar disorder, and has threatened to quit Twitter not long ago (http://www.guardian.co.uk/technology/2009/oct/31/stephen-fry.... ) change your view?

No. I would be more concerned about him quitting blogging than him quitting twitter. He is an amazing writer and speaker and using twitter is a disservice to his talent. IMO.

So you agree that Mr. Fry's further use of Twitter was put at risk, but you just don't care about it?

I care about it as much as I care about Sarah Palin not using twitter.

How many times did twitter itself got hacked? From DNS hack to brute force password cracked (was no failed password limitation) to phishing attack to twitter employees account getting compromised to XSS attack to every single twitter account (earlier this year).

Twitter account of famous people getting hacked is part of the experience of using twitter. If someone stops using twitter for this, I don't feel bad about it.

Its twitter, not the end of the world.

It's Twitter, it IS a big deal. It is the direct link between the artist (or politician) and his public. Over one million people follow Fry's tweets daily, and a multiple of that hears about them or reads about it on other websites (in fact, several times BBC News has reported on his tweets). You can be sure that I would defend a list of a million followers tooth and nail, and not just for monetary purposes.

Some weeks ago Stephen Fry was watching some live sporting event from his sofa, wrote a tweet about it, and got a reply from the presenters ON AIR. In a program broadcast to millions.

I think your position is that you don't care about these people and their use of Twitter. Fine, but THEY care.

Besides, a tweet like this from Sarah Palin is worth more than ten press releases: http://twitter.com/SarahPalinUSA/status/6823906156

>Nothing was put on risk.

Do you know Stephen Fry well? Is he 'nothing'? Can you predict how he will feel about this?

>if the twitter account in question didn't belong to Stephen Fry or anyone famous?

I didn't say famous, I said good.

Btw, check out the author's disclaimer:

>Neither the editors nor the author shall not be liable for any possible damage caused by the materials of this article.

>Do you know Stephen Fry well? Is he 'nothing'? Can you predict how he will feel about this?

I think you are being a bit too emotional here. Its not like Fry got kidnapped from his house, hog tied and thrown out of london bridge. His twitter account got compromised by someone, who was well intentioned enough not to screw around with it. If the person didn't write about the hack, you wouldn't know about it, Fry wouldn't know about it and he would wake up the next morning and have his "eggie in the basket" and no one would care.

Saying Awwww but "Stephen Fry is a good person. :-(" adds nothing to a discussion about something that has to do with web security.

>> "These days he is more accurately described as a political figure than an actor."

What??? I guess you don't watch BBC TV do you.

  QI (Fantastic series).
  Kingdom.
  Stephen Fry's America
  Last chance to see
  etc etc

(Most of these from the last year or 2). He's first and foremost known as a fantastic comedian and maker of good quality TV.

Perhaps I assume too much of the attackers, but their decision to post "from Russia with love" vs "Sorry, X is dead, please unfollow" probably depends on whether they think the guy is a good person or a bad person.

Even though his site's security was not completely up to snuff, he did have a pretty good password.

Unfortunately, the chain is only as strong as the weakest link.

FWIW, the vulnerability is listed in the OWASP 2007 Top 10 as Malicious File Execution http://www.owasp.org/index.php/Top_10_2007-A3