Anonymizing RFI Attacks Through Google

netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."

but is it a crime...

[Sensor]

There is actually quite an interesting aside to this, would someone who used this technique actually be guilty of hacking? Afterall they don't run the exploit and arguably can't guarentee that anyone will.

If I happen to create a utility capable of cracking a site but then store it for research, never distribute and never actively use then I've not committed a crime. If I distribute it to other researchers in good faith then I'm covered - at present its only the person who actively uses it that is guilty of a crime.

However, in this scenario (even if I could be traced) its arguable that *I* never attacked a site, all I did was to place a tool that could be used in that way in a public location. I'm not sure that would completely stand up given the recent ammendment to the UKs computer misuse act (i.e. reasonable belief that the tool would not be used in that fashion), but still...

As always it comes down to people...

PS:
Aas an aside I am currently running a survey for my MSc dissertation on IT admin access to confidential information. If you'd like to help out (and would like a shot at winning a £25 or $40 amazon voucher) then please take a look at:

https://msc-survery.priogenus.com/amazon.php [priogenus.com]

Re:

[MartinJW]

I'm not so sure. The intent is there to commit the crime, and it's safe to assume that once the attack has taken place, the malicious user will be utilising the now open security hole for further ends. I guess it's a bit like getting a friend to kill someone - you would still be guilty of murder - wouldn't you?

Re:

[Sensor]

Technically "conspiracy to murder", but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion... and someone then read your diary and chose to act upon it?

Re:

[MartinJW]

But you are not leaving a note on 'how it can be done'. You are putting a cyanide tablet in your grandmas teapot so that she pops off the vicar next time he calls.

Re:

[Sensor]

as someone who's father actually is a vicar I can see how that would be a problem (although they do drink less tea than you might expect).

But I'm still not sure I agree, it might be equivalent to choosing to store your own rat poison in your own teapot in a flat that you didnt lock.... I'm certainly not saying its morally ok, but its probably closer to reckless endangerment than anything else.

Re:

[Opie812]

as someone who's father actually is a vicar...

Are you new to slashdot? The proper way to phrase this....ummmm...phrase is as follows:

My father's a vicar you insensitive clod!

:)

Re:

[Ruff_ilb]

I, for one, welcome our new Vicar overlords.

Re:

[Not_Wiggins]

but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion...

I'll preface this by saying IANAL...
Prove? No. Provide circumstancial evidence? Yup.

As the grandparent stated, the real judgment behind this crime is one of intent. The nature of these links is so specific, targeted and intentional, that even if one didn't get accused of willful attacking, he'd be guilty of negligence.

Maybe it doesn't seem as clear-cut because we're "j

Re:

[mysticgoat]

However, in this scenario (even if I could be traced) its arguable that *I* never attacked a site, all I did was to place a tool that could be used in that way in a public location.

IANAL, but it seems to me that there is a long history of "public nuisance" and "reckless endangerment" in common law [wikipedia.org] that could be applied here (at least in countries like the UK and the USA whose legal systems are grounded on common law).

At present, if you created such a link and I discovered your link was accessable from

Anonymous?

[tttonyyy]

Aside from triggering the attack, how does this make it anonymous?

Surely the "http://URI-with-malicious-code.php" section will still create logs on the victim server pointing to the source of the malicious code (but perhaps not who triggered it).

Re:Anonymous?

[Zedrick]

Yes, but the URI-with-malicious-code is usually something like: http://www.geocities.com/xxxxxxx/xxx.txt [geocities.com]

At least that's what I usually see every time I check the logs of a website I'm going to shut down for allowing foreign includes (to be run).

Re:

[kestasjk]

Exactly; you can use linkto:mysite.com to find who has been linking to you. Hardly makes finding your attacker any harder; why not just use Tor, go to an internet cafe, or go wardriving?

This seems like something clever and pointless just for the sake of it.

Re:

[Mike89]

Exactly; you can use linkto:mysite.com to find who has been linking to you

I don't know about anyone else, but this doesnt actually work for my site.. on closer inspection, it doesn't work on my friends URL either.. hell, it doesn't work for Slashdot either!
http://www.google.com/search?q=linkto%3Aslashdot.o rg [google.com]

Re:

[Umbrae]

That's because it's not linkto, it's link:

http://www.google.com/search?as_lq=slashdot.org&bt nG=Search [google.com]

Re:

[ArsenneLupin]

Surely the "http://URI-with-malicious-code.php" section will still create logs on the victim server pointing to the source of the malicious code

Nope, googlebot doesn't fill in the referer :-(

However, it's not anonymous either. You can bet that if the victim server's admin understands how this was done, he will have no problem getting the relevant data from google's log, and there goes your little scheme!

So, this trick should never be used "on its own". It's still useful however, and here's how:
Don't pu

change behaviour for bots

[cucucu]

In your server, you can code the logic to take another action if the user agent is a bot.
Here [robotstxt.org] you have a db of web robots.

Re:

[Anonymous Coward]

If you do that, prepare to be delisted from search engines or at least severely downranked. Showing different pages to bots than to regular clients is called cloaking and, since it is a technique primarily used to spam search engines, the major search engines test for cloaking and punish it. Technically a page is addressed by the URL, cookies, user agent, referrer and other pieces of request information, but search engines expect that you deliver the same main content for the same URL, all other request dat

Re:

[LiquidCoooled]

No, you should not have to change your site.
Excluding google usually causes more issues (especially when management chirp up and say why aren't we being indexed).

This is a problem between google and the destination site.
Google are the ones here that are not verifying the URLs and attempting to use bad links.

The destination site should be using the best web server they can which is known to handle these kind of problems properly.
The web is broken in so many ways, google should have a good idea which are well

Re:

[kimvette]

Google are the ones here that are not verifying the URLs and attempting to use bad links.

Googlebot presumes all provided links are good until it touches each one and sees the response header. If a 200 or 302 comes back, obviously it's a valid URL handled by the server. Whether the target of that URL is malicious or not is not really for Google to determine; all they do is crawl linked and submitted sites via an automated process. The responsibility is shared between Microsoft and the server admin to ensure

In reality...

[lpiob]

It's a feature, not a bug.

Reminds me of this post

[epsalon]

The Spider of Doom [thedailywtf.com] at The Daily WTF.

Glasshouses...

[ArsenneLupin]

... The Daily WTF runs on ASPX. These are bold people. Very bold people.

RFI

[kevin_conaway]

Could someone define the RFI acronym? Neither the summary, article or google can explain it clearly.

Re:

[Anonymous Coward]

Nice explanation here. [lwn.net]

Remote File Inclusion

[Bogtha]

Remote File Inclusion. It's a pretty poor term for this type of attack, because it's not the act of inclusion that causes the problem, it's the act of requesting the file in the first place.

Re:

[shoolz]

Actually, it's a perfectly good name for the attack, since the request causes a .PHP file hosted on a remote server to be included and subsequently run. Perhaps a hyphen might help those who are hung up on it: "Remote-File Inclusion".

Here's [uni-stuttgart.de] an example of an RFI attack designed to exploit a bit of sloppy coding in PHP Nuke.

Re:

[Loconut1389]

I always think of Radio Frequency Interference, but oh well. As defined above, Remote File Inclusion.

Re:

[that this is not und]

RFI is a prominent acronymn in the technical community. It means, as you say, Radio Frequency Interference. Apparently, though, it's a cool sounding acronym that some other circle decided to latch onto it. I strongly doubt it will EVER mean 'Remote File Inclusion' outside a narrow subculture, however.

Re:

[Loconut1389]

Off the top of my head, I couldn't think of another way to say remote file inclusion any better- so I at least grant that they seem to have a valid overlapping use for the acronym.

Re:

[nacturation]

Off the top of my head, I couldn't think of another way to say remote file inclusion any better- so I at least grant that they seem to have a valid overlapping use for the acronym.

It's a pretty good acronym if you actually are discussing including files. However, this attack is like me linking to http://site.com/database.php?hack-in-querystring [site.com] which has nothing to do with including remote files. Both bots and humans could follow that link and "attack" the site.

Re:

[that this is not und]

True, but when I read 'RFI Attacks' I automatically assumed it was somebody interfering with some form of wireless communications. So long as they want to use an acronym that obscures meaning. Oh, wait... it's a narrow subculture we're talking about here....

(nothing wrong with narrow subcultures, btw. nerds of any flavor are okay most times)

How not Who

[MartinJW]

If your web application is vulnerable to attack then I would have thought it makes no difference where that attack comes from - be it a 'real' person or a search bot. You should spend more time worrying about whether your application is secure, the how is more important than the who.

Re:

[deryckh]

Agreed. The problem I have with these sorts of things is they act as if the problem is with Google. It's not (or any other search engine for that matter). The problem is with the site that is vulnerable. Fix the security hole and there's nothing to worry about.

RFI? How about defining this?

[Ashtead]

Radio Frequency Interference? Request for Information? Radio France Internationale? Rodent Fangs Implementation? WHAT?

How about explaining what such an ambigious acronym actually means initially. As neither TFA nor the summary seems to have done so, I therefore will have do it here, just to make heads and tails of the rest of the discussion and perhaps illuminate someone else. Hit Google, slog through a pile of links indicating one of the above, or some company whose name includes the three letters. There are many of these. On Page 3 I found the Wikipedia page for this TLA, on which there is a dead link to what this must be: Remote File Inclusion.

How about that.

I was wondering if it was just me, that I had been off-line for too long (like 2 days) and missed out on the latest and greatest buzzword, again?

Re:

[MartinJW]

I guess it is a result of the rush to submit an article first, thus a frantic cut-and-paste job pulls the TLA out of the context in which TFA was posted, where it probably made perfect sense.

Re:

[Fatalis]

Yes, WTF is a TLA.

Re:

[owlnation]

how about Really F***ing Irritating?

Re:RFI? How about defining this?

[hey!]

I'm guessing from the text of the article it is Remote File Inclusion.

The description of the mechanism doesn't really makes sense. If you can exploit a victim site by feeding it an evil URL in a form parameter, why use Google at all? You've lost anonymity by including the URL.

Looking at the described effects, it sounds like what they do is feed google some malicious code wrapped up in something that looks like a URL on the victim site. Then Google spiders the URL, placing malicious content in the form parameters.

So, suppose you have a malicious SQL injection attack that causes your database dump the password table to a remote database. The trick is that you get Google to launch the attack for you. You have the malicious code obfuscate the destination, and it isn't clear skullduggery is going on by casual inspection of the logs. It won't show up in the database logs either because its not a transaction.

Re:

[ladadadada]

Strangely enough, the anonymity and the remote file inclusion are not the only issues here. I recently discovered Yahoo's Slurp running these sorts of queries (they were parameters to a search page) on several different sites that we host. The "attacker" had realised that we use the same code across several sites and could use exactly the same "exploit".

The interesting part was that the goal of the "attacker" was not to run an exploit against our machines but to attempt to inject a link into the page that

Simple solution

[vivekg]

Seriously, I hate to read article like this one. They don't offer any solution.....this kind of attacks are not new at all, you can find tons of such attacks from access.log file/p> tail -f /var/log/httpd/access.log

First get rid of fat apache and use like small and secure lighttpd if you are running a *small personal* web site. Second put lighttpd / Apache in chrooted jail and no one can install *php/perl* shell. I have documented the procedure for putting lighttpd in jail:

http://www.cyberciti.biz/tips/howto-setup-lighttpd -php-mysql-chrooted-jail.html [cyberciti.biz]

Both yahoo and google runs entire webserver in chrooted jail. Other choice is use OpenBSD which runs Apache in chrooted jail out of box.

Re:

[AlXtreme]

Don't think that you're safe in your chroot'ed jail. If your website for example uses mod_php and you run an old package of Mambo, then you will be exploited despite your jail.

Yes, you are correct that such a setup will save you from certain attacks, however this isn't an alternative for proper, secure coding. Besides, anyone still using system() via a webserver (be it Apache or LightTPD) should be shot, regardless.

Re:

[nacturation]

Don't think that you're safe in your chroot'ed jail. If your website for example uses mod_php and you run an old package of Mambo, then you will be exploited despite your jail.

How so? You'll also need to install the PHP libs and old Mambo package inside the jail and run as non-root. Are you saying that PHP+Mambo can break outside a chrooted jail in OpenBSD? Worst case, they hack the jail but your base system hasn't been compromised.
 

don't need google

[cucucu]

Who needs google? There is always that ./ mob willing to click through any url [tinyurl.com] without giving a second thought, no matter how long the way and how worthless its end.

Re:

[TheLink]

Heh I was expecting goatse.cx

Anyway you can turn on the preview feature for tinyurl - so it displays the url first without taking you straight to it. I recommend that.

But the other url shortening services may not have such a feature.

Anyway, if you do the attack mentioned in the article it might be a good idea to use tinyurl or other similar sites, so that it is google and friends that expand the resulting url, so it is harder for the victim to figure out who hosted the original shortened url - since they on

In Soviet Russia - with a twist

[davidwr]

In Soviet Russia, Google Hacks ...

I c-can't do it. *sob*. This is too easy. It's like taking candy from a baby. I'm sorry.

[walks away]

Against the System: Rise of the Robots

[lazy321]

Check http://www.phrack.org/archives/57/p57-0x13 [phrack.org] by Michal Zalewski from 2001

Prior art

[Beryllium Sphere(tm)]

This was described in Zalewski's _Silence On The Wire_.

It's not "HACKING WITH GOOGLE" it's using google

[itz2000]

It's not "HACKING WITH GOOGLE" it's using google to exploit vulnerabilities via the search
In the particular example it's searching in the code where's cmd.gif to use it to enable malicious via remote site.

It's not like using google to hack a specific site but just those who are vulnerable site (it's like searching for which site has phpbb2.6 and to use known exploits to "hack it" [with sql injuction or something).

This discovery is for script kiddies, not for real hackers who wants to hack a specif

no - doesn't require searching.

[tendays]

rtfa again - this *is* used for targetting specific sites. Google is used as an anonymiser.

The article suggests searching cmd.gif to demonstrate that that method is being used, and indeed some of the results show that google's index carries urls containing attacks.

To inject those urls into google's index the attacker doesn't even need to run a search or even contact google a single time - he puts the attack (mentioning the specific host the attacker wants to attack) on some webpage and then waits for google

Covert communications channel?

[pipingguy]

Couldn't the gibberish (designed to defeat filters) contained in spam also be a "Covert communications channel"?

I studied this 3 years ago

[mrkitty]

I started doing this a few years ago. Check out the link below and view source. I got the data from over a year however it is a few years old. I was studying which engines could be abused in the 'best way'. Short answer, all of them.... http://web.archive.org/web/20030426184220/http://w ww.cgisecurity.com/ [archive.org]

In Other News

[RAMMS+EIN]

In other news, vulnerabilities in your application can be exploited not just by the cracker, but also by an agent working for the cracker.

Remember, you heard it here first!