Security Issues in most public Private Servers
Discussion on Security Issues in most public Private Servers within the DarkOrbit forum part of the Browsergames category.
#1 (12/11/2013, 08:30)
Greetings Mortals!
Hope you are all well this festive season.
I decided to audit some "publicly" available backpage releases for security issues and was surprised by how many public servers were actually running these epically flawed packages. I'd like to disclose this now before I start: I WILL NOT BE RELEASING ANY INFORMATION ABOUT THE SECURITY ISSUES OR DATA RETRIEVED EXCEPT TO THOSE WHO RUN EACH INDIVIDUAL SERVER. In case the bold red words still didn't get it across to you, leave now, or I will hurt you.
Icon8
Let's start with the Icon8 project, which, according to some open web audits, around 75% of private servers are running or are based on, including LightOrbit, SkyUniverse and other big-name servers.
Icon8 not only suffers from massive numbers of SQL injection holes, but also does nothing to defend against them. Along with that there are numerous issues with the configuration it comes with, and the actual GameServer itself is flawed in that you can actually SQL inject the GAME SERVER itself for information (second-order attack). Need proof? Like I said, I'm not disclosing any private information here, nor am I going to show you how to do it, but I will point out some things so you can fix it if you wish to do so.
Let's start with the way Icon8 handles SQL injection prevention. Some extracts from its source code show two methods of sanitization: `GetSQLValueString` and `addslashes`. Both are extremely easy to bypass with a bug in character encoding. magic_quotes_gpc is not meant for SQL sanitization either and is just as easy to bypass. This is the only protection used to sanitize EVERYTHING that comes from the user, and it is poor. It gets worse, as there are numerous places where there is no protection at all! Take a look here:
externalSignup.php: Lines 6-12
PHP Code:
$MM_flag = "MM_insert";
if (isset($_POST[$MM_flag])) {
    // User-controlled POST value concatenated straight into the query text (the injection point)
    $loginUsername = $_POST['signup_username'];
    $LoginRS__query = "SELECT usuario FROM cuentas WHERE usuario='" . $loginUsername . "'";
    mysql_select_db($database_DO, $DO);
    // "or die(mysql_error())" echoes the raw MySQL error to the visitor whenever the query fails
    $LoginRS = mysql_query($LoginRS__query, $DO) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
A simple error-based MySQL injection could easily exploit this due to two things. First, they use a POST parameter directly in a query, and second, they `or die` the query, meaning that any error in the query will be printed plain for everyone to see when they try to sign up.
Then you have Time-based SQL exploitation in SkyUniverse's "buy.php" script.
For those of you who don't believe it or need more motivation to actually fix it... here is some table schema I dumped from SkyUniverse (Sorry Requi for using you as an example):
Code:
8 tables -
+------------+
| accounts |
| clans |
| maps |
| ranks |
| servers |
| settings |
| ships |
| useronline |
+------------+
accounts.csv -
id,uridium,ep,pi,hp,gfx,pos,sex,age,lvl,rank,ship,maps,mun2,city,mun1,clan,speed,cargo,hpMax,files,slot4,title,honor,shield,drones,skylab,lastIP,petlvl,config,petname,jackpot,premium,credits,configs,fraction,cargoMax,password,username,interests,bootykeys,shieldMax,inventario,cario,createdate,teihfactory,jump_voucher,ultimaConexion,repair_voucher,status_message
Like I said, I managed to dump almost 50% of their database (it glitched out after their DB died), but those details won't be published here.
More details on other backpage packages will be added here when I get the time to look over them.
Fixing this is reasonably easy, to be honest. I'm not gonna teach you how to do decent sanitization of EVERYTHING, but I will show you how to do MySQL sanitization to stop 99.99% of all SQL injections (the rest are unknown 0days :P). For starters, in Icon8, wherever you use a variable in a query, escape it with the official escaping function, not some makeshift mismatch of other PHP functions. `mysql_real_escape_string` is there for a reason! An example of how to fix the above injection?
PHP Code:
$MM_flag = "MM_insert";
if (isset($_POST[$MM_flag])) {
    // Escape with the MySQL client library, against the same connection the query will run on
    $loginUsername = mysql_real_escape_string($_POST['signup_username'], $DO);
    $LoginRS__query = "SELECT usuario FROM cuentas WHERE usuario='" . $loginUsername . "'";
    mysql_select_db($database_DO, $DO);
    // Suppress the error output: a failed query must never print mysql_error() to the visitor
    $LoginRS = @mysql_query($LoginRS__query, $DO);
    if ($LoginRS === false) {
        // Log server-side and stop, so mysql_num_rows() is never called on a false result
        error_log('signup lookup failed: ' . mysql_error($DO));
        exit('Signup is temporarily unavailable.');
    }
    $loginFoundUser = mysql_num_rows($LoginRS);
This prevents error messages from giving away information on your queries AND protects against any SQL injection in the 'signup_username' parameter. I also suggest replacing every single one of these:
PHP Code:
(get_magic_quotes_gpc()) ? $_SESSION['MM_Username'] : addslashes($_SESSION['MM_Username'])
with this:
PHP Code:
mysql_real_escape_string($_SESSION['MM_Username'])
(Obviously don't just do it for $_SESSION['MM_Username'], but do it anywhere you see get_magic_quotes_gpc and addslashes.)
You can also replace every single GetSQLValueString with mysql_real_escape_string.
I suggest you change your password for any accounts where the password is the same as one you have used on any private server; you don't know who has access to it... and the fact that Icon8 uses unsalted MD5 hashes for passwords simply adds to the security issues.
-jD
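The same externalSignup.php lookup written with a PDO prepared statement, as an added example that is not Icon8's code or the poster's own fix: the username is bound as a parameter rather than escaped into the SQL text, and query failures are logged instead of echoed. The DSN, credentials, the 3-20 character username rule and the messages are assumptions; the cuentas/usuario names come from the query quoted above.

```php
<?php
// Added example, not Icon8's or the poster's code: the externalSignup.php
// username lookup with a PDO prepared statement. The input travels as a bound
// parameter, never as part of the SQL text, so quoting bugs cannot change the
// query. DSN, credentials, username rule and messages are placeholders.
$dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
try {
    $db = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', array(
        // Throw on failure instead of returning false, so errors are handled
        // in one place and nothing like mysql_error() reaches the browser.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: query text and values are sent separately.
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
} catch (PDOException $e) {
    error_log('signup: db connect failed: ' . $e->getMessage());
    exit('Signup is temporarily unavailable.');
}

$MM_flag = "MM_insert";
if (isset($_POST[$MM_flag])) {
    $loginUsername = isset($_POST['signup_username']) ? (string) $_POST['signup_username'] : '';

    // Validate the shape first (assumed rule): anything that is not a plain
    // 3-20 character identifier is rejected before the database is involved.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $loginUsername)) {
        exit('Invalid username.');
    }

    try {
        $stmt = $db->prepare('SELECT usuario FROM cuentas WHERE usuario = :u');
        $stmt->execute(array(':u' => $loginUsername));
        // fetchColumn() returns false when no row matched
        $loginFoundUser = ($stmt->fetchColumn() !== false);
    } catch (PDOException $e) {
        // Full detail goes to the server log; the visitor sees a generic line.
        error_log('signup: lookup failed: ' . $e->getMessage());
        exit('Signup is temporarily unavailable.');
    }

    if ($loginFoundUser) {
        exit('That username is already taken.');
    }
    // ... continue with account creation
}
```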
#2 (12/11/2013, 08:38)
Thumbs up jD, I hope some of the servers see this as a wake-up call to start redoing the coding of their websites.
Best regards, RQ
#3 (12/11/2013, 08:46)
DrSkyfall, I see your thanks
Just to let you know, there were numerous other issues with LightOrbit that weren't directly related to SQL Injection... PM me if you want more details...
Also, not sure if you took your site down because you saw me auditing it or if it legit crashed :P
-jD
#4 (12/11/2013, 08:56)
Yeah, it's an automatic system when someone tries to SQL inject LightOrbit.
No, just kidding, I got some problems with nice Russian hackers, I just killed the webserver, so you are just unlucky xD.
Yeah, I will PM you.
I think I'll use OOP and PDO soon ..
#Edit: Did you get access to my dedicated server with these? I'm really mad right now, another guy got my FTP, DB and Webserver password today. I don't know if it's about the same problem that you have seen.
How did you do that?
[02:38:57]  Do we know each other? wtf
[02:39:26] skype: I made that
[02:39:31] skype: We made that
[02:39:50]  Do I know you or not?
[02:40:25] skype: No. I'm not one of your haters, u dont know me and i dont know u.
[02:41:24]  So I need to know how to fix that. Is it possible for everyone to do it?
[02:42:25] skype: No. Its possible if u have very big skills in hacking and web-site coding
[02:43:19]  Ok so you got access from FTP, nothing else, you got files from my dedicated server by bypassing the FileZilla directory limitation?
[02:44:12] skype: No. We got full access to your dedicated servers, filezilla, dbs.
And we got all files.
[02:45:40]  Ok, is it possible to fix? My dedicated server is a Windows emulated on a Linux one, is that where the problem is?
[02:50:14]  And just like that? Why do you need these files? They already exist on some undergrounds.
[02:51:54] skype: I know that your windows server emulated.
Well u have 7 days to pay, and then all files will not be released.
And we will tell u how to fix that bug.
And i just want to tell you that we have all files from all your servers, different versions (old and new).
[02:58:25 | Edited (02:58:49)] skype: Good bye. Deadline 12\18\2013 in 10:00
DrS.
#5 (12/11/2013, 09:45)
Quote:
Originally Posted by DrSkyfall
Yeah, it's an automatic system when someone tries to SQL inject LightOrbit.
No, just kidding, I got some problems with nice Russian hackers, I just killed the webserver, so you are just unlucky xD.
Yeah, I will PM you.
I think I'll use OOP and PDO soon ..
#Edit: Did you get access to my dedicated server with these? I'm really mad right now, another guy got my FTP, DB and Webserver password today. I don't know if it's about the same problem that you have seen.
How did you do that?
[02:38:57]  Do we know each other? wtf
[02:39:26] skype: I made that
[02:39:31] skype: We made that
[02:39:50]  Do I know you or not?
[02:40:25] skype: No. I'm not one of your haters, u dont know me and i dont know u.
[02:41:24]  So I need to know how to fix that. Is it possible for everyone to do it?
[02:42:25] skype: No. Its possible if u have very big skills in hacking and web-site coding
[02:43:19]  Ok so you got access from FTP, nothing else, you got files from my dedicated server by bypassing the FileZilla directory limitation?
[02:44:12] skype: No. We got full access to your dedicated servers, filezilla, dbs.
And we got all files.
[02:45:40]  Ok, is it possible to fix? My dedicated server is a Windows emulated on a Linux one, is that where the problem is?
[02:50:14]  And just like that? Why do you need these files? They already exist on some undergrounds.
[02:51:54] skype: I know that your windows server emulated.
Well u have 7 days to pay, and then all files will not be released.
And we will tell u how to fix that bug.
And i just want to tell you that we have all files from all your servers, different versions (old and new).
[02:58:25 | Edited (02:58:49)] skype: Good bye. Deadline 12\18\2013 in 10:00
DrS.
Don't pay him. Ask him for proof that he has them, because from what I saw, there isn't any way to exploit that.
-jD
#6 (12/11/2013, 09:53)
Yeah, I won't, but he sent me a picture with all my work, vhosts, servers, emulator source, ******* crazy. If it's not about an exploit of the website, it's about the fact that my dedicated server was a Windows emulated on Linux..
500 Euros for files that cost me less than half that..
All Epvp guys will be happy to see the PvpU Source thread in 7 days ...
DrS.
#7 (12/11/2013, 10:22)
Was it really needed to use SU?
Well, I didn't give a look for injections yet, and the buy.php shouldn't exist anymore. Thought I deleted it, because I'm going to code it on my own.
But thank you for all this.
Edit: And you forgot that SU won't use such crappy emus as icon8 and azure.
#8 (12/11/2013, 13:57)
The main important thing is the server.
The website should also have protection against SQL injection. It can be easily hacked if you don't know how to use POST, REQUEST and others. You must know PHP and SQL programming to know what to do.
As I can see, you are talking only about the website. I think because they use the same servers, and that's why you don't talk about the server application.
#9 (12/11/2013, 14:54)
Hey thx jD, I made a fix for the passwords. Would you like to link it in your thread?
#10 (12/11/2013, 15:32)
There are tons more work on the website part.
P.S. endless, in the password encryption why do you use md5 and not sha1?
I am not saying it's wrong or that sha1 is better, I just want to know because maybe I am making mistakes in using them. I don't argue with you, just a question ;d .
P.S2. jD, why don't you use PDO or mysqli? I prefer mysqli because PDO is a little bit hard for me but .. Again, that's not an argument, just a question.
P.S3. Highly recommend you DON'T use $_REQUEST. Or don't use it if you don't know what it does.
#11 (12/11/2013, 15:38)
Quote:
Originally Posted by CrazyLazyGuy
P.S. endless ... why do you use md5 and not sha1?
it's safe enough.. it's not worth the work to decrypt ^^ (in fact it's almost impossible even with good rainbow-tables..)
#12 (12/11/2013, 22:09)
Have you found any exploits on  ? Just to let me know.
#13 (12/11/2013, 22:31)
Nice thread, are you going to add aurora-azure security holes? Just wondering.
I know some not important ones, could you see  when you have free time?
#14 (12/11/2013, 22:54)
Quote:
Originally Posted by CrazyLazyGuy
There are tons more work on the website part.
P.S. endless, in the password encryption why do you use md5 and not sha1?
I am not saying it's wrong or that sha1 is better, I just want to know because maybe I am making mistakes in using them. I don't argue with you, just a question ;d .
P.S2. jD, why don't you use PDO or mysqli? I prefer mysqli because PDO is a little bit hard for me but .. Again, that's not an argument, just a question.
P.S3. Highly recommend you DON'T use $_REQUEST. Or don't use it if you don't know what it does.
1. You shouldn't be using MD5 or SHA1; bcrypt is the industry standard these days, as MD5/SHA1 can be brute-forced pretty quickly!
2. I do use PDO, however I was offering an easy and simple solution without having to give a tutorial on PDO.
3. Yes. $_REQUEST opens up holes in parameter substitutions :P
-jD
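An added example of the bcrypt advice in point 1 (not Icon8's or jD's code): passwords are stored with password_hash()/password_verify() (PHP 5.5+; hash_equals() is PHP 5.6+), and the unsalted MD5 rows the first post describes are upgraded to bcrypt on the user's next successful login. It assumes a PDO connection $db with exceptions enabled, and that the hash sits in a column named password on the cuentas table (the column name is an assumption).

```php
<?php
// Added example, not Icon8's code: bcrypt via password_hash()/password_verify()
// (PHP 5.5+; hash_equals() is PHP 5.6+) with transparent upgrade of legacy
// unsalted MD5 rows. Assumes a PDO connection $db using ERRMODE_EXCEPTION and
// a `password` column on the `cuentas` table (the column name is an assumption).
define('PW_COST', 12);  // bcrypt work factor; raise it as hardware gets faster

function hash_new_password($plain) {
    // bcrypt with a fresh random salt generated by PHP for every password
    return password_hash($plain, PASSWORD_BCRYPT, array('cost' => PW_COST));
}

function store_password(PDO $db, $username, $hash) {
    $up = $db->prepare('UPDATE cuentas SET password = :h WHERE usuario = :u');
    $up->execute(array(':h' => $hash, ':u' => $username));
}

// Returns true on a correct password; false for an unknown user or a mismatch.
function verify_and_migrate(PDO $db, $username, $plain) {
    $stmt = $db->prepare('SELECT password FROM cuentas WHERE usuario = :u');
    $stmt->execute(array(':u' => $username));
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }

    // Legacy row: 32 hex chars is an unsalted MD5 digest, not a bcrypt string.
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        if (!hash_equals(strtolower($stored), md5($plain))) {
            return false;
        }
        // Correct password: replace the MD5 digest with bcrypt right now, so
        // the weak hash disappears from the table as users log in.
        store_password($db, $username, hash_new_password($plain));
        return true;
    }

    if (!password_verify($plain, $stored)) {
        return false;
    }
    // Re-hash if the row was created with a lower cost than PW_COST.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => PW_COST))) {
        store_password($db, $username, hash_new_password($plain));
    }
    return true;
}
```

New signups go through hash_new_password() only; the MD5 branch exists solely to drain the old rows without forcing a password reset on everyone.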
#15 (12/11/2013, 23:12)
Quote:
Originally Posted by cryz35
Nice thread, are you going to add aurora-azure security holes? Just wondering.
I know some not important ones, could you see  when you have free time?
Your website is vulnerable, I can dump every database.
Quote:
information_schema
cdcol
chatserver
mysql
newdo
    Quote:
    users
    ships_designs
    ships
    servers
    server_galaxygate
    server_1_players_galaxygate
    server_1_players
    rank
    online
    maps
    equipment
    ekipman
    clannews
    clan
performance_schema
phpmyadmin
test
webauth
I can even access accounts by decrypting the md5 hash...