Defaced UN Web Site

The United Nations web site [1] has been defaced this morning. (screenshot)

The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines:

Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war

(screenshot)

While most of us may agree with the message, many will object to the spelling, and specifically to the “dont” used instead of “don’t”.
There’s a technical reason for the missing apostrophe, though: messing with this very character (’) is part of the technique apparently used by the attackers.

As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection.
This is a very well-known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high-profile web site. [3]

If only prepared SQL statements were used properly*, this embarrassing incident would have been easily prevented.
And yes, prepared statements are available even in the very obsolete ASP “Classic” + ADODB Microsoft setup they’ve got. (screenshot)
*properly means strictly constant statement strings and type-checked bound parameters; see Roland Bouman’s comment and my answer below.
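As an added illustration of what “properly” means on the very stack the site runs (this is not code from the original post or from the U.N. site), here is an ASP “Classic” page that validates the request parameter, keeps the statement string constant and binds a typed parameter through ADODB.Command; the connection string, the sg_speeches table and its columns are assumptions.

```vbscript
<%
' Added example, not the original post's code. Connection string, table and
' column names are assumptions.
Option Explicit
' ADODB enumeration values (normally pulled in from adovbs.inc).
Const adCmdText = 1, adParamInput = 1, adInteger = 3

' The pattern to avoid: the request value is spliced into the SQL text, so a
' request such as ?id=148479' changes the statement instead of the data:
'   sql = "SELECT title, body FROM sg_speeches WHERE speech_id = " & Request("id")

Dim conn, cmd, rs, rawId, speechId, re
rawId = Request.QueryString("id")

' 1) Type check before the value goes anywhere near the RDBMS:
'    only 1 to 9 decimal digits are accepted, anything else is refused.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid speech id."
    Response.End
End If
speechId = CLng(rawId)

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("SpeechesConnString")   ' assumed: set in global.asa

' 2) Strictly constant statement string: the only variable part is the
'    placeholder, so the prepared plan really is reused across requests.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT title, body FROM sg_speeches WHERE speech_id = ?"
cmd.Prepared = True

' 3) Typed bound parameter: travels as an integer, never as SQL text, so quote
'    doubling, CHAR(39) and similar escapes have nothing to act on.
cmd.Parameters.Append cmd.CreateParameter("@speech_id", adInteger, adParamInput, , speechId)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No such speech."
Else
    ' Output encoding keeps stored content from becoming script in the page.
    Response.Write "<h1>" & Server.HTMLEncode(rs("title")) & "</h1>"
    Response.Write Server.HTMLEncode(rs("body"))
End If
rs.Close : conn.Close
%>
```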

I will write some other time about prepared statements and database layer security.
In the meanwhile, if you’re a planetary organization and you’re planning to cut the budget for the security training of your web developer staff, please dont… er… do not ;)

1. 12-AUG-2007, 15:20 UTC update:

The main link now says “temporarily unavailable due to scheduled(!) maintenance”, but the other ones should still work.

2. 12-AUG-2007, 17:20 UTC update:

The speeches have been restored as well, but you can still check this screenshot. Moreover, the hole seems not to be patched yet, thus the site could be defaced again at will: not the best order for fixing stuff, is it?

3. 13-AUG-2007, 06:00 UTC update:

U.N. staff put a patch to hide the most obvious vulnerability (the one linked here), but the flaw is still there and could be easily exploited again.
I won’t post any other hint for script kiddies here, but I’m submitting a report to the U.N. IT security staff under the RFPolicy and will keep you posted.

4. 13-AUG-2007, 16:00 UTC update:

It looks like not only is the hole at the main site still open, but some branches (e.g. UNEP, the UN Environment Programme) still bear the hacktivist mark. (screenshot)

More updates here »

64 Responses to “United Nations VS SQL Injections”

  1. #1 That guy... says:

    ‘; select ‘just checking’ from vulnerabilities; –’

    If you are going to dish it, you better be able to take it…

  2. #2 Giorgio says:

    @That guy…:
    you certainly know better than me that once you know a query parameter passes with an unescaped quote, plus make and model of the RDBMS in use (Microsoft SQL Server via ODBC), next steps are quite obvious ;)

  3. #3 Berita IT » Blog Archive » Website PBB Di-Deface says:

    […] Sumber: Hackademix.net […]

  4. #4 That guy... says:

    ‘; select ‘just checking’ from vulnerabilities; –’

  5. #5 Smile...! says:

    smile
    You are on Slashdot!
    http://rss.slashdot.org/~r/Slashdot/slashdot/~3/143394743/article.pl

  6. #6 Giorgio says:

    @That guy:
    sorry, didn’t notice yours were actual attempts to crack this site, rather than didactics about SQL injections.
    Please let WordPress guys know if you find something.
    The one above is the last comment of yours I moderate, though, because it would quickly get boring for other people.

  7. #7 Benevolent Tech » The Power of Hackers? says:

    […] website was hacked. While the site is in the process of being fixed, you can read more about it here. It’s interesting this happened a few days ago, because last week I was thinking about how a […]

  8. #8 Ysangkok says:

    I can’t believe they don’t shut it down. It’s still vulnerable!

  9. #9 Home of Göran Sandahl - Computers, Networks and Security » Why are website (in)security perticulary interesting? says:

    […] can and should be defended. This afternoon I was notified of the UN website hack. A relatively novel hack which used a very common and easily mitigated vulnerability, exploited using a SQL […]

  10. #10 Metagg says:

    Metagg is tracking this post

    Find out what Social News Sites are discussing this post over at metagg.com

  11. #11 wily says:

    ‘ OR 1=1”

    …damn.

    Oh well, worth a try. ;-)

  12. #12 big_needle says:

    ASP is not obsolete in any sense other than the fact it has been superseded, but new is not always the same as better. Personally I still think classic ASP (using JScript not VBScript) is far easier to work with, maintain and use than ASP.NET. The use of .NET won’t stop SQL injection attacks - that’s just rubbish coding done on the cheap by some outsourcer who either does not know or care about security. Desktop apps, well that’s a different kettle of fish - .NET FTW!

  13. #13 United Nations Website Hacked - ‘all the knowledge you can eat’ says:

    […] click here for more info […]

  14. #14 United nations…what a mess! « #define blog_name “b0fh” says:

    […] http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/ […]

  15. #15 » UN website is defaced via SQL Injection | Network Administrator | TechRepublic.com says:

    […] post over at hackademix.net notes the importance of the missing apostrophe.  This is a clue to the technique used by these attackers to deface the website.  What’s […]

  16. #16 My del.icio.us bookmarks for August 11th through August 12th » the billblog says:

    […] hackademix.net » United Nations VS SQL Injections - Lovely analysis - and sarcastic comment […]

  17. #17 El sitio web de la ONU ha sido Hackeado | xkod says:

    […] Source: Click here to go to the page ] [ More information: Click here to go to the page […]

  18. #18 Security News » So Easy even I could do it says:

    […] much above the “script kiddy” level.  So when I hear that the web site for the United Nations was hacked with a simple SQL injection attack, I’m more than a little surprised and annoyed.  This is the sort of attack even I could […]

  19. #19 United Nation’s Website, Hacked » SELaplana says:

    […] Hackademix reported that the United Nation’s official website was hacked and defaced. The hacker gained access to the said highly profiled website by simply using the technique called, “SQL injection”. […]

  20. #20 Roland Bouman says:

    Hi there,

    I think they do use prepared statements, look at this:

    ADODB.Recordset.1 error ‘80004005′

    SQLState: 37000
    Native Error Code: 8180
    SQLState: 37000
    Native Error Code: 156
    [MERANT][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword ‘database’.
    [MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.

    /apps/news/infocus/sgspeeches/search_results.asp, line 85

    “statement(s) could not be prepared”

    It is just that despite using prepared statements, they don’t use parameter placeholders ;)

  21. #21 Giorgio says:

    Hi Roland,

    It is just that despite using prepared statements, they don’t use parameter placeholders

    That’s exactly why I said “If only prepared SQL statements were used properly“.
    And it’s even worse than not using them at all: if you dynamically construct the SQL query by string concatenation (as they apparently do), you not only expose yourself to injection, but also decrease or neutralize the potential performance gain of preparing statements, while imposing a useless extra memory burden on the RDBMS.

  22. #22 christ1an says:

    Rofl, you did this? Funny :-)

    christ1an: check this, someone exploited a persistent xss vuln to demonstrate against some politics:
    http://www.un.org/apps/news/infocus/sgspeeches/
    christ1an: pretty cool
    Ryan Cartner: wow thats really cool

  23. #23 Giorgio says:

    Hi christ1an,
    welcome here!

    Was that an IRC conversation? which channel?

    On a side note, what about Planet? do I need to hit /. front page twice in a week to get your attention? ;)

  24. #24 Hubert Seiwert says:

    “There’s a technical reason for the missing apostrophe […]” I’m not going to try anything on the website (I don’t agree with linking directly to the vulnerable .ASP), however it’s normally not a problem to inject a ‘ character using char(39) on SQL Server or hex-escape 0×27 on MySQL.

  25. #25 Giorgio says:

    @Hubert Seiwert:
    you said

    it’s normally not a problem to inject a ‘ character using char(39) on SQL Server or hex-escape 0×27 on MySQL

    … or doubling the ' character to produce a ' on any SQL-92 compliant implementation, for that matter.
    But I hope you’ll concede that my apostrophe innuendo was quite an amusing narrative device…

  26. #26 SecAdmin says:

    Skip the vulnerability and its coders… the infrastructure should have been protected. That is… don’t they have budget for Intrusion Prevention Systems? If they have IPS… I wonder which one they are using so I know which one not to buy! I am not saying IPS provides the altruistic “silver bullet” for security… I am just saying that my IPS blocks this attack and I just expect theirs to do the same.

  27. #27 » Site-ul Natiunilor Unite a fost atacat de hackeri ( tehnologie ) says:

    […] Hackers attacked the official website of the United Nations, posting messages against the killing of children in war by the United States and Israel, right on the page reserved for the statements of the U.N. Secretary-General, Ban Ki-Moon. The cyberprotest ends with the message “No war”, and the signing group (”kerem125″, “Gsy” and “M0sted”) appears to be made up of Turkish hackers, the protesters’ nicknames also appearing on other attacked sites where they describe themselves as “Turkish defacers”. The attack was possible thanks to a technique, “SQL Injection“, which exploits a common security vulnerability of SQL databases. More about this type of attack, which the hackers call shameful for a site of the calibre of the official United Nations page, can be found here. […]

  28. #28 Liquidmatrix Security Digest » UN Owned By Hackers says:

    […] read somewhere that this was due to a XSS SQL injection attack but, as of this posting I was unable to find that reference again. So, take it for what it’s […]

  29. #29 Liquidmatrix Security Digest » Security Briefing: August 13th says:

    […] United Nations VS SQL Injections […]

  30. #30 Security Hub » Blog Archive » Site das Nações Unidas sofre deface says:

    […] The original news item was published here. […]

  31. #31 Robin Massart says:

    @comment #12

    “The use of .net won’t stop SQl injection attacks - that’s just rubbish coding done on the cheap by some outsourcer who either does not know or care about security”

    Actually it is more likely that this was created by someone internal - possibly not someone trained in Computer Science but someone who did of web development at home and got lumped with this job. But for such a large organisation this type of coding is shocking. Don’t they have code reviews? I imagine each department has its own IT guys and policies. Just shows you what a mess the UN is!!

    And as for accessibility, web standards and clarity of content. Jeeez…. this site is BAD!!!

  32. #32 hackathology says:

    Oh my …cking god! This is absolute classic and a disgrace to UN…

  33. #33 Security Tips » United Nations Website Defaced says:

    […] Hackademix blog cited the problem as a vulnerability to SQL injection […]

  34. #34 Mike C. says:

    Why does the U.N.’s Anonymous IIS user account have UPDATE privileges on their SQL Server? Makes you wonder what else you can do with their Anonymous IIS user account? TRUNCATE TABLE anyone?

  35. #35 The Click Heard Round the World says:

    UN website pwned by hacktivists over weekend

    CNET, Wired and the hackademix blog are reporting that the United Nations website was briefly hacked over the weekend by an international team of hackers exploiting a well known SQL weakness. Apparently, these hackers weren’t out to do damage or

  36. #36 Netmedia » Blog Archive » El lado oscuro de Internet says:

    […] politics of the hacks perpetrated on the Internet. The message left on the compromised site asked the United States and Israel to stop the killing of children. Last February, an organization that claimed responsibility for the intrusion into the site of the Commission of […]

  37. #37 Arvutikaitse » Blog Archive » Kallaletung ÜRO koduleheküljele says:

    […] A technical summary of the nature of the attack is given by Giorgio Maone. […]

  38. #38 SQL UNjection » Musings on Database Security says:

    […] UN’s website suffered an SQL injection over the weekend by hackers who defaced the homepage. According to this site the SQL injection […]

  39. #39 hackademix.net » U.N.PATCHED (or Can You Secure a Glass Palace?) says:

    […] United Nations VS SQL Injections 14 08 2007 […]

  40. #40 Laydo.net Webmaster Blog » Blog Archive » BİRLEŞMİŞ MİLLETLER VE SQL INJECTION says:

    […] According to the news on Hackademix, the United Nations site was hacked via SQL Injection. If I remember correctly, in 2003, on the evening of an SQL Injection seminar, around 500 sites in our country were hacked. Even though it has been on the agenda for a long time and is simple to protect against, injection negligence still continues. […]

  41. #41 Show and tell » the billblog says:

    […] Website defaced: How it was done: US data breach laws: Science and Technology Select Committee: Report: billthompson botnet […]

  42. #42 hackademix.net » SQL Injection Toy says:

    […] hole is still gaped by the way, no matter what the U.N. staffers said so far. As you may recall, I did offer a little free help to fix their bugs (13 AUG), but I’ve not been contacted back, notwithstanding some public […]

  43. #43 Bekle Bizi UN by Haber Yorumla says:

    […] I think this happened about a week ago; I haven’t had a chance to write about it. The official UN site has again been hacked by Turks via SQL Injection. Still seeing SQL Injection on sites like Microsoft, the UN, etc., especially very obvious SQL […]

  44. #44 sayit says:

    This is not first hack, check out here :http://www.zone-h.org/content/view/14039/30/

  45. #45 Security News » Virtual Patching During Incident Response: United Nations Defacement says:

    […] Injection vulnerability. A software developer named Giorgio Maone chronicled this incident on his Blog site. Maone partly deduced that SQL Injection was the likely attack vector by the missing […]

  46. #46 Fulippo says:

    It’s full of cases like that outside. Try to take a look at the Italian Marina Militare (Italian Navy) website. They use the URL as a sort of SQL client:

    Incredible. And they’re not alone, it seems to be a sort of ASP based CMS.

  47. #47 Giorgio says:

    Hi Fulippo,
    welcome here — been a long time ;)

    Yes, it’s full of this kind of stuff out there.
    The most incredible thing, though, is how a widely publicized case like this has been handled so far.
    They just tried to hide the most obvious exploitation sample, while the same resource is still fully vulnerable to the very same attack…

  48. #48 Fulippo says:

    Yeah, really long time.

    Giorgio you have to understand them, in the end it’s just a matter of quotes..

  49. #49 Azad says:

    hi boys

    i think this: /ecosoc/photos_detail.asp?nicaID=148479′

  50. #50 Giorgio says:

    @Azad:
    yes, that’s one of the many holes still open.

  51. #51 Madhu says:

    can you explain more in detail… about the SQL injection attack???… I plan to include this as an example of attacks in my thesis…..

  52. #52 kerems says:

    The vulnerability is not patched still. :)

  53. #53 AZAD says:

    guys !! who.int hacked

    http://www.searo.who.int/en/section1174/section1462/

    mirror : http://www.turk-h.org/defacement/view/188089/

  54. #54 Hackers Deface U.N. Web Site, Leave Political Message says:

    […] to try to hold off any further attacks. Giorgio Maone, an Italian software developer, «hackademix.net», posting screen shots of the […]

  55. #55 C.S.K says:

    @#43 since you wrote in Turkish, let us answer you in Turkish; your intention is actually quite obvious, but anyway :) Yes, it’s true that SQL Injection was done on the official UN site by Turks; I was personally at the scene, and if it happened again it would be done again.. Why don’t you tell us too about those obvious holes you see on microsoft ;)

  56. #56 Alanat Coop News » Hackers Deface U.N. Web Site, Leave Political Message says:

    […] Maone, an Italian software developer, «hackademix.net», posting screen shots of the […]

  57. #57 Hackers Deface U.N. Web Site, Leave Political Message | Alanat IT News says:

    […] Maone, an Italian software developer, «hackademix.net», posting screen shots of the […]

  58. #58 hackademix.net » United Nations, I Hate to Say I Told You So says:

    […] of my first Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather […]

  59. #59 hackademix.net » Mass Attack FAQ says:

    […] my previous coverage of similar incidents I also assumed a statistical/demographic reason for targeting IIS, since many ASP developers having […]

  60. #60 advance says:

    interesting article +1

  61. #61 IS YOUR NETWORK PROTECTED AGAINST WEB ATTACKS | Matthijssen Magazine says:

    […] [3] http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/ […]

  62. #62 Tort King says:

    LOL, NO ONE could hack my site. I do all the security myself. beatthecourt.com

  63. #63 Vinoth says:

    These kinds of attacks are more common now. A recent one is the Kaspersky official site attacked by SQL injection

  64. #64 UN Website defaced - What Jamie Found says:

    […] out the story at BBC: UN’s website breached by hackers, and for more detail at Hackademix: United Nations VS SQL Injections […]
