One of my early Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather than fixing their holes properly, the U.N. technicians deployed a pretty useless Web Application Firewall, masking the most obvious attack surface but keeping their sites just as vulnerable as before.

Now WebSense is reporting that both the United Nations and the UK Government have web pages affected by the infamous “Mass Malicious JavaScript Attack”, which has been spreading since January across thousands of sites, bombarding visitors with a chain of 8 client-side exploits triggered by an external script hosted on remote servers (e.g. www.nihaorr1.com).
These exploits leverage a Microsoft Internet Explorer 7 vulnerability patched last year (bad guys seem not to trust Windows Update’s effectiveness), “as well as [bugs in] other applications”. Well, since modern browsers embed a lot of “other applications” which are usually quite vulnerable, maybe a good idea (actually the only sane idea, other than reverting to Lynx) is switching to a safe web browser and — shameless plug(in) — making it even safer by preemptively blocking the execution of scripts and embedded content from any source you haven’t explicitly trusted. On a side note, Opera’s per-site web preferences couldn’t help in cases like these: the compromised site is probably among the ones you trust and allow to run scripts, so everything it embeds runs, the injected external script included. NoScript, instead, still blocks the external malicious code even if the main page is in your whitelist, because each script is judged by the host it is loaded from rather than by the page embedding it.
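The difference between a per-site whitelist and a per-script one, as an added example that is not part of the original post and is not NoScript’s or Opera’s own code: a simplified Python model that parses a constructed page, resolves where each script is fetched from, and applies the two policies. The trusted host trusted.example and the script filenames are assumptions; www.nihaorr1.com is the external host named above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site the user has whitelisted (an assumption for this example).
WHITELIST = {"trusted.example"}

PAGE_URL = "http://trusted.example/news.asp?a=1"

# Constructed page: the site's own script, a protocol-relative script from the
# same host, the injected external one (filename assumed), and an inline script.
PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="//trusted.example/js/stats.js"></script>
<script src="http://www.nihaorr1.com/evil.js"></script>
</head><body><script>init();</script></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the src of every <script> on a page and counts the inline ones."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self.inline += 1
        else:
            self.srcs.append(src)


def script_hosts(page_url, html):
    """Returns ([(src, host)], inline_count); relative and protocol-relative
    srcs are resolved against the host of the page that embeds them."""
    parser = ScriptCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    resolved = []
    for src in parser.srcs:
        host = urlparse(src).hostname or page_host
        resolved.append((src, host))
    return resolved, parser.inline


def site_policy(page_url, html, whitelist=WHITELIST):
    """Per-site model: once the page's host is trusted, everything it embeds runs,
    so a compromised trusted site also serves the injected external script."""
    page_trusted = urlparse(page_url).hostname in whitelist
    scripts, _ = script_hosts(page_url, html)
    decisions = {src: page_trusted for src, _ in scripts}
    decisions["<inline>"] = page_trusted
    return decisions


def per_script_policy(page_url, html, whitelist=WHITELIST):
    """Per-script model: each external script is judged by the host it is fetched
    from; inline code has no host of its own and follows the page's trust."""
    page_trusted = urlparse(page_url).hostname in whitelist
    scripts, _ = script_hosts(page_url, html)
    decisions = {src: (host in whitelist) for src, host in scripts}
    decisions["<inline>"] = page_trusted
    return decisions


if __name__ == "__main__":
    for name, policy in (("per-site", site_policy), ("per-script", per_script_policy)):
        print(name)
        for src, allowed in policy(PAGE_URL, PAGE).items():
            print("  %-40s %s" % (src, "run" if allowed else "BLOCK"))
```

Under the per-site model every entry comes back allowed; under the per-script model only the script loaded from www.nihaorr1.com is blocked, while the site’s own scripts (relative, protocol-relative and inline) still run.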

As previously explained by SANS, the <script> tag importing the malicious JavaScript code is inserted into the victim web pages through trivial SQL injection vulnerabilities: the tag is appended to text fields in the back-end database, so every page rendering those fields serves it. The holes are so trivial that an automated tool has been used to find vulnerable sites through Google and infect them with the payload.
The default search pattern of this tool is inurl:".asp" inurl:"a=" (in English, “those web pages developed with Microsoft Active Server Pages technology and accepting query string parameters”; strictly, a= matches any URL whose query string carries a parameter name ending in a, but the intent is the same). Unsurprisingly, this profile matches the original, still unpatched U.N. SQL injection; as I already said when reporting the first incident, I believe crackers primarily target ASP sites (even though they are relatively few nowadays) because of the poor coding standards often shown by ASP coders, who usually have a Visual Basic desktop programming background and are less aware of web application security.

At any rate, some simple googling reveals that some U.N. sites are still infected, while UK Government sites have been “cleaned up”.
The sad truth, though, is that even those “clean” sites are still vulnerable, hence they could be reinfected at any time: stripping the injected tag from the database restores the pages but fixes nothing, and the same request that planted it will work again tomorrow. Some people just never learn…

12 Responses to “United Nations, I Hate to Say I Told You So”

  1. #1 hanna cho says:

    I wonder why an organization like the UN would make a stupid decision

  2. #2 me says:

    It appears that the events, although they live on in the google cache, have been removed from the UN.org site.

  3. #3 Giorgio says:

    @me:
    should we republish those events back? You know that we could ;)

  4. #4 redlab says:

    It’s prolly just all politics. I wouldn’t be surprised that they have to fill in a form and twenty copies and send it to each member of the UN for approval before anything can be changed on the site’s code. (at least that’s what they do in the EU)

  5. #5 hackademix.net » Mass Attack FAQ says:

    […] United Nations, I Hate to Say I Told You So 26 04 2008 […]

  6. #6 Offbeatmammal says:

    at least the current nihaorr1 attack is easy to remove once you know you’re infected - http://tinyurl.com/6g2a95 - but in this day and age anyone maintaining a site open to this sort of attack really does need to spend some time and money on a code and security review!

  7. #7 Giorgio says:

    @Offbeatmammal:
    I couldn’t actually see any removal instruction in your post (but I may be blind).
    Anyway I posted some disaster recovery advice for affected IIS administrators yesterday.

  8. #8 Offbeatmammal says:

    Hey Giorgio - sorry, should have been clearer … I’d added the "fix" as a comment to my original post (wasn’t at home and hate using the web interface to edit posts but pasting into disqus was easy!)
    our solutions look functionally the same - I suspect yours is more elegant/reliable (it’s been a while since I did much development in the real world)

    ironically I first found (and started following) your site a while ago when trying to explain to some folks in a previous job why security actually mattered… this has gone to prove that they should have listened a bit more at the time!

  9. #9 m3rlin23 says:

    It is true, the UN have done nothing to secure their database. It took me no more than a few minutes using a simple perl script to enumerate every column of every table of quite a few of their databases. We know the sql username, server type, hostname etc. I am always harassing our web developers at work over sloppy input validation but they design sites for small web startups. This is the UN for Christ’s sake!

  10. #10 NH says:

    Um and your point is?

    If any site should be hacked it’s the UN. They are the enemies of the USA.

    Why would you want to help our mortal enemies?

    Third world Marxists and despots, looking to conquer the world.

    I guess if they can’t even run a website, I have hope for our freedom.

  11. #11 Giorgio says:

    @NH:
    OMG Commies!
    Department of Hacked Security to the rescue…

  12. #12 hackademix.net » PayPal XSSed, Redmondmag.com SQL Injected says:

    […] the party of the ASP/MS SQL Server sites SQL Injected to serve JavaScript malware. Considering the wide coverage this epidemics enjoyed in the past week, I wonder what a “Certified Professional” […]
