The United Nations web site [1] has been defaced this morning. (screenshot)
The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines:
Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey İsrail and Usa
dont kill children and other people
Peace for ever
No war
screenshot
While most of us may agree with the message, many will object to the spelling, and specifically to the "dont" used instead of "don't".
There's a technical reason for the missing apostrophe, though: messing with this very character (') is part of the technique apparently used by the attackers.
As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection.
This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile web site. [3]
If only prepared SQL statements were used properly*, this embarrassing incident would have been easily prevented.
And yes, prepared statements are available even in the very obsolete ASP "Classic" + ADODB Microsoft setup they've got. (screenshot)
* Properly means: strictly constant statement strings (no request data ever concatenated into the SQL text) and type-checked bound parameters for every value; see Roland Bouman's comment and my answer below.
I will write some other time about prepared statements and database layer security.
In the meanwhile, if you're a planetary organization and you're planning to cut the budget for the security training of your web development staff, please dont... er... do not ;)
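To make the footnote concrete, here is an added example (mine, not code from the original post or from the U.N. site): the concatenation pattern behind the defacement beside the properly parameterized version. It uses Python's sqlite3 as a stand-in for the SQL Server/ODBC backend, and the speeches table, its rows and the function names are constructed for illustration. Besides the apostrophe trick it also covers the numeric case, where a value spliced in unquoted needs no quote at all and quote-escaping is no defence, which is why bound parameters must be type-checked as well.

```python
import sqlite3

# Added example: SQLite stands in for the SQL Server/ODBC backend of the post;
# the table, columns and rows below are constructed for illustration.
SAMPLE_DB_SQL = """
CREATE TABLE speeches (
    id        INTEGER PRIMARY KEY,
    title     TEXT NOT NULL,
    published INTEGER NOT NULL
);
INSERT INTO speeches VALUES (1, 'Remarks on peacekeeping', 1);
INSERT INTO speeches VALUES (2, 'Statement on climate change', 1);
INSERT INTO speeches VALUES (3, 'Draft remarks (embargoed)', 0);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DB_SQL)
    return conn


def titles(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


# --- the pattern behind the defacement: request data spliced into the SQL text ---

def search_vulnerable(conn, keyword):
    # The keyword becomes part of the statement text. A stray ' unbalances the
    # literal (the "Incorrect syntax" error seen on the site) and a crafted one
    # rewrites the query. Handing this string to a prepare() call changes
    # nothing: the statement is already wrong before the RDBMS sees it.
    sql = ("SELECT title FROM speeches "
           "WHERE published = 1 AND title LIKE '%" + keyword + "%'")
    return titles(conn, sql)


def detail_vulnerable(conn, raw_id):
    # Numeric context: the value is spliced in unquoted, so an attacker needs
    # no apostrophe at all to alter the WHERE clause.
    sql = "SELECT title FROM speeches WHERE id = " + raw_id
    return titles(conn, sql)


def detail_escaped(conn, raw_id):
    # Doubling quotes (the SQL-92 escape) only protects quoted string literals;
    # in a numeric context it is useless, so escaping alone is the wrong fix.
    sql = "SELECT title FROM speeches WHERE id = " + raw_id.replace("'", "''")
    return titles(conn, sql)


# --- the fix: constant statement text plus type-checked bound parameters ---

SEARCH_SQL = "SELECT title FROM speeches WHERE published = 1 AND title LIKE ?"
DETAIL_SQL = "SELECT title FROM speeches WHERE id = ?"


def search_safe(conn, keyword):
    if not isinstance(keyword, str):
        raise TypeError("keyword must be a string")
    # The SQL text is a constant; the value travels separately as a parameter,
    # so ' and -- inside it are just characters to match.
    return titles(conn, SEARCH_SQL, ("%" + keyword + "%",))


def detail_safe(conn, raw_id):
    # Reject anything that is not an integer before it gets near the RDBMS;
    # both "1 OR 1=1" and "148479'" fail here.
    try:
        speech_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return titles(conn, DETAIL_SQL, (speech_id,))


def raises_sql_error(fn, *args):
    # Demo helper: True when the RDBMS rejects the statement text.
    try:
        fn(*args)
    except sqlite3.OperationalError:
        return True
    return False


def rejects_input(fn, *args):
    # Demo helper: True when our own type check refuses the input.
    try:
        fn(*args)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print(search_vulnerable(db, "peace"))                    # legitimate use works
    print(raises_sql_error(search_vulnerable, db, "don't"))  # True: the apostrophe breaks the query
    print(search_vulnerable(db, "%' OR 1=1 --"))             # every row, embargoed draft included
    print(search_safe(db, "%' OR 1=1 --"))                   # []: the payload is just a pattern
    print(detail_vulnerable(db, "1 OR 1=1"))                 # every row, no quote needed
    print(raises_sql_error(detail_escaped, db, "1 OR 1=1"))  # False: escaping did not help
    print(rejects_input(detail_safe, db, "148479'"))         # True: refused before reaching the RDBMS
```

Run the module to see the two halves side by side. In the ASP Classic + ADODB setting of the post the same discipline is an ADODB.Command whose CommandText is a constant string with ? placeholders and whose values are supplied through Parameters.Append(CreateParameter(...)) with an explicit type, never through string concatenation.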
1. 12-AUG-2007, 15:20 UTC update:
The main link now says "temporarily unavailable due to scheduled(!) maintenance", but the other ones should still work.
[back]
2. 12-AUG-2007, 17:20 UTC update:
The speeches have been restored as well, but you can still check this screenshot. Moreover, the hole does not seem to be patched yet, so the site could be defaced again at will: not the best order for fixing stuff, is it?
[back]
3. 13-AUG-2007, 06:00 UTC update:
U.N. staff deployed a patch that hides the most obvious symptom (the URL linked here), but the flaw itself is still there and could easily be exploited again.
I won't post any other hint for script kiddies here, but I'm submitting a report to the U.N. IT security staff under the RFPolicy and will keep you posted.
[back]
4. 13-AUG-2007, 16:00 UTC update:
Not only is the hole at the main site still open, but some branches (e.g. UNEP, the UN Environment Programme) still bear the hacktivists' mark. (screenshot)
August 12th, 2007 at 4:06 pm
If you are going to dish it, you better be able to take it...
August 12th, 2007 at 4:26 pm
@That guy...:
you certainly know better than me that once you know a query parameter passes with an unescaped quote, plus the make and model of the RDBMS in use (Microsoft SQL Server via ODBC), the next steps are quite obvious ;)
August 12th, 2007 at 4:36 pm
[...] Source: Hackademix.net [...]
August 12th, 2007 at 4:36 pm
'; select 'just checking' from vulnerabilities; --'
August 12th, 2007 at 4:44 pm
smile
You are on Slashdot!
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/143394743/article.pl
August 12th, 2007 at 4:46 pm
@That guy:
sorry, didn't notice yours were actual attempts to crack this site, rather than didactics about SQL injections.
Please let WordPress guys know if you find something.
The one above is the last comment of yours I moderate, though, because it would quickly get boring for other people.
August 12th, 2007 at 5:32 pm
[...] website was hacked. While the site is in the process of being fixed, you can read more about it here. It’s interesting this happened a few days ago, because last week I was thinking about how a [...]
August 12th, 2007 at 5:48 pm
I can't believe they don't shut it down. It's still vulnerable!
August 12th, 2007 at 6:36 pm
[...] can and should be defended. This afternoon I was notified of the UN website hack. A relatively novel hack which used a very common and easily mitigated vulnerability, exploited using a SQL [...]
August 12th, 2007 at 7:18 pm
Metagg is tracking this post
Find out what Social News Sites are discussing this post over at metagg.com
August 12th, 2007 at 8:17 pm
' OR 1=1''
...damn.
Oh well, worth a try. ;-)
August 12th, 2007 at 8:46 pm
ASP is not obsolete in any sense other than the fact it has been superseded, but new is not always the same as better. Personally I still think classic asp (using JScript not VBScript) is far easier to work with, maintain and use than asp.net. The use of .net won't stop SQL injection attacks - that's just rubbish coding done on the cheap by some outsourcer who either does not know or care about security. Desktop apps, well that's a different kettle of fish - .net FTW!
August 12th, 2007 at 10:01 pm
[...] http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/ [...]
August 12th, 2007 at 10:18 pm
[...] post over at hackademix.net notes the importance of the missing apostrophe. This is a clue to the technique used by these attackers to deface the website. What’s [...]
August 12th, 2007 at 10:28 pm
[...] hackademix.net » United Nations VS SQL Injections - Lovely analysis - and sarcastic comment [...]
August 13th, 2007 at 1:10 am
[...] Source: Click here to go to the page ] [ More information: Click here to go to the page [...]
August 13th, 2007 at 3:37 am
[...] much above the “script kiddy” level. So when I hear that the web site for the United Nations was hacked with a simple SQL injection attack, I’m more than a little surprised and annoyed. This is the sort of attack even I could [...]
August 13th, 2007 at 3:58 am
[...] Hackademix reported that the United Nations' official website was hacked and defaced. The hacker gained access to the said high-profile website by simply using the technique called "SQL injection". [...]
August 13th, 2007 at 6:24 am
Hi there,
I think they do use prepared statements, look at this:
ADODB.Recordset.1 error '80004005'
SQLState: 37000
Native Error Code: 8180
SQLState: 37000
Native Error Code: 156
[MERANT][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'database'.
[MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
/apps/news/infocus/sgspeeches/search_results.asp, line 85
"statement(s) could not be prepared"
It is just that despite using prepared statements, they don't use parameter placeholders ;)
August 13th, 2007 at 6:46 am
Hi Roland,
That's exactly why I said "If only prepared SQL statements were used properly".
And it's even worse than not using them at all: if you dynamically construct the SQL query by string concatenation (as they apparently do), you not only expose yourself to injection, but also decrease or neutralize the potential performance gain of preparing statements, while imposing a useless extra memory burden on the RDBMS.
August 13th, 2007 at 7:03 am
Rofl, you did this? Funny :-)
christ1an: check this, someone exploited a persistent xss vuln to demonstrate against some politics:
http://www.un.org/apps/news/infocus/sgspeeches/
christ1an: pretty cool
Ryan Cartner: wow thats really cool
August 13th, 2007 at 7:20 am
Hi christ1an,
welcome here!
Was that an IRC conversation? which channel?
On a side note, what about Planet? do I need to hit /. front page twice in a week to get your attention? ;)
August 13th, 2007 at 7:34 am
"There’s a technical reason for the missing apostrophe [...]" I'm not going to try anything on the website (I don't agree with linking directly to the vulnerable .ASP), however it's normally not a problem to inject a ' character using char(39) on SQL Server or hex-escape 0x27 on MySQL.
August 13th, 2007 at 7:47 am
@Hubert Seiwert:
you said [...]
... or doubling the ' character to produce a '' on any SQL-92 compliant implementation, for that matter.
But I hope you'll concede that my apostrophe innuendo was quite an amusing narrative device...
August 13th, 2007 at 9:00 am
Skip the vulnerability and its coders... the infrastructure should have been protected. That is... don't they have budget for Intrusion Prevention Systems? If they have IPS... I wonder which one they are using so I know which one not to buy! I am not saying IPS provides the altruistic "silver bullet" for security... I am just saying that my IPS blocks this attack and I just expect theirs to do the same.
August 13th, 2007 at 9:27 am
[...] Hackers attacked the official United Nations site, posting messages against the killing of children in war by the United States and Israel, right on the page reserved for the statements of the U.N. Secretary-General, Ban Ki-Moon. The cyber-protest ends with the message "No war", and the signing group ("kerem125", "Gsy" and "M0sted") appears to be made up of Turkish hackers, the protesters' nicknames also appearing on other attacked sites where they describe themselves as "Turkish defacers". The attack was possible thanks to a technique, "SQL Injection", which exploits a common security vulnerability of SQL databases. More about this type of attack, described by hackers as shameful for a site of the calibre of the official United Nations page, can be found here. [...]
August 13th, 2007 at 10:32 am
[...] read somewhere that this was due to a XSS SQL injection attack but, as of this posting I was unable to find that reference again. So, take it for what it’s [...]
August 13th, 2007 at 10:45 am
[...] United Nations VS SQL Injections [...]
August 13th, 2007 at 11:24 am
[...] The original news item was published here. [...]
August 13th, 2007 at 12:05 pm
@comment #12
"The use of .net won’t stop SQL injection attacks - that’s just rubbish coding done on the cheap by some outsourcer who either does not know or care about security"
Actually it is more likely that this was created by someone internal - possibly not someone trained in Computer Science but someone who did some web development at home and got lumped with this job. But for such a large organisation this type of coding is shocking. Don't they have code reviews? I imagine each department has its own IT guys and policies. Just shows you what a mess the UN is!!
And as for accessibility, web standards and clarity of content. Jeeez.... this site is BAD!!!
August 13th, 2007 at 12:55 pm
Oh my ...cking god! This is absolute classic and a disgrace to UN...
August 13th, 2007 at 1:09 pm
[...] Hackademix blog cited the problem as a vulnerability to SQL injection [...]
August 13th, 2007 at 1:16 pm
Why does the U.N.'s Anonymous IIS user account have UPDATE privileges on their SQL Server? Makes you wonder what else you can do with their Anonymous IIS user account? TRUNCATE TABLE anyone?
August 13th, 2007 at 6:56 pm
UN website pwned by hacktivists over weekend
CNET, Wired and the hackademix blog are reporting that the United Nations website was briefly hacked over the weekend by an international team of hackers exploiting a well known SQL weakness. Apparently, these hackers weren't out to do damage or
August 13th, 2007 at 7:21 pm
[...] politics of the hacks perpetrated on the Internet. The message left on the compromised site asked the United States and Israel to stop the killing of children. Last February, an organization that claimed responsibility for the intrusion into the site of the Commission of [...]
August 14th, 2007 at 6:38 am
[...] A technical summary of the nature of the attack is given by Giorgio Maone. [...]
August 14th, 2007 at 2:28 pm
[...] UN’s website suffered an SQL injection over the weekend by hackers who defaced the homepage. According to this site the SQL injection [...]
August 14th, 2007 at 11:35 pm
[...] United Nations VS SQL Injections 14 08 2007 [...]
August 15th, 2007 at 6:26 am
[...] According to the news on Hackademix, the United Nations site was hacked by way of SQL Injection. If I remember correctly, in 2003, on the evening of an SQL Injection seminar, some 500 sites in our country were hacked. Even though it has long been on the agenda and is simple to protect against, injection negligence still goes on. [...]
August 20th, 2007 at 4:33 am
[...] Website defaced: How it was done: US data breach laws: Science and Technology Select Committee: Report: billthompson botnet [...]
August 23rd, 2007 at 4:55 pm
[...] hole is still gaped by the way, no matter what the U.N. staffers said so far. As you may recall, I did offer a little free help to fix their bugs (13 AUG), but I’ve not been contacted back, notwithstanding some public [...]
August 24th, 2007 at 7:31 pm
[...] I think this happened about a week ago and I had no chance to write about it: the official UN site has again been hacked by Turks with SQL Injection. Still seeing SQL Injection on sites like Microsoft, UN etc., especially very obvious SQL [...]
August 26th, 2007 at 5:50 pm
This is not the first hack, check it out here: http://www.zone-h.org/content/view/14039/30/
August 27th, 2007 at 4:16 pm
[...] Injection vulnerability. A software developer named Giorgio Maone chronicled this incident on his Blog site. Maone partly deduced that SQL Injection was the likely attack vector by the missing [...]
August 27th, 2007 at 6:01 pm
It's full of cases like that outside. Try to take a look at the italian marina militare (italian navy) website. They use the URL as a sort of SQL client:
Incredible. And they're not alone, it seems to be a sort of ASP based CMS.
August 27th, 2007 at 6:39 pm
Hi Fulippo,
welcome here -- been a long time ;)
Yes, it's full of this kind of stuff out there.
The most incredible thing, though, is how a widely publicized case like this has been handled so far.
They just tried to hide the most obvious exploitation sample, while the same resource is still fully vulnerable to the very same attack...
August 27th, 2007 at 7:38 pm
Yeah, really long time.
Giorgio you have to understand them, in the end it's just a matter of quotes..
August 29th, 2007 at 6:22 pm
hi boys
i think this: /ecosoc/photos_detail.asp?nicaID=148479'
August 29th, 2007 at 7:23 pm
@Azad:
yes, that's one of the many holes still open.
September 10th, 2007 at 7:08 pm
can you explain more in detail... about the SQL injection attack??? ... i plan to include this as an example for attacks in my thesis.....
October 9th, 2007 at 11:27 pm
The vulnerability is not patched still. :)
October 11th, 2007 at 4:41 pm
guys !! who.int hacked
http://www.searo.who.int/en/section1174/section1462/
mirror : http://www.turk-h.org/defacement/view/188089/
November 23rd, 2007 at 9:22 pm
[...] to try to hold off any further attacks. Giorgio Maone, an Italian software developer, «hackademix.net», posting screen shots of the [...]
November 25th, 2007 at 5:29 pm
@#43 since you wrote in Turkish, let's answer you in Turkish; your intention is actually quite obvious, but anyway :) Yes, it's true that the official UN site was SQL-injected by Turks, I was personally at the scene, and if it came to it, it would be done again.. Why don't you also tell us about those obvious holes you saw on Microsoft ;)
November 26th, 2007 at 2:20 am
[...] Maone, an Italian software developer, «hackademix.net», posting screen shots of the [...]
November 27th, 2007 at 1:45 am
[...] Maone, an Italian software developer, «hackademix.net», posting screen shots of the [...]
April 23rd, 2008 at 11:56 am
[...] of my first Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather [...]
April 26th, 2008 at 12:53 am
[...] my previous coverage of similar incidents I also assumed a statistical/demographic reason for targeting IIS, since many ASP developers having [...]
September 13th, 2008 at 2:16 pm
interesting article +1
June 10th, 2009 at 1:58 pm
[...] [3] http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/ [...]
June 11th, 2009 at 6:56 am
LOL, NO ONE could hack my site. I do all the security myself. beatthecourt.com
July 18th, 2009 at 7:38 pm
These kinds of attacks are more common now. A recent one is the Kaspersky official site, attacked by SQL injection.
August 26th, 2009 at 10:43 pm
[...] out the story at BBC: UN’s website breached by hackers, and for more detail at Hackademix: United Nations VS SQL Injections [...]