"One-click self-update" vulnerability challenge


Postby Obsidian » 08 Feb 2012, 13:08

Note: this lesson encompasses a bit of programming theory...

I was doing some digging into an ever-so-popular web application which will remain unidentified for the time being (to not spoil the solution to this challenge) to figure out how it was handling its much-touted "one-click self-update".
Internally, it polls a remote API (served over HTTP) for updates, then notifies the administrator and asks to download. If given consent by the site administrator, it will download a ZIP archive and then attempt to unpack its files and overwrite local files with those provided in the ZIP.

As a hint, the URL to the remote ZIP archive is as follows:

    http://www.popularsoftwaredomain.tld/software-versionstamp.zip

In a spoiler'd reply, identify the vulnerability, and if you can (in a separate spoiler) provide a solution that protects against the attack vector.

Hint:
Spoiler:
Think: remote code execution
Shut up, shut up, shut up!

StopForumSpam Spam Reporting Database
Giving xrumer and friends a great big "screw you" since 2007.


Re: "One-click self-update" vulnerability challenge

Postby Obsidian » 08 Feb 2012, 22:50

Another hint:

Spoiler:
[image]

Re: "One-click self-update" vulnerability challenge

Postby Techie-Micheal » 10 Feb 2012, 00:15

Spoiler:
I wondered if you were talking about that ...


Spoiler:
SSL of course is a given. Providing checksums is also a good idea.


Now go answer mine. :P

Re: "One-click self-update" vulnerability challenge

Postby Obsidian » 10 Feb 2012, 13:49

Techie-Micheal wrote:
Spoiler:
I wondered if you were talking about that ...


Spoiler:
SSL of course is a given. Providing checksums is also a good idea.


Now go answer mine. :P

Spoiler:
SSL would *help*, assuming there are no nasty coverall SSL certs lying around.

Checksums wouldn't matter unless they're also securely distributed, though.

Best solution is code signing. :)



Also, for the record, the software that contains this opening?

Spoiler:
None other than WordPress of course, as of the latest versions - 3.3.0 and 3.3.1!
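Added example, not part of this thread or of the software it discusses: a Go sketch (Go's standard library carries Ed25519 and ZIP support, so it runs with no extra packages) of the update path the opening post describes, rebuilt around the code-signing fix Obsidian lands on. The vendor signs a message binding the requested version to the SHA-256 of the archive; the updater carries the vendor's public key, verifies before it unpacks anything, and refuses entries that would write outside the install root. A hash published next to the ZIP on the same plaintext channel would add nothing, since whoever swaps the archive recomputes it; what the attacker cannot recompute is a signature from a key that never travels that channel. The context string "example-updater-v1", the version numbers, file names and archive contents are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"path"
	"strings"
)

// buildZip assembles an in-memory ZIP; it stands in for the archive the update server publishes (constructed data).
func buildZip(files map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range files {
		f, _ := w.Create(name) // in-memory construction of sample data; errors not expected
		f.Write([]byte(body))
	}
	w.Close()
	return buf.Bytes()
}

// releaseMessage is what the vendor signs: a context string (hypothetical), the version the
// client asked for, and the SHA-256 of the archive. Binding the version blocks replay of an older release.
func releaseMessage(version string, archive []byte) []byte {
	sum := sha256.Sum256(archive)
	return []byte("example-updater-v1\n" + version + "\n" + hex.EncodeToString(sum[:]) + "\n")
}

// signRelease runs on the vendor's release machine, the only holder of priv.
func signRelease(priv ed25519.PrivateKey, version string, archive []byte) []byte {
	return ed25519.Sign(priv, releaseMessage(version, archive))
}

// verifyRelease runs on the site being updated. pub ships inside the updater
// (pinned), so nothing fetched over the network can substitute it.
func verifyRelease(pub ed25519.PublicKey, version string, archive, sig []byte) bool {
	return ed25519.Verify(pub, releaseMessage(version, archive), sig)
}

// safeEntryPath rejects ZIP entry names that would land outside the install
// root: absolute paths, ".." segments, backslashes and NULs.
func safeEntryPath(name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || strings.ContainsAny(name, "\\\x00") ||
		strings.Contains("/"+name+"/", "/../") {
		return "", fmt.Errorf("rejecting entry %q: absolute, traversal or forbidden characters", name)
	}
	return path.Clean(name), nil
}

// applyUpdate is the hardened replacement for "download, unpack, overwrite": verify against the
// pinned key before touching the archive, then extract only safe paths. The map stands in for files written.
func applyUpdate(pub ed25519.PublicKey, version string, archive, sig []byte) (map[string]string, error) {
	if !verifyRelease(pub, version, archive, sig) {
		return nil, fmt.Errorf("update %s rejected: signature does not verify against pinned key", version)
	}
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := make(map[string]string)
	for _, f := range r.File {
		if f.FileInfo().IsDir() {
			continue
		}
		dest, err := safeEntryPath(f.Name)
		if err != nil {
			return nil, err
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(io.LimitReader(rc, 16<<20)) // cap per-file size
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[dest] = string(body)
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	genuine := buildZip(map[string]string{"index.php": "<?php // genuine release\n"})
	sig := signRelease(priv, "3.3.1", genuine)
	// An on-path attacker swaps the ZIP served over plain HTTP (constructed).
	evil := buildZip(map[string]string{"index.php": "<?php /* attacker-controlled code */\n"})
	_, err := applyUpdate(pub, "3.3.1", evil, sig)
	fmt.Println("swapped archive:", err)
	files, err := applyUpdate(pub, "3.3.1", genuine, sig)
	fmt.Println("genuine archive: files written =", len(files), "err =", err)
}
```

Running main shows the swapped archive rejected with a signature error and the genuine one unpacked. In a real updater the archive and signature both arrive from the download; the public key is baked into the shipped code, the check runs on the downloaded bytes before any file on disk is touched, and the version string the client requested is what goes into the signed message, so a captured older release cannot be replayed as the new one. Transport encryption, as the thread says, still belongs on top of this.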

