Original URL: https://www.theregister.com/2013/08/02/ubuntu_forum_hack_postmortem/

Ubuntu puts forums back online, reveals autopsy of a brag hacker

Canonical hardens security, shows Sputn1k_ only wolfed down useless salted hash

By John Leyden

Posted in Software, 2nd August 2013 10:19 GMT

Ubuntu Forums are back to normal following a serious hack attack that exposed the usernames, email addresses and hashed passwords of 1.8 million open source users.

Parent firm Canonical restored the forums on Tuesday as well as publishing a detailed summary of what went wrong and the broad steps it has taken to beef up security.

Canonical blames the breach on a "combination of compromised individual accounts and the configuration settings in vBulletin, the Forums application software".

Only the forums were affected; the Ubuntu Linux distribution itself and Canonical's other services, such as Ubuntu One and Launchpad, were not. "We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings," a statement by Canonical on its official blog explains.

The blog post goes on to give a blow-by-blow account of how the high-profile hack was carried out:

At 16:58 UTC on 14 July 2013, the attacker was able to log in to a moderator account owned by a member of the Ubuntu Community.

This moderator account had permissions to post announcements to the Forums. Announcements in vBulletin, the Forums software, may be allowed to contain unfiltered HTML and do so by default.

The attacker posted an announcement and then sent private messages to three Forum administrators (also members of the Ubuntu community) claiming that there was a server error on the announcement page and asking the Forum administrators to take a look.

One of the Forum administrators quickly looked at the announcement page, saw nothing wrong and replied to the private message from the attacker saying so. 31 seconds after the Forum administrator looked at the announcement page (and before the administrator even had time to reply to the private message), the attacker logged in as that Forum administrator.

Based on the above and conversations with the vBulletin support staff, we believe the attacker added an XSS attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker.

Once the attacker gained administrator access in the Forums they were able to add a hook through the administrator control panel. Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user’ table to a file on disk which they then downloaded.

The attacker returned on 20 July to upload the defacement page.
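The sequence above (administrator views the announcement, the same session turns up from elsewhere 31 seconds later and heads for the control panel) is a pattern that can be caught in access logs. Added example, not code from the article, Canonical or vBulletin; the log format, field names and every sample value are constructed for it:

```python
"""Added example, not from the article or Canonical's post: detect the
session-cookie replay the postmortem describes, where an administrator's
session is reused from a different client seconds after the administrator
viewed the booby-trapped announcement page. The log format, field names
and all sample values below are constructed for this example."""
from datetime import datetime

# Constructed access log: timestamp, client IP, session id, user agent, path.
# The admin views the announcement; 31 s later the same session id appears
# from another IP and user agent, heading straight for the admin panel.
SAMPLE_LOG = """\
2013-07-14T17:02:11Z 203.0.113.10 sess_admin42 Firefox/22 /forum/announcement.php?f=12
2013-07-14T17:02:42Z 198.51.100.77 sess_admin42 curl/7.31 /forum/admincp/index.php
2013-07-14T17:03:05Z 198.51.100.77 sess_admin42 curl/7.31 /forum/admincp/plugin.php?do=add
2013-07-14T17:05:00Z 203.0.113.10 sess_admin42 Firefox/22 /forum/private.php?do=showpm
2013-07-14T17:06:30Z 192.0.2.5 sess_user9 Chrome/28 /forum/showthread.php?t=1
"""

def parse_line(line):
    ts, ip, sid, ua, path = line.split(" ", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "sid": sid, "ua": ua, "path": path}

def find_session_reuse(log_text, window_seconds=600):
    """Return one alert per (session id, new client) when a session cookie
    is presented by a client other than the one that established it,
    within window_seconds of that owner's most recent request."""
    owners = {}      # sid -> (ip, ua, time of the owner's last request)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["sid"] not in owners:
            owners[r["sid"]] = (r["ip"], r["ua"], r["ts"])
            continue
        ip, ua, last_ts = owners[r["sid"]]
        gap = (r["ts"] - last_ts).total_seconds()
        if (r["ip"], r["ua"]) == (ip, ua):
            owners[r["sid"]] = (ip, ua, r["ts"])   # owner is still active
        elif gap <= window_seconds and (r["sid"], r["ip"]) not in alerted:
            alerted.add((r["sid"], r["ip"]))
            alerts.append({"sid": r["sid"], "owner_ip": ip, "new_ip": r["ip"],
                           "seconds_after_owner": int(gap),
                           "first_path": r["path"],
                           # hijacked session reaching the control panel is the
                           # step that let the attacker install the PHP hook
                           "admin_area": "/admincp/" in r["path"]})
    return alerts
```

Binding sessions to client attributes server-side, or marking the cookie HttpOnly so page script cannot read it, removes the condition this detector looks for rather than merely flagging it.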

Canonical's postmortem of the attack concludes that the hacker(s) would have gained full access to the Forums database. This access was used to download the "user" table which contained usernames, email addresses and salted and hashed (using MD5) passwords for 1.82 million users.

The audit concludes that the hacker(s) were not able to gain access to any other Canonical or Ubuntu services. The Ubuntu code repository and update mechanism were also beyond the attackers' reach, the investigation concludes.

The open-source firm admits it hasn't yet gotten to the bottom of how the attacker gained access to the moderator account used to start the attack or what type of cross-site scripting attack was subsequently brought into play. "The announcement the attacker posted was deleted by one of the Forum administrators so we don’t know exactly what XSS attack was used," it said.

The initial compromise went unnoticed and it wasn't until the Ubuntu Forums were defaced on Saturday 20 July that the site was pulled offline. A Twitter user using the profile @Sputn1k_ subsequently claimed responsibility for the defacement.

Sputn1k_ later said he had not planned to crack the stolen ubuntuforums.org credentials, in a statement suggesting that pure devilment, and perhaps a desire to expose security flaws or gain bragging rights, lay behind the hack.

If I do get into a website, most of the time there's no REAL malicious intentions. Grab the database, leave a message. That's it. I don't like to over-do things. Might cause some downtime, but what if it WAS the "syr14n c3b3r 4rmy" (not that their brain-dead brains have the power to do anything whatsoever), and they did have malicious intentions, and they did leak the database and use it to their own advantage?

XSS (cross-site scripting) attacks are a common class of website vulnerability in which attacker-supplied content, typically script, is injected into a vulnerable site and delivered to visitors' browsers as if it were part of that site. The ruse most often crops up in phishing attacks but it has other applications as well, as the Ubuntu Forums hack graphically illustrates.
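In this incident the injection point was an announcement body that vBulletin lets through unfiltered by default. An allow-list check on that markup is the usual mitigation; the following is an added example written for this article, not vBulletin's or Canonical's code, and its tag and attribute lists are assumptions:

```python
"""Added example, not the article's or vBulletin's code: an allow-list check
for announcement HTML. The postmortem says vBulletin announcements may carry
unfiltered HTML by default, which is what let a script be planted on the
page; this check rejects the tags, event-handler attributes and URL schemes
an injected script depends on. Tag and attribute lists are assumptions."""
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "ul", "li", "br", "code"}
ALLOWED_ATTRS = {"a": {"href"}}

def safe_href(value):
    """Only plain http(s) URLs or same-origin paths; rejects javascript:,
    data: and protocol-relative //host links."""
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://")) or \
        (v.startswith("/") and not v.startswith("//"))

class AnnouncementChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(f"attribute {name} not allowed on <{tag}>")
            elif name == "href" and not safe_href(value):
                self.violations.append(f"unsafe href {value!r}")

def check_announcement(html):
    """Return the list of policy violations; an empty list means the markup
    stays within the allow-list and may be posted."""
    checker = AnnouncementChecker()
    checker.feed(html)
    checker.close()
    return checker.violations

# Constructed inputs: one benign announcement, one carrying the usual vectors.
CLEAN = '<p>Maintenance <b>tonight</b>; see <a href="https://example.org/status">status</a>.</p>'
BAD = '<p onmouseover="x()">hi</p><script>y()</script><a href="javascript:z()">link</a>'
```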

Canonical's post goes on to provide a detailed description of steps it has taken to beef up its security and defend against future attacks.

The whole explanation is a model of openness and clarity that concludes with an apology about the data leak and downtime that came as a result of the breach.

Although users were inconvenienced by the breach - which left them without access to the forums for a week and obliged them to change their passwords - the restoration process was designed so that no data (posts, private messages etc) would be lost during recovery. ®