Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.

Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org

Saturday, August 16, 2008


I recently had the no so pleasurable task of dissecting an 0wn3d host to determine what happened.  The attacker did the system owner a favor and tagged the site with a defacement image making detection pretty easy.  The image appeared in small title frame on the top of the page.   My initial guess was they had a directory traversal vulnerability in the image upload engine and some weak permissions on a folder structure.   We took a look at the date/time of the defaced pic and it showed the image had change the previous evening.    "find / -mtime 0" showed a few other files that had changed around the same time.   One of them was a new PHP file.   vi revealed it was a variant of the c99 PHP Shell.    So we go to the apache logs and find the attackers IP and try to figure out how he got in.     There are two interesting entries:

[14/Aug/2008:22:18:42 - - [14/Aug/2008:22:18:42 -0400] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 -
[14/Aug/2008:22:18:44 - - [14/Aug/2008:22:18:44 -0400] "GET /administrator/ HTTP/1.1" 200 4121

A check for recent vendor patches lead us to this..


This is a very interesting vulnerability.   Its a SQL injection vulnerability in the password reset function.   The code that actually resets the password is this..

$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

Token is  supposed to a verification code that is sent to your email address when you request a password reset.   BUT if you just say your token is an ampersand then the SQL statement looks like this...

SELECT id FROM jos_users WHERE block = 0 AND activation = ''

Which select the first account in the database (ADMINISTRATOR) for a password reset.   The next screen that appears is where your prompted for a new admin password.    Sorry Dude,  Your website was 0wn3d by a single character.

Once the attacker had admin access, he added his own php code (c99 shell) and had full access to the apache instance (as the apache user).     So why only a small image in a small frame when he had access to SO much more?    Who knows.   Perhaps good fortune.    Perhaps they caught it early.   The attack certainly did not require much work.   Just about anyone could pull it off.   Maybe he didn't know what he was doing, but my guess is there were a TON of websites  out there that required his attention.   The PUBLIC disclosure of the PHP vulnerability was about 48 hours old at the time.    48 hours isn't enough time to move through most change control processes.   There were probably many more fish to fry.

If you haven't patched.   Go ahead and do it and save yourself some heartache.