Microsoft Defaced, again!

27/06/2007 Written by Giovanni Delvecchio & Roberto Preatoni

Very little time has passed since the last Microsoft defacement (Microsoft Technet), and yesterday Saudi Arabian crackers successfully compromised another Microsoft website: Microsoft.co.uk, at the page http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399.

At the time of writing, the defacement is still up and running, even though not every browser will be able to show it: too many users are now trying to load the hacker’s injected CSS (Cascading Style Sheet), located on an external host (h.1asphost.com), which is now suffering from slow response times.

By analyzing the HTML source code of the defaced page we can see some “extra” HTML code:

“<link xhref=http://h.1asphost.com/remoter/css.css type=text/css rel=stylesheet>”.

The technique used by the attacker to deface Microsoft’s page is probably based on a kind of SQL flaw (SQL injection). In fact, after a short investigation we noticed that the V2 parameter passed to the PreRegister.aspx script allows both Cross Site Scripting attacks (www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p8399&v2="><script>alert(/XSS/)</script>) and SQL injection attacks, as you can deduce from the debug error message generated by the application.

Most probably, the attacker exploited the site by means of SQL injection to insert the HTML code “<link xhref=http://h.1asphost.com/remoter/css.css type=text/css rel=stylesheet>” into a field belonging to the table which gets read every time a new page is generated. To discover the name of the table the attacker might have queried the database, trying to read the system table “SysObjects” or even the INFORMATION_SCHEMA.TABLES view. We are just speculating here, as the DBMS is most probably MS SQL Server.
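As an added example (not part of the original article and not Microsoft's code), here is a defender-side check that scans rendered HTML for stylesheet, script or iframe references to hosts outside an allowlist, which is how a `<link>` injected into a database-backed field would show up. The sample page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attribute through which each one pulls in an active external resource.
RESOURCE_ATTRS = {"link": "href", "script": "src", "iframe": "src"}


class ExternalResourceFinder(HTMLParser):
    """Collects resource references whose host is not in the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)  # the parser lowercases tag and attribute names
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only <link> elements that act as stylesheets are of interest.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        url = (attrs.get(attr_name) or "").strip()
        try:
            host = (urlparse(url).hostname or "").lower()  # empty for relative URLs
        except ValueError:
            host = "<unparseable>"  # a malformed URL is itself worth reporting
        if host and host not in self.allowed:
            self.findings.append((tag, host, url))


def find_foreign_resources(html, allowed_hosts):
    """Return (tag, host, url) for every resource loaded from a non-allowlisted host."""
    finder = ExternalResourceFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: one legitimate stylesheet, plus one unquoted <link> sitting
# inside content that came from a database field.
SAMPLE_PAGE = """<html><head>
<link href="/styles/site.css" type="text/css" rel="stylesheet">
</head><body><h1>Event detail</h1>
<div class="description">Launch event
<link href=http://injected.example/remoter/css.css type=text/css rel=stylesheet></div>
</body></html>"""

if __name__ == "__main__":
    for tag, host, url in find_foreign_resources(SAMPLE_PAGE, {"www.example.org"}):
        print(f"unexpected <{tag}> resource from {host}: {url}")
```

Run against periodically fetched copies of a site's own pages, a check like this catches stored injections that never touch the files on disk.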


The result after the defacement is this one:

NEWS UPDATE

The attacker has released a video showing some proofs of concept related to SQL injection flaws affecting http://www.microsoft.co.uk/.
In the video it is possible to see the attacker retrieving usernames and passwords from Microsoft’s database. The video is available here.

