Gaining Access to the Oculus Developer Database

oculus_admin_database_management_eval

One of the hackers over at Bitquark popped a shell on on the Oculus Developer Portal giving him full reign over the special admin panel inside. If he felt so inclined, this allowed him edit users, modify projects, add news articles, edit the dashboard, upload SDK files, and variety of other goodies.

The process started by using a SQL injector called BSQLi to test out parameters, cookies, and headers. Injecting into the header revealed that the Oculus team members were inserting X-Forwarded-For headers directly into the database without proper escape formatting. This got him in the door, and with a little assistance from sqlmap, the database was enumerated, and a pattern was recognized. Oculus passwords that were stored in the DB were heavily hashed. However, the user session variables remained unprotected. A SQL query was quickly built, the latest admin session was promptly extracted, and then the information was plugged in granting access to the portal. A bit more snooping around uncovered that the AJAX eval() preview script wasn’t secured by a CSRF token which could easily be exploited by a malicious hacker.

The findings were then turned into Facebook who paid the guy $15,000 for the first vulnerability plus the privilege escalation attack. $5,000 was then awarded for each subsequent SQL injection as the admin account takeover vulnerability that was found, giving the guy a nice payout for a week’s worth of work.

Comments

  1. sqelch says:

    Awesome, more like this?

  2. William DeRieux says:

    You know when a security professional breaks into something (to prove how insecure and vulnerable it really is — with no malicious intention of any kind) — needs to be rewarded in some way. When someone does this ‘to help out’, and doesn’t get rewarded or acknowledged — what’s to stop them the next time from doing something malicious?
    So, I’m glad facebook paid the guy — rather than report him to the authorities.

    • targetdrone says:

      That’s a very delicate question, and it can go many different and unpredictable ways. Right now if you accidentally discover a vulnerability on your bank’s site, and report it to them, it’s a toss up whether they’ll thank you, reward you, or turn you over to the authorities. For many security people, they have reduced their personal risk by turning to gray market selling of vulnerabilities: cash up front, no questions asked. But by offering a bounty, the owners can at least state their intentions up front: “we will pay you and not prosecute you as long as you disclose them to us on our terms and conditions.” It’s safer for the hacker, and safer for the site.

  3. icanhazadd says:

    So strange to see pentesting on Hack A Day. O_O

  4. Bob says:

    I have spent many years in web development and server management so I have a lot to do with web security. However I come to this site for the hardware hacking content.

    It’s a huge leap from hardware hacking to web hacking and that is going to be far too big a leap for many visitors here. HAD may pick up more hits but it will be at the expense of your user base.

    I personal don’t want to see this sort of content here and that is coming from someone who you may expect to find this relevant.

    • Andrew says:

      Cool story, bro’.

    • Leithoa says:

      There’s a tipline so you can help show more of the content you’re interested in.

      http://hackaday.com/contact-hack-a-day/

      As evident by the diverse archive categories this site doesn’t specialize in hardware or software hacks. Occasionally the featured hacks don’t even involve electronics!

    • Quin says:

      Web development isn’t assembly, but security is security. Paying attention to that is something every hardware, and software, hacker should know too.

      And why is your opinion so valuable on this topic of what stories should be posted? Look back in the archives, see how few stories were posted per day early on; and compare that to now. Do you think that this short little story cluing folks in to a fairly big problem is going to eat up the author’s time so much that you’ll be deprived of stories you really want to read?

      Or, tell the truth, you wrote the POS interface that got busted and just don’t want anyone to notice.

      • Bones says:

        Why the aggro, dude?

        • millsy says:

          I like how he just gets slowly angrier and angrier. You can imagine that by the 5th paragraph it’s pure abuse, by the 6th it’s degraded to a stream of curses before finally approaching the 7th paragraph of !$%”£!”

          • Quin says:

            I was hoping I got that across well. I kept editing things til I thought the aggravation elevated at the right order, but one can never be sure. The original post progressed the same way (I don’t like this, other people won’t like this, HAD shouldn’t do this at all) so I wanted to try an extreme response.

            Glad the joke wasn’t missed entirely.

        • Quin says:

          See my reply to millsy; but I wanted to try to troll in the same pattern that the classic “i hate this post” troll poster uses. Maybe Bob really does hate this and think it will ruin Hack A Day, but it’s also a pretty classic troll even in the usenet days. See “concern troll”; plus Bob’s self’s righteous “I personal don’t want to see this sort of content here and that is coming from someone who you may expect to find this relevant.” just aggravated me into action.

          I actually spent a good bit of the time writing it giggling and trying to figure out how much I could get away with before the admins tossed my post. Seems I managed so far.

    • Bones says:

      Disclaimer: As a software dev, I find this story very interesting.

      Even so, I kindof agree with your point. I come here to see people use common materials to do the awesome, as well as hardware/electronics hacks and great designs.

      I don’t think you’re saying “don’t do this”, but more “don’t do this to excess”. Which is something I can get behind.

    • I am Shirley says:

      It’s not like they tossed up a story about some random site, this was a very specific article. It is relevant as it pertains to a piece of hardware which has been previously posted on HAD.

  5. JoesToes says:

    I don’t want to come over as negative but this is pretty much sql injection 101. It’s literally just pointing a program/script at a site which tests various types of injection to try find an unescaped SQL query.

    The only reason why it’s news worthy is because FB bought Oculus Rift and they have a good policy of paying out for ‘exploits’.

    This is the same way most sites are “hacked” now days and is why open source, openly tested platforms are generally safer than a homegrown CMS.

  6. chris0x00 says:

    I found this content interesting and relevant. The HaD community is aware of the Oculus Rift, it might be of interest then to the community to be aware that an unauthorized party gained access to private data within that company. I enjoy reading about hardware hacks, but I also enjoy reading an occasional CTF challenge write up. I therefore welcome the ablility to scratch both itches at one site when there is a natural cross over given the aforementioned community relevance of the subject. To those not interested in the software security arena, I suggest reevaluating those views. Our hardware is increasingly software driven, and our software problems in the server and desktop domain increasing have direct relevance within the embedded platforms context.

  7. I for one liked this story. I may have felt differently if there was no connection to the Oculus Rift as this is a pretty cut and dry SQL injection attack (although putting together a working control panel was a nice touch).

    The part of the story that saddens me is that we’re *still* leaving sites vulnerable to injection. I’ve run into this scenario on http://stackoverflow.com so many times that I wrote a blog post to point people to so I didn’t have to explain it every time:

    http://www.richquackenbush.com/2011/02/bind-variables.html

  8. Haku says:

    Why the Keyboard Warrior article in a site that primarily caters for the Soldering Iron Warrior?

  9. I thought hackaday was all about hacking and not cracking?
    Nice story with a bit of sunshine in the end but I concur with (most of) the audience – this is perhaps not the best forum for such a story.
    Had he build a hardware-gizmo to hack the DB it’d be a different story altogether…

  10. notmyfault2000 says:

    I for one rather enjoy reading articles like this. Keep them coming!

  11. Paul says:

    Its not a hardware hack but there’s no reason to hate. And if there is then maybe HAD should stop working on Mooltipass. Since that is combatting password insecurity which at its roots is mainly websites getting hacked. Some of them through SQL injection.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 93,964 other followers