
Hackers Never Let April Fools’ Day Go to Waste

“Since March began thirty days and two,”[1] hackers’ distinctive humorous style has continually regaled us.

Whether you’re a fan of obscure literary references or just like a good pop culture pun, one thing is for sure: hackers seem to love witty wordplay! While the attacks themselves can spell disaster, we can all appreciate the attempt at a clever ruse – as long as we aren’t left playing the fool while enjoying the joke. On this most reverent of days, April Fools’ Day, we thought you’d appreciate a couple of tales of shenanigan hacks; try not to hack the fast lane or deny the LOLz!

SELECT clever FROM ticket hacks;

As speed trap and tollway cameras have become commonplace, hackers have found a clever way to trick the Optical Character Recognition (OCR) software and exploit license plate databases to get out of tickets. Most likely, neither the original developers of the OCR software, nor the system admins of license plate databases ever considered the possibility of a SQL Injection license plate attack!

Typical OCR software in automatic license plate scanners is designed to recognize the characters on a license plate, digitize the result, and store that output somewhere in a database. It is also standard practice for applications to use user-supplied data to dynamically generate SQL statements. But if an application fails to construct those SQL statements properly, and the database processes the malformed statements, it is possible for a bad actor to execute hostile commands.

So, the basic premise is that the would-be ticket hacker creates a SQL Injection statement, either with a customized vanity license plate or a banner on their car, in the hope of coercing the database into deleting the record of their license plate. The ticket hacker exploits the unfiltered trust that the license database places in the OCR software’s input. And in truth, it is the OCR software itself that executes the database attack on behalf of the ticket hacker.

And who doesn’t like a good case of the LOLz?

You’re probably familiar with the expression ‘laughter is the best medicine’. But that was not the case for the 1962 outbreak of laughing plague in Tanganyika (present-day Tanzania), nor for servers that suffered from the Billion Laughs Attack in the previous decade.

For XML Entity Expansion (XEE), CWE-776, attackers inject custom entities that overwhelm the XML parsers used by web applications. Also known as an XML Bomb, the attack defines a chain of custom entities at the top of an XML document, each one referencing the entity before it many times over, so that the expanded output grows exponentially with every level and the parser keeps expanding almost indefinitely. Such <!ENTITY> expansion uses up available system resources and can result in a buffer overflow or denial of service. Now in true hacker fashion, imagine playing an April Fools’ prank by attacking a server with a ‘laughing bomb’ and letting the LOLz rip!

Risk and Remediation

Although highly amusing, this SQLi license plate attack is a long shot – sorry to those future would-be ticket hackers. In terms of risk assessment and threat modeling, yes, the severity of the vulnerability is critical. But no, the probability of a successful attack is unlikely. This hack depends on assuming and testing the limitations of the character recognition functionality, input field sanitization mechanisms, database configuration, and access control permissions.

But as a general comment on SQL Injection vulnerabilities, a surprising number of major websites and applications still fail to properly sanitize their inputs. To guard against SQLi, developers should handle SQL with parameterized statements.

The Billion Laughs Attack was first reported as early as 2002 but became popular in 2008. Defenses against this attack include disabling the Document Type Definition (DTD), or capping the memory allocated in an individual parser, or treating entities symbolically. In terms of risk assessment threat modeling, the vulnerability severity is moderate to critical as it relates to a specific service, however, the probability is low since this style of attack is somewhat outdated.
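Two of the defenses listed above, capping the memory a parser may use and treating entities symbolically, as an added example that is not part of the original post: a pre-parse gate that reads the internal DTD subset and computes how large the document body would become after entity expansion, without ever building the expanded text, run on a constructed three-level laughing bomb of the shape described earlier. The regexes and function names are my own simplifications; the gate covers internal general entities only (no parameter or external entities, no CDATA sections), so it complements disabling DTDs rather than replacing it.

```python
import re
# Constructed sample: a three-level "laughing bomb" of the shape the post describes,
# each entity referencing the previous one ten times (expands to 3 * 10^3 characters).
LAUGHING_BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""
BENIGN = '<!DOCTYPE note [ <!ENTITY co "NTT Application Security"> ]><note>&co; &amp; friends</note>'  # constructed
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.S)  # internal general entities only
ENTITY_REF = re.compile(r'&(\w+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to a single character

def internal_entities(doc):
    """Map entity name -> replacement text for the DOCTYPE's internal subset."""
    m = re.search(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', doc, re.S)
    subset = m.group(1) if m else ""
    return {name: value for name, _quote, value in ENTITY_DECL.findall(subset)}

def expanded_size(entities, name, cache, stack=()):
    """Fully expanded length of one entity, computed symbolically: no text is built."""
    if name in PREDEFINED:
        return 1
    if name in cache:
        return cache[name]
    if name in stack:
        raise ValueError(f"recursive entity: {name}")  # illegal XML, and unbounded
    if name not in entities:
        raise ValueError(f"undeclared entity: {name}")
    value, size, last = entities[name], 0, 0
    for ref in ENTITY_REF.finditer(value):
        size += ref.start() - last  # literal text before the reference
        size += expanded_size(entities, ref.group(1), cache, stack + (name,))
        last = ref.end()
    cache[name] = size + len(value) - last  # plus any trailing literal text
    return cache[name]

def estimate_expansion(doc):
    """Total characters the references in the document body would expand to."""
    entities, cache = internal_entities(doc), {}
    body = re.sub(r'<!DOCTYPE.*?\]\s*>', "", doc, count=1, flags=re.S)
    return sum(expanded_size(entities, r.group(1), cache) for r in ENTITY_REF.finditer(body))

def safe_to_parse(doc, max_expansion=10_000):
    """Gate to run before a real parser: reject when the expansion would exceed the cap."""
    try:
        return estimate_expansion(doc) <= max_expansion
    except ValueError:
        return False
```

Because the size is computed arithmetically, a ten-level bomb costs the gate ten small additions while it would cost a naive parser billions of characters.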

So as a general comment on XEE, security testing for this vulnerability should be a priority in legacy applications.

Stay in the Green!

While it’s customary to enjoy a harmless joke on April Fools’ Day, when it comes to cyber security, no one wants to be pranked by an attack, regardless of how clever the name is. NTT Application Security can help your organization stay shenanigan-free by addressing vulnerabilities and delivering secure applications rapidly so that you can protect your business.

——————————————————————————————————————————————————————————————————————
[1] “Nun’s Priest’s Tale” from the Canterbury Tales by Geoffrey Chaucer