Research, demonstrations, and popcorn

Vulnerability Found: Smith & Wesson

This is an older vulnerability I am posting for the sake of getting all my old content moved over to the new site.

While browsing Gun Broker, I noticed several Smith and Wesson ads embedded in the page. After looking at the URL, I noticed the it looked like a normal PHP URL with GET parameters.

After testing the URL out by appending AND 1=1 and seeing the correct page results, I tried again with AND 1=2.  This second attempt resulted in an error. Anyone with basic knowledge of SQL will know at this point that this means the values in X=Y are being evaluated by SQL.  This generally indicates that the site is vulnerable to SQL Injections.

I played with the URL a little bit more and found that the site was indeed vulnerable. Even worse, I found that the MySQL account utilized by the ad redirect URL had full root permissions to the database server.  I pulled a list of databases, tables from one database, and columns in that one table, but did not pull any further information in order to prevent accessing any customer or government contract information.

I contacted Smith & Wesson, but after six weeks of getting no response, I left a voicemail for my contact letting them know I was getting an article ready to publish online about the vulnerability.  That same day I received a call from Craig requesting I hold off on publishing anything until they had a chance to resolve the issue.  This vulnerability was resolved as of December 6th, 2013.

  • Vulnerability Type:  SQL Injection and Unsecured Account.
  • Implications:  Unauthorized access to database information: Customer data, government contract information, and advertising data.
  • Company Response:  No response for six weeks, followed by a quick patch.
  • Date Reported:  September, 2013.

Kalypto • November 3, 2014

Previous Post

Next Post