Mar 29, 2011 09:50 GMT

The Iranian hacker who compromised a Comodo reseller and used its credentials to obtain rogue SSL certificates for high-profile domains claims the original point of entry was an SQL injection vulnerability.

When asked by Robert Graham, CEO of Errata Security, in an email exchange how he broke into the first machine at globaltrust.it, the hacker said: "SQL injection, then privilage [sic] escalation, got SYSTEM shell, remote desktop, investigation and I discovered trustdll.dll."

A new message, posted on pastebin.com by the hacker in response to people doubting his claims, describes in more detail how the hack went down.

He claims that after exploiting the SQL injection vulnerability, he set up a remote desktop (RDP) connection to their server, but this was relatively quickly detected by the firewall and blocked.

The hacker says that two days later he managed to work his way around the firewall restriction and gained access to the system again.

This is particularly troubling, because Global Trust should have taken the server offline immediately after realizing that someone accessed it without authorization.

The Comodo hacker claims he did more than just steal trustdll.dll, the file which he reverse engineered to find out Global Trust's credentials for requesting certificates.

Additional actions included formatting the server's external backup HDD, stopping IIS and wiping all logs using a secure method.

A second backup on an additional drive suffered the same fate, and as his last action the hacker left a Notepad document open on the desktop with the text "SURPRISE!"

To prove once and for all that he is the person who stole the certificates, the hacker released his private key, the unique string of characters he used to sign the certificates.

"Note that even the 'Certificate Authority' who signs a key does not know the private key. When somebody requests a certificate, they only send the 'hash' to the certificate authority. Therefore, nobody, not even Comodo, should know the private key," explains Robert Graham, who verified its authenticity.
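The verification step Graham describes, as an added toy example in Python (not code from the article, the hacker or Errata Security): the certificate request carries only the public key, so the CA never learns the private half, and a released private key can be checked against a certificate by signing a fresh challenge with it and verifying that signature with the certificate's public key. The primes, subject name and helper names are constructed for illustration.

```python
# Toy RSA model of why a released private key proves who requested a
# certificate: the CSR and the certificate carry only (n, e), never d.
import hashlib
import secrets

# Constructed toy primes (2^64 - 59 and 2^64 - 83); real keys use 2048-bit moduli.
P, Q = 18446744073709551557, 18446744073709551533
E = 65537

def generate_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d)) built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(message, n):
    """SHA-256 of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(digest(message, n), d, n)

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def make_csr(public, subject):
    """A certificate request holds the subject and the public key only;
    the private exponent d never leaves the requester."""
    return {"subject": subject, "public_key": public}

def ca_issue(csr):
    """The CA copies the requester's public key into the certificate it
    signs, so it is in no position to know the matching private key."""
    return {"subject": csr["subject"], "public_key": csr["public_key"]}

def private_key_matches_cert(private, cert):
    """What a verifier does with a released key: sign a fresh random
    challenge with it and check the signature against the public key
    embedded in the certificate. Only the genuine holder passes."""
    challenge = secrets.token_bytes(32)
    return verify(cert["public_key"], challenge, sign(private, challenge))

if __name__ == "__main__":
    pub, priv = generate_keypair()
    cert = ca_issue(make_csr(pub, "www.example.com"))
    print("released key matches certificate:", private_key_matches_cert(priv, cert))
```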