SQL injection used as point of entry

Jan 13, 2010 09:28 GMT

A Lebanese hacker is taking credit for a security breach on the PEO Soldier Army website. By exploiting an SQL injection vulnerability, he allegedly obtained full access to the underlying database and the information contained within.

After we recently reported on a Proof-of-Concept attack performed by a Romanian grey hat hacker against the U.S. Army's Housing OneStop (AHOS) website, we received an e-mail documenting a similar incident on a different Army server. Sent by someone identifying themselves as "Idahc, a Lebanese grey hat hacker," the message contained partially blotted screenshots and database listings from the Program Executive Office (PEO) Soldier website.

The initial e-mail was followed by a second one, describing the exploitation techniques and the vulnerability in more detail. From the looks of it, the point of entry was an SQL injection vulnerability. This sort of flaw stems from improper validation of user input that is passed to a script parameter.

The vulnerability allows an attacker to manipulate the URL in order to execute SQL queries against the database under the credentials of the website itself. Just as in the case of the AHOS website, the peosoldier.army.mil domain appears to be hosted on a Windows Server 2003 system with a Microsoft SQL Server 2000 database engine.

According to an official description, the Program Executive Office (PEO) Soldier "was created by the Army with one primary purpose: to develop the best equipment and field it as quickly as possible so that our Soldiers remain second to none in missions that span the full spectrum of military operations. […] Headquartered at Fort Belvoir, Virginia, PEO Soldier designs, develops, procures, fields, and sustains virtually everything the Soldier wears and carries."

"I doesn't search password and user because I don't want to destroy anything because I want to help," Idahc wrote in his first e-mail to Softpedia. However, given that the website was still online at the time, we held back on publishing anything and proceeded to contact both the army.mil Web team and the peosoldier.army.mil webmaster.

We have since received confirmation that the submitted information was forwarded to the proper channels and the website was taken offline, most likely pending a full review. It's also worth noting that Idahc previously took credit for discovering a similar vulnerability on a NASA website.

[Image: PEO Soldier Army website compromised through SQL injection]
[Image: Sample of exploitation of SQL injection vulnerability on PEO Soldier Army website]