In light of recent mass hacks (HBGary, Sony, Nintendo, etc) one would have thought that collectively, companies would take notice and at least be slightly more aware of the potential implications vulnerabilities in public-facing services could have.
The problem appears to be that these hacks, and indeed hackers, aren’t that technically superior and more often than not, take advantage of simple flaws. Some flaws, like SQL injection, provide so much access on their own that a fairly grim attack scenario can be painted. However, often attackers don’t require such extravagant flaws to gain access. Chained attacks utilising “low risk” attacks can be far more deadly than a single flaw.
We had an interesting scenario recently which demonstrated this. This is one example of how we use these minor flaws to gain access, and also show how the house of cards can fall quite spectacularly when basic security principles are not adhered to. We were on a fairly bread and butter security assessment; perform an analysis of the target (a large multinational) and determine where their weaknesses were from an unauthenticated perspective. Increasingly, we advise against unauthenticated assessments as we feel we can offer more value when you assume the shell is already cracked, but this was a special case.
The web application was good; it soon became clear that the developers had followed guidelines for the development of secure applications and ensured that common attacks were indeed handled in a suitable manner. What they didn’t do, however, was apply a stringent hardening process to the server itself, and as the platitude goes “security is only as good as the weakest link.”
- First blood was nothing more than a simple directory indexing misconfiguration that allowed our analysts to browse the directories unauthenticated. Within these, files containing sensitive information such as usernames and passwords and internal IP addressing schemes were uncovered.
- Next, a popular administrative package was found with the administrator username pre-populated and after a very brief brute-force attempt, a weak password was discovered. This gave the analyst complete administrative access to one of the minor portals.
- Inside was a well-organised list of servers, user names, passwords and comments about each service and server. With minimal effort, a menu of pwnage-possibilities were presented. The assessment was immediately stopped and a conference call arranged with the security team at the client to inform them of the situation. A detailed email (crypted) was sent to the team that showed the path of attack and end result.
What happened next was nothing short of unbelievable.
The analyst had already obtained all administrative user names and passwords (stored in a database with no protection at all) and had logged into a number to confirm access. My email, now forwarded in the clear, was sent to all involved with a stern “fix it”. Since we had access to the mailboxes, we saw an admin send the reply:
“..have changed the password. Ask them to check if the password is strong now, there’s no way they can get in now.”
Yes, the password was indeed strong and certainly constructed in a recommended manner, but the administrator’s account was already compromised and we were monitoring communications. This wasn’t an appropriate response, it’s a bit like using AV to clean a virus from a box, post-infection, instead of rebuilding it. Some data mining through multiple unencrypted mailboxes provided numerous credentials for other servers inside the network. We could pivot through the internal network to our hearts content, while monitoring their comms to make sure our supply line wasn’t under threat.
Takeaway I: Once an attacker is inside the perimeter, trying to control intruder access at the perimeter is a game you’ve already lost. i.e. Blocking the path in, doesn’t mean you’ve blocked the paths in use.
Starting with a simple directory listing flaw, one that Nessus rates as a “low” risk, the house of cards fell at an alarming rate. Security isn’t about looking only at the high risks, because attackers won’t limit themselves the same way.