"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.

Transcription

1 Pwned Bulletin Septemeber 2014 Volume - 6

2 1 index 02 executive summary 03 responsible disclosures 04 smartermail 0-day xss vulnerability 07 siemens simatic S exploit 09 network compromised using Microsoft work document 11 fortigate 310b multiple vulnerabilities 13 corporate laptop backdoor 15 about us

3 executive summary 2 We at CCFIS deliver penetration testing services and while delivering those services we have found some 0-day exploits. In this bulletin, we have showed that how easy it is for a hacker to compromise in your network ever after implementing best security solutions. Unfortunately if your security systems or firewalls are not detecting any attacks or not alerting you about any attack, this doesn t always mean that you are not being attack, may be you are being attacked and these security solutions are not detecting or blocking it. Developers and solution providers are working 9 to 6 to develop the solution but hackers are working 0 to 24 to hack the solutions. Every Web Asset, Hardware device or Application Solution can have vulnerabilities. We at CCFIS find those vulnerabities and report to the organization in our responsible disclosure program. List of our responsible disclosures are attached in next page. It is recommended for everyone to take needful actions when any vulnerability is reported to your organization s assets. Detailed penetration testing report can be shared on request. Please drop a mail at info@ccfis.net and with your intent and purpose and we will send you detailed report after verification. "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."

4 responsible disclosures by CCFIS 3 and many more..

5 smartermail 0-day xss vulnerability 4 Most of us use SmarterMail as mail server for our organizations and business. It has all smart features and almost everything to run your business smoothly. One client who was very much concerned about his mail server contacted us and explained that he have already implemented 256 bit SSL certificate, so is there anything else he needs to do to secure his mail server from their rival companies. We initially checked for vulnerabilities in Microsoft OS installed on server with enterprise level security & antivirus. On later stage, we found that everything was updated and OS was equipped we were given two dummy accounts to check vulnerabilities inside the application. Unfortunately, we weren t able to find any vulnerability that can be exploited directly but we found several major XSS based 0-days which might be used for gaining few more access. We reported these Vulnerabilities to SmarterTools as Responsible Disclosure and also decided to share same with our readers.

6 5 Stored XSS (Notes) Vulnerability (Steps to reproduce): In SmarterMail there is an option to add Notes. In details Box give a JS code as ><img src=x onerror=prompt (document.domain);> and save it. Now when a user opens notes saved by him, this JS code will execute and XSS will pop up. Reflected XSS (Compose Message) Vulnerability (Steps to reproduce): Select New Message and click on the option to insert link. Then in place of URL, write any URL for example ccfis.net Then again select that URL and edit it with payload - ><img src=c onerror=prompt(document.cookie);>

7 6 Reflected XSS (Image Attachment) While attaching an image named "><img src=x onerror=prompt (document.cookie);>.jpg in SmarterMail using web version, an alert in generated allowing user to inject any arbitrary code that will be executed in server. Issues were reported to SmarterTools 4 weeks ago and the patch for the same is yet to release. Recommendations We cannot recommend the best mail sever as developers are only working 9 to 6 to develop the solution but hackers are working 0 to 24 to hack the solutions. The best practice is to perform periodic vulnerability assessment and penetration testing of your mail server.

8 7 siemens simatic S7-300 exploit Siemens Simatic S is modular mini PLC system for the low-end and mid performance ranges. These appliance are used in manufacturing plants, assembly lines, hospitals and wherever automation required. After reading about Critical Infrastructures, CIO of a major hospital contacted CCFIS team and asked if we can audit their network. After audit, we found some major vulnerabilities in their network and on later stage those vulnerabilities were fixed and network was secured. After few months, we were called again to audit their SCADA system. We found that hospital was using Siemens Simatic S PLC system and had deployed it in their network to automate and control their system efficiently.

9 CIO mentioned that they purchased it in 2012 and after that its configuration and setting were never changed or modified. Even the security hardening wasn t performed on device. While performing penetration testing, we found this device vulnerable to Remote Memory Viewing exploit. Through this, an attacker can view data on memory of PCL. Exploit code for this vulnerability was written by Dillon Beresford in 2012 with OSVDB-ID: With this exploit, our pen-testing team were able to compromise the Siemens Simatic S and were able to dump the device memory. As the organization requested to not to disclose much information and attack methodologies and hence we are sharing only limited information. Another reason for sharing only brief information is that misuse of these attacks may lead t o m a s s destruction. Recommendations: 8 If you have implemented any SCADA based appliance then make sure you have updated its firmware and implemented best security practices. For self-vulnerability assessment of your SCADA appliances you may use Nessus plugin new-scada-plugins-for-nessus-and-tenable-pvs A periodic vulnerability assessment or penetration testing from any third party outsider vendor is recommended to ensure complete security.

10 9 network compromised using microsoft word document Few months back CCFIS team was conducting penetration testing of an IT firm. The organization was using multiple layer of security with properly configured firewall, latest updated antivirus, IDS/IPS and whatnot. Inside network they had already created active directory with proper security policy for all users, central update server and almost all best security practices. Organizations was also ISO certified. They also trained their employees about cyber security & threats and hence even the weakest line in security chain i.e. the human part was also secured by trainings. During penetration testing of the network, our team didn t found any major exploitable vulnerability through which they can enter into the network. And as per client s requirement, this has to be a complete blackbox testing. The company had an online job portal, through which they were posting current opening and receiving applications through portal. One of our team member, took advantage of MS The vulnerability was the Microsoft word RTF Memory Corruption RTF Zero-Day Attack CVE which allows an attacker to run arbitrary code into client s machine. He immediately binded in house developed backdoor which was less detectable by most of antivirus engines and submitted job application and uploaded his resume which was malicious RTF document.

11 10 Next morning exactly at 9:41 AM, we got reverse connection from a system which belonged to HR department of that organization. When someone from HR checked their ERP and clicked this malicious resume, our exploit worked perfectly fine and established a reverse connection to our server. Later on with this one compromised system using pivoting we found that many more servers and systems were vulnerable to publically knows vulnerabilities. This vulnerability and attack methodology was reported to organization so that they can protect their network from these types of targeted attacks. Recommendations Security is not a onetime investment, it s more of a regular practice. To secure your network, you need to keep checking for possible tiny flaws that may lead to a bigger vulnerability. Make sure, every software and systems are properly updated of your network. ERP or any such system through which you are receiving any files outside your network, should must be sandboxed before bringing directly to production internal network.

12 11 fortigate 310b multiple vulnerabilities CCFIS team works with a quote give us anything, we will find vulnerability. During a presentation, our client asked our sales guy that I am using FortiGate 310B and I am totally secure, why do I need a penetration testing service for my network? Our sales guy committed that your FortiGate device is not secure and our team can find vulnerabilities. Deal was final and we got task to audit latest updated FortiGate 310B. White testing the firewall, we found several major and minor vulnerabilities. Even we were able to reboot or shutdown the firewall without having admin or any credentials. Device was also vulnerable to Cross-Site Request Forgery. Basic functionality of firewall is to stop DoS and DDoS attack targeted to network, We have created an InfoSec lab from where we can simulate almost any attack. DoS and DDoS attacks were performed on firewall for stress testing and the device itself was found prone to DoS and DDoS attacks.

13 12 FortiGate has a Web Filtering Service called FortiGuard. This help network administrators to block certain category of sites in network. No VPN, torr or any other proxy based tool could bypass this fileting mechanisms. CCFIS team were able to bypass this filtering mechanisms using very simple technique in Opera web browser called Off Road mode or Opera Turbo. Even the data stored on CompactFlash card of firewall was not encrypted. In case of any physical compromise to network, these data can be extracted to reveal entire network architecture. These configuration data was deleted but with some basic forensics techniques, we were able to recover the configuration data again. Few more major vulnerabilities was found on firewall. All issues were reported to FortiGate India team. Fortinet India team immediately forwarded those vulnerabilities to Fortinet US team and they acknowledged the vulnerabilities and patch was released and was pushed to all Fortinet devices. Recommendations Use latest model of firewall or at least use the latest firewall OS Choose your firewall brand wisely and do some research before purchasing for some publically available vulnerabilities or exploit. While changing CompactFlash of your firewall, make sure that you have destroyed the previous one as this contains configuration file which can reveal network architecture information. And these data can be recovered even after deleting using some forensics tools.

14 corporate laptop backdoor 13 One of our client which is an educational organization, provide laptops to its students, faculties and other staffs for their educational and official work. MNCs, government and almost every organization order laptops is huge quantity and hence the vendor created a separate model specially designed for that particular organization. Few months back, a vendor reached CIO of organization and gave a laptop for PoC and feasibility testing. Later on this laptop was sent to CCFIS team to check for any possible vulnerabilities. We created a test scenario in our InfoSec lab. Firstly we restored the laptop to its factory setting and downloaded laptop drivers from vendor s official site. Only operating system and drivers were installed on that laptop. Then we connected this laptop directly with lease line and assigned live IP. Our network support team made sure that no other device was connected between or in the network. The PoC laptop was left for few days and all packets were captured using wireshark. After two days of packet capturing, the pcap files were sent to our attack analysis lab where every packet was analyzed by team members for any malicious packet.

15 14 After analysis, we found that this PoC laptop was connecting and sending data to a Chinese IP, and this Chinese IP belonged to an antivirus server. The question here arises that no antivirus or any other software was installed other than original operating system and device drivers. The same process was repeated on Windows XP, Windows 7 and Windows 8.1 and the result was same on every operating system. Hence we concluded that there isn t any fault in software part, it s the hardware which is creating connections and sending data to Chinese IP. This vulnerability was report to the laptop vendor. First of all they ignored and later on denied any involvement in this act. They concluded by saying that they only assemble multiple components purchased from different other vendors, they don t actually manufacture every part that are installed on laptop. This means that they need some more quality and security checking procedures. Recommendations Before distributing laptop or PC in your organization, check it for any possible backdoor installed in it by vendor. We can help in testing and share the testing procedure on request. We can also help in capacity building for creating such a test bench. Before signing contract from any vendor, check if vendor was involved in such activities in past or not. In our case, the vendor was already blocked by government agency of a country.

16 about us 15 Center for Cyber Forensics and Information Security (CCFIS) is a Research Organization incubated at Amity Innovation Incubator which is a Technology Incubator supported by NSTEDB, Ministry of Science & Technology (Government of India). Noida Office HQ : Amity Innovation Incubator, Block E-3,1st Floor, Amity University, Sector-125 Noida, UP , India, Id: info@ccfis.net, Phone no: Lucknow Office: 3rd Floor, AB - 6 Block, Amity University, Malhaur, Lucknow, UP , India Gwalior Office: Amity University Madhya Pradesh, Maharajpura (Opposite Airport), Gwalior Jaipur Office: Amity University Rajasthan, 14, Gopalwadi, Ajmer Road, Jaipur, Rajasthan Manesar Office: Amity University Haryana, Panchgaon, Manesar, Gurgaon, Haryana Disclaimer This report was prepared as an account of work done by CCFIS research and analysis wing. Neither the CCFIS, nor any of their employees, nor any of their contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Center for Cyber Forensics & Information Security