The Anti-virus Times

When I was running penetration tests for all sorts of companies, I often noticed that port 3050/tcp was left open. The port was used by the Firebird database (FB) whose default login and password (SYSDBA;masterkey) were left unchanged. Further inspection of the hosts showed that the FB was being used by a cornucopia of applications and solutions, ranging from accounting and CRM software to video surveillance and remote banking programs. The port provided access to the entire database of the corresponding application, and by editing the database, one could affect the operation of the respective program.

Databases usually store logins and passwords used to access a program’s features via its UI. So with those credentials easily accessible in the database, one can use the full array of an application's features via its sleek interface without initially knowing any of the system’s logins and passwords.

https://habrahabr.ru/post/277279

Let's see how hard it is to leverage this vulnerability. I don’t think it requires any specific skills. It can be done using standard tools in just a couple of minutes.

Find the FireBird server

Obviously, an attacker’s first priority will be to look for an open 3050/tcp port in a local network. To this end they can download nmap ( nmap.org/download.html ) and use the command prompt to run it as follows:

nmap -sS -p3050 --open 192.168.0.0/24

After some time, nmap will reply by displaying information about all the hosts with an open 3050/tcp in the network 192.168.0.0/24.

Now that the open FB ports have been found, we can use them to establish a connection. We already know the login and password (that's essentially the vulnerability), and a standard path is likely to be used for the database.

So we've connected to the database and can do whatever we please—even things that can't be accomplished via the administrator interface.

The most trivial and harmless way an employee can abuse this security flaw is to alter their timesheet. I did this myself when I was working for a company that used vulnerable PACS (physical access control system) software. I successfully corrected my late-arrival and early-departure times, and although the managers knew about it, they could neither control nor stop it. Sometimes it got to the point that the PACS would indicate I was present at my desk even though I never appeared at the office that day. Therefore, here employers face the risk of lost work hours and lax discipline.

Changing one's access profile is another way to take advantage of the security problem. For example, at my previous place of employment I was unable to exit the building after a certain hour. I had to call security personnel and listen to their grumbling. So I changed my access profile to one with no time limits, or, to be more precise, with no limits whatsoever, and could go unchallenged anywhere, even to the general director's office. So an employee can sneak into any PACS-protected building for espionage or other nefarious purposes.

Create new proximity cards. An attacker can register their proximity card in a database as one belonging to a new employee or even assign it to a real staff member. To keep security personnel at checkpoints from getting suspicious, they can glue any photo to the card. As a result, an attacker can get into secure premises in the guise of an employee.

Sabotage and denial of service (DoS) — a threat actor can access a database to change the credentials of all the PACS specialists to prevent them from accessing the system and lock all the doors on the premises. This will prevent employees from moving between office areas and thus disrupt important business routines. Regaining control over the system will be next to impossible, while disabling it will make all the doors open. Imagine that an attack of this kind commences while you are having a meeting with an important client in your office and you end up locked inside together.

A comprehensive attack, video surveillance. Many PACS solutions can be integrated with a video surveillance system or directly control security cameras. Thus a perpetrator can not only gain unauthorised access to a restricted area, but also disable any of the CCTV cameras so that the surveillance system won't be able to register any malicious activities. By the way, some PACS providers also offer video surveillance solutions, which are just as vulnerable as their physical access control systems. But since I didn't undertake a comprehensive study of CCTV solutions, I won't speak at length about any of those. I assume that one could also use a database to replace a legitimate camera feed with a looped video recording.