The little secrets in your applications
With vulnerabilities popping up here, there, and everywhere… and hackers discovering them and software developers releasing security patches for them, we could talk at length about the many aspects of this ongoing battle. However, today we're going to discuss an issue that rarely crosses people’s radar.
In most cases, today’s software developers no longer need to make every effort to maximise the efficiency of their software. So instead of developing and optimising software modules of their own, they often opt for readily available code. Or they even incorporate entire software distributions into their products. For example, product distributions often include databases—designing a modern database solution from scratch will take a huge amount of time, and obviously it’s thought to be pointless to waste time developing and testing one. And here users may be in for an unpleasant surprise.
It is always a good idea to check an application's security settings right after you install it (the Anti-virus Times never tires of repeating: replace a default password with a strong, reliable one). But how many people ever consider the security of third-party software?
When I was running penetration tests for all sorts of companies, I often noticed that port 3050/tcp was left open. The port was used by the Firebird database (FB) whose default login and password (SYSDBA;masterkey) were left unchanged. Further inspection of the hosts showed that the FB was being used by a cornucopia of applications and solutions, ranging from accounting and CRM software to video surveillance and remote banking programs. The port provided access to the entire database of the corresponding application, and by editing the database, one could affect the operation of the respective program.
Databases usually store logins and passwords used to access a program’s features via its UI. So with those credentials easily accessible in the database, one can use the full array of an application's features via its sleek interface without initially knowing any of the system’s logins and passwords.
The review we've just quoted also features a list of companies whose IT infrastructures may have this security loophole. It is quite impressive!
How dangerous is this situation? In most cases, the applications' components can only be accessed from a local network; by default, the databases are not accessible from the Internet. But if a threat actor manages to get inside a network or a company has an unscrupulous employee…
Let's see how hard it is to leverage this vulnerability. I don’t think it requires any specific skills. It can be done using standard tools in just a couple of minutes.
Find the FireBird server
Obviously, an attacker’s first priority will be to look for an open 3050/tcp port in a local network. To this end they can download nmap (nmap.org/download.html) and use the command prompt to run it as follows:
nmap -sS -p3050 --open 192.168.0.0/24
After some time, nmap will reply by displaying information about all the hosts with an open 3050/tcp in the network 192.168.0.0/24.
Now that the open FB ports have been found, we can use them to establish a connection. We already know the login and password (that's essentially the vulnerability), and a standard path is likely to be used for the database.
So we've connected to the database and can do whatever we please—even things that can't be accomplished via the administrator interface.
The most trivial and harmless way an employee can abuse this security flaw is to alter their timesheet. I did this myself when I was working for a company that used vulnerable PACS (physical access control system) software. I successfully corrected my late-arrival and early-departure times, and although the managers knew about it, they could neither control nor stop it. Sometimes it got to the point that the PACS would indicate I was present at my desk even though I never appeared at the office that day. Therefore, here employers face the risk of lost work hours and lax discipline.
Changing one's access profile is another way to take advantage of the security problem. For example, at my previous place of employment I was unable to exit the building after a certain hour. I had to call security personnel and listen to their grumbling. So I changed my access profile to one with no time limits, or, to be more precise, with no limits whatsoever, and could go unchallenged anywhere, even to the general director's office. So an employee can sneak into any PACS-protected building for espionage or other nefarious purposes.
Create new proximity cards. An attacker can register their proximity card in a database as one belonging to a new employee or even assign it to a real staff member. To keep security personnel at checkpoints from getting suspicious, they can glue any photo to the card. As a result, an attacker can get into secure premises in the guise of an employee.
Sabotage and denial of service (DoS) — a threat actor can access a database to change the credentials of all the PACS specialists to prevent them from accessing the system and lock all the doors on the premises. This will prevent employees from moving between office areas and thus disrupt important business routines. Regaining control over the system will be next to impossible, while disabling it will make all the doors open. Imagine that an attack of this kind commences while you are having a meeting with an important client in your office and you end up locked inside together.
A comprehensive attack, video surveillance. Many PACS solutions can be integrated with a video surveillance system or directly control security cameras. Thus a perpetrator can not only gain unauthorised access to a restricted area, but also disable any of the CCTV cameras so that the surveillance system won't be able to register any malicious activities. By the way, some PACS providers also offer video surveillance solutions, which are just as vulnerable as their physical access control systems. But since I didn't undertake a comprehensive study of CCTV solutions, I won't speak at length about any of those. I assume that one could also use a database to replace a legitimate camera feed with a looped video recording.
Such is life.
Documentation is meant to be read. Neglecting it may have dire consequences. Today's software products are real "monsters", and their respective developers may not even know with 100% certainty what’s inside them. The upshot is:
- If you have installed something, take your time to review the list of installed applications—perhaps, something will stand out to you.
- If your applications use third-party software components, configure their security settings too. And change the default passwords!
- Also find out whether these software components are ever updated.
- Make sure that the software is accessible only from separate segments of your network so that hackers can't get their hands on it.
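
To act on the first and last recommendations, an administrator can run the scan quoted above against their own network with nmap's grepable output (-oG -) and compare the result with the list of Firebird servers they know about. The script below is an added example, not part of the original article or the quoted review; the sample scan output, the host names and the KNOWN_FIREBIRD_HOSTS inventory are constructed for illustration.

```python
import re

# Constructed sample of `nmap -sS -p3050 --open -oG - 192.168.0.0/24` output.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample, not real scan data)
Host: 192.168.0.12 (acct-srv)\tStatus: Up
Host: 192.168.0.12 (acct-srv)\tPorts: 3050/open/tcp//gds_db///
Host: 192.168.0.57 ()\tPorts: 3050/open/tcp//gds_db///
Host: 192.168.0.80 (pacs-01)\tPorts: 3050/filtered/tcp//gds_db///
Host: 192.168.0.201 (cctv-nvr)\tPorts: 3050/open/tcp//gds_db///
# Nmap done
"""

# Hypothetical inventory: hosts the administrator already knows run Firebird.
KNOWN_FIREBIRD_HOSTS = {"192.168.0.12", "192.168.0.201"}

HOST_LINE = re.compile(r"^Host: (\S+) \((.*?)\)\tPorts: (.+)$")


def open_firebird_hosts(grepable, port=3050):
    """Return {ip: hostname} for hosts whose port/tcp is reported open."""
    found = {}
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment, status line, or a host without a Ports field
        ip, name, ports = m.groups()
        for entry in ports.split(","):
            # Grepable port entry: port/state/protocol/owner/service/...
            f = entry.strip().split("/")
            if len(f) >= 3 and f[:3] == [str(port), "open", "tcp"]:
                found[ip] = name
    return found


def triage(grepable, inventory):
    """Separate listeners nobody inventoried from known ones that are still
    reachable from the segment the scan was run in."""
    report = {"unexpected": [], "inventoried_but_reachable": []}
    for ip, name in sorted(open_firebird_hosts(grepable).items()):
        key = "inventoried_but_reachable" if ip in inventory else "unexpected"
        report[key].append((ip, name))
    return report


if __name__ == "__main__":
    for kind, hosts in triage(SAMPLE_SCAN, KNOWN_FIREBIRD_HOSTS).items():
        print(kind, hosts)
```

Hosts under "unexpected" are bundled databases that came with some application and need their default password changed; hosts under "inventoried_but_reachable" are known servers that should not answer on 3050/tcp from the segment where the scan was run.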