Introduction
The US Department of Defense (DoD) vulnerability report program is an initiative that was launched in November 2016. The program was designed for hackers to responsibly report vulnerabilities on the defense.gov domain or any .mil domain through the bug bounty platform HackerOne. In this writeup I will summarize the vulnerabilities I was able to identify and report responsibly. The vulnerabilities are listed in order of their severity.
During my testing, I discovered two websites in scope that were vulnerable to open redirection. An open redirect is usually considered a minor vulnerability, yet it is still listed in OWASP's top 10. It allows an attacker to redirect a victim to an arbitrary site through a URL parameter. This can be abused to send a user to a phishing site, where they might enter their login credentials, or to a malware site that infects them. I sent the following URLs as proof of concept of the vulnerabilities, which were fixed rather quickly:
https://econnect.dcma.mil/public/acceptDoDBanner?Accept=I Accept these Terms&retURL=http://www.hackerone.com/mthirup&shown=shown
8 Cross Site Scripting (XSS) vulnerabilities
Cross Site Scripting is one of the most common web-based vulnerabilities, and I was able to identify several of them on multiple domains belonging to the Army as well as the Navy, the National Geospatial-Intelligence Agency, the Defense Manpower Data Center and the environmental laboratory. The vulnerability allows an attacker to inject JavaScript code through a vulnerable parameter, which can be abused for plenty of things, including cookie hijacking or even infecting the victim's computer with a drive-by exploit.
Vulnerable domains:
- www.dmdc.osd.mil
- abi.army.mil
- www7320.nrlssc.navy.mil (2 vulns)
- www.nwd-wc.usace.army.mil (2 vulns)
- moh.cecer.army.mil
- msi.nga.mil
Gallery of vulnerable websites: http://imgur.com/a/EXdMK
lms.noradnorthcom.mil password reset vulnerability
This vulnerability was quite unique. All it took was some simple logic to figure out a huge configuration flaw that allowed me to reset the password of any user at the United States Northern Command. As most people know, a typical password reset flow looks like this:
- A user enters his email associated with his account
- An email is sent, which provides a unique link for password reset for the associated account
- The user enters his new password
The issue with this domain was that the "unique link" wasn't used, while the form for step 3 was easy to find. This allowed me to skip steps 1 and 2 above simply by changing the flag value in the URL from 0 to 1. Doing this took me to the form shown in screenshot 2, where I was able to change the password of any associated user without any additional information being required.
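To make the flaw concrete, here is an added illustration in Python (hypothetical code, not the site's software): a reset handler that decides whether step 3 may run based on a client-controlled flag parameter, next to a hardened handler that only accepts a server-issued, single-use token and derives the account from that token. The parameter names `flag`, `user` and `token` and the sample account store are assumptions for the example.

```python
# Constructed model of the password reset logic flaw described above.
# Not the real application's code; parameter names are assumptions.
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

USERS = {"alice": "old-password"}  # constructed sample account store
RESET_TOKENS = {}                   # token -> username, server-side only


def vulnerable_reset(url: str, new_password: str) -> bool:
    """Step 3 is gated only by a flag in the URL: flipping flag=0 to flag=1
    reaches the change-password form with no proof that steps 1 and 2
    (email + unique link) ever happened, and the account is client-chosen."""
    q = parse_qs(urlparse(url).query)
    if q.get("flag", ["0"])[0] != "1":
        return False  # still "at step 1"
    user = q.get("user", [""])[0]
    if user not in USERS:
        return False
    USERS[user] = new_password
    return True


def issue_reset_token(username: str) -> str:
    """Step 2: the server mints an unguessable token bound to one account.
    In a real system it would also carry an expiry and be sent by e-mail."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token


def hardened_reset(url: str, new_password: str) -> bool:
    """Step 3 is accepted only with a valid single-use token; the account is
    taken from the server-side mapping, so a user= parameter cannot redirect
    the reset to someone else's account."""
    q = parse_qs(urlparse(url).query)
    supplied = q.get("token", [""])[0].encode()
    matched = None
    for stored in RESET_TOKENS:
        if hmac.compare_digest(stored.encode(), supplied):  # constant-time
            matched = stored
            break
    if matched is None:
        return False
    user = RESET_TOKENS.pop(matched)  # single use: token is consumed
    USERS[user] = new_password
    return True
```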
SQL injections at egeoint.nrlssc.navy.mil and moh.cecer.army.mil
The last part of this writeup covers two SQL injections at subdomains belonging to the Navy and the Army. SQL injection is an old, critical vulnerability where an attacker can inject arbitrary SQL code through a parameter, which can compromise the database(s). It's an old kind of vulnerability that most people learn how to defend against, but unfortunately there are still plenty of incidents where major organisations get compromised this way.
As you can see in the response code, the vulnerability in moh.cecer.army.mil was caused by a login form whose username field was vulnerable.
Conclusion
It's a great step for both parties that the US DoD allows people in the hacking community to identify weaknesses in their systems for responsible disclosure. Lots of ethical hackers have previously reported weaknesses in DoD systems, but now they/we can save a lot of time trying to reach the right individuals, since the people running the program at HackerOne take care of that part for you. The only negative thing is that it takes their teams a long time to resolve your reports even after the bugs have been fixed, which is rather a symptom of lots of incoming reports and a limited amount of resources. Reporting these vulnerabilities put me in 11th place out of 270 participants on the scoreboard at https://hackerone.com/deptofdefense/thanks
The fact that I was able to identify a password reset vulnerability and two SQL injections, while other people have identified other critical vulnerabilities, proves that encouraging ethical hackers to identify and report weaknesses in critical systems is definitely necessary. While the US DoD program doesn't award bounties, it's a great opportunity for anyone to test their skills and get recognition for their efforts, especially due to its huge scope.