onsdag den 31. maj 2017

Hacking the military for fun and non-profit


The US Department Vulnerability report program is an initiative that was launched in November 2016. The program was designed for hackers to responsibly report vulnerabilities on the defense.gov domain or any .mil domain through the bug bounty platform hackerone. During this writeup I will summarize the vulnerabilities I was able to identify and report responsibly. The vulnerabilities mentioned are listed in order based on their severity

open redirection vulnerabilities on econnect.dcma.mil and login.us.army.mil

During my testing, I discovered two websites in scope, that were vulnerable to open redirections. An open redirect is usually considered a minor vulnerability, yet still listed in owasps’ top 10 vulnerability list. It allows you to redirect your victim to a site through a url-parameter. This can be abused to redirect a user to a phishing site, where they might enter their login credidentials or a malware site to infect them. I sent the following urls as Proof of concept of the vulnerabilities, which were fixed rather quickly

8 Cross Site Scripting (XSS) vulnerabilities

Cross Site Scripting is one of the most common web-based vulnerabilities, and I was able to identify multiple of these on multiple domains belonging to the army aswell as the navy the National Geospatial-Intelligence Agency, The Defense Manpower Data Center and the environmental laboratory. The vulnerability allows an attacker to inject javascript code into a vulnerable parameter, which can be abused for plenty of things, including cookie hijacking or even infecting your victim’s computer with a driveby-exploit.

Vulnerable domains:
www.dmdc.osd.mil abi.army.mil www7320.nrlssc.navy.mil (2 vulns) www.nwd-wc.usace.army.mil (2 vulns) moh.cecer.army.mil msi.nga.mil

Gallery of vulnerable websites: http://imgur.com/a/EXdMK

lms.noradnorthcom.mil password reset vulnerability


This vulnerability was quite unique. All it took was some simple logic to figure out a huge configuration flaw that could allow me to reset the password for any user at the United States Northern Command. As most people are familiar with, a typical password reset function would be like this:

  • A user enters his email associated with his account
  • An email is sent, which provides a unique link for password reset for the associated account
  • The user enters his new password

The issue with this domain was that the “unique link” wasn’t used, while the forms for step 3 were easily found, which allowed me to to skip phase 1 and 2 mentioned above by simply changing the flag value in the url from 0 to 1. Doing this would send me to the forms attached at screenshot 2, where I would be able to change any password for an associated user without any additional information being required

SQL injections at egeoint.nrlssc.navy.mil and moh.cecer.army.mil

As the last part of this writeup I also have two SQL injections at subdomains belonging to the navy and the army. SQL injection is an old critical vulnerability, where an attacker can inject arbitrary SQL code into a parameter, which can compromise the database(s). It’s an old kind of vulnerability that most people learn how to defend themselves against, but unfortunately there are still plenty of incidents where major organisations get compromised this way.

As you can see in the response code, the vulnerability in moh.cecer.army.mil was caused by a vulnerable login form, where the username-field was vulnerable


It’s a great step for both parts that the US DoD allows people in the hacking community to identify weaknesses in their systems for responsible disclosure. Lots of ethical hackers have previously reported weaknesses in DoD systems, but right now they/we can spare a lot of time trying to reach through to the right individuals, now that the people who are running the program at hackerone will take care of that part for you. The only negative thing is the fact that it takes a lot of times for their teams to resolve your reports even after the bugs have been fixed, which is rather a symptome of lots of reports coming in and a limited amount of ressources. Reporting these vulnerabilities put me at an 11th place out of 270 participants the scoreboard at https://hackerone.com/deptofdefense/thanks

The fact that I was able to identify a password reset vulnerability and two SQL injections, while other people have identified other critical vulnerabilities, proves that encouraging ethical hackers to identify and report weaknesses in critical systems is definitely necessary. While the US DoD program doesn’t award people with bounties, it’s a great opportunity for anyone to test their skills and get recognition for their efforts, especially due to its huge scope

Ingen kommentarer:

Send en kommentar

CVE-2017-7384: Reflected XSS in flippdf leaves thousands of websites vulnerable (0day)

From simple bug bounty to mass discovery of XSS vulnerabilities During my testing in a public bug bounty program awhile ago, I discover...