
Page 1: Penetration Testing Report Report PT.pdf · 2019-12-23 · P a g ePenetration Testing Report - Confidential | 6 EXECUTIVE SUMMARY INTRODUCTION IPsafe`s penetration-testing team was

This disclaimer governs the use of this report. The credibility and content of this report are directly derived from the information provided by IPsafe. Although reasonable commercial attempts have been made to ensure the accuracy and reliability of the information contained in this report, the methodology proposed in this report is a framework for the "project" and is not intended to ensure or substitute for compliance with any requirements and guidelines by the relevant authorities. Does not represent that the use of this report or any part of it or the implementation of the recommendation contained therein will ensure a successful outcome, or full compliance with applicable laws, regulations or guidelines of the relevant authorities. Under no circumstances will its officers or employees be liable for any consequential, indirect, special, punitive, or incidental damages, whether foreseeable or unforeseeable, based on claims of IPsafe (including, but not limited to, claims for loss of production, loss of profits, or goodwill). This report does not substitute for legal counseling and is not admissible in court. The content, terms, and details of this report, in whole or in part, are strictly confidential and contain intellectual property, information, and ideas owned by IPsafe. IPsafe may only use this report or any of its content for its internal use. This report or any of its content may be disclosed only to IPsafe employees on a need to know basis, and may not be disclosed to any third party.

Penetration Testing

ISP – Open Internet

Report

June, 2019 Grey Box PT


Penetration Testing Report - Confidential Page | 2

TABLE OF CONTENTS

EXECUTIVE SUMMARY 6
INTRODUCTION 6
SCOPE 6
CPE/ACS 6
INTERNAL ASSESSMENT 6
CONCLUSIONS 8
IDENTIFIED VULNERABILITIES 8
VULN-001 REMOTE CODE EXECUTION (CRITICAL) 8
VULN-002 JUMP/RADIUS SERVERS TAKEOVER (CRITICAL) 8
VULN-003 INSUFFICIENT CONFIGURATION HARDENING (HIGH) 8
VULN-004 WEAK ADMIN CREDENTIALS (HIGH) 9
VULN-005 IMPROPER NETWORK SEGMENTATION (MEDIUM) 9
VULN-006 INSECURE ACS CONFIGURATION (MEDIUM) 9
VULN-007 MAN IN THE MIDDLE (MEDIUM) 9
VULN-008 INSECURE PORT FORWARDING (MEDIUM) 9
VULN-009 DEFAULT ADMIN CREDENTIALS IBMC (MEDIUM) 9
VULN-010 ACCESSIBLE ADMIN PANEL (MEDIUM) 9
VULN-011 WEAK DEFAULT FIREWALL CONFIGURATION (LOW) 9
VULN-012 WEAK MIDDLEWARE CONFIGURATION (LOW) 9
VULN-013 INFORMATION DISCLOSURE – ACS SERVER (LOW) 10
VULN-014 IMPROPER ERROR HANDLING (LOW) 10
VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS (LOW) 10
VULN-016 EXTERNAL ACCESSIBLE SERVICES (LOW) 10
VULN-017 SENSITIVE DATA DISCLOSURE (LOW) 10
VULN-018 INSECURE PCB DESIGN (LOW) 10
VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER (LOW) 10
VULN-020 OLD VERSION SUPPORT (LOW) 10
VULN-021 INSECURE COOKIE (LOW) 11
FINDING DETAILS 12

VULN-001 REMOTE CODE EXECUTION 12
RISK ANALYSIS 12
VULNERABILITY DESCRIPTION 12
VULNERABILITY DETAILS 12
RECOMMENDED RECTIFICATION 14

VULN-002 JUMP/RADIUS SERVERS TAKEOVER 14
RISK ANALYSIS 14
VULNERABILITY DESCRIPTION 14
VULNERABILITY DETAILS 14
RECOMMENDED RECTIFICATION 17

VULN-003 INSUFFICIENT CONFIGURATION HARDENING 19
RISK ANALYSIS 19
VULNERABILITY DESCRIPTION 19
VULNERABILITY DETAILS 19
RECOMMENDED RECTIFICATION 20

VULN-004 WEAK ADMIN CREDENTIALS 21
RISK ANALYSIS 21
VULNERABILITY DESCRIPTION 21
VULNERABILITY DETAILS 21
RECOMMENDED RECTIFICATION 22

VULN-005 IMPROPER NETWORK SEGMENTATION 23
RISK ANALYSIS 23
VULNERABILITY DESCRIPTION 23
VULNERABILITY DETAILS 23
RECOMMENDED RECTIFICATION 23

VULN-006 INSECURE ACS CONFIGURATION 24
RISK ANALYSIS 24
VULNERABILITY DESCRIPTION 24
VULNERABILITY DETAILS 24
RECOMMENDED RECTIFICATION 24

VULN-007 MAN IN THE MIDDLE 25
RISK ANALYSIS 25
VULNERABILITY DESCRIPTION 25
VULNERABILITY DETAILS 25
RECOMMENDED RECTIFICATION 25

VULN-008 INSECURE PORT FORWARDING 26
RISK ANALYSIS 26
VULNERABILITY DESCRIPTION 26
VULNERABILITY DETAILS 26
EXECUTION DEMONSTRATION 26
RECOMMENDED RECTIFICATION 27

VULN-009 DEFAULT ADMIN CREDENTIALS IBMC 28
RISK ANALYSIS 28
VULNERABILITY DESCRIPTION 28
VULNERABILITY DETAILS 28
RECOMMENDED RECTIFICATION 32

VULN-010 ACCESSIBLE ADMIN PANEL 33
RISK ANALYSIS 33
VULNERABILITY DESCRIPTION 33
VULNERABILITY DETAILS 33
EXECUTION DEMONSTRATION
RECOMMENDED RECTIFICATION 36

VULN-011 WEAK DEFAULT FIREWALL CONFIGURATION 37
RISK ANALYSIS 37
VULNERABILITY DESCRIPTION 37
VULNERABILITY DETAILS 37
RECOMMENDED RECTIFICATION 37

VULN-012 WEAK MIDDLEWARE CONFIGURATION 38
RISK ANALYSIS 38
VULNERABILITY DESCRIPTION 38
VULNERABILITY DETAILS 38
EXECUTION DEMONSTRATION 38
RECOMMENDED RECTIFICATION 38

VULN-013 INFORMATION DISCLOSURE – ACS SERVER 39
RISK ANALYSIS 39
VULNERABILITY DESCRIPTION 39
VULNERABILITY DETAILS 39
RECOMMENDED RECTIFICATION 40

VULN-014 IMPROPER ERROR HANDLING 41
RISK ANALYSIS 41
VULNERABILITY DESCRIPTION 41
VULNERABILITY DETAILS 41
RECOMMENDED RECTIFICATION 41

VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS 42
RISK ANALYSIS 42
VULNERABILITY DESCRIPTION 42
VULNERABILITY DETAILS 42
RECOMMENDED RECTIFICATION 42

VULN-016 EXTERNAL ACCESSIBLE SERVICES 43
RISK ANALYSIS 43
VULNERABILITY DESCRIPTION 43
VULNERABILITY DETAILS 43
RECOMMENDED RECTIFICATION 44

VULN-017 SENSITIVE DATA DISCLOSURE 45
RISK ANALYSIS 45
VULNERABILITY DESCRIPTION 45
VULNERABILITY DETAILS 45
RECOMMENDED RECTIFICATION 45

VULN-018 INSECURE PCB DESIGN 46
RISK ANALYSIS 46
VULNERABILITY DESCRIPTION 46
VULNERABILITY DETAILS 46
RECOMMENDED RECTIFICATION 48

VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER 49
RISK ANALYSIS 49
VULNERABILITY DESCRIPTION 49
VULNERABILITY DETAILS 49
RECOMMENDED RECTIFICATION 50

VULN-020 OLD VERSION SUPPORT 51
RISK ANALYSIS 51
VULNERABILITY DESCRIPTION 51
VULNERABILITY DETAILS 51
RECOMMENDED RECTIFICATION 52

VULN-021 INSECURE COOKIE 53
RISK ANALYSIS 53
VULNERABILITY DESCRIPTION 53
VULNERABILITY DETAILS 53
EXECUTION DEMONSTRATION 53
RECOMMENDED RECTIFICATION 53

APPENDICES 54
METHODOLOGY 54
APPLICATION TESTS 54
INFRASTRUCTURE TESTS 56
FINDING CLASSIFICATION 58


EXECUTIVE SUMMARY

INTRODUCTION

IPsafe's penetration-testing team was requested to conduct penetration testing of the “GPON” infrastructure for “ISP”. Our test aimed to uncover vulnerabilities and logical bugs that can put “ISP” and its users at risk. During the audit, the team reviewed the ability to map the infrastructure and the ability to withstand attacks. The different tests aimed to uncover misconfigurations and vulnerabilities. The report contains suggestions to mitigate them and enhance the security of the systems in use, to increase the overall safety of the data they contain.

The grey-box security audit was performed against the “ISP Network” infrastructure during June 2019.

SCOPE

CPE/ACS

The penetration testing started at Naples HQ against the CPE (ZTE-F680) and its infrastructure with no prior knowledge of the environment.

The main goal of this part was to uncover flaws which a malicious actor can exploit, and to mitigate them, focusing on the provided CPE.

INTERNAL ASSESSMENT

The second part of the penetration testing was performed from the London HQ against ISP's infrastructure with no prior knowledge of the environment.

The main goal of this part was to uncover vulnerabilities and misconfigurations inside the internal LAN which might assist a potential malicious actor in lateral movement and exploitation.

The audit included:

- General injection attacks and code execution attacks on both client and server sides.
- OWASP Top 10 possible vulnerabilities, including CSRF tests and advanced hacking techniques.
- Inspection of sensitive data handling and risk of information disclosure.
- Tests for advanced logical bugs and cross-account actions.
- Hardening inspection.

TEST LIMITATIONS

The audit was conducted mostly on the production environment, and thus automated and DoS attacks were excluded.

Lateral movement inside the internal network was also excluded due to GDPR issues.

SUMMARY

The penetration testing team was able to find a critical vulnerability (RCE) on the ACS server, which allowed them to gain access from the client's environment to ISP's internal network.

The vulnerability was based on insufficient input validation in the FreeACS server used by the company.

Inside ISP's network, the penetration testing team uncovered a few misconfigurations and weak credentials, which allowed the team to penetrate the RADIUS and jump servers.

If an attacker exploited these bugs, they could exfiltrate sensitive information from the network and its devices.


CONCLUSIONS

From our professional perspective, the overall

security level of the system is Low -Medium.

The current environment is vulnerable to Remote

Code Execution which allows a malicious threat actor

to gain access to the local network and as well, it is

possible to perform multiple malicious actions

against this infrastructure, for an example:

Execute Remote code inside ISP`s LAN and

perform lateral movement

Perform DNS Hijacking on all of ISP`s client using

a hidden admin user or by pushing malicious

configuration from the ACS

Abuse weak admin credentials on servers such as the “Ponte” server and run crypto miners and

ransomware on multiple sensitive networks.

Abuse misconfiguration and weak credentials to hijack network devices.

Gain access to unprotected critical assets such as Hadoop database.

Exploiting most of these vulnerabilities requires a Medium – High technical knowledge.

IDENTIFIED VULNERABILITIES

VULN-001 REMOTE CODE EXECUTION (CRITICAL)

A Remote Code Execution vulnerability can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application.

VULN-002 JUMP/RADIUS SERVERS TAKEOVER (CRITICAL)

A server takeover allows the attacker to execute any commands of their choice on a target machine. The term is commonly used together with remote code execution to describe a software bug that gives an attacker a way to take complete control of the system.

VULN-003 INSUFFICIENT CONFIGURATION HARDENING (HIGH)

Application server configurations play a vital role in the security of a web application and routers. These routers are responsible for serving content and invoking applications that generate content. Also, many routers provide several services that the end user can use. Failure to manage the proper configuration of your router can lead to a wide variety of security problems.

[Chart: Vulnerabilities by severity (Critical, High, Medium, Low, Informative); 21 findings in total]


VULN-004 WEAK ADMIN CREDENTIALS (HIGH)

Weak admin credentials make it easier for attackers to compromise user accounts. An authentication mechanism is only as secure as its credentials. For this reason, it is essential to restrict users to strong passwords.

VULN-005 IMPROPER NETWORK SEGMENTATION (MEDIUM)

When a particular client or server is compromised by an attacker, the impact can be minimized by separating them. Client separation is required between different types of systems or applications that are not supposed to communicate with each other internally, to ensure that a security breach won't affect the entire network.

VULN-006 INSECURE ACS CONFIGURATION (MEDIUM)

An insecure ACS configuration may lead to a full ACS takeover and various other attacks on the ACS server itself.

VULN-007 MAN IN THE MIDDLE (MEDIUM)

A Man-In-The-Middle attack allows an attacker to intercept communication between two systems. In HTTP, FTP, and SAMBA transactions, the target is the TCP connection between client and server.

VULN-008 INSECURE PORT FORWARDING (MEDIUM)

Services in the local network are usually inaccessible from the internet; in order to reach a service located behind a router, the user has to configure port forwarding.

Insecure port forwarding may lead to compromise of the entire network and exposure of sensitive information.

VULN-009 DEFAULT ADMIN CREDENTIALS IBMC (MEDIUM)

Default admin credentials that are set during installation should be changed. An unauthenticated, remote attacker could exploit this vulnerability by logging in to the affected application using known default credentials. If successful, the attacker could access a targeted system with elevated privileges.

VULN-010 ACCESSIBLE ADMIN PANEL (MEDIUM)

An accessible admin panel describes a situation where administrative panels are publicly available.

VULN-011 WEAK DEFAULT FIREWALL CONFIGURATION (LOW)

A firewall provides protection against attackers and other threats to the application and reports on these threats. Even if a vulnerability exists within the application, the security system could alert on an attempt to exploit it and sometimes block it. If the firewall is not configured correctly, the attacker can bypass it and access the vulnerable service.

VULN-012 WEAK MIDDLEWARE CONFIGURATION (LOW)

Weak middleware configuration occurs while CPE provisioning against the ACS server takes place. If the user is accessing the web admin panel at this time, they can review and change sensitive settings and still retain full admin authority, which bypasses the business logic of ISP.


VULN-013 INFORMATION DISCLOSURE – ACS SERVER (LOW)

Revealing sensitive and critical information about the system and applications may help attackers focus their attacks. Sensitive information may appear in the form of HTTP headers, error messages, source code comments, informative pages, and more.

VULN-014 IMPROPER ERROR HANDLING (LOW)

A web application must define a default error page for 404 errors, 500 errors, stack traces, and more. Specifically designed exception handling prevents attackers from mining information about the application. When an attacker explores a web site looking for vulnerabilities, the amount of data that the site provides is crucial to the eventual success or failure of any attempted attack.

VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS (LOW)

A lot of personal information goes through the router. Protection against infiltration is, therefore, paramount. In order to ensure nobody can connect to the router without the user's consent, different security protocols and features are developed.

VULN-016 EXTERNAL ACCESSIBLE SERVICES (LOW)

An externally accessible service is sometimes highly sensitive and should be adequately secured to prevent attackers from accessing it. Even when authentication is enforced properly, one should never expose these services to the outside world.

VULN-017 SENSITIVE DATA DISCLOSURE (LOW)

Revealing sensitive and critical information about the system and applications may help attackers focus their attacks. Sensitive information may appear in the form of HTTP headers, error messages, source code comments, informative pages, and more.

VULN-018 INSECURE PCB DESIGN (LOW)

Insecure PCB design allows attackers to map and gather sensitive information about the microcontrollers installed on the PCB. An attacker with physical access to the PCB can map the connections and interact with the exposed interfaces of the microcontrollers embedded in the PCB.

VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER (INFORMATIVE)

Revealing sensitive and critical information about the system and applications may help attackers focus their attacks. Sensitive information may appear in the form of HTTP headers, error messages, source code comments, informative pages, and more.

VULN-020 OLD VERSION SUPPORT (INFORMATIVE)

What makes it easier for attackers to target software is the virtually guaranteed presence of vulnerabilities, which can be exploited to violate one or more of the software's security properties. Most successful attacks result from targeting and exploiting outdated software versions.


VULN-021 INSECURE COOKIE (INFORMATIVE)

The application utilizes HTTP cookies in order to exchange sensitive information (such as the session ID) with its clients but does not include the “Secure” attribute when creating the cookie. Without the "Secure" attribute, the browser will send the cookie over a non-encrypted (HTTP) channel, thereby exposing the content of the cookie to any attacker eavesdropping on the network.


FINDING DETAILS

VULN-001 REMOTE CODE EXECUTION

RISK ANALYSIS
Total Risk: Critical | Severity: Critical | Probability: Critical | Fix effort: Medium

TARGET HOST AND ENTRANCE POINT
The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X). The entrance point was the CPE network in City_Name.

VULNERABILITY DESCRIPTION
Remote Code Execution vulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application.

After gaining access to the system, attackers will often attempt to elevate their privileges through other running services. With escalated privileges, an attacker could steal sensitive information, cause a denial of service, and implant additional malware.

VULNERABILITY DETAILS
During the test, we successfully identified the ACS server in ISP's network as “FreeACS”, as detailed in finding “VULN-008”.

In addition, we found that it is possible to abuse the FreeACS server and run remote code on it. The server is located at the following address: X.X.X.X

What makes this worse is that the remote code execution occurs inside the Authorization header, which means the user doesn't need to authenticate to perform the attack and take full control over the FreeACS web panel.

During the audit, we first gained access to the sensitive data on the CPE concerning the TR069 protocol and exploited the insufficient configuration hardening detailed in finding “VULN-002”. Those findings allowed the team to understand when and how the CPE connects to the ACS server.

The exploitation took place in the Inform message the CPE sends at the beginning of the session with the ACS.

The following image demonstrates a typical session between a CPE and an ACS server:


The CPE begins every session by sending an Inform RPC to the ACS, with arguments that include the event that caused the session. This is done over an HTTP POST request.

The XML query that carries the Inform RPC values was exploitable and allowed injection by inserting the following line of code into the Authorization header:

And here is the execution point, as can be seen in the next image:
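The rectification given for this finding is server-side parameter sanitation. The following added example, written for this edit and not taken from the report or from the FreeACS project, shows the allow-list approach for one of the inputs named above, the Authorization header of the Inform POST: the scheme, the Base64 payload and the decoded username are each checked against a strict grammar before any part of the header is logged, stored or used in a lookup. The ACS is assumed to be configured for HTTP Basic authentication; the username character set, the length limits and every sample header are assumptions constructed for this example.

```python
"""Allow-list validation of the Authorization header on a TR-069 Inform POST.

Added example (not FreeACS code).  Assumptions: the ACS accepts HTTP Basic
only, and CPE usernames are limited to the character class in _USERNAME.
"""
import base64
import re


class AuthHeaderError(ValueError):
    """The header did not match the allow-list; the request must be rejected."""


_SCHEME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7235 token
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")               # Base64 alphabet only
_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")          # assumed CPE account policy
MAX_HEADER_LEN = 512
MAX_PASSWORD_LEN = 128


def parse_basic_authorization(header):
    """Return (username, password) or raise AuthHeaderError.

    Every stage checks its input against an allow-list, so nothing that is
    later logged, stored or interpolated can carry characters outside it.
    """
    if not isinstance(header, str) or len(header) > MAX_HEADER_LEN:
        raise AuthHeaderError("missing or oversized header")
    scheme, sep, credentials = header.strip().partition(" ")
    if not sep or not _SCHEME.match(scheme):
        raise AuthHeaderError("malformed scheme token")
    if scheme.lower() != "basic":
        raise AuthHeaderError("unsupported scheme " + scheme)
    credentials = credentials.strip()
    if not _B64.match(credentials):
        raise AuthHeaderError("credentials are not Base64")
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:   # binascii.Error is a ValueError
        raise AuthHeaderError("credentials do not decode") from exc
    username, sep, password = decoded.partition(":")
    if not sep:
        raise AuthHeaderError("no username:password separator")
    if not _USERNAME.match(username):
        raise AuthHeaderError("username contains characters outside the allow-list")
    if not password or len(password) > MAX_PASSWORD_LEN or not password.isprintable():
        raise AuthHeaderError("password empty, too long, or not printable")
    return username, password


def classify(header):
    """Map a header to 'accepted:<user>' or 'rejected:<reason>' for logging."""
    try:
        username, _ = parse_basic_authorization(header)
        return "accepted:" + username
    except AuthHeaderError as exc:
        return "rejected:" + str(exc)


def _basic(userpass):
    """Build a Basic header from 'user:password' (sample construction only)."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()


# Constructed sample headers; all values are made up for this example.
SAMPLE_HEADERS = {
    "well_formed": _basic("ZTEG12345678:s3cret!"),
    "markup_in_user": _basic("<cpe>:pw"),              # outside the account policy
    "digest_not_enabled": 'Digest username="cpe", realm="acs"',
    "not_base64": "Basic not-base64!!!",
    "oversized": "Basic " + "A" * 600,
}


def audit_samples():
    """Classify every sample header; used by the test and when run directly."""
    return {name: classify(header) for name, header in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:20} {verdict}")
```

Rejecting at the first stage that fails keeps the error path short and means the decoded bytes never reach logging or a database lookup unless every layer matched; the same per-layer allow-listing applies to the XML body of the Inform, where each parameter value should be checked against the type and length declared for it in the data model.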


RECOMMENDED RECTIFICATION
Implement parameter sanitation on the server side.

Consider forking the open-source code and fixing all the issues in ISP's version of the code.

VULN-002 JUMP/RADIUS SERVERS TAKEOVER

RISK ANALYSIS
Total Risk: Critical | Severity: Critical | Probability: High | Fix effort: Medium

TARGET HOST AND ENTRANCE POINT
The targets in this vulnerability were 3 servers in the network 10.246.128.0/24:

10.246.x.y – Ponte (Bridge/Jump Server)
10.246.z.m – New Radius
10.246.k.p – Radius

The entrance point was a physically connected cable to the network 10.246.g.k/24 in the London server room.

VULNERABILITY DESCRIPTION
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. A RADIUS server provides better security, allowing a company to set up a policy that will be applied at a single administered network point.

However, if an attacker is able to get access inside the RADIUS server, they will be able to control all the services which use this access server.

VULNERABILITY DETAILS
During our test, we gained access to the ACS server via the remote code execution described in finding “VULN-001”, which allowed us to access the internal network. We then performed comprehensive scanning on the internal network and identified multiple servers and systems, some of which had exposed SSH services.

By using specially written scripts, we performed targeted and throttled brute-force based on a small dictionary of common passwords related to “ISP” and were able to get access to 3 different servers in the local network:

10.246.x.y – Ponte (Bridge/Jump Server)
10.246.z.m – New Radius
10.246.k.p – Radius


The exploitation was successful since these security best practices were not enforced:

- Certificate-based authentication to sensitive servers
- Disallowing remote connection protocols for the power user (root)
- Strong password policy

Two of the servers were RADIUS servers, as can be seen in the following screenshots:

Root shell on the “radius” server


Root shell on the “newradius” server

After gaining access, we checked whether the RADIUS servers contained any critical information and found a few sensitive files which included a list of usernames, passwords, and IP addresses, as can be seen in the following picture:

Confidential information found on the “radius” server

Besides the RADIUS servers mentioned before, we successfully gained admin access to the “Ponte” server, which has a connection to multiple sensitive networks in addition to confidential services such as DNS and RADIUS; the following image demonstrates the access and the different interfaces of the server:


Root access on the “Ponte” server

Also, while exploring the servers that we successfully breached, we found the clear-text DCN secret key of the following clients:

83.224.q.w
91.80.z.x

Identified clients

The located clear-text keys

A potential attacker might exploit this vulnerability to gain unauthorized access to these sensitive networks and servers and cause severe damage, such as confidential data exfiltration, DoS, and more.

RECOMMENDED RECTIFICATION
Disallow remote connections to the system with administrative users such as “root” and use a standard-permission user for authentication purposes.


It is recommended to change the authentication method for critical servers to certificate-based authentication rather than password authentication. If that is not possible, enforce a strict password policy:

- Passwords must be at least 8-10 characters long, ideally longer (especially for administrative accounts).
- Passwords must be complex, with alphabetic and numeric characters, including special characters (#$%).
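The rectification above can be verified mechanically on each server. The following added example (written for this edit, not part of the report) parses an OpenSSH sshd_config and checks the directives that implement the recommendation: root login disabled, password authentication disabled in favour of public-key authentication, and empty passwords refused. The keyword names are real OpenSSH directives; the two configuration texts are constructed for the example. The parser applies sshd's first-occurrence rule for repeated keywords and stops at the first Match block, whose settings apply only conditionally.

```python
"""Audit an OpenSSH sshd_config against the hardening recommended for the jump
and RADIUS servers.  Added example, not from the report."""
import re

# keyword (lower-case) -> values that satisfy the recommendation
RECOMMENDED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive
_DIRECTIVE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return the effective global value of each keyword.

    sshd honours the first occurrence of a keyword, and settings below a
    'Match' line apply only when that block matches, so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        effective.setdefault(keyword, value)   # first occurrence wins
    return effective


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    effective = parse_sshd_config(text)
    findings = []
    for keyword, allowed in RECOMMENDED.items():
        value = effective.get(keyword)
        if value is None:
            findings.append(f"{keyword}: not set explicitly (compiled-in default applies)")
        elif value.lower() not in allowed:
            findings.append(f"{keyword}: is {value!r}, expected {sorted(allowed)}")
    return findings


# Constructed samples: the first resembles the state described in the finding.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowGroups ssh-ops
# A later duplicate does not override the first occurrence:
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "compliant")
```

Because the check reads the effective global value, it will not be fooled by a second, permissive `PermitRootLogin` placed lower in the file; a Match block that re-enables password authentication for one user is outside its scope and has to be reviewed by hand.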


VULN-003 INSUFFICIENT CONFIGURATION HARDENING

RISK ANALYSIS
Total Risk: High | Severity: Medium | Probability: Critical | Fix effort: Low

TARGET HOST AND ENTRANCE POINT
The target in this vulnerability was the CPE in City_Name. The entrance point was physical access to the CPE in City_Name.

VULNERABILITY DESCRIPTION
Application server configurations play a vital role in the security of any devices and routers. These routers are responsible for serving content and invoking applications that generate content. Also, many routers provide several services that the end user can use. Failure to manage the proper configuration of your router can lead to a wide variety of security problems.

VULNERABILITY DETAILS
During our test, we found that it is possible to revert the secure configuration of the router to the default, which is quite insecure. The action can be performed simply by pushing the factory reset button.

The reset button

By reverting to the default configuration, the end user can access features which were intentionally hidden in the router and view sensitive information like the TR069 configuration and address, dial-up configuration, and much more.

The following image shows the differences between the versions:


Before and after settings reset

When inspecting the settings after the reset process, we found the TR069 configuration settings and information, which aren't accessible to the user in the updated version:

This could allow a malicious threat actor to expose sensitive data and flaws inside ISP's network topology.

It is essential to mention that during the audit we leveraged these flaws, and they played a vital role in the RCE against the ACS.

RECOMMENDED RECTIFICATION
Make sure to override the factory reset partition with a secure configuration; this way a factory reset will not uncover hidden functionality.

It is recommended to use firmware with the final security configuration.


VULN-004 Weak Admin Credentials

RISK ANALYSIS Total Risk High Severity High Probability Medium Fix effort Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was a network access to the CPE.

VULNERABILITY DESCRIPTION Weak Admin Credentials vulnerability describes a situation which allows an attacker to

abuse the administrative credentials to gain unauthorized access to interfaces and

management panels.

VULNERABILITY DETAILS During the test, it was found during the exploitation of insecure configurations hardening that besides the default admin:admin user which has restricted admin access, ISP created another hidden administrative user which allows them to gain full access.

For example, under the Administration tab, a local admin user cannot access the sensitive TR069 settings while the hidden “admin@ISP” user can.

After exploiting the factory reset misconfiguration, we were able to see that under TR069 settings there is a hidden admin user:

User settings after a configuration reset

After several login attempts, we were able to uncover that the password for this user is the same as the username.

Using the same value for the username and the password is a common practice and is not recommended, especially for administrative panels.


To exploit this vulnerability and gain full unauthorized access, an attacker does not need to brute-force the application; the password can simply be guessed, which makes the exploitation probability higher.

Furthermore, because this user is hidden from regular customers, a potential adversary can create malware which performs DNS hijacking. A regular customer who uses the ISP's CPE, and who has even changed the default admin password, is not aware of the hidden privileged admin account; such a customer might, for example, give someone Wi-Fi access or be compromised by malware, which would allow the threat actor to perform DNS hijacking.

The following steps elaborate on the DNS hijacking:

1. A potential attacker connects to the network, enumerates the router technologies and learns that the ISP and a ZTE CPE are in use, as described in VULN-011.

2. The attacker uses the hidden administrator (admin@ISP) to edit the DNS server settings and make himself the DNS server.

3. The attacker redirects the user to malicious websites whenever he wants and steals sensitive credentials.

Also, this vulnerability will assist a potential attacker in exploiting other issues, like the one described in VULN-001, by opening more functionality in the system, which enlarges the attack surface.

RECOMMENDED RECTIFICATION It is recommended to change every account whose username and password are the same.

Passwords must be at least 8-10 characters long, ideally longer (especially for administrative accounts).

Use complex passwords with alphanumeric characters, including special characters (#$%).

Set the password maximum age to 120 days to force users to change their password.

Set the password minimum age to 3-7 days to prevent users from changing their password multiple times in a short time.

Enforce password history so users will not be able to re-pick the same password over again.


VULN-005 Improper Network Segmentation

RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Medium

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the network 10.246.x.y/24.

The entrance point was a physically connected cable to the network in the London server room.

VULNERABILITY DESCRIPTION Improper network segmentation allows users to access various network resources which should, by design, be restricted using network segmentation.

Networks which are divided into VLANs are usually separated for security reasons by network and security engineers, to enhance the security of the system or to establish order. Improper routing between the networks, also known as a flat network, essentially removes the protection of the VLAN segmentation and allows potential attackers to move laterally between sensitive networks and access sensitive data.

VULNERABILITY DETAILS During our test, we discovered that the network segmentation in the following address range is improper:

10.246.p.t/25

This network is the heart of “ISP” internal servers and thus has to be as secure as possible.

Due to improper segmentation, we managed to laterally move and access different sensitive servers and applications such as the radius and the “Ponte” servers.

Due to the sensitivity of the network, only core services should be inside.

We discovered that there are some workstations in the network which pose a threat to the system. A potential attacker may use domain hijacking techniques to try to penetrate one of these computers and get access to all of its connected services and sessions on the network.

RECOMMENDED RECTIFICATION It is recommended to separate the user and server networks to enhance the security of the network.

It is recommended to use certificate authentication for sensitive servers such as the bridge servers.

It is recommended to use a NAC solution to administer sensitive networks.


VULN-006 Insecure ACS Configuration

RISK ANALYSIS Total Risk: Medium | Severity: Low | Probability: Medium | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was physical access to the CPE in City_Name.

VULNERABILITY DESCRIPTION An Auto Configuration Server (ACS) is software that manages devices remotely.

The device establishes the connection with the ACS only at specific points in time. It usually lasts several seconds, just enough to exchange all necessary messages between the CPE and the ACS.

Insecure ACS configuration may lead to various attacks on the ACS itself.

VULNERABILITY DETAILS During our test, after the reboot/factory reset, it was revealed that the TR069 client allows any ACS to control it and specify the configuration remotely. As can be seen, the “Connection Request URL” parameter is http://0.0.0.0:58000, which means anyone can send malicious updates to the CPE via port 58000.

TR069 configuration on the CPE

RECOMMENDED RECTIFICATION It is recommended to use a whitelist which includes only the ISP's ACS servers.

Consider updating the default router configuration to force it to connect to the ISP's ACS at boot.


VULN-007 Man in The Middle

RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was network access to the CPE.

VULNERABILITY DESCRIPTION A Man-In-The-Middle attack allows an attacker to intercept communication between two systems. In HTTP, FTP and SAMBA transactions, the target is the TCP connection between client and server. Using different techniques, the attacker can split the original TCP connection into two instances, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy, reading, inserting, and modifying the data in the intercepted communication.

VULNERABILITY DETAILS During our test, we found that it is possible to abuse the local services installed on the router.

Most of the router services are unencrypted, which allows the attacker to perform a man-in-the-middle attack and get access to the data; for example, the router's FTP service is considered insecure:

FTP configuration

There is also an unencrypted Samba service.

RECOMMENDED RECTIFICATION Use an encrypted channel (TLS) for all client-server communications, such as FTPS.

Implement the HSTS header to move HTTP traffic automatically to HTTPS.

Consider disabling insecure services, as was already done for Telnet, which is disabled.


VULN-008 INSECURE PORT FORWARDING

RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was network access to the CPE.

VULNERABILITY DESCRIPTION Port forwarding allows external internet connections to contact your router, which then forwards them to a computer in the local network and its service.

A malicious attacker can exploit port forwarding to access internal sensitive data.

VULNERABILITY DETAILS During our test, we found that it is possible to reach our public IP address from the internet and access internal services which were automatically forwarded.

We monitored the traffic using Wireshark and found that it is possible to access internal services from a remote host.

To abuse this misconfiguration, a potential adversary can perform port scanning and access all internal services.

Anyone with a remote website can obtain the user's IP address, scan his home network and find out that sensitive services such as the following are accessible:

SMB

FTP

HTTP

EXECUTION DEMONSTRATION The following screenshot demonstrates a Samba connection from the remote IP address 2.58.x.y:


We were also able to brute-force the FTP service remotely using hydra (a hacking tool for performing advanced brute-force attacks), as can be seen in the following image:

Then we connected to the FTP server remotely, which should be closed to internet users.

RECOMMENDED RECTIFICATION Make sure to deny access from remote IP addresses by default, and allow it only if permitted by the user via the router configuration.


VULN-009 DEFAULT ADMIN CREDENTIALS IBMC

RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The targets in this vulnerability were 4 iBMC devices in the network 10.40.z.p/24:

10.40.x.y

10.40.x.u

10.40.x.p

10.40.x.g

The entrance point was a physically connected cable to the network 10.40.x.p/24 in the London server room.

VULNERABILITY DESCRIPTION A Default Admin Credentials vulnerability describes a situation in which an attacker can abuse the administrative credentials to gain unauthorized access to interfaces and management panels.

VULNERABILITY DETAILS During the test, it was found that the iBMC admin panel and shell can be accessed with default credentials:

root

Huai12#$

Due to this, a malicious user can control the iBMC service and gain full access.

The Intelligent Baseboard Management Controller (iBMC) is Huawei's proprietary system for remote server management. iBMC complies with Intelligent Platform Management Interface (IPMI) 2.0 and SNMP standards and supports various functions, including keyboard, video, and mouse (KVM) redirection, text console redirection, remote virtual media, and hardware monitoring and management.

The following addresses were breached:

10.40.x.p

10.40.x.u

10.40.x.y

10.40.x.g


Admin access to the iBMC server on 10.40.x.y


Further testing revealed that the default credentials allowed access over SSH as well.


Admin access to the iBMC server on 10.40.x.u



Admin access to the iBMC server on 10.40.x.q

RECOMMENDED RECTIFICATION It is recommended to change every account whose username and password are the same.

Passwords must be at least 8-10 characters long, ideally longer (especially for administrative accounts).

Use complex passwords with alphabetic and numeric characters, including special characters (#$%).

Set the password maximum age to 120 days to force users to change their password.

Set the password minimum age to 3-7 days to prevent users from changing their password multiple times in a short time.

Enforce password history so a user will not be able to re-pick the same password over again.
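The password rules above (and the identical rules under VULN-004) can be enforced mechanically before a credential is provisioned on a CPE or iBMC account. The following checker is an added example written for this edit, not code from IPsafe, ZTE or Huawei; the numeric constants mirror the report's recommendations where it gives them (10 characters, 120-day maximum age, 3-day minimum age), while the history depth of 5 and the string-based date interface are assumptions.

```python
"""Password-policy checker for administrative accounts (added example).

Encodes the recommended rectification for VULN-004 / VULN-009 so that a new
password can be rejected before it is provisioned on a CPE or iBMC account.
Not IPsafe, ZTE or Huawei code; the constants are taken from the report's
numbers where it gives them, HISTORY_DEPTH is an assumption.
"""
from datetime import date, timedelta
from typing import List, Optional
import hashlib
import string

MIN_LENGTH = 10        # report: "at least 8-10 characters"; the stricter bound is used
MAX_AGE_DAYS = 120     # report: password max age 120 days
MIN_AGE_DAYS = 3       # report: min age 3-7 days; the lower bound is used
HISTORY_DEPTH = 5      # assumption: how many previous passwords are remembered
SPECIAL_CHARS = set(string.punctuation)   # includes the report's examples # $ %


def _digest(password: str) -> str:
    # The history holds SHA-256 digests so old passwords are never kept in clear text.
    # This digest is for reuse comparison only, not for storing the live credential.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _to_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def check_password(username: str, password: str, history: List[str],
                   last_changed: Optional[str] = None,
                   today: Optional[str] = None) -> List[str]:
    """Return the policy violations for a proposed password (empty list = acceptable).

    history: digests of previous passwords, oldest first (see record_change).
    last_changed / today: ISO dates used for the minimum-age rule; today defaults to now.
    """
    problems = []
    if password.lower() == username.lower():
        problems.append("password equals username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix letters and digits")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("must contain a special character such as # $ %")
    if _digest(password) in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    changed, now = _to_date(last_changed), _to_date(today) or date.today()
    if changed is not None and now - changed < timedelta(days=MIN_AGE_DAYS):
        problems.append(f"changed less than {MIN_AGE_DAYS} days ago")
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """True once a password is older than MAX_AGE_DAYS and must be rotated."""
    return _to_date(today) - _to_date(last_changed) > timedelta(days=MAX_AGE_DAYS)


def record_change(history: List[str], password: str) -> List[str]:
    """Append the new password's digest and keep only the last HISTORY_DEPTH entries."""
    return (history + [_digest(password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed check: the report's hidden account used its username as its password.
    print(check_password("admin@ISP", "admin@ISP", []))
    print(check_password("admin@ISP", "Vx7#qL2m9$pW", []))
```

The username-equals-password rule is the one that catches the admin@ISP account from VULN-004 on its own; the other rules reject it as well, so a provisioning script that runs this check would never have accepted it.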


VULN-010 ACCESSIBLE ADMIN PANEL

RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the entire 172.x.y.z network, which contains multiple servers and services. Almost all of the services were found to be unprotected.

The entrance point was a physically connected cable to the network 172.k.l.m/24 in the London basement (the room on floor -1, which is controlled by some other company).

VULNERABILITY DESCRIPTION Accessible Management Panel describes a situation where administrative panels are publicly accessible.

Many systems include several management panels to control different parts of the system. These administrative panels make it easier for system administrators to manage and change preferences. If these panels are accessible to an attacker, he may exploit that to gain administrative access to the system.

VULNERABILITY DETAILS During the audit, we found accessible admin panels on different subdomains of the “LI” network:

Hadoop

Tomcat

A potential attacker might exploit these admin panels to run commands on the servers and eavesdrop on local sensitive information.

EXECUTION DEMONSTRATION The following screenshot demonstrates the administrative panel access page:


Nifi’s exposed admin panel



Hadoop’s exposed admin panel

Nifi’s remote command execution panel exposed


Tomcat’s exposed admin panel

RECOMMENDED RECTIFICATION It is recommended to limit access to the component's management panels to a specific IP address.

It is recommended to implement an authentication mechanism for the component's management panels.

Do not allow public access to the admin panels.

Enable access to the management system only from white-listed IP sources.


VULN-011 Weak Default Firewall configuration

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was network access to the CPE.

VULNERABILITY DESCRIPTION Weak Default Firewall configuration occurs when the firewall settings are set by default to the lowest security configuration. This puts the customers at risk: since most customers are not technical, there is a high probability that these settings will never be changed.

VULNERABILITY DETAILS During the test, it was found that the default firewall configuration is set to the weakest setting available, which is without the “Anti-Hacking Protection” feature and with the firewall level set to “Low”.

The following image demonstrates weak settings:

The default configuration of the router

Since most customers are not technical, there is a high probability that this setting will not be changed, and therefore potential attackers might exploit it.

RECOMMENDED RECTIFICATION It is recommended to enable at least the medium security features by default to enhance customers' protection from malicious attackers.


VULN-012 WEAK MIDDLEWARE CONFIGURATION

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was network access to the CPE.

VULNERABILITY DESCRIPTION Weak middleware configuration occurs during the provisioning of the CPE against the ACS server.

If the user accesses the web admin panel at the provisioning stage, he can review and change sensitive settings and still enjoy full admin authority, which bypasses the ISP's business logic.

VULNERABILITY DETAILS During the test, we found that while the middleware configuration is set by the ACS on the related CPE, the customer can change the ACS IP address and/or define his own DNS server as the router's primary DNS server, which allows him to gain WAN access and also to have permanent access to all of the sensitive configurations, such as the TR069 settings.

A potential attacker might abuse this misconfiguration to research the connection between the CPE and the ISP, find more misconfigurations and exploit them.

EXECUTION DEMONSTRATION The following screenshot shows that changing the TR069 ACS server address is allowed, as is setting a DNS server:

RECOMMENDED RECTIFICATION Restrict user access to sensitive fields which may influence the business logic, such as the TR-069 ACS address and the DNS server.
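The settings singled out in this finding, in VULN-006 (a Connection Request URL bound to 0.0.0.0 and no ACS whitelist) and in the DNS hijacking path of VULN-004 can all be checked from an exported CPE configuration. The following audit is an added example, not code from the report, ZTE or any ACS vendor: it assumes the configuration has been flattened into a dict keyed by TR-069 ManagementServer parameter names plus a DNSServers entry, and the ISP allowlists, the hostnames and the two sample exports are constructed placeholders.

```python
"""Audit of a CPE's TR-069 management and DNS settings (added example).

Not code from the report, ZTE or an ACS vendor. Assumes the CPE configuration has
been exported to a flat dict keyed by TR-069 ManagementServer parameter names
(plus a DNSServers entry); the ISP allowlists and the sample configs are constructed.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed ISP policy. Hostnames and addresses are placeholders (example/TEST-NET ranges).
ISP_ACS_HOSTS = {"acs.isp.example", "acs2.isp.example"}
ISP_DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed exports. WEAK_CPE mirrors the report: Connection Request URL on 0.0.0.0:58000,
# an ACS address the customer changed, and a customer-chosen DNS server (VULN-004 hijack path).
WEAK_CPE = {
    "ManagementServer.URL": "http://198.51.100.10:9443/tr069",
    "ManagementServer.ConnectionRequestURL": "http://0.0.0.0:58000",
    "DNSServers": "203.0.113.9,192.0.2.53",
}
HARDENED_CPE = {
    "ManagementServer.URL": "https://acs.isp.example/tr069",
    "ManagementServer.ConnectionRequestURL": "http://192.0.2.77:58000",
    "DNSServers": "192.0.2.53,192.0.2.54",
}


def _host_of(url):
    """Hostname part of a URL, or None when the URL is empty or unparsable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def _is_wildcard(host):
    """0.0.0.0 or :: means 'listen on every interface', i.e. no source restriction."""
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


def audit_cpe(config):
    """Return a list of (check, detail) findings for one exported CPE configuration."""
    findings = []
    acs_url = config.get("ManagementServer.URL", "")
    acs_host = _host_of(acs_url)
    if acs_host is None or acs_host not in ISP_ACS_HOSTS:
        findings.append(("acs-not-allowlisted", acs_host))
    if acs_url.lower().startswith("http://"):
        findings.append(("acs-plaintext", acs_url))
    cr_host = _host_of(config.get("ManagementServer.ConnectionRequestURL", ""))
    if cr_host is None or _is_wildcard(cr_host):
        # The report found http://0.0.0.0:58000 here after a factory reset.
        findings.append(("connection-request-unrestricted", cr_host))
    rogue = [d.strip() for d in config.get("DNSServers", "").split(",")
             if d.strip() and d.strip() not in ISP_DNS_SERVERS]
    if rogue:
        findings.append(("dns-not-isp", ",".join(rogue)))
    return findings


if __name__ == "__main__":
    print(audit_cpe(WEAK_CPE))      # four findings
    print(audit_cpe(HARDENED_CPE))  # []
```

Run against a fleet export on a schedule, the dns-not-isp and acs-not-allowlisted checks double as a drift detector: a CPE whose resolver or ACS silently changed after provisioning is exactly the symptom of the account abuse described in VULN-004.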


VULN-013 INFORMATION DISCLOSURE – ACS SERVER

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Medium | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X).

The entrance point was the CPE network in City_Name.

VULNERABILITY DESCRIPTION An Information Disclosure vulnerability is a misconfiguration problem that provides information about the technology used by the application. This information mostly appears in server responses, errors, or broken functionality.

Response headers and default error pages reveal the server’s type, version, and maybe other technologies in use, which may help an attacker in finding vulnerabilities and plan his attack on the system.

In order to enhance the security of the product, it is essential to manage errors and prevent sensitive information leakage.

VULNERABILITY DETAILS While enumerating the ACS server that was found at the following address:

X.X.X.X/TR069/OK

Server response caught in Burp

we saw that the response contains a unique answer, “FREEACSOK”, which belongs to the open-source “FREE ACS Server”, which can be downloaded from GitHub at https://github.com/freeacs

A potential attacker might use this information to focus on this server and plan the attack course.


It is essential to mention that we used this information leakage to research the FreeACS server, and by doing so we managed to gain RCE, as elaborated in finding VULN-001.

RECOMMENDED RECTIFICATION Substitute the default answers with unique, undisclosed answers which do not reveal the technologies being used.


VULN-014 IMPROPER ERROR HANDLING

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X).

The entrance point was the CPE network in City_Name.

VULNERABILITY DESCRIPTION Improper Error Handling can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user or hacker.

These messages reveal implementation details that should never be revealed. Such information can provide hackers essential clues on potential flaws in the site, and such messages are also disturbing to ordinary users.

VULNERABILITY DETAILS During our test, while examining the traffic between the CPE and the ACS, we found that the ACS server discloses private architecture information to the user.

In the following screenshot you can see that the ACS discloses that the web server is “nginx/1.14.2”:

Default NGINX 404 response page

As we demonstrated multiple times during our test, such information can assist the attacker in penetrating the organization.

RECOMMENDED RECTIFICATION A specific policy for how to handle errors should be documented, including the types of errors to be processed and, for each, what information is going to be reported back to the user and what information is going to be logged. All developers need to understand the policy and ensure that their code follows it.

Use custom error pages without information disclosure.


VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was network access to the CPE.

VULNERABILITY DESCRIPTION A lot of personal information goes through the router. Protection against infiltration is, therefore, paramount. To ensure nobody can connect to the router without the user's consent, different security protocols and features have been developed.

The ZTE router contains three security features intended to protect against network infiltration and to provide filtering:

MAC Filter

IP Filter

Service Control Filter

VULNERABILITY DETAILS During the test, it was found that the security features provided by ZTE can be easily bypassed; for example, the attacker can change his IP address to avoid the IP Filter or change his MAC address to get past the MAC Filter.

By spoofing the MAC address and IP address, it is also possible to bypass the Service Control Filter.

RECOMMENDED RECTIFICATION Consider performing IP/MAC matching against the DHCP address and information supplied by the router to the endpoint device.

Block network equipment with duplicated MAC/IP addresses.
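The IP/MAC matching the recommendation asks for can be done on the router itself by comparing the DHCP lease table with the neighbour (ARP) table: an address that is in use but was never leased, or that is in use by a different MAC than the one it was leased to, is the signature of the spoofing described above. The following is an added example, not ZTE firmware code or anything from the report; it assumes a dnsmasq-style lease file and the output of `ip neigh`, both of which are constructed samples with private addresses.

```python
"""DHCP-lease vs. neighbour-table consistency check (added example).

Not ZTE firmware code or anything from the report. Implements the IP/MAC matching
recommended for VULN-015: every address seen on the LAN must match the DHCP lease
that handed it out. Assumes a dnsmasq-style lease file and `ip neigh` output;
both inputs below are constructed samples with private addresses.
"""
import re

# Constructed dnsmasq lease file: "<expiry> <mac> <ip> <hostname> <client-id>"
LEASES = """\
1561000000 aa:bb:cc:dd:ee:01 192.168.1.10 laptop 01:aa:bb:cc:dd:ee:01
1561000000 aa:bb:cc:dd:ee:02 192.168.1.11 printer *
1561000000 aa:bb:cc:dd:ee:03 192.168.1.12 phone *
"""

# Constructed `ip neigh` output as the router would see it:
#   .11 is claimed by a MAC that never leased it (IP filter bypass),
#   .50 was never leased at all and is used by the MAC that holds .12 (MAC filter bypass).
NEIGH = """\
192.168.1.10 dev br0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.11 dev br0 lladdr aa:bb:cc:dd:ee:99 STALE
192.168.1.12 dev br0 lladdr aa:bb:cc:dd:ee:03 REACHABLE
192.168.1.50 dev br0 lladdr aa:bb:cc:dd:ee:03 REACHABLE
192.168.1.60 dev br0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17}) (\w+)$", re.IGNORECASE)


def parse_leases(text):
    """Map each leased IP to the MAC the DHCP server assigned it to."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            leases[parts[2]] = parts[1].lower()
    return leases


def parse_neigh(text):
    """Return (ip, mac) pairs for neighbour entries that carry a link-layer address."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:   # entries without lladdr (e.g. FAILED) do not match and are skipped
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def find_spoofing(leases, neigh):
    """Compare observed neighbours with leases; return (kind, subject, detail) findings."""
    findings = []
    ips_by_mac = {}
    for ip, mac in neigh:
        ips_by_mac.setdefault(mac, []).append(ip)
        leased_mac = leases.get(ip)
        if leased_mac is None:
            findings.append(("unleased-ip", ip, mac))          # static/spoofed IP, no lease
        elif leased_mac != mac:
            findings.append(("ip-mac-mismatch", ip, mac))      # IP taken over by another MAC
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in find_spoofing(parse_leases(LEASES), parse_neigh(NEIGH)):
        print(finding)
```

Hosts with legitimately static addresses will show up as unleased-ip, so a deployment needs a static-reservation list merged into the lease map; the duplicate-mac check is the one that directly implements the "block duplicated MAC/IP equipment" recommendation.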


VULN-016 EXTERNAL ACCESSIBLE SERVICES

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X).

The entrance point was the CPE network in City_Name.

VULNERABILITY DESCRIPTION Device and server configurations play a crucial role in the security of a network. These devices are responsible for serving content and invoking applications that generate content.

Also, many application servers provide several services that users can use, including data storage, directory services, mail, messaging, and more.

Failure to manage the proper configuration of your devices can lead to a wide variety of security problems.

VULNERABILITY DETAILS During our test, we found that the device 2.58.x.y exposes multiple services and is wide open to the internet. This can allow an attacker to try to exploit these services from a remote location.

Scan results for open ports on 2.58.x.y

It is possible to communicate with the services and create an SSH connection from the internet to the device:


RECOMMENDED RECTIFICATION Consider limiting access to the device to authorized users/IPs only.

Consider configuring the firewall to hide internal devices.
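The recommendations for VULN-008, VULN-010 and this finding come down to one control: nothing on the public address is reachable unless an administrator explicitly permitted it, and SMB, FTP, Telnet and HTTP admin panels are never permitted. The following added example (not from the report or any vendor) parses an Nmap grepable-output (`-oG`) scan of the public side and reports every open port that is not on the permitted list. The scan text, the address 203.0.113.7 and the permitted set are constructed placeholders; the Telnet entry in the never-expose table is an assumption beyond the report's list.

```python
"""WAN exposure audit over an Nmap grepable scan (added example).

Not code from the report or a vendor. Serves VULN-008, VULN-010 and VULN-016: any port
open on the public address that an administrator did not explicitly permit is reported,
and ports carrying SMB, FTP, Telnet or an HTTP admin panel are rated critical. The scan
text (Nmap -oG format), the address 203.0.113.7 and the permitted set are constructed.
"""

# Ports the report says must never be reachable from the internet (assumption: Telnet added).
NEVER_EXPOSE = {21: "FTP", 23: "Telnet", 80: "HTTP admin panel", 139: "NetBIOS", 445: "SMB"}

# Constructed -oG output; each port entry is port/state/proto/owner/service/rpc/version/.
NMAP_GREPABLE = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 203.0.113.7 ()\tStatus: Up\n"
    "Host: 203.0.113.7 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http///, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "445/open/tcp//microsoft-ds///, 58000/open/tcp////, 23/closed/tcp//telnet///\t"
    "Ignored State: closed (994)\n"
    "# Nmap done\n"
)

# Constructed: the only port the customer knowingly forwarded.
PERMITTED = {"203.0.113.7": {22}}


def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                p = entry.split("/")
                if len(p) >= 7 and p[1] == "open":
                    hosts.setdefault(host, []).append((int(p[0]), p[2], p[4], p[6]))
    return hosts


def wan_exposure(hosts, permitted):
    """List (severity, host, port, service, version) for open ports not explicitly permitted."""
    findings = []
    for host, ports in hosts.items():
        allowed = permitted.get(host, set())
        for port, proto, service, version in ports:
            if port in allowed:
                continue
            severity = "critical" if port in NEVER_EXPOSE else "review"
            findings.append((severity, host, port,
                             service or NEVER_EXPOSE.get(port, "unknown"), version))
    return findings


if __name__ == "__main__":
    for f in wan_exposure(parse_grepable(NMAP_GREPABLE), PERMITTED):
        print(*f)
```

Scanning an ISP's own customer address block from the outside with this policy, as a routine check rather than a one-off test, is the cheapest way to notice when a firmware update re-enables automatic forwarding of the kind the report found.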


VULN-017 SENSITIVE DATA DISCLOSURE

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was network access to the CPE.

VULNERABILITY DESCRIPTION Sensitive data exposure vulnerabilities can occur when an application does not adequately protect confidential information from being disclosed to attackers. For many applications, this may be limited to information such as passwords, but it can also include information such as credit card data, session tokens, or other authentication credentials.

VULNERABILITY DETAILS During our audit, we managed to get access to TR069 information and other inner CPE information; one of the parameters we found was the PON number, which is the unique user identifier.

By sharing this PON number, users may overlap in the ACS configuration and receive unauthorized internet access.

RECOMMENDED RECTIFICATION Consider hiding sensitive information from the end user.


VULN-018 Insecure PCB Design

RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was physical access to the CPE in City_Name.

VULNERABILITY DESCRIPTION Insecure PCB design allows attackers to map and gather sensitive information about the microcontrollers installed on the PCB.

An attacker with physical access to the PCB can map the connections and interact with the exposed interfaces of the microcontrollers embedded in the PCB.

To accomplish that, the serial number or “FCCID” printed on the microcontrollers is used to identify them. Some microcontrollers have debugging interfaces and even file systems which can be extracted.

Once the attacker connects to the interface, he can gather sensitive information and, depending on the connection, also dump the firmware or access the file system directly.

Without protection, an attacker can steal the intellectual property of the victim (ZTE/ISP), access the file system, and dump the firmware for flaw/vulnerability research in the application's source code.

VULNERABILITY DETAILS During the audit, it was discovered that the ZTE F680's PCB has exposed debug interfaces; for example, the following microcontroller FCCID was exposed:

Winbond w29n0


Visibility of the FCCID on the microcontroller

Identifying the FCCID allowed us to find its datasheet, which included the pin assignment:

https://eu.mouser.com/datasheet/2/949/w29n01hvxina_revc-1489886.pdf

The pin assignment datasheet found for the microcontroller


RECOMMENDED RECTIFICATION Consider removing any indicators of the technologies and microcontrollers in use on the PCB.

Consider disabling any debug interfaces on the production printed circuit boards.

Remove hardware test points.

Remove software support.


VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER

RISK ANALYSIS Total Risk: Informative

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was network access to the CPE.

VULNERABILITY DESCRIPTION An Information Disclosure Vulnerability is a misconfiguration problem that provides information about the technology used by the application. This information mostly appears in server responses, errors, or broken functionality.

Response headers and default error pages reveal the server’s type, version, and maybe other technologies in use, which may help an attacker in finding vulnerabilities and plan his attack on the system.

To enhance the security of the product, it is essential to manage errors and prevent sensitive information leakage.

VULNERABILITY DETAILS While enumerating the router Web panel, we discovered that web server response headers contain sensitive information about the server technologies.

The “Server” response header contained the following:

Mini web server 1.0 ZTE corp 2005

A potential attacker might use this information to focus on this server and expand the attack.

Header information disclosure as caught in Burp


Because this web server is ZTE's own customized product rather than a widely deployed server, the probability that an attacker finds a public exploit matching the banner is lower; nevertheless, it is recommended to remove the header.

RECOMMENDED RECTIFICATION Replace the default server responses (the "Server" header and the default error pages) with generic values that do not reveal the technologies being used, or omit the "Server" header entirely.


VULN-020 OLD VERSION SUPPORT

RISK ANALYSIS Total Risk Informative

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was a network access to the CPE.

VULNERABILITY DESCRIPTION What makes it easier for attackers to target software is the virtually guaranteed presence of vulnerabilities in it, which can be exploited to violate one or more of the software's security properties.

A large share of successful attacks result from targeting and exploiting outdated software versions whose vulnerabilities are already publicly known.

VULNERABILITY DETAILS In the course of our test we found that the ZTE router uses the Samba (SMB) service to share files with Windows devices; file sharing can be turned on from the admin panel, as shown in the following screenshot:

SAMBA configuration on a ZTE router

The problem is that the Samba service is configured for SMBv1, a protocol version with multiple known vulnerabilities that is disabled by default on Windows 10 (see the Windows error below). Leaving SMBv1 enabled exposes the router and its shared files to attacks against that protocol version, while current Windows clients cannot even use the feature.


Windows error when accessing SMBv1

RECOMMENDED RECTIFICATION Upgrade the services used by the router, the Samba service in particular, to a current version that supports SMBv2 or SMBv3, and disable SMBv1. Consult the vendor documentation about known vulnerabilities in the deployed versions.

Upgrade all other applications used on the router to their latest versions likewise.
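The following check, added here as an example and not part of the original report or of ZTE's software, implements the probe a tester would run to confirm this finding and a retest after the fix: it sends an SMB1 NEGOTIATE request that offers only SMBv1 dialects and reads which one the server selects. A DialectIndex other than 0xFFFF means SMBv1 is still enabled. The replies produced by build_sample_response() are constructed in the code, and the host and port passed to probe() are hypothetical.

```python
"""SMBv1 negotiate probe: added example, not code from the original report.

Offers a target only SMBv1 dialects in a NEGOTIATE request and reads the
DialectIndex in the reply: anything other than 0xFFFF means the server still
speaks SMBv1. The replies built by build_sample_response() are constructed
for illustration, not captured from a real router.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF  # DialectIndex a server returns when it accepts none
# Offered in this order; the server's DialectIndex is an index into this list.
SMB1_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def smb1_header(command, flags, mid=1):
    """32-byte SMB1 header (little-endian): magic, Command, NTSTATUS, Flags,
    Flags2, PIDHigh, SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, flags,
                       0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)


def build_negotiate_request(dialects=SMB1_DIALECTS):
    """NetBIOS session message carrying an SMB1 NEGOTIATE request."""
    header = smb1_header(SMB_COM_NEGOTIATE, flags=0x18)
    # Each dialect entry is BufferFormat 0x02 followed by a NUL-terminated name.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    # WordCount 0 (no parameter words), ByteCount, then the dialect list.
    body = header + b"\x00" + struct.pack("<H", len(data)) + data
    # NetBIOS session header: type 0x00 plus a 24-bit big-endian length.
    return struct.pack(">I", len(body)) + body


def build_sample_response(dialect_index):
    """Constructed stand-in for a router's NEGOTIATE reply (not a capture)."""
    header = smb1_header(SMB_COM_NEGOTIATE, flags=0x98)  # 0x80 marks a reply
    if dialect_index == NO_DIALECT:
        words = struct.pack("<H", NO_DIALECT)  # WordCount 1: refusal
    else:
        # WordCount 17 (NT LM 0.12 layout); fields after DialectIndex zeroed.
        words = struct.pack("<H", dialect_index) + b"\x00" * 32
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", 0)
    return struct.pack(">I", len(body)) + body


def parse_negotiate_response(msg):
    """DialectIndex chosen by the server, or None when the reply is not an
    SMB1 NEGOTIATE response (SMB2 magic 0xFE 'SMB', a truncated read, or an
    error reply carrying no parameter words)."""
    body = msg[4:]
    if len(body) < 35 or body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        return None
    if body[32] == 0:  # WordCount
        return None
    return struct.unpack_from("<H", body, 33)[0]


def smb1_enabled(msg):
    idx = parse_negotiate_response(msg)
    return idx is not None and idx != NO_DIALECT


def selected_dialect(msg, dialects=SMB1_DIALECTS):
    """Name of the accepted dialect, or None if SMBv1 was refused."""
    idx = parse_negotiate_response(msg)
    if idx is None or idx == NO_DIALECT or idx >= len(dialects):
        return None
    return dialects[idx].decode()


def probe(host, port=445, timeout=5.0):
    """Probe a live host (hypothetical target; not exercised offline).
    A dropped connection or an SMB2 reply both count as 'SMBv1 disabled'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        reply = b""
        while len(reply) < 4 + 35:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
        return smb1_enabled(reply)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "SMBv1 enabled:", probe(sys.argv[1]))
    else:
        for idx in (2, NO_DIALECT):
            reply = build_sample_response(idx)
            print("index %#06x -> enabled=%s dialect=%s" % (
                idx, smb1_enabled(reply), selected_dialect(reply)))
```

Run it with a hostname to probe a live target, or without arguments to exercise the two constructed replies. On a Samba-based router the corresponding fix is to raise the server's minimum protocol (the Samba option `server min protocol = SMB2`), after which the same probe should see a DialectIndex of 0xFFFF, or a dropped connection, for every SMBv1 dialect offered.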


VULN-021 INSECURE COOKIE

RISK ANALYSIS Total Risk Informative

TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.

The entrance point was a network access to the CPE.

VULNERABILITY DESCRIPTION The application uses HTTP cookies to exchange sensitive information (such as the session token) with its clients but does not set the "HttpOnly" and "Secure" attributes when creating the cookies.

Without the "HttpOnly" attribute, the content of the cookie is accessible to JavaScript code, and if the application is vulnerable to Cross-Site Scripting, the attacker would be able to steal the user's token and authenticate on behalf of the victim.

Without the "Secure" attribute, the browser will also send the cookie over a non-encrypted (HTTP) channel, thereby exposing the content of the cookie to any attacker eavesdropping on the network.

VULNERABILITY DETAILS During the test, we found that the server does not protect its cookies correctly. We could not find any Cross-Site Scripting vulnerability, but should an attacker find one in a future feature, they would be able to steal the token cookie.

EXECUTION DEMONSTRATION The following screenshot shows that neither cookie has the "Secure" or "SameSite" protection flags enabled:

RECOMMENDED RECTIFICATION Set the "HttpOnly" attribute on sensitive cookies, to prevent access by malicious client-side code (JavaScript).

Set the "Secure" attribute on all sensitive cookies, to prevent them from being sent over a non-encrypted channel.

Consider also setting the "SameSite" attribute, so that the browser does not attach the cookie to cross-site requests.
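The following audit, added here as an example for VULN-019 and VULN-021 and not part of the original report or of the router's firmware, parses a raw HTTP response, flags fingerprinting headers such as "Server", lists the protection attributes missing from each Set-Cookie header, and produces the corrected form of the response that the two recommendations describe. SAMPLE_RESPONSE and its cookie names are constructed placeholders; only the Server banner is taken from the finding.

```python
"""HTTP response audit for VULN-019 and VULN-021: added example, not code
from the original report or the router's firmware. SAMPLE_RESPONSE is
constructed; the cookie names are placeholders, only the Server banner is
taken from the finding."""

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
REQUIRED_COOKIE_ATTRS = ("HttpOnly", "Secure", "SameSite")

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Mini web server 1.0 ZTE corp 2005\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSION_TOKEN=3f9a1c7e5b2d; Path=/\r\n"
    "Set-Cookie: LANG=en; Path=/\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...], body).
    Header order and duplicates (several Set-Cookie lines) are preserved."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def parse_set_cookie(value):
    """Return (cookie_name, cookie_value, {attr_lowercase: attr_value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_response(raw):
    """Findings: technology banners present, and per cookie the missing
    protection attributes (empty list / dict when the response is clean)."""
    _status, headers, _body = parse_response(raw)
    findings = {"fingerprint": [], "cookies": {}}
    for name, value in headers:
        lname = name.lower()
        if lname in FINGERPRINT_HEADERS:
            findings["fingerprint"].append((name, value))
        elif lname == "set-cookie":
            cookie, _, attrs = parse_set_cookie(value)
            missing = [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in attrs]
            if missing:
                findings["cookies"][cookie] = missing
    return findings


def hardened_set_cookie(name, value, path="/", same_site="Strict"):
    """Set-Cookie value for a session token as the recommendation describes:
    HttpOnly keeps it from script, Secure keeps it off plaintext HTTP,
    SameSite stops the browser attaching it to cross-site requests."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure; SameSite={same_site}"


def hardened_response(raw):
    """Rewrite a response: drop technology banners, protect every cookie."""
    status, headers, body = parse_response(raw)
    out = [status]
    for name, value in headers:
        lname = name.lower()
        if lname in FINGERPRINT_HEADERS:
            continue  # disposing of the header, as VULN-019 recommends
        if lname == "set-cookie":
            cookie, cookie_value, attrs = parse_set_cookie(value)
            value = hardened_set_cookie(cookie, cookie_value, attrs.get("path", "/"))
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(audit_response(SAMPLE_RESPONSE))
    print(audit_response(hardened_response(SAMPLE_RESPONSE)))
```

Pointing audit_response() at a real response captured in Burp gives the same two findings as the report; running it again over the output of hardened_response() shows both of them gone. If the embedded server cannot omit the "Server" header, a fixed generic value is the next best option, and the audit can be tightened to accept only that value.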


APPENDICES METHODOLOGY

The work methodology includes some or all of the following elements, to meet client requirements:

APPLICATION TESTS Various tests to identify:

o Vulnerable functions.

o Known vulnerabilities.

o Un-sanitized Input.

o Malformed and user manipulated output.

o Coding errors and security holes.

o Unhandled overload scenarios.

o Information leakage.

General review and analysis (including code review tests if requested by the client).

Automated tools are used to identify security-related issues in the code or the application.

After the automated review, thorough manual tests are performed regarding:

o Security functions: Checking whether security functions exist, whether they operate based on a white list or a black list, and whether they can be bypassed.

o Authentication mechanism: The structure of the identification mechanism, checking the session ID's strength, securing the identification details on the client side, and bypassing through the use of mechanisms for changing passwords, recovering passwords, etc.

o Authorization policy: Verifying the implementation of the authorization validation procedures, whether they are implemented in all the application's interfaces, and checking for a variety of problems, including forced browsing, information disclosure, directory listing and path traversal.

o Encryption policy: Checking whether encryption mechanisms are implemented in the application and whether these are robust, well-known mechanisms or ones that were developed in-house, and decoding scrambled data.

o Cache handling: Checking that relevant information is not saved in the cache memory on the client side and whether cache poisoning attacks can be executed.


o Log off mechanism: Checking whether users are logged off in a controlled manner after a predefined period of inactivity in the application and whether information that can identify the user is retained after logging off.

o Input validation: Checking whether strict validation is performed on all the parameters received from the user, such as matching the values to the parameter types, whether the values meet maximal and minimal length requirements, whether obligatory fields have been filled in, checking for duplication, filtering dangerous characters, and SQL / Blind SQL injection.

o Information leakage: Checking that essential or sensitive information about the system is not leaking through headers or error messages, comments in the code, debug functions, etc.

o Signatures (with source code in case of a code review test): Checking whether the code was signed in a manner that does not allow a third party to modify it.

o Code obfuscation (with source code in case of a code review test, or in the case of a client-server application): Checking whether the code was obfuscated or encrypted in a manner that does not allow debugging or reverse engineering.

o Administration settings: Verifying that the connection strings are encrypted and that custom errors are used.

o Administration files: Verifying that the administration files are separate from the application and that they can be accessed only via a robust identification mechanism.

o Auditing, logging and registration functions: Checking the documentation and logging mechanism for all the significant actions in the application, and checking that the logs are saved in a secure location where they cannot be accessed by unauthorized parties.

o Error handling: Checking whether the error messages that are displayed are generic and do not include technical data, and whether the application operates on the fail-safe principle.

In-depth manual tests of an application's business logic and complex attack scenarios.

Review of possible attack scenarios, presenting exploit methods and POCs.

Test results: a detailed report which summarizes the findings, including their:

o Description.

o Risk level.

o The probability of exploitation.

o Details.


o Mitigation recommendations.

o Screenshots and detailed exploit methods.

Additional elements that may be provided if requested by the client:

o Providing the development team with professional support throughout the rectification process.

o Repeat test (validation) including report resubmission after rectification is completed.

INFRASTRUCTURE TESTS

Interviewing the infrastructure personnel and a general architecture review.

Various tests to identify:

o IP addresses, active DNS servers.

o Active services.

o Open ports.

o Default passwords.

o Known vulnerabilities.

o Infrastructure-related information leakage.

Comprehensive review and analysis. Automated tools are used to identify security-related issues in the infrastructure components.

After an automated review, thorough manual tests are performed regarding:

o Vulnerable, open services.

o Authentication mechanism.

o Authorization policy.

o Encryption policy.

o Log off mechanism.

o Information leakage.

o Administrative settings.

o Administrative files.

o Error handling.

o Exploitation of known security holes.

o Infrastructure local information leakage.

o Bypassing security systems.

o Robustness of network segregation.


In-depth manual tests of the application's business logic and complex scenarios.

Review of possible attack scenarios, presenting exploit methods and POCs.

Test results: a detailed report which summarizes the findings, including their:

o Description.

o Risk level.

o Probability of exploitation.

o Details.

o Mitigation recommendations.

o Screenshots and detailed exploit methods.

Additional elements that may be provided if requested by the client:

o Providing the development team with professional support throughout the rectification process.

o Repeat test (validation) including report resubmission after rectification is completed.


FINDING CLASSIFICATION

Severity

The finding’s severity relates to the impact which might be inflicted to the organization due to that finding. The severity level can be one of the following options, and is determined by the specific attack scenario:

Critical – Critical level findings are ones which may cause significant business damage to the organization, such as:

- Significant data leakage

- Denial of Service to essential systems

- Gaining control of the organization’s resources (For example Servers, Routers, etc.)

High – High-level findings are ones which may cause damage to the organization, such as:

- Data leakage

- Execution of unauthorized actions

- Insecure communication

- Denial of Service

- Bypassing security mechanisms

- Other kinds of business damage

Medium – Medium level findings are ones which may increase the probability of carrying out attacks, or perform a small amount of damage to the organization, such as –

- Discoveries which make it easier to conduct other attacks

- Findings which may increase the amount of damage which an attacker can inflict, once he carries out a successful attack

- Findings which may inflict a low level of damage to the organization

Low – Low-level findings are ones which may inflict a marginal cost to the organization, or assist the attacker when performing an attack, such as –

- Providing the attacker with valuable information to help plan the attack

- Findings which may inflict marginal damage to the organization

- Results which may slightly aid the attacker when carrying out an attack, or remaining undetected

Informative – Informative findings are findings without any information security impact. However, they are still brought to the attention of the organization.