
How different companies respond to vulnerabilities in their resources

In this post I decided to tell a little about my research in the field of IT security.
Some companies will not be named in the article, so as not to damage their "image".

Resources where vulnerabilities were found: aa.mail.ru, nag.ru, graph.document.kremlin.ru, sencha.com, parallels.com, volgogsm.ru, next-one.ru, as well as tour operator X and one of Gazprom's subsidiaries.

For a long time I have been interested in researching the security of various resources. I use most of them myself, and it was interesting to find out whether my data was safe.

1. Vulnerability on aa.mail.ru


As everyone knows, mail.ru launched the game ArcheAge. We will not go into whether that was a good thing or how successful the launch was. The site aa.mail.ru offered a registration service and a guild search. The vulnerability is the most commonplace one: SQL injection in a GET search parameter. And although request filters are in place that ban an IP when, for example, a POST/GET request contains "union select", they could be bypassed and data from other tables of the site could be retrieved.

Immediately after the discovery, I wrote to support@corp.mail.ru and security@corp.mail.ru. However, even after a day I received no reply to my letters other than an automatic ticket number from their system. The vulnerability was still present on the site. After that I wrote private messages to the mail.ru administration on the aa.mail.ru forum, and was told that I had to write to the tech support of their games specifically, not to mail.ru in general, and was sent to file a ticket there. Well, I did. The ticket was listed "in progress" for another day, and the guild service was not even taken down. And yesterday it was finally closed. Moreover, the wording of the closing announcement is funny: aa.mail.ru/news/309936.html. And now the main thing: my ticket is still "in progress".

Bottom line: hole closed. They did not even say thank you.

UPD: Agreed on mutually beneficial terms (see the comments below).

2. Vulnerability on nag.ru


A long time ago, I decided to test nag.ru for robustness. To my endless chagrin, trivial misconfigurations were found on the forum subdomain. Namely, a test instance of a new version of the forum, with the default admin password, had been exposed publicly. The worst thing was that all the subdomains ran as a single user, so having obtained admin access to the test forum, I got access to the files of all the subdomains. None of my messages to the nag.ru administration received answers; either the letters went to spam or nobody reads them. In any case, this hole is now closed.

Bottom line: hole closed. The administration ignored all the letters.

3. Vulnerability in graph.document.kremlin.ru


Again a trivial misconfiguration. The admin panel was available without a password. In it one could edit the text of decrees, write new ones, and view technical information about the system.

Bottom line: they did not respond to my letter either, but the hole was closed within 24 hours.

4. Vulnerability on sencha.com


Also a trivial case of administrative indifference. A vulnerable version of vBulletin was left in place for 3 months after public exploits appeared.
The saddest thing is that this resource is used by many technical specialists of large companies, and passwords were stored there in the clear.

Bottom line: letters ignored; vulnerability fixed after a long time.

5. Vulnerability on parallels.com


Again, misconfigurations were found on the demo stands of the Parallels Plesk Panel product. The panel itself had no vulnerabilities. It should be noted right away that the stand runs on a virtual machine that automatically reverts to its original state every few hours. But the demo version did not impose enough restrictions on the panel's capabilities. As a result, RDP access with administrator rights was obtained on a Windows server. Strangely, the server had Internet access, and a folder on the management server was writable.
I sent a letter and received an answer almost immediately. After a conversation on Skype, options were proposed on how to restrict the demo panel.

Bottom line: vulnerability partially fixed. As a bonus, 2 licenses for the Parallels Desktop product were issued.

6. Vulnerability on volgogsm.ru


This is the site of one of the former branches of SMARTS, now Rostelecom. Also a misconfiguration, in the form of an unprotected phpMyAdmin folder and the root database password: root.
All of this allowed access to billing, because there were a number of errors in the permission settings in the OS.

Bottom line: vulnerability fixed for a "thank you".

7. Vulnerability on next-one.ru


This is the site of one of the regional Internet operators. While studying their customer portal, an SQL injection was found in a POST request that verifies the PIN codes of payment cards. By crafting the request cleverly, it was possible to read any value in the database character by character. As it turned out, all user passwords are stored in clear text.

Bottom line: I had to call twice. The first time, reaching the first line of tech support, I received the answer "I don't care. If the Internet works for you, then goodbye." On the second call I managed to reach the technical department. Vulnerability fixed for a "thank you".
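The bugs in sections 1 and 7 are the same class (a request parameter pasted into SQL), and sections 4 and 7 both found passwords stored in the clear. The following added example is mine, not code from any of the sites named; it uses a constructed in-memory SQLite schema (the table and column names are assumptions) to show the concatenated query beside its parameterized form, and a salted hash instead of cleartext password storage:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for a guild table and a user table;
# schema and rows are assumptions, not any real site's data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE guilds(name TEXT);
        CREATE TABLE users(login TEXT, pw TEXT);
        INSERT INTO guilds VALUES ('Dragons'), ('Wolves');
    """)
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("hunter2")))
    return db

def search_guilds_vulnerable(db, term):
    # The bug described for aa.mail.ru: the GET parameter is pasted into SQL,
    # so a UNION SELECT appends rows from another table to the result.
    sql = "SELECT name FROM guilds WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def search_guilds_fixed(db, term):
    # Parameterized query: the term travels as data, never as SQL, so no
    # keyword blacklist (like the IP-banning "union select" filter) is needed.
    sql = "SELECT name FROM guilds WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

def hash_password(password, salt=None):
    # Salted PBKDF2 instead of cleartext storage: a leaked users table
    # no longer yields directly usable passwords.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def check_login(db, login, candidate):
    # Parameterized lookup plus constant-time comparison of the derived key.
    row = db.execute("SELECT pw FROM users WHERE login = ?", (login,)).fetchone()
    if row is None:
        return False
    salt_hex, digest_hex = row[0].split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo():
    db = make_db()
    payload = "x%' UNION SELECT login || ':' || pw FROM users --"
    return (search_guilds_vulnerable(db, payload), search_guilds_fixed(db, payload),
            check_login(db, "alice", "hunter2"), check_login(db, "alice", "wrong"))
```

With the same input, the concatenated query returns a row from the users table while the parameterized one returns nothing; the leaked row also shows only a salted hash rather than the password itself.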

8. Vulnerability on “Tour Operator X”


In order not to damage the company's image, this story will not contain names or links to the company.
It all started when I decided to use their services. And since all passport details are entrusted to the tour operator, I was interested in checking how robust they were. It turned out the site is written in Java and has a frightening number of errors. Many pages, given obviously invalid input, were littered with stack traces disclosing paths. On Tomcat, the WEB-INF folder was not protected, which made it possible to get the addresses of all the servlets. Not only that: it contained the login and password for the Oracle database. Next to it lay a test directory with junk and an open file index. Among the junk was even the site administrator's account with a password. But the apogee was something else. On a neighboring host, intended for streaming videos from various resorts, an exposed Oracle manager was discovered, to which the passwords found in WEB-INF fit. As a result, full access was obtained to the customer base, document scans, payroll, etc.
Since this is one of the largest tour operators in the Russian Federation, there were urgent attempts to contact the administration. 3 of my letters were simply ignored. When I sent a screenshot from their Oracle, I finally got an answer.

Bottom line: most of the vulnerabilities have been fixed. Access to the database has been closed. I was given a discount of more than 80% on my tour.

9. Vulnerability in a subsidiary of Gazprom; for short, let's call the organization "*Gas"


One day they called me and offered me a job in IT security at "*Gas". True, on learning that I do not live in Moscow, they were somewhat upset. However, saying that I had been recommended to them as a good specialist (who recommended me I never understood), they offered me to test their resources remotely.
As a result of the analysis, another misconfiguration was found on an FTP server, which allowed anonymous connections. On this FTP were found fresh 1C backups, payroll sheets, employees' personal data, and fresh backups of configs of various systems with passwords inside.

Bottom line: vulnerability closed quickly, with recommendations received.

Conclusion


In addition to the cases cited in the article, there are many cases that I was strongly asked not to write about. However, from my own experience I can say that almost all companies have no awareness of the importance of IT security (not counting the largest Internet giants). Some even react negatively to being given information. And I urge you, as IT specialists in various fields, always to remember: proper separation of access rights and careful work with configs is 50% of a resource's protection.

Source: https://habr.com/ru/post/213217/
