How different companies respond to vulnerabilities in their resources

In this post, I decided to talk a little about my research in the field of IT security.
Some companies will not be named in this article, so as not to tarnish their "image".

Resources in which the vulnerabilities were found: aa.mail.ru, nag.ru, graph.document.kremlin.ru, sencha.com, parallels.com, volgogsm.ru, next-one.ru, as well as tour operator X and one of Gazprom's subsidiaries.

For a long time I have enjoyed studying the security of various resources. I have used most of them myself, and it was interesting to find out whether my data was safe.

1. Vulnerability on aa.mail.ru


As everyone probably knows, mail.ru launched the game ArcheAge. We will not discuss here whether that was a good thing or how successful the launch was. The site aa.mail.ru offered a guild registration and search service. It had the most common vulnerability there is: SQL injection in the GET search request. And although request filters were in place that ban your IP when, for example, a POST/GET request contains "union select", they could be bypassed to get data output from the site's other tables.

Immediately after discovering it, I wrote to the support@corp.mail.ru and security@corp.mail.ru mailboxes. However, even after a day there was no answer to my letters apart from an automatic ticket number from their system. The vulnerability was still on the site. After that, I sent private messages to the mail.ru administrators on the aa.mail.ru forum. They replied that I had to write to the tech support for their game specifically, not to mail.ru in general, and told me to file a ticket there. Well, I did. The ticket sat "in progress" for another day, while the guild service was not even taken down. And yesterday it was finally closed. The wording of the closure notice is at aa.mail.ru/news/309936.html. And the main thing is that my ticket is still hanging "in progress".

Bottom line: The hole is closed. They didn’t even say thank you.

UPD: We agreed on mutually beneficial terms in the comments below.

2. Vulnerability on nag.ru


Once I decided to test nag.ru for robustness. To my endless chagrin, trivial misconfigurations were found on the forum subdomain. Namely, a test instance of the new forum version was exposed with the default admin password. The worst thing was that all subdomains ran under a single user, so after getting admin access to the test forum I got access to the files of all the subdomains. None of my messages to the nag.ru administration received a response. Either the letters went to spam, or they don't read them. In any case, this hole is now closed.

Bottom line: The hole is closed. The administration ignored all the letters.

3. Vulnerability in graph.document.kremlin.ru


Again a trivial misconfiguration. An admin panel without a password was accessible. In the admin panel it was possible to change the text of decrees and write new ones, and technical information about the system was exposed as well.

Bottom line: My letter was not answered either, but the hole was closed within a day.

4. Vulnerability on sencha.com


Another commonplace case of administrator indifference. They left a vulnerable version of vBulletin running for 3 months after public exploits appeared.
The saddest thing is that many technical specialists from large companies use this resource, and passwords were stored there in the clear.

Bottom line: The letters were ignored; the vulnerability was fixed after a long time.

5. Vulnerability on parallels.com


Again, misconfigurations were found, this time in the product demos of the Parallels Plesk Panel. The panel itself had no vulnerabilities, and it should be noted right away that the demo runs on a virtual machine that is automatically reset to its original state every few hours. But the demo version did not restrict the panel's capabilities enough. As a result, RDP access with administrator rights was obtained on the Windows server. Strangely, the server had Internet access, and a folder on the managing server was writable.
I sent a letter and almost immediately received a response. After a conversation on Skype, options were proposed for how to restrict the demo panel.

Bottom line: The vulnerability was partially fixed. As a bonus, I was given 2 licenses for Parallels Desktop.

6. Vulnerability on volgogsm.ru


This is the site of one of the former branches of SMARTS, now part of Rostelecom. Again a misconfiguration: an exposed phpMyAdmin folder and a database login of root:root.
All this made it possible to reach the billing system, since there were also a number of errors in the OS access-rights settings.

Bottom line: The vulnerability was fixed for a "thank you".

7. Vulnerability on next-one.ru


This is the site of one of the regional Internet providers. While studying their customer portal, SQL injection was found in the POST request that checks the PIN codes of payment cards. By crafting the request carefully, it was possible to read any value in the database character by character. As it turned out, all user passwords were stored in clear text.

Bottom line: I had to call 2 times. The first time, I reached first-line tech support and got the answer "Well, I don't care. If your Internet works, then goodbye." On the second call I managed to reach the technical department. The vulnerability was fixed for a "thank you".
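Both the GET-search injection from section 1 and the POST PIN-check injection from section 7 come down to the same defect: user input concatenated into the SQL text, which is why a keyword filter that bans "union select" is a blacklist rather than a fix. The following Python example is added here and is not code from any of the sites in the post. It builds a constructed SQLite schema (the `guilds` and `users` tables, their columns and the sample rows are all assumptions), runs the same search input against the vulnerable string-built query and the parameterized one, and stores the password salted and hashed instead of in clear text, which is the other defect section 7 found.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> str:
    # Salted PBKDF2-HMAC-SHA256: a leaked row yields a hash, not the password
    # itself (contrast the clear-text storage described in section 7).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def register_user(conn: sqlite3.Connection, login: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (login, pw_hash, salt) VALUES (?, ?, ?)",
        (login, hash_password(password, salt), salt.hex()),
    )
    conn.commit()


def build_db() -> sqlite3.Connection:
    # Constructed in-memory schema standing in for a guild search table and a
    # credentials table; names and layout are assumptions, not a real site's.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE guilds (id INTEGER PRIMARY KEY, name TEXT, server TEXT);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, login TEXT UNIQUE,
                             pw_hash TEXT, salt TEXT);
        INSERT INTO guilds (name, server) VALUES ('Dragons', 'eu1'), ('Knights', 'eu2');
        """
    )
    register_user(conn, "alice", "s3cret")
    return conn


def search_guilds_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The pattern behind the post's first finding: the search parameter is
    # pasted straight into the SQL text, so a UNION inside the input rewrites
    # the statement and pulls rows out of an unrelated table.
    sql = f"SELECT name, server FROM guilds WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_guilds_fixed(conn: sqlite3.Connection, term: str) -> list:
    # Bound parameter: the value travels separately from the SQL text and is
    # matched literally against guild names. No "union select" blacklist or
    # IP ban is needed for this to hold.
    sql = "SELECT name, server FROM guilds WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def verify_password(conn: sqlite3.Connection, login: str, password: str) -> bool:
    # Parameterized lookup plus constant-time comparison of the stored hash;
    # an injection attempt in `login` simply matches no row.
    row = conn.execute(
        "SELECT pw_hash, salt FROM users WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        return False
    expected = hash_password(password, bytes.fromhex(row[1]))
    return hmac.compare_digest(expected, row[0])


# Constructed search input of the kind the post describes: closes the LIKE
# literal, appends a UNION over a two-column table, comments out the rest.
PAYLOAD = "x%' UNION SELECT login, pw_hash FROM users -- "


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_guilds_vulnerable(db, PAYLOAD))  # leaks the users row
    print("fixed:     ", search_guilds_fixed(db, PAYLOAD))       # []
    print("login ok:  ", verify_password(db, "alice", "s3cret"))  # True
```

The vulnerable function returns the `users` row for the same input that the fixed function treats as a guild name nobody has; that contrast, not the presence of a keyword filter, is what to look for when reviewing search and login handlers.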

8. Vulnerability on "Tour Operator X"


So as not to damage the company's image, this story will contain no names or links to the company.
It all started when I decided to use their services. And since you entrust all your passport data to a tour operator, I was interested in checking how secure they were. As it turned out, their site, written in Java, had so many errors that it is scary to imagine. Many pages, given obviously invalid input, dumped stack traces with path disclosure. On Tomcat, the WEB-INF folder was not protected, which made it possible to get the addresses of all the servlets. Moreover, it also contained a username and password for the Oracle database. Nearby lay a test directory with junk and directory listing enabled. Among the junk there was even an admin account with a password for the site. But the climax was something else. On the neighboring host, intended for streaming video from various resorts, an exposed Oracle manager was discovered, which accepted the passwords found in WEB-INF.
Since this is one of the largest tour operators in the Russian Federation, I made urgent attempts to contact the administration. 3 of my letters were simply ignored. When I sent a screenshot from their Oracle, they finally answered me.

Bottom line: most of the vulnerabilities were fixed. Access to the database was closed. I got a discount of over 80% on my tour.

9. Vulnerability at a Gazprom subsidiary, which for brevity we will call "*Gas"


One day they called me and offered a job in IT security at "*Gas". True, when they found out that I do not live in Moscow, they were somewhat upset. However, saying that I had been recommended to them as a good specialist (I never understood who recommended me), they offered to let me test their defenses remotely.
The analysis turned up yet another misconfiguration, this time on the FTP server, which allowed anonymous connections. On this FTP server were fresh 1C backups, payroll, employees' personal data, and fresh backups of the configs of various systems with passwords inside.

Bottom line: The vulnerability was quickly closed, with recommendations.

Conclusion


Besides the cases described in this article, there are many more that I was asked not to write about. However, I can say from my own experience that almost no company is aware of the importance of IT security (leaving aside the largest Internet giants). Some even react negatively to being given the information. And I urge you, as IT specialists in various fields, to always remember: proper separation of access rights and careful handling of configs are 50% of a resource's protection.
