Multiple data breaches and brute-force vulnerability found in DLWO environment of Dutch university (HvA)

Timeline


Introduction

It was possible to retrieve 93.000 names, departments and usernames through four different breaches. All the data was returned in a single request. There was also no restriction in place to prevent a brute-force attack.

Data breach 1


This request is normally made by the browser for auto-completing names in campus “tweets”.

  1. Set the maximum number of returned values to something reasonable.
  2. Change the source to return additional properties per account.
  3. Change the querystring to “.” (all email addresses contain a “.”, so this criterion matches every account).

Data breach 2

This SharePoint endpoint wasn’t used by the system, but was left enabled for some reason.

Data breach 3


This SharePoint endpoint wasn’t used by the system either, but was also left enabled for some reason.

  1. Change the querystring to “.” (all email addresses contain a “.”, so this criterion matches every account).
  2. Set the maximum number of returned values to something reasonable.
  3. Change the source to return additional properties per account.

Data breach 4


Yet another SharePoint endpoint that wasn’t used by the system, but that was left enabled for some reason.

Brute-force vulnerability

DLWO Brute Force

As displayed in the image above, I was able to log in to my own account after 9999 failed attempts. Next, I’ll put it all together and talk about the attack scenarios.

Attack scenario 1

An attacker could very easily launch a brute-force attack against all accounts: he has all the usernames and he is able to make as many login attempts as he likes. He has everything he needs. I did not extensively test/exploit the brute-force vulnerability. However, as displayed in the image below, I was able to log in to my own account after 9999 failed attempts. An attacker could launch such an attack against all users. He could start by using the 1000 most used passwords and move up from there. A more complex attack would be to generate a password list per user, using information previously obtained like his/her department or first/last name.

DLWO Brute Force
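The control that was missing here is a limit on failed login attempts. The following is an added example (not code from the disclosure or from the HvA system) of a sliding-window lockout, replayed over a constructed auth log in a hypothetical format, so the same logic doubles as a detector when run over historical logs; the log format, field names and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in a hypothetical format; not from the HvA system.
SAMPLE_LOG = """\
2016-07-01T10:00:01 LOGIN_FAIL user=jdoe ip=10.0.0.5
2016-07-01T10:00:02 LOGIN_FAIL user=jdoe ip=10.0.0.5
2016-07-01T10:00:03 LOGIN_FAIL user=jdoe ip=10.0.0.5
2016-07-01T10:00:04 LOGIN_FAIL user=jdoe ip=10.0.0.5
2016-07-01T10:00:05 LOGIN_FAIL user=jdoe ip=10.0.0.5
2016-07-01T10:00:06 LOGIN_OK user=jdoe ip=10.0.0.5
2016-07-01T10:00:07 LOGIN_FAIL user=asmith ip=10.0.0.9
2016-07-01T10:00:08 LOGIN_OK user=asmith ip=10.0.0.9
"""
class LoginThrottle:
    """Sliding-window lockout: max_failures failures inside window locks the key."""
    def __init__(self, max_failures=5, window=timedelta(minutes=15)):
        self.max_failures, self.window = max_failures, window
        self._fails = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()

    def is_locked(self, key, now):
        self._prune(key, now)
        return len(self._fails[key]) >= self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now)
        self._fails[key].append(now)

def parse(line):
    """Split one constructed log line into (timestamp, outcome, user, ip)."""
    ts, outcome, user, ip = line.split()
    return datetime.fromisoformat(ts), outcome, user[5:], ip[3:]

def replay(log_text, max_failures=5):
    """Replay a log through the throttle keyed on (user, source ip)."""
    throttle = LoginThrottle(max_failures)
    allowed, refused = [], []
    for line in log_text.splitlines():
        ts, outcome, user, ip = parse(line)
        key = (user, ip)
        if throttle.is_locked(key, ts):
            refused.append((ts.isoformat(), user))  # refused even if the password is right
            continue
        if outcome == "LOGIN_FAIL":
            throttle.record_failure(key, ts)
        allowed.append((ts.isoformat(), user, outcome))
    return allowed, refused
```

In production the key should also include the account alone, so that failures spread over many source addresses still trigger the lock, and the refusal should be logged as a distinct event for the SOC.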

Attack scenario 2

An attacker could also launch a mass phishing campaign using the information previously obtained. For every user he would know:

  • Their email
  • Their full name
  • Their department
  • Their username

It would not be hard to systematically send a convincing email to each user, tricking them into going to a malware-infected site or entering their password on a malicious site. Depicted in the image below is an example of a phishing email an attacker could send to each user. The information is specific to the person and is available to the attacker; the hyperlinks with a red border would refer to a malicious site. To be fair, I did not test the spam filter, so I do not know whether the email depicted below would be flagged.

Phishing


Q&A

What did you do with the data?
When I do projects like this, I create a RAM disk where I store things like Burp sessions and the Python data parsers used to create the statistical information I provide in this disclosure. The contents of a RAM disk are lost when you power down the computer (assuming you don’t live in a freezer). All the obtained data is gone, with the exception of some screenshots I used in this disclosure, which are stored on an encrypted drive.

How did they verify the data wasn’t obtained by anyone else?
I asked the same question. They will provide me with more information on that topic before 03/08/2016.

Feedback

Positive:

Less positive:

  • Placed special restrictions on my student account specifically, which doesn’t solve anything. I was only notified of this by them later on.
  • Didn’t disable the vulnerable parts of the system until they were patched, exposing private information of (approx.) 100k students for an additional 1.5 months.
  • After doing the above, threatened anyone who might have obtained the data they failed to protect with monetary/disciplinary punishment. Unsure if they are addressing me. But if they are, I would find it very amusing (in an “incrementally losing all hope for humanity” kind of way).

Author

Nelson Berg (Information Security Advisor @ Securify B.V)
