RCE Vulnerability in real estate CRM/CMS exposed 304.186 highly sensitive documents and 80 databases

Timeline


Core Story / Summary

In the process of registering for an apartment, I found that, due to a vulnerability in the IDD klantdossier software, a total of 304.186 highly sensitive documents and about 80 databases were exposed.

The documents generally consist of:

  • Passport copies
  • Employer statements
  • Bank statements
  • Pay slips
  • Annual statements

The databases generally contained equally sensitive information. I immediately contacted the software vendor to inform them about this. I did not download any documents, but I did collect metadata in order to assess the damage.

Introduction/Short

Our story starts when I was registering at a real estate agent for an apartment on the Wibautstraat.
I was required to upload multiple documents (ID, payroll, contract) and noticed that the document controller took two integers as parameters and, provided they were valid, 302’d the user to the actual location of the document. As I was playing with the variables (turning them into arrays, inserting null bytes, etc.) I noticed the following.

Image 1: Full stacktraces/Improper validation

 
Big fat red flag. After some closer examination I concluded that, due to a vulnerability in the file upload functionality, it was possible to access the documents of all the users (including those that were registered under different real estate agents/outlets). I immediately contacted those responsible for the software with this information; they have handled the situation very professionally.

A total of 304.186 documents and about 80 databases were exposed.

The documents generally consist of:

  • Passport copies
  • Employer statements
  • Bank statements
  • Pay slips
  • Annual statements

The databases generally contained equally sensitive information; I will elaborate on this later.

Vulnerability

The application is used to automate the processing of documents/information that clients (people applying for an apartment, rental car, etc.) are required to upload.
It was possible to upload and execute code by exploiting the same file upload that is used for handling these highly sensitive documents. I did not download these sensitive documents; however, I did collect some metadata about them so that I could assess the damage. I will elaborate on this later in the disclosure.

Image 2: Uploading the ASPX payload. Note: if you’re evil, and don’t want communication between you and your payload tracked in the access log, use POST instead of GET; if you are evil AND paranoid, use asymmetrical encryption (Also, in the ProcessStartInfo, set the WindowStyle to hidden and Minimize to true, as a sys admin might spot the open command window)
Image 3: Invoking commands on the server, using the payload we uploaded in Image 2.

To make matters far, far worse: all the files were hosted under the same IIS user.

Once you could execute code/access files on the subdomain of one real estate agent, you could also access the files of all the other 80 active real estate agents. In the next chapter we will assess the damage.

Assessing the damage

Image 4: We do a file listing on the SMB share which houses these documents and write the output to a file, because the request will time out before the command has completed.
Image 5: After patiently waiting for 25 minutes, we have the file list.
Image 6: Analysing the file list. Its initial purpose was to group the exposed files by real estate agent & extension. After giving this some more thought, I decided to just group them by extension (privacy considerations).

After analysing the output in image 5 with the Python script in image 6, we know the following about the files that were exposed:
Image: analysis result.

 
Again these documents are:

  • Passport copies
  • Employer statements
  • Bank statements
  • Pay slips
  • Annual statements

You get the idea. Stuff you wouldn’t want out in the open.
Additionally, the databases of all 80 real estate agents were also exposed.
The data stored in these varies from agent to agent. For reference, I will provide you with a screenshot of the form (with translated field names) that I myself was required to fill out whilst applying for an apartment.

Image 7: Translation in purple.

 
Because it seemed unethical to connect to all 80 individual databases to do a row count, and the representative didn’t want to provide me with a number, I’m not able to tell you exactly how much data was in the roughly 80 databases.

However, I won’t leave you empty-handed.

We know:

  1. In order to upload documents, you need to fill out the form first
  2. Exactly how many documents were uploaded

If we assume that every user uploads a minimum of 1 document and a maximum of 10 documents, we can list all the viable possibilities given the previous conditions and assumptions:

Image 8: @Press, Just ask CubicEyes for a number.

 

Conclusion/Prevention

Let’s talk about the mistakes that allowed this to happen.
The first one is very obvious: the upload controller allowed any filetype to be uploaded and code execution was not disabled in the virtual directories. This allowed an attacker to completely take over the subdomain of a specific real estate agent.
The second one is not as obvious as the first, but equally disastrous.
The real estate agents weren’t isolated from one another. This means that once you have CRUD access through code execution on a single domain, you have CRUD access on all the domains.

To illustrate the importance of isolating your customers when hosting them on the same machine, I compared the amount of data that would have leaked had they isolated their users to the actual amount.

Image 9: Not trying to try-hard here, I just hope a few sysadmins will enable isolation after seeing this example.

 
Some other things I have noticed:

  • HTTPS is not enforced/enabled by default, nor is HSTS. An attacker on the same network as a user can downgrade an existing HTTPS connection to HTTP and, as a result, sniff the traffic. This is pretty bad news, because an attacker can mimic the cookie and read all the documents of a specific user.
  • The highly sensitive documents were protected by a GUID only. No authentication is needed.
    • Let’s say a blackhat found this: he would just get the filenames, the only thing needed to anonymously access the files, and run 10 Tor sockets to download the files under different IPs. He would do this because it would look far less suspicious.
    • Forgetting to turn off directory listing, for instance, would expose all the files.
  • Stacktraces are enabled in some cases.
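Defensive counterpart to the two mistakes above and to the GUID-only download bullet, as an added example in C# that is not the vendor's code: a filetype allowlist, per-tenant storage outside the web root, and an authorization check before a document is served. The storage path, the User/Document records and their field names are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example, not the vendor's code: the three controls whose absence the
// write-up describes (filetype allowlist, per-tenant storage outside the web
// root, authorization before serving). Paths, field names and the User/Document
// records are assumptions.
public static class DocumentStore
{
    // Storage root outside the IIS web root (assumed path): nothing stored here
    // is reachable as a URL, so even a mis-named file can never be executed.
    private const string UploadRoot = @"D:\klantdossier-data";

    // Allowlist by extension; .aspx/.ashx/.config and everything else is rejected.
    private static readonly string[] AllowedExtensions = { ".pdf", ".jpg", ".jpeg", ".png" };

    public static bool IsAllowedUpload(string clientFileName)
    {
        if (string.IsNullOrEmpty(clientFileName)) return false;
        // Reject embedded null bytes: "shell.aspx\0.pdf" must not become shell.aspx.
        if (clientFileName.IndexOf('\0') >= 0) return false;
        string ext = Path.GetExtension(clientFileName).ToLowerInvariant();
        return AllowedExtensions.Contains(ext);
    }

    // The server chooses the stored name; the client-supplied name never touches
    // the filesystem. Each tenant (real estate agent) gets its own directory,
    // which only that tenant's application pool identity should be able to read.
    public static string BuildStoragePath(int tenantId, string clientFileName)
    {
        string ext = Path.GetExtension(clientFileName).ToLowerInvariant();
        return Path.Combine(UploadRoot, tenantId.ToString(), Guid.NewGuid().ToString("N") + ext);
    }

    // A GUID in a URL is a name, not a credential: check the session and the
    // tenant before streaming the file (stream it; do not 302 to a static URL).
    public static bool CanDownload(User user, Document doc)
    {
        if (user == null || doc == null) return false;     // no session: deny
        if (user.TenantId != doc.TenantId) return false;   // other agent's tenant: deny
        return user.IsAgentStaff || user.Id == doc.OwnerUserId;
    }
}

public class User     { public int Id; public int TenantId; public bool IsAgentStaff; }
public class Document { public int Id; public int TenantId; public int OwnerUserId; public string StoragePath; }
```

The per-directory split only helps when each tenant's site runs under its own application pool identity with NTFS permissions to its own directory alone; with one shared IIS user, as described above, code execution in one site still reads every directory.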

Q&A

What did you do with the data?
When I do projects like this, I create a RAM disk where I store things like Burp sessions and the Python data parsers used to create the statistical information I provide in this disclosure. The contents of a RAM disk are lost when you power down the computer (assuming you don’t live in a freezer). I still have metadata like the file list, but this can’t be used to access the files anymore (the sysadmins regenerated the GUIDs after I informed them).

Questions I asked them

How did you verify the data wasn’t obtained by anyone else?
The representative told me that they’ve done the following to verify this:

  1. Analysed all uploaded files on the media server
  2. Cleaned and rebuilt the application folders
  3. Verified the integrity of application files

They regard the chance of it being exploited previously as unlikely.

Are you going to inform the individual real estate agents that their clients’ data has been exposed?
The representative has told me that they will/have.

Are you going to inform the Dutch Data Protection Authority?
The representative says that they will, if they have to.

Manifest

Introduction

(All views expressed here are my own, and not my employer's.)

I have been notifying companies about security risks without making public disclosures since the age of 16. After many notifications, it has become more than apparent to me that many companies still don’t seem to really care about protecting their clients’ data.

I think this is mainly because:
  1. Many organisations think that building a secure system is more expensive and will in most cases not translate into a higher net profit.
  2. There is little to no regulation that forces companies to build secure systems.
  3. Many customers still don’t demand that their data be stored securely, or they assume that this is already the case.
  4. It’s in most cases still not (properly) taught in computer science studies.
  5. Many organisations assume that the systems they build are secure, when this is not always the case.

Goal
What I try to achieve with my disclosures is to raise public awareness and to convince/help organisations to secure their systems and protect their users’ privacy-sensitive data.

Approach
I try to achieve all of this whilst staying ethical. But if needed, I’ll go a little further (collect metadata in order to assess the damage) than what some people in the InfoSec community might consider ethical. My disclosures are a means to force companies to fix their vulnerabilities in a timely fashion, and to take the necessary steps to inform their users of the security leak.

 

Author

Nelson Berg (Information Security Advisor @ Securify B.V)
