Cyber Security.
25.11.22
It’s officially been over three months since The Missing Link became a CVE Numbering Authority (CNA) - and it’s fair to say we’ve been a little... quiet. It could be easy to assume it’s because we don’t have a lot going on at the moment, but nothing could be further from the truth!
Our silence on the CVE front isn’t because we’re on leave, bored, not taking our new responsibility seriously, or getting ready for the silly season. Instead, it’s something a lot more exciting. You see, we’ve hit the ground running since taking on our CNA status. Our specialist team has discovered and documented an insane 16 zero-day vulnerabilities from 3 very different products – and we’re not stopping there.
These discoveries have broken our own record and are a testament to the calibre and expertise of our world-class team, who work hard around the clock to ensure our clients and the wider community are safe from cybercrime.
While numbering CVEs is our mission, our talented team is the driving force getting us there. That’s why we wanted to put faces to the numbers on our security advisories page and introduce some of our Red Team members.
Specialist skills: Hacking over the age of 40
Zero-day discoveries: CVE-2022-39019, CVE-2022-39018, CVE-2022-39017, CVE-2022-39016
What is the nature of this vulnerability and why was its discovery so important?
This vulnerability essentially allowed an attacker that could leave comments within the application to perform a full account takeover of another user's account that visited the page. This was through a stored XSS which began by removing MFA and resetting the victim's password.
Is there anything about the vulnerability that made it unique?
Ultimately this was an attack chain of smaller vulnerabilities that could be leveraged to perform account takeover. This goes to show that even low and informational findings are important and should not be ignored as they can sometimes be leveraged as part of an attack chain.
If this zero-day were to be exploited, what sort of impact could it have had?
Being document collaboration software, there is a high chance of sensitive document disclosure to unauthorised parties, as well as the risk of administrative account takeover.
What techniques did you use to discover the vulnerability?
I have to have some secrets, right?
Specialist skills: Application Security
Zero-day discovery: CVE-2022-39020, CVE-2022-3059
What is the nature of these vulnerabilities and why was their discovery so important?
There were quite a few vulnerabilities that were uncovered during our testing; these ranged from client-side to server-side vulnerabilities. More importantly, these vulnerabilities affected a Learning Management System (LMS) application that is commonly used by schools and colleges across Australia.
Is there anything about the vulnerabilities that made them unique?
One of the vulnerabilities discovered within the LMS application was an unauthenticated SQL injection vulnerability. This vulnerability could allow an external attacker to obtain access to the application's back-end database without needing a username or password to log in.
If these zero-days were to be exploited what sort of impact could they have?
The typical users of the application included students, parents and staff members. Apart from academic information, the application also stored personally identifiable information (PII) about its users in its database. If the PII were to be compromised, it would not only cause reputational damage to the organisation but also a breach of privacy for its users.
What techniques did you use to discover the vulnerabilities?
A copy of the Web Application Hacker's Handbook.
Specialist skills: AI Hacking, Low-Level Web Attacks, Threat Emulation
Zero-day discoveries: CVE-2022-40296, CVE-2022-40295, CVE-2022-40294, CVE-2022-40293, CVE-2022-40292, CVE-2022-40291, CVE-2022-40290, CVE-2022-40289, CVE-2022-40288, CVE-2022-40287
What is the nature of these vulnerabilities and why was their discovery so important?
Financial applications commonly lack the visibility of other applications because they're usually only accessible internally. This can often lead to them being less secure if they are ever exposed to the internet, or if an internal network is compromised.
Is there anything about the vulnerabilities that made them unique?
Due to a couple of interesting circumstances, one non-exploitable issue significantly increased the likelihood of another vulnerability. I think this is a good reminder to always pay attention to the little things.
If these zero-days were to be exploited, what sort of impact could they have?
Due to how many vulnerabilities were found in the application, the likelihood of an attacker stumbling across one of them is definitely higher. As a collective, they can definitely be chained together to cause some pretty significant impact, especially given it was in a financial application.
What techniques did you use to discover the vulnerabilities?
Persistence and good old-fashioned gumption.
Our Red Team is full of specialists like Michael, Nelson and Ed who have one goal: to challenge your organisation’s security infrastructure, and your IT teams’ response. They do this by simulating real-world attack scenarios to reach your critical accounts, credentials, secrets or any other goal set.
If you’d like to test whether your organisation is really secure, and not harbouring any critical vulnerabilities like we explored above, reach out and enquire about our Red Team services today.
Author
Jack Misiura