CVE-2017-13127…Why security teams should care

When I was at ISC 2015, I decided to run Sensepost’s MANA. I wanted to see what connections and creds that I could get. More a learning experience as I hadn’t yet used that tool in a large public environment. I had also wanted to see if small tweaks I had made worked to run it more efficiently.

No Cert Pining or HSTS/SSL Stripping

While running it, I noticed that MANA kept giving me creds and back-end server details for a large E-commerce site in China. Seems many conference users were utilizing the mobile app and website. As I looked into it more, I was able to session hijack from the cookies and log into users accounts. I was also able to MITM the traffic and using SSLStrip, able to see API calls, purchase data and payment info.

At the time, I was sitting next to a friend and showed him my findings. He also was shocked that I was able to bypass any of their security mechanisms that should have been in place to protect the data as it was in transit. He informed me that he knew one of the heads at the Company and they were also at ISC and would contact them to meet and discuss.

Demonstration to the security team

After meeting with one of the Security team heads, he called his team that was at the conference to watch my attack and asked me to explain what I did so they could see if they could find a way to solve the problem. Most of the team couldn’t exactly follow what was occurring as they didn’t seem to understand that SSL could be stripped and that I was able to see in plain text the contents passed. There was a blanket denial, they seemed to think that it was not possible even after seeing me do it in person which one of the team members accessing the app from their phone.

Advice to remediate the problem

For a month or so after the conference, the team head and I kept in contact as he was trying to learn what was occurring and ways to remediate the issue. I spent time going over the technicals of the attack, and methods such as HSTS and cert pinning to stop the SSL Stripping, better practices to encrypt the data and not rely only on SSL which seemed to be the general practice in China then.

We will solve the problem…soon, or well maybe not

I received assurances that these would be looked into and the problem would get fixed when the next version of the mobile app and the website was updated. Versions would come and go and I would notice none where fixed. Countless messages went back and forth to the contact person asking of the status and kept getting assurances they would look into and fix. I was asked to hold off on public disclosure.

Patience young grasshopper, patience

It has been two years since this occurred. I have kept in contact with the security team head through the time. He also seemed frustrated as it was never a priority. Their company mindset was “it hasn’t affected us enough to want to make a big change“. My patience to not disclose has worn off based on their attitude to not want to fix an issue that could have effects on user data. Chinese companies rarely seem to care unless it affects their profits in a significant way.

Disclosure

I hope someone at VIP.com’s security team or in their Security Resource Center reads this or sees the CVE details. For two years, every version of the VIP mobile application for both IOS and Android was still venerable to the attack vectors I showed the team in 2015. It is 2017, time to care for your user’s data and not just only care when it becomes a larger issue.

Timeline

8/2015 Findings made at ISC 2015

8/2015 Disclosure to VIP.com security team

9/2015 First follow-up to discuss methods to remediate

10/2015 Second follow-up to further discuss remediation

10/2015 Assurances from VIP team that they would fix

12/2015 Follow-up checking on status

Multiple times throughout 2016 Additional follow-up on status

8/2017 CVE applied for and public disclosure, #TrevorForget

Helping out–Enumeration of your target

Last week I saw a post on r/AskNetsec with a Redditor asking for help reaching out to a Hong Kong company who had all of their company data open to the internet (non-password protected directory on their server). I volunteered helping the Redditor as I understand Chinese.

The Redditor had trouble finding contact info for the company and after looking at the company name, I went on a hunt to see what data I could enumerate on the company.

Sun Zhu once said:

夫未战而庙算胜者,得算多也;未战而庙算不胜者,得算少也。

The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.

This holds true for pentesting or really any form of NetSec. You need to spend time learning everything you can about your target to help you strategically plan your attack. While I was doing this to be helpful, the enumeration of a company is a key first step in any pentest engagement.

I was quickly able to find an email, phone number, and a name of a contact for the company so the Redditor could contact them. I also reached out to the company contact with an email in Chinese in case they could not understand the Redditor. Hopefully this has protected a company from losing lots of corporate data and personally identifiable information of its employees and clients.