Friday, November 21, 2008

First Official Pentest - Uhaul

To just view how Uhaul got hacked in a rather ironic way, please skip past the next paragraph.

What reason did I have to look at Uhaul? Well, in college I had a basic security class. In this class was someone who worked in security for Uhaul International. Upon hearing this I decided to check out Uhaul and see what I could find. After about two minutes of playing I managed to get an error from one of their login forms. The Uhaul guy was watching and was rather interested in seeing what else I could find, seemingly confident of their security. So, with his piqued interest, I got permission to pentest Uhaul International (as long as I did not mess up functionality).

My first step was to map out everything on the server, to see all of my points of entry. Cross-server exploit protection is not very great at the moment and can be bypassed depending on the situation. Also, WAP products do not do anything for cross-server exploits (that I am currently aware of). Now, I managed to map out just a few domains on the same IP and several sub-domains (thanks to the source and the Google site: operator). After checking out the other domains, I noticed there was not a whole lot of dynamic content going on with these other domains. I looked around for a while, but did not find anything that could really be used to my advantage. So, I moved on to my main target, uhaul.com.

After a bit of looking, I found something that could be interesting for me to toy with. This was a private forum system made specifically for Uhaul (or possibly made by Uhaul staff). I took a look around this and managed to find some holes in the implementation. This was a CSRF vulnerability that I could place in my avatar and execute on anyone looking at my post (PoC was a very annoying logout avatar). I also used my own exploit that has not been discovered by the public yet to make the paper look good. This exploit basically redirects users to my own page (no cookie stealer, best use would be for stealing competitor traffic and spreading spam) because of my off-site avatar.
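The two things the forum got wrong in that paragraph, an off-site avatar that every viewer's browser fetches and a logout that fires on a plain GET, are both fixable on the server side. The following is an added example of mine, not code from the post or from Uhaul's forum: it allowlists avatar hosts (which also kills the off-site redirect trick) and only honours logout on a POST carrying a session-bound CSRF token. The host name, the session ids and the token scheme are assumptions for illustration.

```python
"""
Added example (not from the original post): defensive checks against an
avatar-based CSRF. Hostnames, paths and the token scheme are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed: avatars may only be served from the forum's own image host.
# Placeholder host name, not a real deployment.
ALLOWED_AVATAR_HOSTS = {"img.forum.example"}


def avatar_url_is_safe(url: str) -> bool:
    """Reject off-site avatar URLs and anything that is not plain https.

    An <img src> pointing at an arbitrary site makes every viewer's browser
    issue a request (cookies included) to that URL, so the avatar owner gets
    to pick a request on behalf of each reader. Restricting the host, scheme
    and query removes that capability entirely.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.netloc.lower() not in ALLOWED_AVATAR_HOSTS:
        return False
    if parts.query or parts.fragment or parts.username or parts.password:
        return False
    return True


# --- logout treated as a state change: POST plus a per-session token ---

SERVER_SECRET = secrets.token_bytes(32)  # constructed; one per deployment


def make_csrf_token(session_id: str) -> str:
    """Token bound to the session id so a token from another session is useless."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout(method: str, session_id: str,
                  submitted_token: Optional[str]) -> Tuple[int, str]:
    """Simulated logout handler returning (status, message).

    A GET never logs anyone out, so an <img src=".../logout"> embedded in a
    post does nothing; a POST must carry the token for the caller's session.
    """
    if method != "POST":
        return 405, "logout requires POST"
    if not submitted_token or not hmac.compare_digest(
            submitted_token, make_csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, "logged out"


if __name__ == "__main__":
    print(avatar_url_is_safe("https://img.forum.example/avatars/42.png"))   # True
    print(avatar_url_is_safe("https://elsewhere.example/logout"))           # False
    print(handle_logout("GET", "sess-1", None))                             # (405, ...)
    print(handle_logout("POST", "sess-1", make_csrf_token("sess-1")))       # (200, ...)
```

The avatar allowlist is the part that matters most here: once a post can only embed images from a host you control, the "annoying logout avatar" and the off-site redirect both stop working regardless of how well the rest of the forum handles CSRF. The token check is defence in depth for the day someone adds a new state-changing endpoint and forgets.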

After I extensively ran through how the forum worked and what I could do with it, I decided to look a bit further at some of the other sub-domains. Some of them had 301 redirects (the source on this info was rather revealing when I saw it) and others had nice fake error messages. Now, as I was looking around I was not finding very much, just a simple low-level XSS on one of the sub-domain login pages. This was until I started looking at the servers. Now, all of the domains/sub-domains had the newest IIS server running, all except one. This is where the ironic part of this story comes in: the old IIS server was none other than secure.uhaul.com. Let me just say that the version was rather old and had code execution, and we could view the source of any file. I produced two proofs of concept that could take down Uhaul (internal DoS) and could view special files that happened to be on their server (LFI in a way).
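The "every host but one was patched" situation is exactly what a version-drift check over your own inventory catches. This is an added example of mine, not anything Uhaul ran: it takes a constructed host-to-Server-header map (placeholder names and versions, not the real site), groups hosts by server product, and flags any host older than the newest version seen for that product.

```python
"""
Added example (not from the original post): flag hosts whose web server
version lags behind the rest of the estate. Inventory is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed inventory: host -> HTTP Server response header value.
# Placeholder hostnames and versions, not the site from the post.
INVENTORY = {
    "www.example.test":    "Microsoft-IIS/7.0",
    "forum.example.test":  "Microsoft-IIS/7.0",
    "secure.example.test": "Microsoft-IIS/5.0",
    "api.example.test":    "Microsoft-IIS/7.0",
    "legacy.example.test": "Apache/2.2.9",
    "cdn.example.test":    "",                 # header suppressed
}

SERVER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)/(\d+(?:\.\d+)*)")


def parse_server(header: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split 'Product/1.2.3 (extra)' into (product, (1, 2, 3)); None if unparseable."""
    m = SERVER_RE.match(header.strip())
    if not m:
        return None
    version = tuple(int(p) for p in m.group(2).split("."))
    return m.group(1), version


def find_version_outliers(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str, str]]:
    """Return host -> (product, running_version, newest_seen_version) for
    every host running an older build of a product than some sibling host.
    Hosts with no parseable header are skipped; list those separately."""
    by_product: Dict[str, Dict[str, Tuple[int, ...]]] = defaultdict(dict)
    for host, header in inventory.items():
        parsed = parse_server(header)
        if parsed is None:
            continue
        product, version = parsed
        by_product[product][host] = version

    outliers = {}
    for product, hosts in by_product.items():
        newest = max(hosts.values())
        for host, version in hosts.items():
            if version < newest:
                outliers[host] = (product,
                                  ".".join(map(str, version)),
                                  ".".join(map(str, newest)))
    return outliers


def unidentified_hosts(inventory: Dict[str, str]):
    """Hosts whose Server header is missing or not parseable; these need a manual look."""
    return sorted(h for h, v in inventory.items() if parse_server(v) is None)


if __name__ == "__main__":
    for host, (product, running, newest) in find_version_outliers(INVENTORY).items():
        print(f"{host}: {product} {running} (newest in estate: {newest})")
    print("unidentified:", unidentified_hosts(INVENTORY))
```

A Server header is easy to suppress or fake, so treat a clean run as a prompt to reconcile against your patch management data rather than as proof; the value of the check is that the one forgotten host, which in this story was the one with "secure" in its name, stands out immediately instead of being found by the next person who bothers to look.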

I figured that because this was a couple-month-old pentest, it would not be a problem to publish this as everything has been reported and fixed properly (I wrote a report with both how to exploit and fix the exploits). I am even receiving a document that states I had helped Uhaul with security and it will be signed by the head of IT.

There were a lot more steps taken including looking at the other services (even those just listening internally), but I only wrote here about the things I was able to find and exploit. I just wish they would have implemented my SSL recommendations, but you cannot have everything I guess.
