Sometimes the developers are the weakest link

Like the title says, sometimes the careless developers are the weakest link and the reason an organization's network gets compromised.

In this particular assessment the team spent close to a month trying to find a way in via the organization's main website, email server, database servers, routers and firewalls. We were hitting well configured and security hardened systems and we were getting close to the finish date for our project. I am sure that had we have more time we would have found an exploitable vulnerability (1).

On the last week allotted to the assessment we changed our focus and we started pocking with the rest of the systems connected to the organization's network. We found several systems with web servers and SQL server installed in them. Most likely developers and engineers systems used for testing, development and debugging.

On one of those system we found an outdated version of phpBB, a very popular PHP-based forum. This version wasn't only outdated, it was left in its default state: default passwords, environment variables, forum-wide variables and, to our surprise, with full hard disk writing privileges. We could upload files with a little bit of script-foo (2).

We quickly coded two tools, one that would allow us to upload files easily by giving us a reverse shell and another one that would help scan the network from the inside once we had the shell.

Once we had the reverse shell connected we were able to access the hosting system at root level (or administrator for you Windows users). The next three days were spent searching and downloading confidential documents and placing our calling card (basically a small text file that said: we were here) in several key servers and workstation.

The network was flat inside, meaning that we can get everywhere inside the network and that made our work easier.

So, what can we learn from this?

Developers sometimes are careless. The install stuff they need for testing but disregard basic security hardening and measures. Worse yet, they sometimes forget to delete or uninstall these tools and software making not only the system vulnerable but the whole organization.

Please pay attention to your security expert.

Happy new year!


Footnotes:

(1) Nothing is secure 100%. If an attacker wants to really get in, has the means, the money and the time, he will find a way.

(2) You can search various places for vulnerabilities: Security Focus, Secunia, etc. In the past I found phpbbexploit to be a good source of vulnerabilities.