
BT Customer Street - Independent Survey

Tuesday, 08 June 2010 15:09

Just 24 hours ago, we released a brief survey requesting feedback from BT's customers (http://conceptbs.com/case-studies/surveys/bt-customer-street).

The response has been overwhelming and far beyond expectations!

Thank you to everyone who has completed the survey so far.


Is our information really safe?

Saturday, 27 June 2009 21:05

On the 25th June 2009, Gordon Brown announced the launch of a "new" cyber security division in Cheltenham to help combat cyber terrorism.

He's quoted as saying: (source: http://news.bbc.co.uk/1/hi/uk_politics/8118729.stm)

"The more that we lead the world, as we are today in cyber security, the more we can protect citizens of our country."

"We want people to feel their finances are safe through the internet."

Disclaimer:

At no point have we made any attempt to access, alter or remove any confidential data contained within each site. All of the images within this case study have been modified to ensure the safety of each site and their respective users. It does, however, clearly show that if someone were inclined, it would be very easy to launch a series of attacks due to flaws in (supposedly) secure web sites.


Capgemini - How safe is our information?

Friday, 10 April 2009 11:03

Who is Capgemini?
According to their web site, Capgemini is a "global leader in consulting, technology, outsourcing and local professional services", operating in over 30 countries.

What do they do?
One of the largest and most discussed contracts is with Her Majesty's Customs & Excise (HMRC), estimated to be worth over £8.5 billion. Capgemini are also responsible for the ill-fated Self Assessment Online facility, a service advertised as "safe, secure & available day or night".

--

On January 9th 2009, we published a PoC (proof of concept) which revealed that Capgemini's UK site was vulnerable to attack (details here).

Both images were published to a site called HMRCisShite, owned by Mr Ken Frost.

After a mere 30 minutes, it appeared that Capgemini had been made aware of this vulnerability (either by an avid viewer of Ken's site or by staff at HMRC) and had already started to patch out the bug. More on that later...

Alas, 4 months on and it appears that lessons have not been learned.


CapGemini - User Profile and password recovery vulnerability

Wednesday, 08 April 2009 16:03

Released by: Paul Moore

This has now been resolved.

www.uk.capgemini.com (01483 764764)
Initial Threat Level: High Threat
Current Threat Level: Medium Threat

Summary:
User profile and various other fields are not properly sanitized before being output to screen.

Description:
Whilst registering with the Capgemini site, it is possible to inject arbitrary code into profile fields. Once viewed by an administrator, login credentials could be obtained without the administrator's knowledge.

In addition, the lost password facility is also vulnerable to the same type of attack. Combined with a mass-mail phishing campaign, it would be possible to obtain confidential information without the users' knowledge.


HMRC.gov.uk - Directory Traversal Exploit

Wednesday, 08 April 2009 14:10

www.hmrc.gov.uk
Initial Threat Level: High Threat
Current Threat Level: No Threat

(17/04/09) This has now been resolved.

Summary:
A critical directory traversal vulnerability has been discovered on Her Majesty's Customs & Excise web site.

Description:
http://search2.hmrc.gov.uk/kbroker/hmrc/atoz/atoz.jsp?letter=A
Text contained within the "letter" parameter at the above location is not sanitized before the server uses it to build a file path.

This vulnerability allows an attacker to traverse directories on the server and include files which wouldn't ordinarily be available. For example, sites which require database access have configuration files which store authentication details for the database. This data is typically stored in plain (unencrypted) form and can obviously be read by anyone who reaches the file. Fortunately, the location of these files is hidden and access to them is usually limited by access control lists (ACLs).

However, entering arbitrary path fragments into the "letter" parameter allows us to bypass those restrictions and read virtually anything on the server that the web server process itself can read.

If you replace the 'A' with '../' (not including the quotes), you're met with an error to say the file does not exist.
"The requested resource (/kbroker/hmrc/atoz/atoz/a2z-../.html) is not available"

If you now add another '../' to the end of the URI, you're met with this error.
"The requested resource (/kbroker/hmrc/atoz/atoz/.html) is not available"

Notice the difference between the two quoted error messages? We're no longer looking in the "a2z-" directory... we're looking in "/atoz". How far up the tree you go depends on how many "../" you use.

As you can see, the error contains ".html", which cannot be altered in the address bar. This text is being concatenated behind the scenes... so the hacker is limited to HTML (web pages) only, right? Wrong. By adding the right series of escape codes, almost any file becomes available (ACLs aside).

Consider this directory structure...

- root
- - - web_files\index.php?letter=A
- - - web_files\a.html

- - - protected_files\my_passwords.txt
- - - protected_files\my_credit_card_number.txt

If you were to execute the top line (index.php?letter=A), the server would show the user the data within the file "a.html". If I run (index.php?letter=../protected_files/my_passwords.txt), the server no longer looks within the current directory and allows us to see files elsewhere. For obvious reasons, the second example has some code missing to prevent abuse of this PoC.
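The path concatenation described above, as an added example that is not part of the original advisory: a function that mirrors the unvalidated template '<root>/a2z-<letter>.html' and reproduces the two error-message paths quoted earlier, beside a hardened version that allow-lists the parameter to a single letter and then confirms the resolved path still lies beneath the document root. The root directory is taken from the quoted error messages; the function names and the normalisation helper are assumptions made for this illustration.

```python
import re
from pathlib import PurePosixPath
from typing import List, Optional

# Directory revealed by the advisory's error messages, used here as the document root.
WEB_ROOT = "/kbroker/hmrc/atoz/atoz"


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a servlet container does before
    opening the file (constructed stand-in for the real container logic)."""
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def vulnerable_resource_path(letter: str) -> str:
    """The behaviour the advisory describes: the raw 'letter' value is concatenated
    into the template with no validation, so '../' segments walk up the tree."""
    return normalize(f"{WEB_ROOT}/a2z-{letter}.html")


def is_inside(path: str, root: str) -> bool:
    """True when 'path' is 'root' or a descendant of it; compares path components,
    not string prefixes, so '/atoz/atoz2' does not pass as inside '/atoz/atoz'."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def safe_resource_path(letter: str) -> Optional[str]:
    """Hardened version: allow-list the parameter to one ASCII letter, then (defence
    in depth) verify the normalised path is still beneath WEB_ROOT before any open()."""
    if not re.fullmatch(r"[A-Za-z]", letter):
        return None
    candidate = normalize(f"{WEB_ROOT}/a2z-{letter}.html")
    return candidate if is_inside(candidate, WEB_ROOT) else None


if __name__ == "__main__":
    print(vulnerable_resource_path("A"))       # /kbroker/hmrc/atoz/atoz/a2z-A.html
    print(vulnerable_resource_path("../"))     # /kbroker/hmrc/atoz/atoz/a2z-../.html
    print(vulnerable_resource_path("../../"))  # /kbroker/hmrc/atoz/atoz/.html
    print(safe_resource_path("../../"))        # None
```

The first two "../" results match the error messages quoted above: the segment "a2z-.." is a literal directory name, so only the second "../" actually steps up, which is why the rejection has to happen before the path is built rather than by inspecting the error afterwards.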

