Nimbox Unauthenticated Direct Object Reference in Download Function – ‘Stealing the pie from the API‘

Introduction

At the end of July, I identified an unreported vulnerability within Nimbox’s secure file sharing product, ‘vault’. The vulnerability allowed me to mass download all their customers’ data stored on the platform. The vulnerability was immediately reported to Nimbox, as it affected their entire customer base. It was reported on the 26th of June 2016, affecting version 2.5.0 up to the latest version at the time, 2.5.1.936. It was then patched on the 27th of June 2016 with the release of version 2.5.1.937. I would like to credit Nimbox for their swift response to the issue.

Details of our advisory can be found here.

The Nimbox blog and hotfix can be found here and here.

Technical Detail

As detailed in the advisories above, the vulnerability takes advantage of an Unauthenticated Direct Object Reference in the Download Function of the ‘vault’ application.

“Nimbox is a secure file sharing, collaboration, backup and cloud storage service for managing, sharing and syncing files across your environment. Their ‘vault.nimbox’ service, used for secure file sharing, was found to have an unauthenticated direct object reference vulnerability, resulting in the ability to download all previously-shared customer data stored within https://vault.nimbox.co.uk.”

By exploiting known methods, it was possible to download any customer’s folder and its contents as a .zip file, as long as the content had been previously shared.

Proof of Concept

When viewing or accessing a folder and its contents within the vault, each folder has an ID which can be seen in the following URL:

https://vault.nimbox.co.uk/shares/folder/<validation_token>/?folder_id=<id>

Incrementing the folder_id value yielded an error stating that the folder does not exist, whereas decrementing it returned a 403 Forbidden. This told us that other folders exist within the same parent directory; we just could not access them, yet.

Nimbox’s ‘vault’ application also contains a ‘download as a zip’ function, which allows clients to download the entire contents of their share instead of each file individually. This function makes use of three separate parameters when making its call to the API end point.

https://vault.nimbox.co.uk/1/files/share/<client_id>/<folder_id>/zip/<validation_token>

The first parameter is Organisation A’s directory ID (the Nimbox customer), which increments with each new customer. The second is the sub-directory ID (for example, the directory or share belonging to one of Organisation A’s clients or employees), which increments with each new sub-directory created. The third is a validation token. The validation token is not tied to access control; it only validates the request to the API so that the download is authorised. Therefore, by changing the sub-directory ID, starting at 1 and working upwards, we can download every sub-directory inside Organisation A’s directory. This is demonstrated in the following Burp Intruder attack:

Set payload position to the folder_id parameter:

[Screenshot 1: Intruder payload position]

Set Intruder to iterate through incrementing by 1 each time from 0 to 610:

[Screenshot 2: Intruder payload settings]

Analyse the results; the most interesting column here is Length, as it indicates the size of the contents of each share:

[Screenshot 3: Intruder results]

This can then be taken one step further to iterate over both the directory ID and the sub-directory ID, in turn working through every organisation and all the sub-directories owned by that organisation.

https://vault.nimbox.co.uk/1/files/share/1412/2/zip/f90a76b68b226b

These requests can be made without first authenticating to the service. All that is required is for the directory ID and/or sub-directory ID to exist, along with a valid token. This results in a mass download of all previously-shared customer data stored on https://vault.nimbox.co.uk. A token can be trivially obtained in multiple ways: from brute-forcing, having a link shared with you, capturing a link in transit, being a customer/user, or simply signing up for a free trial.
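The root cause described above is that the validation token is checked for existence only, not for which share it was issued to. The following is an added model of the two authorisation patterns, written for this page and not Nimbox’s server code; the share table, the token values and the function names are constructed for the example. It also shows the hardened handler returning the same 404 for “does not exist”, “not shared” and “wrong token”, so that the 403-versus-404 difference used above to confirm neighbouring folders exist is no longer available.

```powershell
# Added model of the vault 'download as zip' authorisation check (not Nimbox's code).
# The share table, tokens and function names below are constructed for illustration.

# Constructed share registry keyed by "<client_id>/<folder_id>". Each entry holds the
# token that was issued when the folder was shared and whether it is still shared.
$script:Shares = @{
    '1412/1' = @{ Token = 'tokA-constructed'; Shared = $true  }
    '1412/2' = @{ Token = 'tokB-constructed'; Shared = $true  }
    '1412/3' = @{ Token = 'tokC-constructed'; Shared = $false }   # share has been revoked
}

function Compare-FixedTime {
    # Byte-wise comparison that does not stop at the first mismatching byte.
    param([byte[]]$A, [byte[]]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Test-DownloadWeak {
    # Vulnerable pattern from the post: the token only has to be *a* known token,
    # so one token authorises any (client_id, folder_id) pair that exists.
    param([int]$ClientId, [int]$FolderId, [string]$Token)
    $tokenKnown = @($script:Shares.Values | Where-Object { $_.Token -eq $Token }).Count -gt 0
    $exists     = $script:Shares.ContainsKey("$ClientId/$FolderId")
    return ($tokenKnown -and $exists)
}

function Test-DownloadBound {
    # Hardened pattern: the token must be the one issued for exactly this folder,
    # and the folder must still be shared. The token is compared in constant time.
    param([int]$ClientId, [int]$FolderId, [string]$Token)
    $share = $script:Shares["$ClientId/$FolderId"]
    if ($null -eq $share -or -not $share.Shared) { return $false }
    $issued   = [Text.Encoding]::UTF8.GetBytes([string]$share.Token)
    $supplied = [Text.Encoding]::UTF8.GetBytes($Token)
    return (Compare-FixedTime $issued $supplied)
}

function Get-DownloadResponse {
    # Every failure maps to the same 404 so a caller cannot distinguish
    # "does not exist" from "forbidden" and use that as an existence oracle.
    param([int]$ClientId, [int]$FolderId, [string]$Token)
    if (Test-DownloadBound $ClientId $FolderId $Token) {
        return @{ Status = 200; Body = "zip of $ClientId/$FolderId" }
    }
    return @{ Status = 404; Body = 'Not found' }
}

# Demonstration: tokB was issued for 1412/2 only. The weak check accepts it for a
# neighbouring folder; the bound check accepts it only for the folder it belongs to.
'Weak check,  token for 1412/2 used on 1412/1: ' + (Test-DownloadWeak  1412 1 'tokB-constructed')
'Bound check, token for 1412/2 used on 1412/1: ' + (Test-DownloadBound 1412 1 'tokB-constructed')
'Bound check, token for 1412/2 used on 1412/2: ' + (Test-DownloadBound 1412 2 'tokB-constructed')
'Bound check, revoked share 1412/3 with its own token: ' + (Test-DownloadBound 1412 3 'tokC-constructed')
'Response status for a folder that does not exist: ' + (Get-DownloadResponse 1412 9999 'tokB-constructed').Status
'Response status for the revoked share:            ' + (Get-DownloadResponse 1412 3 'tokC-constructed').Status
```

The design point is that a per-share secret is only an access control if the server looks it up by the object being requested; a token that is merely “valid somewhere” is an authentication of the request, not an authorisation of the object, which is exactly the gap the post exploits.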

From this point you can unzip the file and retrieve all documents stored within the downloaded zip file. You can also work out, from the size of the response, which folders contain a large number of files. Otherwise, just mass download all the shares. The following quick and dirty wget command will download the first 10 shares from the first 100 organisations and save each share as a .zip in /customer_data:

wget https://vault.nimbox.co.uk/1/files/share/{001..100}/{001..010}/zip/f90a76b68b226b -P customer_data/

Alternatively, you can then submit the following URL in a browser and download the file unauthenticated:

https://vault.nimbox.co.uk/1/files/share/1364/554/zip/f90a76b68b226b

NOTE: This can all be done completely unauthenticated and en masse.
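The wget loop above has a recognisable shape in the web server’s access log: one source address, one validation token, and a run of consecutive directory and sub-directory IDs against the zip endpoint, most of them served with a 200. The following is an added detection example, written for this page and not part of the original post, which flags that pattern over combined-format log lines. The log lines are constructed for the example (the source addresses are documentation ranges and the second token is made up); the function name and the threshold are choices for this example.

```powershell
# Added example (not from the post): flag share enumeration against the zip endpoint
# in combined-format access logs. The lines below are constructed sample data.
$SampleLog = @'
203.0.113.10 - - [26/Jul/2016:10:00:01 +0100] "GET /1/files/share/1412/1/zip/f90a76b68b226b HTTP/1.1" 200 48213
203.0.113.10 - - [26/Jul/2016:10:00:02 +0100] "GET /1/files/share/1412/2/zip/f90a76b68b226b HTTP/1.1" 200 91077
203.0.113.10 - - [26/Jul/2016:10:00:02 +0100] "GET /1/files/share/1412/3/zip/f90a76b68b226b HTTP/1.1" 404 512
203.0.113.10 - - [26/Jul/2016:10:00:03 +0100] "GET /1/files/share/1412/4/zip/f90a76b68b226b HTTP/1.1" 200 1204
203.0.113.10 - - [26/Jul/2016:10:00:03 +0100] "GET /1/files/share/1412/5/zip/f90a76b68b226b HTTP/1.1" 200 33980
203.0.113.10 - - [26/Jul/2016:10:00:04 +0100] "GET /1/files/share/1413/1/zip/f90a76b68b226b HTTP/1.1" 200 7710
198.51.100.7 - - [26/Jul/2016:10:05:00 +0100] "GET /1/files/share/1364/554/zip/0123456789abcd HTTP/1.1" 200 20480
198.51.100.7 - - [26/Jul/2016:10:07:00 +0100] "GET /1/files/share/1364/554/zip/0123456789abcd HTTP/1.1" 200 20480
'@ -split "`r?`n"

# Pattern for the zip endpoint described in the post; named groups pull out the IDs.
$ZipRequest = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "GET /1/files/share/(?<client>\d+)/(?<folder>\d+)/zip/(?<token>[0-9a-f]+) HTTP/1\.[01]" (?<status>\d{3}) (?<size>\d+|-)'

function Find-ShareEnumeration {
    # Groups zip requests by (source IP, token) and reports any group that touched at
    # least $Threshold distinct shares. Successful (200) downloads are counted too,
    # because the vulnerable endpoint served them, so a 4xx-only rule would miss this.
    param([string[]]$LogLines, [int]$Threshold = 5)

    $hits = foreach ($line in $LogLines) {
        if ($line -match $ZipRequest) {
            [pscustomobject]@{
                Ip = $Matches.ip; Client = [int]$Matches.client; Folder = [int]$Matches.folder
                Token = $Matches.token; Status = [int]$Matches.status
            }
        }
    }

    foreach ($g in ($hits | Group-Object Ip, Token)) {
        $distinct = @($g.Group | ForEach-Object { "$($_.Client)/$($_.Folder)" } | Sort-Object -Unique)
        if ($distinct.Count -lt $Threshold) { continue }
        $folders = $g.Group | Measure-Object Folder -Minimum -Maximum
        [pscustomobject]@{
            Ip             = $g.Group[0].Ip
            Token          = $g.Group[0].Token
            DistinctShares = $distinct.Count
            Served         = @($g.Group | Where-Object Status -eq 200).Count
            FolderRange    = "$($folders.Minimum)-$($folders.Maximum)"
        }
    }
}

Find-ShareEnumeration -LogLines $SampleLog -Threshold 5 | Format-Table -AutoSize
```

In the sample, the first address is reported (six distinct shares with one token, five of them served) and the second is not (one share, fetched twice). Tune the threshold to the legitimate download pattern for the service, and adapt the regular expression if the server writes IIS W3C logs rather than the combined format.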

Remediation

Nimbox issued a hotfix for this issue here, and details about the steps they took can be found here. Anyone running the version below, or an earlier one, is urged to upgrade immediately to the latest version:

Product   Version             Platform
Nimbox    2.5.0 – 2.5.1.936   vault.nimbox.co.uk

Conclusion

This shows how a common attack vector that has been in the OWASP Top 10 for a number of years, such as Insecure Direct Object Reference, can still have a significant impact. The PoC also shows how, using commonly available tools and techniques combined with a little bit of ingenuity, you can go from having nothing to gaining full access to all the customer data. User access control also plays a role here and highlights the need for a defence in depth approach.

Nimbox Unauthenticated Direct Object Reference in Download Function

Advisory Information

Title: Nimbox Unauthenticated Direct Object Reference in Download Function

Date Published: 05/08/2016

Advisory Summary

Nimbox is a secure file sharing, collaboration, backup and cloud storage service for managing, sharing and syncing files across your environment. Their ‘vault.nimbox’ service, used for secure file sharing, was found to have an unauthenticated direct object reference vulnerability, resulting in the ability to download all customer data stored within https://vault.nimbox.co.uk.

Vendor

Nimbox

Affected Software

Product   Version             Platform
Nimbox    2.5.0 – 2.5.1.936   vault.nimbox.co.uk

Description of Issue

Nimbox’s ‘vault’ application contains a ‘download as a zip’ function, which allows clients to download the entire contents of their share instead of each file individually. This function makes use of three separate parameters when making its call to the API end point.

https://vault.nimbox.co.uk/1/files/share/<client_id>/<folder_id>/zip/<validation_token>

By iterating through each value of client_id and folder_id, it was possible to enumerate valid content and download the corresponding folder.

These requests can be made without first authenticating to the service and all that is required to invoke the download is a validation token, which can be obtained through multiple means (the simplest of which was to create a trial account).

PoC

Further discussion and a proof of concept on this issue will be covered within a future 7 Elements blog post.

Timeline

Reported – 26th July 2016

Accepted – 26th July 2016

Patched – 27th July 2016

Advisory Published – 5th August 2016

The Defence Cyber Protection Partnership Cyber Security Model

Introduction

For projects starting from April 2016, all suppliers will be required to meet the Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM). This will mean that in addition to Cyber Essentials (CE), all parties involved will also be required to meet corresponding governance requirements.

This follows on from the earlier (1st January 2016) notification (discussed here), which specified that all MoD contractors and sub-contractors will be required to have Cyber Essentials or Cyber Essentials Plus. It is also important to be aware that this extends to all MoD procurement, suppliers and sub-contractors, even if they are not working directly with/for the MoD. All suppliers will be required to have the relevant Cyber Essentials certificate in place at the latest by the contract start date, and then maintain compliance with the scheme by renewing annually.

This document outlines the key requirements under the MoD procurement and DCPP CSM in relation to contractors and sub-contractors within the defence community.

 

Key Points

There are four different risk categories for all MoD projects, very low, low, moderate and high, which have different certification requirements:

  • All contractors and sub-contractors on projects with a very low risk rating are required to have a CE certificate.
  • All contractors and sub-contractors on projects with low, moderate and high risk ratings are required to be CE+ certified (which includes gaining CE as part of the process).
  • All contractors and sub-contractors on projects with low, moderate and high risk ratings are required to implement additional security controls beyond CE and CE+.

Scheme Updates (April 2016)

The Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM) is now live. This means that all MoD contracts or sub-contracts must now be assigned a cyber risk profile, as defined below; each comes with its own mandated set of requirements:

 

Not Applicable
  Description: For contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall into this category.
  Requirement: Cyber Essentials recommended but not required

Very Low
  Description: For contracts where a basic threat is faced (i.e. simple hacking, phishing or spyware) and where any attacker is likely to be opportunistic, unskilled and non-persistent. The sorts of contracts this will apply to are likely to be those covering commodity purchases or standard service provisions, e.g. office supplies or the disposal of non-sensitive waste.
  Requirement: Cyber Essentials only

Low
  Description: For contracts where the threat may be slightly more targeted (i.e. involving spear phishing, whaling or ransomware, and where attackers are semi-skilled but may not be persistent). It is likely to apply to contracts for basic parts or services, but not where these could be linked to military capability. This profile is likely to apply primarily to contracts handling information classified as OFFICIAL, but may also occasionally apply to those involving small quantities of OFFICIAL information which have the handling instruction SENSITIVE.
  Requirement: Cyber Essentials Plus & 16 additional controls

Moderate
  Description: For contracts subject to more advanced threats that are tailored and targeted with the objective of gaining access to specific assets or enacting denial of service. The attacker is likely to be persistent, organised and either skilled or with access to skills, e.g. cyber criminals or hacktivists. This will likely apply to contracts that involve handling greater volumes of, or more sensitive, personal information, and those involving larger quantities of OFFICIAL-SENSITIVE information.
  Requirement: Cyber Essentials Plus & 32 additional controls

High
  Description: For contracts assessed as being subject to Advanced Persistent Threats (APT), which may be sustained over long periods and not exploited for months, or years, after the initial attack. Attackers will be organised, highly sophisticated, well resourced and persistent. This will likely apply to contracts that are essential to support key military capability and those handling information classified at SECRET or above.
  Requirement: Cyber Essentials Plus & 43 additional controls

The risk assessment process will be conducted by the party letting the contract (for example the MoD, or a defence supplier sub-contracting elements of the work). All parties involved must meet the minimum requirements associated with the contract’s assigned risk profile; otherwise they will not be eligible for the work.

Therefore, while the minimum requirement is only to achieve Cyber Essentials, it would be advisable to attain Cyber Essentials Plus. This provides the company with a demonstrable approach to information security and prepares for the eventuality that a contract will be assigned a more demanding risk profile.

 

Get in Touch

7 Elements are an accredited certification body for Cyber Essentials, more information on the scheme can be found here. As an independent technical information assurance consultancy, 7 Elements is well suited to assist your organisation in gaining a Cyber Essentials Certification.
As the scheme is designed to be available to all sizes of organisations, our pricing is cost effective.
To discuss your Cyber Essentials needs please contact us.

Additional Reading

What is the Cyber Essentials Scheme?:

https://www.7elements.co.uk/services/cyber-essentials/cyber-essentials-scheme/

MoD Industry Security Notice:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/494608/ISN_2016-01_Implementation_of_Cyber_Essentials_Scheme-O.pdf

MoD guidance:

https://www.gov.uk/government/publications/defence-cyber-protection-partnership-cyber-risk-profiles/overview-dcpp-and-cyber-security-controls

Further reading on the additional governance control requirements for each risk profile:

Very Low

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/497904/Jan-2016_Final_DCPP_VERY_LOW_Cyber_Risk_Profile_Requirements_-_Evidence_and_Guidance.pdf

Low

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/497899/Jan-2016_Final_DCPP_LOW_Cyber_Risk_Profile_Requirements_-_Evidence_and_Guidance.pdf

Moderate

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/497894/Jan-2016_Final_DCPP_MODERATE_Cyber_Risk_Profile_Requirements_-_Evidence_and_Guidance.pdf

High

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/497891/Jan-2016_Final_DCPP_HIGH_Cyber_Risk_Profile_Requirements_-_Evidence_and_Guidance.pdf

Cyber Essentials Questionnaire Guidance

Providing relevant and detailed answers along with supporting evidence is key to a successful Cyber Essentials submission. As such we have issued the following cyber essentials questionnaire guidance.

As a recommendation, we would suggest the following approach be used:

1. Use the comments field to provide narrative that supports the statement.

2. Where appropriate, use additional evidence to back up that assertion.

3. Additional evidence should be included within a separate folder and where possible the file name should reference the question to aid in easy navigation.

4. Where a policy statement is used to support an assertion, the policy should be included within the evidence folder. The comments section should clearly reference the exact location of the policy statement and where possible the relevant paragraph should be included. This should then be backed up with evidence of use, such as screenshots.

5. If you do not feel you fully comply with a certain question, then provide a detailed answer as to what the business does have in place and any mitigating reasons as to why it may not be or is not possible/feasible to fully comply with a particular Cyber Essentials requirement.

To illustrate this, we will use question 13 from the questionnaire.

Q: Is a standard build image used to configure new workstations, does this image include the policies and controls and software required to protect the workstation, and is the image kept up to date with corporate policies?

A robust response within the comments field would be:

A gold build is used to deploy machines within the estate; each machine is built using the most up-to-date gold build and is then tested to confirm there were no issues during installation. Once this has been completed, the machine is added to the Active Directory and all relevant GPOs, such as those pertaining to updates, permissions and password policies, are applied. At this stage the machine is ready to be introduced to the network for use by an end user. Evidence of this process can be seen in the following screenshots and policy extracts:

IS Policy ‘Section 4, page 2’ “All IT assets will be built using the authorized gold build”.

Screenshot ‘Question13-a’ details a list of authorized software deployed as part of the gold build.

Screenshot ‘Question13-b’ shows evidence of the machines within the Active Directory.

 

For more information regarding our Cyber Essentials services, please visit the following page.

Securing Server Message Block (SMB) Against Null Session Enumeration

Null session functionality within the SMB protocol enables anonymous access to hidden administrative shares on a system. Once a user is connected to a share through a null session, they can enumerate information about the system and environment.

Information that can be gained includes (but is not limited to):

  • Users and groups
  • Operating system information
  • Password policies
  • Privileges
  • Available shares

Easy-to-use tools are freely available that can automate the enumeration and gathering of this data, providing an attacker with a wealth of information that may aid in an internal attack. For example, the enumeration of identified user accounts, in combination with details of the password policy in use, provides an attacker with the ability to conduct specific, targeted password-guessing attacks, increasing the overall likelihood of success and resulting in account compromise.

Exposure to null sessions can be tested by issuing the following from a command line:

net use \\remote_IP_address\ipc$ "" /u:""

In this example the ipc$ share is a common default share that is often in use. Other options include admin$ and C$.

Taking action to disable null sessions can be an important step in hardening the overall security posture of an organisation. It should be noted that current operating systems limit access by default, with older operating systems providing configuration options to apply additional security controls.

In order to restrict or disable null sessions the following steps can be taken:

 

Local Based:

Edit the following registry key and then set the ‘Value’ accordingly:

Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: RestrictAnonymous

Type: DWORD

Value: x (1 or 2, as described below)

Setting the value to 2 disables anonymous access and therefore requires an authenticated account to communicate with the service.

Setting the value to 1 allows anonymous access but will deny enumeration of user accounts and admin shares.

Once the value has been changed, verify that the change has taken effect by rebooting the device and attempting to initiate a null session.
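The local steps above (read the LSA value, set it to 1 or 2, reboot, then re-run the null session check) can be scripted so that the current posture is recorded before and after the change. The following is an added PowerShell example written for this page, not part of the original post; it must run in an elevated session on the host being hardened, and the verification function is meant to be run from a second host against the hardened one. The RestrictAnonymousSAM value it also reports is a related LSA value that the post does not mention, included for the audit output only, and the host name in the final comment is a placeholder.

```powershell
# Added example (not from the post): audit, set and verify RestrictAnonymous.
# Run Get-/Set- functions in an elevated PowerShell session on the target host.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NullSessionPosture {
    # Reads the current RestrictAnonymous value. An absent value means the default, 0.
    $lsa = Get-ItemProperty -Path $LsaKey
    $ra  = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
    $meaning = switch ($ra) {
        0       { 'no restriction: anonymous enumeration of users and shares is possible' }
        1       { 'anonymous access allowed, but enumeration of user accounts and admin shares denied' }
        2       { 'anonymous access disabled: an authenticated account is required' }
        default { "unexpected value $ra" }
    }
    [pscustomobject]@{
        RestrictAnonymous    = $ra
        Meaning              = $meaning
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM   # related value, not covered in the post
    }
}

function Set-NullSessionRestriction {
    # Sets RestrictAnonymous to 1 or 2. Supports -WhatIf so the change can be previewed,
    # which matters given the functional impact warning in the GPO section.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Level)
    if ($PSCmdlet.ShouldProcess("$LsaKey\RestrictAnonymous", "Set to $Level")) {
        Set-ItemProperty -Path $LsaKey -Name 'RestrictAnonymous' -Value $Level -Type DWord
    }
    Get-NullSessionPosture
}

function Test-NullSession {
    # Run from another host after the reboot. Attempts the same null session as the
    # 'net use' check above and returns $true if the target refused it.
    param([Parameter(Mandatory)][string]$ComputerName)
    $share = "\\$ComputerName\ipc$"
    # Start-Process joins the arguments into the raw command line: use \\host\ipc$ "" /u:""
    $p = Start-Process -FilePath 'net.exe' -ArgumentList @('use', $share, '""', '/u:""') `
                       -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -eq 0) {
        # The null session was accepted: tear it down again and report the exposure.
        Start-Process -FilePath 'net.exe' -ArgumentList @('use', $share, '/delete', '/y') `
                      -NoNewWindow -Wait | Out-Null
        return $false
    }
    return $true
}

Get-NullSessionPosture
# Set-NullSessionRestriction -Level 2 -WhatIf      # preview, then run without -WhatIf and reboot
# Test-NullSession -ComputerName 'FILESRV01'       # placeholder host name; run from a second host
```

Record the output of Get-NullSessionPosture before and after the change so the hardening is evidenced, and keep the verification step on a separate host: a null session attempted from the machine itself does not exercise the same network path that an internal attacker would use.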

 

GPO Based:

This can also be achieved through group policy by setting the following:

Note: Disabling anonymous access could have a negative impact on functionality that relies on it. 7 Elements recommends that consideration be given to the potential impact, and that testing be carried out in a non-production environment before making changes to production systems.

Day Two OWASP AppSec EU

So after a busy day at my graduation, I had the opportunity to fly out for day two of OWASP AppSec EU. An opportunity I took, naturally. Having been to a number of OWASP chapter meetings but never an AppSec conference, I was very much looking forward to it. I am happy to report that, with around 350 people from all over the globe and a variety of backgrounds, it didn’t disappoint!

Below is a brief overview of the talks that I attended.

 

OpenSAMM Best Practices: Lessons from the Trenches

By Seba Deleersynder & Bart De Win

The first talk I made it to was on the OpenSAMM project. It began by discussing what the OpenSAMM framework is and the challenges faced with adoption. The talk then moved on to look at what has and hasn’t worked for organisations trying to implement OpenSAMM, including a look at the lessons learned so far throughout the continued development of the project. There was discussion of how to allow companies to assess where they are in relation to maturity towards education and awareness levels. Overall, OpenSAMM looks to be a great project, and all involved seem to be making real strides with it.

 

Making CSP Work For You

By Mark Goodwin

A surprise talk, as the original talk did not happen. Nonetheless, Mark did a great job standing in, with an interesting talk on Content Security Policy and its current place in defending against attacks such as XSS. He then went on to discuss some unsafe functions typically found within applications that make them vulnerable, such as eval in JavaScript, and the need for separation between code and data, since the two become confused with each other. The talk contained some nice practical examples and interesting statistics. One big statistic that stood out was that, out of the top million websites, only 300 currently use CSP, showing that more can be done to raise the overall security posture of applications.

 

ActiveScan++: Augmenting manual testing with attack proxy plugins

By James Kettle

A nice talk on the Python plugin ActiveScan++ that James created for use within Burp Suite. The talk covered the benefits of implementing vulnerability scanners within intercepting proxies, as well as their drawbacks. It looked at how automating attacks such as host header injection/poisoning, cache poisoning, DNS rebinding and relative path overwrite could be done, with some good practical examples. The talk finished off by looking at fuzzy point detection and its potential effectiveness. ActiveScan++ was launched with this talk too!

 

Metro down the tube. Security Testing Windows Store Apps

By Marion Mccune

As the name suggests, this talk was focused on security testing Windows Store applications and the direction Microsoft is heading with these applications. Discussed were the different kinds of frameworks and applications currently utilised by Microsoft, and what security is and is not employed, including a nice extract of which of the OWASP Top 10 are actively tested for. Also covered was the prospect of universal applications, which Microsoft is looking to employ, meaning that one single app could be run on anything from a 4” smartphone to an Xbox One on a 50” screen.

 

Can Application Security Training Make Developers Build Less Vulnerable Code?

By John Dickson

My final talk of the day was from John Dickson and focused on a study he carried out last year in North America. The study looked at assessing software developers’ depth of security knowledge. It was targeted at software developers, and the results were very interesting, with outcomes such as: high turnover of software developers, typically between 20-30% per annum, and in areas such as Silicon Valley it can be even higher. Therefore, if you trained your developers 2 years ago, they aren’t the same developers you have right now, for a varying number of reasons. This means your development team can be completely different every few years, so training must be recurrent. Other results included looking at how many developers had been given training; unfortunately the specifics were not questioned, i.e. how long ago it was, and what it actually consisted of/its intensity. Something I believe John is going to look at in the future when carrying out further surveys.

Aftermath/conclusion

Overall, I thoroughly enjoyed my first time at OWASP AppSec EU with the 7 Elements team; the talks were good, and the stands were excellent, as were some of the freebies! Unfortunately I missed the Automatic Detection of Inadequate Authorization Checks in Web Applications talk. Thankfully, however, there is a YouTube channel for the conference with all the talks, so if you are interested I recommend checking that out! It was also nice to see such a large number of developers attending.

 

I will leave you with one final statistic from the conference: 83% of software developers know what XSS is, but only 11% know how to remediate against it. Definition of “know” to be confirmed. But it still shows that a lot of education is still required.