Researcher discovers flaws in Telekom's server
Ebrahim Hegazy, an Egyptian researcher, has found another
vulnerability that affected the Web servers of Deutsche Telekom, Germany's
biggest telecommunications provider.
He discovered the bug on the telekom.de website, on one of
the subdomains that displayed a generic landing page. The subdomain
umfragen.telekom.de translates to suggestions.telekom.de, and seems to be an
abandoned Web page left behind from previous site iterations.
According to the researcher, attackers could have gained full control of the Deutsche Telekom server.
The researcher described the vulnerability as the most basic example of a Remote Code Execution (RCE) vulnerability: one that allows attackers to gain full control of a Web server simply by probing its ports and opening connections with malicious requests.
By brute-forcing URL paths, Hegazy came across an upload.php file. For this kind of pen testing the researcher had built his own tool, called Pemburu.
He then set out to find the URL to which the upload.php file sent user-submitted data. His tool went through a large set of URL variations and eventually discovered that the file sent data to umfragen2.telekom.de/upload.php.
This allowed Hegazy to take a closer look at the code.
He came across a mechanism that took user input from the HTTP POST request without sanitizing it in any way and then passed the data as an argument to the PHP system function.
This function is modeled after the system function in C: it lets PHP developers execute shell commands from inside their PHP app and retrieve the results. It is generally considered good practice not to use this function on any front-facing Web server.
He reported the flaw to the telco's security team, and it has since been patched.
According to a report published by Softpedia, his research was carried out as part of the company's bug bounty program and received a €2,000 / $2,150 reward.