Open AnthonyH45 opened 3 years ago
IC: Thank you for your submission. Since this system is designed to work only on an end user's network and not on the public internet, I fail to see how this is a security issue. I agree that the message should be a little better, but since this is an internal application the end user themselves would have to break the system.
OOC: It was fun making it. You know how hard it is to make bad code. It's awful!
Understood. The message said to report, and that is what I did.
Just because it is an internal application does not mean it should fail like this. If an internal user becomes malicious and uses this to cause any sort of disruption, then they exploited something that was reported and ignored.
My goal is to bolster NGPEW's defenses against all attacks, but I understand if this is not within NGPEW's threat model and NGPEW does not want to pursue action to mitigate this.
IC: I just think you have not convinced me that this issue is a threat. If a user breaks a piece of software he installed, what risks would NGPEW really have besides tech support?
Does it have to pose a threat? If something can be broken, then it doesn't matter if it can be exploited or not, it's still broken.
"One error is one too many" (I forgot who said this, I got it from a Stack Overflow post about a year ago about RAM failing one check with MemTest86)
OOC: So, mostly an attack model that might be an issue is CSF: an external attacker can make an iframe making a new account; with the new account, he can log in (since it's all GET requests) and do setting changes to the platform.
Make sure to keep spoilers out of the titles as much as you can.
Duplicate User Registration: unable to register new user with existing name.
Registering a user with a name that already exists prompts a message to "Report this issue to NGPEW".
Open a web browser and navigate to the IP of the NGPEW sensor server. Once there, click "Create New Account" and continue with making a user. Once complete, redo the steps taken with the same information and the server will print an error saying "Unable to Create User! Please report this issue to NGPEW!". This works with slight variations as well, such as adding a space. So username == user name.
With a simple Python script, a malicious user could easily take up popular names and prevent legitimate users from making accounts.
This account spam can not only prevent users, but possibly the system itself; considering the server only has 1GB of RAM, it could be maxed out quickly if a malicious user makes enough requests to DDoS the server. This prevents the graphs from being read, and thus it is possible for a sensor to reach dangerous levels and NGPEW would not be able to know since the web interface is unresponsive.
Anthony Hallak, https://anthony.hallak.net
https://github.com/AnthonyH45/cptc-badge-2021/
This was performed on the virtual image, not the hardware. Thanks to Forrest (@JRWR) for making these badges!
If you wish to include any files, please attach a PR into a subfolder of the writeups folder in this repo. Please use the format writeups/\/\
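An added example, not part of the original issue or of the NGPEW code: one way a registration handler can treat the duplicate-name case described above as an expected outcome with its own message, instead of a generic "report this issue" failure. The SQLite schema, the function names, the 32-character limit and the choice to fold case and whitespace into one key are all assumptions made for illustration.

```python
import sqlite3
import unicodedata


def canonical_username(raw: str) -> str:
    """Fold the variations the report mentions (added spaces, case) into one key."""
    folded = unicodedata.normalize("NFKC", raw).casefold()
    return "".join(folded.split())  # "user name" and "username" share a key


def open_db() -> sqlite3.Connection:
    """Hypothetical user table; the UNIQUE column makes the database the arbiter."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " display_name TEXT NOT NULL,"
        " canonical TEXT NOT NULL UNIQUE)"
    )
    return db


def register(db: sqlite3.Connection, raw_name: str) -> tuple[bool, str]:
    """Return (ok, message). A duplicate is a normal result, not a server fault."""
    key = canonical_username(raw_name)
    if not key or len(key) > 32:  # assumed limit, rejects empty or oversized names
        return False, "Username must be 1-32 non-space characters."
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (display_name, canonical) VALUES (?, ?)",
                (raw_name.strip(), key),
            )
    except sqlite3.IntegrityError:
        # UNIQUE violation: the name (or a spacing/case variant) already exists.
        return False, "That username is already taken."
    return True, "Account created."


if __name__ == "__main__":
    conn = open_db()
    # Constructed sample inputs, including the spacing variation from the report.
    for name in ["operator", "operator", "oper ator", "   "]:
        print(repr(name), register(conn, name))
```
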