The state of application security in SMB's

The state of application security in SMB's

For my first post I thought that I would begin with something I see just about every day.  Application security within SMB's. I'm sure this is also a problem with larger companies as well however with smaller customers the software company is always the bigger fish and doesn't want to change their ways.

I've seen some absolutely terrible ideas that software companies thought were the greatest thing since sliced bread. If you saw this with your own eyes you would have to laugh because otherwise you will be crying on a daily basis. So now for some story time

The updates from hell

I was completing a ticket for one of our main customers where a software provider wanted to disable their old AD accounts and standardize their accounts across all their clients (No worries, That's perfect. Standardization is good!). But the way they wanted me to create the accounts and the permissions they were asking for (Domain Admin) seemed a little bit off to me, so I decided to have a little bit of a look at what they were trying to do and investigate further.

The script they provided was a VBE script which is easily reversed by using another script (Such as this one). Upon decoding the script they had all of the usernames/passwords in plain text (Static credentials = bad idea!!). So I went to another one of our clients and asked them if they had received the same email regarding the changing of accounts and indeed they had. WITH EXACTLY THE SAME SCRIPT.

The company providing this is a very large software developer with a lot of clout in the industry (If you sell "another large company's" hardware you need to use it). So this is a pretty big deal that everyone is using the same password, however it's not too bad assuming there is no remote access. Unfortunately in the same email they have requested remote access to all of the servers that X app is installed on (And locked down to their IP address). But of course if you have a RDGateway/Citrix/VPN setup you can't restrict certain users to certain IP addresses (As far as I'm aware) so then anyone can potentially get in.

Ok so that's pretty bad, but to hack into all their clients (1000+) you would need their client list which they obviously hold pretty close to their chest! Right??? Unfortunately for them they decided that their update script (Which was a Powershell script that connected to an FTP server - With more plain text creds..) had to have their client list inside of it to determine which SQL scripts to run.. This text file was on all of their clients!!!

So just from their script, I had a list of all of their clients, with domain admin credentials and remote access to all of them. From their it's not to hard to find their remote access server (Citrix.company.com, remote.company.com etc).

Of course to them this was impossible to understand how it would ever happen and why any of their clients would go rouge and want to hack all their other clients. After voicing our concerns to our customers they went to the vendor and said "We aren't running this script - You need to fix all of the below concerns that our IT company raised below" which fell on deaf ears and nothing happened for ~8 months.

Our director just happened to run into another company who used the same software and they agreed for us to do a test of whether or not we could remotely login to their servers (As domain admin) and place a file on the server. We organised the test and within 10 minutes I had logged in and placed a file on the C:\ drive of their domain controller and logged back out again. This company was very unimpressed with the software provider and we sent a huge email chain which ended up getting to the CEO of the software provider who couldn't believe that this had happened. We ended up in a meeting with the CEO/CIO over the phone and had the CIO accusing us of basically trying to hack every bit of software that we received (Which is mostly true, I give them a quick glance).

After they spent a few days manually changing everyone's passwords and removing all of the scripts etc from the servers all was well in my universe again and I could sleep happy.

My 2 cents

Apart from the fact that hard coded credentials area stupid idea that shouldn't ever be used - This is a huge standard in the SMB world, even larger software companies have got them set everywhere! The pain is that without public disclosure and companies actually caring about security this will always will be case

Jack Stuart

test

View Comments