We don’t have the best AV or malware protection on the planet. We went cheap and as a Microsoft partner we decided to deploy System Centre Endpoint.
As part of the patch Tuesday – I use System Centre Configuration Manager to deploy my patches on our own internal IT system, not our customers’ systems that we are paid large amounts of mega bucks to administer on a day to day basis.
Having a nose around System Centre as you do, I notice that one of our servers is at risk from the Endpoint Protection screen.
Not only is it at risk, but that VM is our accountant’s VM, used to store payroll and invoices and to do the internet banking that pays my
First thing this grumpy admin notices, yes System Centre noticed and alerted inside the console. No one bothered to configure System Centre alerts to actually email out if there is a malware detection so it could be remediated by the admin staff.
Meh! I will fix that later, first… let’s phone the financial director of the company who is the primary user of the VM. A Windows 7 VM I might add. I inform him that the antivirus software product has picked up two malware types and ask for permission to log in and investigate.
I log in to this Windows 7 VM and discover Endpoint had picked up two Trojans… not good as this is a high risk/sensitive VM.
My first reaction is to Google the type/names of the Trojans. Nothing special… right, I download and install a 3rd party AV product – Malwarebytes – and got this to run a quick check on the VM.
All clean-ish, 4 bits of PUP (potentially unwanted programs), all advert and cookie related from browsing the internet. Not concerned, I cleaned them up. Then I hit the clean button in Endpoint Protection to get rid of them two annoying Trojans.
Easy done – box comes up – run full scans from both AV products. All clean!! Hurray the Trojans are DEAD!
Now for damage assessment.
I phoned the finance director again and informed him the type of Trojans could have stolen his account details and to change his Internet banking passwords (asked if he was using two factor authentication and he was, so that’s a good thing and made me smile – you have to ask these things right?).
I also enumerate the user accounts of everyone who had logged in to the box.
Then I write a carefully worded email saying that there is a risk that their domain passwords and any passwords used on that box, websites etc. could have been cached and compromised prior to the AV detecting the Trojans. I strongly recommended a full password change.
I, as a good dedicated grumpy administrator, ensured there were read receipts on my email and all read parties (mostly directors) read it.
That was Thursday Morning.
I double check the box is still clean, by running both AV products with full scans. I check my email, no alerts from System Centre. I configured alerts Friday morning, as I eagerly waited for POETS day to arrive and had little else to do as it was Friday the 13th and the risk of breaking stuff was too high to do anything to anything.
I decided to check to see who took my advice and changed their passwords. These are directors of the company and pay my wages so this grumpy administrator can’t force them to do it! It is that old battle of rank/status overrides IT policy and best practices.
To get the information that I need from Active Directory – I executed the following PowerShell script – quick and dirty, as I know the usernames I’m looking for I can just use the scroll bar, why type extra script or put a where name -eq … I am a lazy grumpy admin.
Get-ADUser -Filter * -Properties PasswordLastSet | ft Name, PasswordLastSet
To my shock and horror.
Not one of the people who have logged in to that possibly infected by a password-stealing Trojan box (except me, who did a full rotation of passwords) had changed their passwords.
It is 2015 – one of the directors’ passwords was last changed on 24/09/2009 08:58:09. Yep – September 2009!
Even after a recommendation from the Grumpy IT Administrator to change their passwords – not one did!
The whole company doesn’t have a password rotation policy – a glaring risk – which this Grumpy IT Administrator has pointed out before!
If I modify the PowerShell command above, and use it to get the passwordneverexpires attribute – I can see lots of Trues being returned, confirming every account is set to not expire their passwords ever!
Get-ADUser -Filter * -Properties PasswordNeverExpires | ft Name, PasswordNeverExpires
I don’t make up the policies and I inherited this internal system that I administer… I previously demonstrated to my peer and fellow administrator how easy it was to configure fine-grained password policies – with the intent to assign it to the administrators group (https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx). This was an attempt to install good practice and security – after all I am an Ethical Hacker…..
Oh…. don’t forget if you need this list of names or details to go hit people over the head with evidence by printing it off 1000 times to make a weighty murderous paper weapon which can be put in the shredder afterwards for easy disposal or emailing a list of shame to the whole GAL… you can use the | export-csv <file path/name here> at the end of the PSH code at the cmd line.
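The two checks above, combined into one report for only the accounts that logged on to the affected host. This is an added example, not the author's script; the parameter names, account list, incident date and output path are placeholders to fill in. It exports the objects directly, because anything piped through Format-Table (ft) first arrives at Export-Csv as formatting data rather than the user properties.

```powershell
# Added example: audit password rotation for accounts exposed on a compromised host.
# Assumes the ActiveDirectory module (RSAT) is installed; all parameter values are placeholders.
param(
    [Parameter(Mandatory)] [datetime] $IncidentDate,     # when the malware was detected
    [Parameter(Mandatory)] [string[]] $SamAccountName,   # accounts that logged on to the host
    [string] $OutFile = '.\password-audit.csv'
)

Import-Module ActiveDirectory

$report = foreach ($name in $SamAccountName) {
    try {
        $u = Get-ADUser -Identity $name -Properties PasswordLastSet, PasswordNeverExpires -ErrorAction Stop
    } catch {
        # A typo in the list must not silently drop an account from the audit
        Write-Warning "Could not look up '$name': $_"
        continue
    }
    [pscustomobject]@{
        Name                 = $u.Name
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        # PasswordLastSet is $null when the account is flagged to change password at next logon
        ChangedSinceIncident = ($null -ne $u.PasswordLastSet) -and ($u.PasswordLastSet -gt $IncidentDate)
    }
}

# Format-Table is for the console only; export the objects themselves
$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation
```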
But as ever, they don’t like change or common sense even after a Trojan infection in perhaps the most sensitive VM we have! The one that does my wages!!!!! This makes me GRUMPY
TLDR (Too Long Didn’t Read)
Found Virus, Fixed Virus, Informed everyone affected to change passwords – checked for password changes 5 days later – NO one changed their passwords after being told to, company has no IT security policies and that makes me GRUMPY!!!