What is Misconfiguration?
Security misconfiguration is a vulnerability that normally happens when the application especially a web page because the developer didn’t configure the website properly and exposes it to insecure configuration options.
It’s a configuration weakness that normally existed within the software components or in user administration. A common scenario in the real-life world, the application might be installed with a default user account or configuration file such as phpinfo which the bad guys might take advantage of abusing the application or system. Another method is that the software will enable the services as remote administration functionality.
List of attacks that have been exploited by misconfiguration vulnerability
The attack that makes use of misconfiguration vulnerability that listed below:
- Brute force/credential stuffing
- Code injection
- Buffer overflow
- Command injection
- Cross-site scripting (XSS)
- Forceful browsing
Security misconfiguration attack scenario
The attack scenario should be as the step below:
- The bad guys will be able to obtain access to the organization’s internal network connection.
- Next, the bad guys will also try to do information gathering by scanning the network for any device especially if the device or application is using the default credentials.
- The bad guys will take over the server by accessing the vulnerable device by abusing the common credentials of the application
Demonstration of the attack
The demonstration can be found Previse Machine
For us to get escalation to root, we need to find the SUID file that we can use to abuse.
By typing the command “sudo -l” and we managed to be aware of /opt/scripts/access_backup.sh
While reading the file access_backup.sh, we know that we can run some commands from anywhere inside the machine.
I have created a gzip file that contains a reverse shell command (bash command) under /dev/shm directory
We need to give permission to execute the gzip file