Interview with Alexander Fuchs - Finder of a critical bug in NATO's research site (RTO/OTAN)
Today HITB will publish an exclusive interview with Alexander Fuchs, alias f0x23. Alexander is a member of the Vulnerability-Lab research team and lives in Germany. After his last publication and press articles, we asked him some questions about the NATO - RTO OTAN (Research & Technology Organisation) vulnerability he discovered some days ago.
Reporter: Can you tell us something about your work in the vulnerability laboratory team?
Alexander F.: I joined the vulnerability laboratory team 4 months ago. My first advisory was about a persistent XSS vulnerability (cross-site scripting) on a big German television website. Last week I discovered a new vulnerability in the petition system of whitehouse.gov. I also found some SQL injections and local file include vulnerabilities in laposte.fr, which is a French post service with 20 billion € sales in 2007. Last month I detected a vulnerability in the exception handling of the Apple vendor website. I am glad to work with my team. We are a special constellation of real security researchers & exploiters.
Reporter: How long did you need to identify the vulnerability on the NATO webserver?
Alexander F.: I first searched for subdomains on the NATO domain for a news article. As I found the Research and Technology site, it wasn't hard to find the vulnerability. In about 10 minutes, I found the issue and the vulnerability was identified, then I discussed it with Benjamin Kunz Mejri, the founder of the vulnerability-lab team. He did the notification stuff between the vendor website (NATO) & our laboratory.
Reporter: What security priority (low; medium; high; critical) does the discovered vulnerability have?
Alexander F.: The security risk of the file include vulnerabilities is estimated as critical, because it is possible to take over (control) the webserver. The NATO Research and Technology Organisation promotes and conducts co-operative scientific research and exchange of technical information amongst 26 NATO nations and 38 NATO partners. The largest such collaborative body in the world, the RTO encompasses over 3000 scientists and engineers addressing the complete scope of defence technologies and operational domains. The webmail service of the Research and Technology Organisation also runs on the vulnerable server.
Reporter: What does successful exploitation of the vulnerability allow an attacker to do?
Alexander F.: If an attacker successfully exploits this vulnerability, then he'll get full access to read all the files he wants to, and at this point there are a lot of possible attack scenarios. The most dangerous are infecting the server and clients with malware, espionage against the research and technology team, or using the trusted communication for infiltration and manipulation.
Reporter: What types of vulnerabilities have been discovered in the advisory?
Alexander F.: The local file include vulnerability was discovered in the advisory. The bug allows an attacker to read/request internal system/webserver files (e.g. the system config of the webserver). The vulnerability also allows a remote attacker to run commands on the affected webserver.
Reporter: How did the manufacturer or development team respond to the security report?
Alexander F.: First, the webmaster asked for more details about the security issue. Then he was grateful to the vulnerability-lab team for taking the time and effort to look at this vulnerability. The communication was very good and fast, as it should be.
Reporter: How can the manufacturer fix the problem?
Alexander F.: To fix the security issue, the manufacturer has to restrict requests to allowed files and parse the input. It's always a good idea to check all inputs with a whitelist of expected inputs and take care of the major security issues in the web application by patching the systems and monitoring them. Thanks!
Reporter: Has the vulnerability been fixed/patched by the development team?
Alexander F.: Yes, 24 hours after the submission arrived in the vendor's website postbox.
Security Video: http://www.vulnerability-lab.com/get_content.php?id=318