Discussion
Usually I put the discussion part of the report at the bottom of the write-up. But today it’s different. As this critical CVSS 10 bug went unpatched for longer than 3.5 years after reporting it. I strongly suspect this bug has been there since 2005. This has put their employees at risk for leaking their credentials. Since people often reuse passwords they should be informed about this potential leak.
The bug described in this blog was discovered on the 23th of April 2020. The same day the bug was confirmed by the Ahold security team; a good thing to confirm a vulnerability as soon as the report comes in.
I falsely assumed that it would be fixed immediately after the confirmation. A hard lesson learned: always check yourself for fixes after one month and try to keep track of all the bugs you report by email.
On the 2nd of November 2023 (>3.5 years later) I received an email stating that the bug was fixed. To my surprise I discovered on the 9th of November 2023 it was not fixed but is still vulnerable.
This time I properly exploited the bug and smuggled out the /etc/passwd file from the server as a proof of concept. You will read about that in detail below.
However the full server should be considered compromised for at least 3.5 years (or even 18 years?). As everyone could execute any code on the server. No authentication required & easy to discover.
The vulnerable server acts as a central identity provider. It allows users to login and reset their password, supporting different Ahold companies as seen on the help page. Not good.
Recon
Ok. Enough introduction, time to hack!
When hacking a company we always try to find the most interesting and weakest asset possible. We want bang for bugs.
Btw. today we don’t hack for bucks as Ahold rewards a max 300 euros in gift cards (to put this in perspective, corporations like Shopify reward up to 200.000 dollars for RCE bugs), so today we do it solely to make the internet a bit safer.
With companies the size of Ahold Delhaize you have a big challenge to setup proper identity management systems. They acquire companies all the time and might need to work with old legacy systems. Systems that manage username, passwords and access levels of all employees.
If you compromise such a server it’s game over, as you could use this to perform lateral attacks and impersonate other users on different company assets.
So let’s hunt for those assets.
A good start is to try to figure out where employees login. Let me google that for you.
A quick look at the webdesign gives us 90s vibes, vibes we like as security researchers as it smells like legacy code and thus a high probability of security issues.
A quick lookup shows us that another name for this server is: ldap-ws-vip.aholdusa.com.
LDAP, or Lightweight Directory Access Protocol, is a protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. It’s commonly used for organizing and locating diverse items in a network, like users, groups, devices, and permissions, making it a central part of many organizations’ IT infrastructures.
As we want to discover all the interesting endpoints (urls) on this LDAP server we need to be sure we also capture the old legacy ones that are not actively linked anymore.
A great tool to use for this is https://github.com/tomnomnom/waybackurls made by TomNomNom.
The tool literally grabs all the archive.org data ever indexed of the supplied domain and displays you all the URLs / Endpoints it could find. This results in a lot of noise (also images and other files are showed), however when you filter the list on specific words you can quickly get a good result.
Those hits look like perl, a coding language used in the past to create websites, 90s baby! The extension.pl gives us the clue.
When visiting the page we see some form that one could submit.
Finding a Server Side Template Injection bug
The next step is to open this page in the Burp Browser so we can capture all the browser traffic.