Merge pull request #525 from bugcrowd/Data_not_encrypted_at_rest

Adding Additional Insecure OS Firmware Templates

submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to encrypt all data at rest within the device to prevent the data from being viewable by a 3rd party attacker.

submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md

@@ -0,0 +1,22 @@
+# Data Not Encrypted at Rest (Non-Sensitive)
+
+## Overview of the Vulnerability
+
+The device stores non-sensitive data that is not encrypted at rest. Despite the data not being directly exploitable, its accessibility due to lack of encryption allows attackers with physical access to the device to retrieve this information. This exposure could facilitate reverse engineering efforts or aid in future exploitation attempts, indirectly compromising the system's security.
+
+## Business Impact
+
+While the data in question is classified as non-sensitive, its exposure still poses security risks. Unauthorized access to this data can provide attackers with insights into the device's operations or architecture, potentially leading to vulnerabilities being uncovered. This situation can undermine the security posture of the device, leading to increased susceptibility to targeted attacks, erosion of customer confidence, and potential reputational damage.
+
+## Steps to Reproduce
+
+1. Gain physical access to the device and remove the cover as seen in the images below.
+1. Locate the hard drive on the device, and remove it.
+1. Using a external hard drive caddy, mount the device.
+1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to encrypt all data at rest within the device to prevent the data from being viewable by a 3rd party attacker.

submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md

@@ -0,0 +1,22 @@
+# Data Not Encrypted at Rest (Sensitive)
+
+## Overview of the Vulnerability
+
+The device stores sensitive data that is not encrypted at rest, compromising the confidentiality and integrity of the data. This oversight allows an attacker with physical access to the device to easily access and potentially compromise the sensitive data contained within, exposing personal information, secrets, or credentials.
+
+## Business Impact
+
+The absence of encryption for sensitive data at rest on the device poses a significant risk to data confidentiality and integrity. This vulnerability can lead to data breaches, unauthorized access to sensitive information, and potential financial and reputational damages to the organization. It undermines the trust of customers and partners and may result in non-compliance with regulatory requirements related to data protection and privacy.
+
+## Steps to Reproduce
+
+1. Gain physical access to the device and remove the cover as seen in the images below.
+1. Locate the hard drive on the device, and remove it.
+1. Using a external hard drive caddy, mount the device.
+1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to implement robust deletion functions that not only reference to the data, but write over the existing data to prevent digital forensic methods of recovery.

submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md

@@ -0,0 +1,21 @@
+# Failure to Remove Sensitive Artifacts from Disk
+
+## Overview of the Vulnerability
+
+During the deployment or configuration phases of the device, sensitive artifacts (which can include: configuration information, secrets, or credentials) are transferred to and stored on the device's storage medium. These artifacts are not adequately removed post-deployment or configuration. As a result, an attacker gaining access to the device could view these sensitive artifacts.
+
+## Business Impact
+
+The persistence of sensitive artifacts on the device's storage poses a significant risk to data confidentiality and system integrity. Unauthorized access to these artifacts can lead to security breaches, unauthorized system access, and the potential leakage of confidential information. The implications include not only immediate operational and financial losses but also long-term damage to the organization's reputation and trustworthiness, alongside potential regulatory non-compliance.
+
+## Steps to Reproduce
+
+1. Login to the device using the credentials supplied.
+2. Open the file found at: {{filepath}}
+3. You'll see that the file is a deployment script, viewing the variable, {{variable}} you'll see secrets used during deployment.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/insecure_os_firmware/hardcoded_password/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives  an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network.
+When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network.
 
 A hard-coded password for a non-privileged user was identified in the source code of the application. An attacker could abuse the hard-coded password for a non-privileged user to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, elevate their privileges, or gather sensitive data from within the application.
 

submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/kiosk_escape/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/kiosk_escape/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to implement vigorous QA testing of applications prior to deployment. Additionally, robust error logging and catching should be performed within the application to prevent crashes and ensure that the application restarts in the event of a crash. A lower privileged accounts with minimal permissions should also be used to lower the impact of a potential kiosk escape.

submissions/description/insecure_os_firmware/kiosk_escape/template.md

@@ -0,0 +1,21 @@
+# Kiosk Escape or Breakout
+
+## Overview of the Vulnerability
+
+A kiosk escape or breakout occurs when an exploit allows users to bypass the software package serving as the frontend for an application on a system, gaining unauthorized access to the underlying operating system. This vulnerability varies in impact depending on the operating system and the level of hardening applied to the system. In cases where the system uses administrator-level access, the consequences can include defacement, installation of malicious software, or breaches of data integrity, potentially affecting stored customer data.
+
+## Business Impact
+
+This vulnerability can lead to unauthorized access, data breaches, and malicious activities, including the installation of unwanted software and alteration of stored data. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+## Steps to Reproduce
+
+1. Turn the {{hardware}} on and wait for the software to run.
+1. Constantly click on the bottom right of the touch screen, revealing the desktop.
+1. Observe that there is an administrator level user on the device.
+
+## Proof of Concept (PoC)
+
+The following screenshots demonstrate the process of escaping from the application's controlled environment to access the underlying operating system. This may include screenshots or a description of the exploit technique used, the access gained to system settings or files, and any unauthorized actions performed as a result:
+
+{{screenshot}}

submissions/description/insecure_os_firmware/local_administrator_on_default_environment/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/local_administrator_on_default_environment/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to use a low privileged account with minimal permissions for embedded hardware and kiosks.

submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md

@@ -0,0 +1,31 @@
+# Local Administrator on Default Environment
+
+## Overview of the Vulnerability
+
+The current configuration of the device uses a local administrator account as the default environment setting. This configuration inherently provides administrator-level access to the running processes and access, posing a significant security risk. If an attacker compromises the application or device, they can gain elevated privileges automatically, allowing for extensive control over the device's functions and data.
+
+## Business Impact
+
+Operating devices under local administrator accounts by default increases the risk of severe security breaches. An attacker with administrator-level access can disable security measures, install malicious software, and access or alter sensitive information. This could lead to operational disruptions, data breaches involving sensitive customer or business information, and significant financial and reputational damage to the organization. Furthermore, this practice may fail to comply with security standards and regulatory compliance requirements.
+
+## Steps to Reproduce
+
+1. Open the device and use a TTY Cable to connect to the header pins found in the screenshot below:
+{{screenshot}}
+1. Using a serial connection with the command below, connect to the device:
+{{command}}
+1. Press enter then type the command `id`.
+1. You'll see the response is `id=0` which is a local administrator account.
+
+or
+
+1. Plug in a keyboard and power on the device.
+2. On boot, spam the escape key until a new prompt appears, and click Exit.
+3. Now on the desktop, open a terminal and type the command: {{command}}.
+4. You'll see the response shows the user is a local administrator account.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/insecure_os_firmware/overpermissioned_credentials_on_storage/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/overpermissioned_credentials_on_storage/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to strictly scope the credentials that are provisioned to those that are required to operate basic resources.

submissions/description/insecure_os_firmware/overpermissioned_credentials_on_storage/template.md

@@ -0,0 +1,33 @@
+# Over-Permissioned Credentials on Storage
+
+## Overview of the Vulnerability
+
+The device contains a set of credentials stored on its storage medium that are over-permissioned for their intended use. While these credentials are designed to access a specific shared service, their excessive permissions allow for broader unauthorized access. If the device is compromised or falls into the hands of unauthorized user, these over-permissioned credentials could be used to access not only the intended service but also additional services and data that should be segregated.
+
+## Business Impact
+
+Storing over-permissioned credentials on the device presents a significant security risk, amplifying the potential damage from unauthorized access. Attackers could exploit these credentials to gain extensive control over the system's resources and sensitive data, including customer information and proprietary secrets. Such breaches can lead to financial losses, regulatory penalties, erosion of customer trust, and long-term reputational damage to the organization.
+
+## Steps to Reproduce
+
+1. Gain physical access to the device and remove the cover, as seen in the images below:
+{{screenshot}}
+1. Locate the hard drive on the device and remove it.
+1. Using a external hard drive caddy, remove the hard drive from the device's storage.
+1. Mount the device and extract the credentials from: {{filepath}}
+
+or
+
+1. Gain remote access to the device via SSH with the following credentials:
+{{credentials}}
+
+1. Browse to the file path {{filepath}} and open the file.
+1. On Line 32, you can see the variable: {{JWT}}
+1. Using the HTTP request below, send the request with the token:
+{{HTTP request}}
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to use standard cryptographic libraries to reduce the likelihood of implementation vulnerabilities. It's also important to verify that the bootloader and encryption systems are up to date to avoid any known public exploits.

submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md

@@ -0,0 +1,21 @@
+# Poorly Configured Disk Encryption
+
+## Overview of the Vulnerability
+
+The device uses a disk encryption to protect stored data from being accessed while at rest. However, due to a poor configuration of the encryption mechanism, an unauthorized attacker with physical access to the device can decrypt the disk's contents. This vulnerability could expose secrets, customer data, or other sensitive information stored on the device.
+
+## Business Impact
+
+A flaw in the disk encryption configuration significantly undermines the device's data security, posing a high risk to the confidentiality and integrity of stored data. If exploited, this vulnerability can lead to the exposure of sensitive information, potentially resulting in financial losses, damage to the organization's reputation, and erosion of customer trust. Furthermore, it may result in non-compliance with data protection regulations.
+
+## Steps to Reproduce
+
+1. Gain physical access to the device and start the boot process.
+2. Once the device has reached the boot menu and asks for a password, type `A` 257 times and press enter.
+3. The device will decrypt the disk and you can access its contents, including any sensitive data stored on the device.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/recommendations.md

@@ -0,0 +1,3 @@
+# Recommendation(s)
+
+It is recommended to implement standards for operating systems (such as those outlined in the NIST or ASD hardening guidelines) that allow for the identification of known configuration issues, and the required changes to prevent them from being exploited further.