Sakura Samurai, a security research group, has disclosed a vulnerability that allowed it to access over 100,000 private employee records of the United Nations Environment Programme (UNEP).

During the research process, Jackson Henry (@JacksonHHax), Nick Sahler, John Jackson (@johnjhacking) and Aubrey Cottle (@Kirtaner) identified an endpoint that exposed Git credentials.

The credentials gave them the ability to download the Git repositories, in which they identified a large number of user credentials and PII. In total, the security research group identified over 100,000 private employee records. They also discovered multiple exposed .git directories on UN-owned web servers [ilo.org]; the .git contents could then be exfiltrated with tools such as “git-dumper”.

Exposed PII

Travel Records [Two Documents: 102,000+ Records]

Source: Sakura Samurai 


Travel Records included Employee ID Numbers, Names, Employee Groups, Travel Justification, Start and End Dates, Length of Stay, Approval Status and Destination.

HR Nationality Demographics [Two Documents: 7,000+ Records]

Source: Sakura Samurai 


Included Employee Name, Employee Group, Employee ID Numbers, Person’s Nationality, Person’s Gender, Employee Pay Grade, Organization Work Unit Identification Number and Organization Unit Text Tags.

Generalized Employee Records [One document: 1,000+ Records]

Source: Sakura Samurai 


Included Index Numbers, Employee Names, Employee Emails, Employee Work Subareas and Employee Org Units. Note: The column with the “Red number 1” represents the Employee’s specific work department and was blurred because some of the sub-units are small.

Project and Funding Source Records [One Document: 4,000+ Records]

Source: Sakura Samurai 


Included Project Identification Number, Affected Areas, Grant and Co-financing amounts, Implementing Agencies, Countries, Funding Sources, Period of the Project and if the Project/Concept was approved.

Evaluation Reports [One Document: 283 Projects]

Source: Sakura Samurai 


Overall descriptions of the Evaluations and Reports, Periods Conducted and a link to the report on the project.

Technical Assessment

In addition, at the lower end of severity, the research team managed to take over a SQL database and a survey management platform belonging to the International Labour Organization (ILO), also within the scope of the UN’s VDP program.

However, it is worth noting that the ILO vulnerabilities were of little prominence, as the database and survey management platform were largely abandoned and contained hardly anything of use. Nonetheless, a database takeover and an admin account takeover on a platform are still critical vulnerabilities.

The research team had performed subdomain enumeration of all of the domains in scope for the VDP offered by the UN. During their research, they began to fuzz multiple endpoints with tooling and initially discovered that an ilo.org subdomain had exposed .git contents.

Utilizing git-dumper [https://github.com/arthaud/git-dumper], the research team were able to dump the project folders hosted on the web application, resulting in the takeover of a MySQL database and of a survey management platform due to credentials exposed within the code.
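As an added example (not the researchers' tooling, and not code from the article), a small pre-deployment audit in Python that catches the two conditions described above before a site ships: a .git directory left inside the web root, and database or GitHub credentials hard-coded in project files. The credential patterns and the sample tree are constructed for illustration.

```python
"""Pre-deployment audit for a web root: flags a shipped .git directory and
hard-coded credentials in project files. Added example, not the article's code."""
import os
import re
import tempfile
from pathlib import Path

# Constructed patterns: a MySQL-style DSN, common env/config keys, and a PHP define().
CRED_PATTERNS = [
    re.compile(r"mysql://[^:\s]+:[^@\s]+@", re.I),
    re.compile(r"^\s*(DB_PASSWORD|MYSQL_PASSWORD|GITHUB_TOKEN)\s*=\s*\S+", re.I | re.M),
    re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"][^'\"]+['\"]", re.I),
]


def audit_webroot(root):
    """Return a list of (finding, relative_path) for everything that must not ship."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if ".git" in dirnames:
            # A reachable .git lets anyone reconstruct the repository, history included.
            findings.append(("exposed .git directory", str(rel / ".git")))
            dirnames.remove(".git")  # already reported; do not descend into it
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            if any(pat.search(text) for pat in CRED_PATTERNS):
                findings.append(("hard-coded credential", str(rel / name)))
    return findings


def build_sample_webroot():
    """Constructed sample tree mirroring the situation described (no real data)."""
    root = Path(tempfile.mkdtemp())
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "config.php").write_text("<?php define('DB_PASSWORD', 'example-only');\n")
    (root / "index.php").write_text("<?php echo 'hello';\n")
    return str(root)


if __name__ == "__main__":
    for finding, where in audit_webroot(build_sample_webroot()):
        print(f"{finding}: {where}")
```

Run it against the real document root in CI, and fail the deploy on any finding; the usual web-server rule denying requests to `/.git` is the second layer, not a substitute.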

MySQL Credentials

Source: Sakura Samurai 

After the research team had taken over one of the International Labour Organization’s MySQL Databases and performed account takeover on the survey management platform, they began to enumerate other domains/subdomains.

Eventually, they found a subdomain of the United Nations Environment Programme that allowed them to discover GitHub credentials after a bit of fuzzing.

Source: Sakura Samurai 


Ultimately, once they had discovered the GitHub credentials, the research team were able to download numerous private, password-protected GitHub projects, and within those projects they found multiple sets of database and application credentials for the UNEP production environment.

In total, the research team found 7 additional credential pairs which could have resulted in unauthorized access to multiple databases.