PhilSys fixes a Critical Vulnerability in their UAT Environment

A few months ago, I discovered and reported two (2) vulnerabilities to PhilSys.

December 2020 - https://atom.hackstreetboys.ph/philsys-fixes-publicly-accessible-instances/

March 2021 - https://atom.hackstreetboys.ph/philsys-fixes-publicly-exposed-source-code/

On April 27, 2021, three (3) days before the official launch of PhilSys' Online Registration Website, I discovered a critical vulnerability in their UAT Environment.

Proof of Concept

People are sharing the PhilSys post (linked below) about the upcoming launch of their ONLINE REGISTRATION website.

https://www.facebook.com/PSAPhilSysOfficial/posts/955974368548443

As a security researcher and concerned data subject, I quickly checked the available subdomains of philsys.gov.ph using an online website and discovered the subdomain named register.philsys.gov.ph.

Using the information I gathered from previous vulnerabilities, I quickly discovered the new critical vulnerability affecting the live environment of PhilSys.

PhilSys’ online registration website uses Spring Boot Actuator and it was publicly accessible.

Spring Boot Actuator is mainly used to expose operational information about the running application — health, metrics, info, dumps, env, httptrace, etc. It exposes this information through HTTP endpoints or JMX beans so that operators can interact with the application.

The main link to access PhilSys' actuator was https://register.philsys.gov.ph/preregistration/v1/actuator/. By default, all Actuator endpoints are placed under the /actuator path.

Actuator Links

Let's have a look at some available endpoints in the actuator of PhilSys.

  • auditevents - Exposes audit events information for the current application
  • beans - returns all available beans in our BeanFactory
  • health - summarizes the health status of our application
  • conditions - formerly known as /autoconfig, builds a report of conditions around autoconfiguration
  • configprops - allows us to fetch all @ConfigurationProperties beans
  • info - returns general information. It might be custom data, build information or details about the latest commit
  • loggers - enables us to query and modify the logging level of our application
  • threaddump - dumps the thread information of the underlying JVM
  • prometheus - returns metrics, but formatted to work with a Prometheus server
  • metrics - details metrics of our application. This might include generic metrics as well as custom ones.
  • scheduledtasks - provides details about every scheduled task within our application
  • mappings - displays a collated list of all @RequestMapping paths.
  • env - returns the current environment properties. Additionally, we can retrieve single properties.
  • heapdump - builds and returns a heap dump from the JVM used by our application
  • httptrace - displays HTTP trace information

The last three (3) endpoints contain sensitive information about the web application and its users.

1. env

Contents of env endpoint

In this endpoint, I discovered some domains, IP addresses, the database IP and port, the link to their GitHub repository, and other information.

2. heapdump

Contents of heapdump endpoint

In this endpoint, I discovered sensitive information such as secretKeys, passwords, database IP and port.

Since I have a copy of their whole source code from the vulnerability I reported last March 2021, I noticed that they never changed the exposed and potentially compromised passwords and secretKeys.

3. httptrace

Contents of httptrace

In this endpoint, I discovered sensitive information such as Authorization Token of users who registered for PhilSys, their IP address, the system's IP address, cookies, and user's PhilSys registration ID.

Since I can see the Authorization Token of the user and its registration ID, I copied this information and was able to retrieve the information of the user.

Retrieval of the personal information of the user

So whenever a user registers for a PhilSys account, their HTTP requests containing the authorization token and registration ID are stored/logged in the /actuator/httptrace endpoint.

Impact

This vulnerability could allow a malicious user to access sensitive system information and retrieve users' PII just by visiting the public links.

Attackers could also modify the config. Read more here: https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

Additional Information

This kind of severe issue must be fixed immediately.

In fact, a company named LINE had a similar issue last year and fixed it within 24 hours due to its severity, and they awarded the reporters bounties of $5,000 and $12,500.

LINE disclosed on HackerOne: Spring Actuator endpoints publicly...
Due to insufficient access controls, it was possible to access the Spring Boot Actuator endpoints /heapdump and /env. The /heapdump endpoint leaks data from the Java Virtual Machine, leading to...
LINE disclosed on HackerOne: Spring Actuator endpoints publicly...
Due to insufficient access control, it was possible to access the Spring Boot Actuator endpoints /heapdump and /env. @kazan71p identified two highly sensitive applications leaking information...

Responsible Disclosure

The following documents my communications related to the disclosure of the issues I identified in this report.

  • April 27, 2021 10:58 pm - I discovered the vulnerability.
  • April 27, 2021 11:19 pm - After creating a quick documentation, I reported it to PhilSys via someone who is working with them.
  • April 28, 2021 12:35 am - I confirmed that the issue has been fixed.
  • April 28, 2021 12:43 am - Someone relayed the thank you message from PhilSys.
  • April 28, 2021 3:00 am - Full Disclosure

Recommendation to PhilSys

  • Please do change the secretKeys and passwords...
  • Check for sensitive folders and files or open services and remove or close them before you deploy online.
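Following the endpoint list above and the recommendation to close exposed services before deploying, here is an added example (not PhilSys' configuration, and not code from the original post) of a Spring Boot `application.properties` that places the exposing setting beside a hardened one. The property names are the standard Spring Boot 2.x Actuator options; the management port, bind address and trace include list are illustrative assumptions.

```properties
# application.properties (added example, not PhilSys' configuration)

# --- Exposing setting: the pattern that makes every Actuator endpoint public ---
# A wildcard include publishes env, heapdump, httptrace and the rest over HTTP
# on the same port as the application. Shown commented out; do not use it.
# management.endpoints.web.exposure.include=*

# --- Hardened setting ---
# Expose only what operators need over HTTP. Everything else, including
# env, heapdump and httptrace, stays unreachable from the web.
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,heapdump,httptrace

# Disable the highest-risk endpoints outright, so a later change to the
# include list cannot revive them by accident.
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
management.endpoint.httptrace.enabled=false

# Health details (datasource status, disk space) only for authenticated callers.
management.endpoint.health.show-details=when-authorized

# Serve Actuator from a separate port bound to loopback (assumed values),
# so it is reached only through an internal network or a local tunnel,
# never via the public hostname.
management.server.port=8081
management.server.address=127.0.0.1

# If HTTP tracing is genuinely needed, record it without credentials:
# authorization-header and cookie-headers are deliberately left out of the
# include list (assumption: Spring Boot 2.x option names).
management.trace.http.include=request-headers,response-headers,errors,time-taken
```

Even with this configuration, the remaining `/actuator/**` paths should sit behind authentication; in Spring Boot 2.x that is done with Spring Security and the `EndpointRequest.toAnyEndpoint()` request matcher. Hardening the endpoints does not undo a leak that has already happened, which is why rotating the passwords and secret keys seen in the heap dump remains the first step.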