Wednesday, March 6, 2013

How Soneri Online Banking System Website was hacked?

  • Wednesday, March 6, 2013
  • Nauman Ashraf

Yesterday, we reported that Soneri Bank's Online Banking System official website (www.soneribankonline.com.pk), the biggest banking network in Pakistan, was hacked and defaced. Our security team decided to research the security hole exploited by the hackers.

After researching, we found that Soneri Bank, the biggest banking network of Pakistan, is vulnerable to a very common exploit. Yes, the WebDAV IIS 6.0 vulnerability exists on the Soneri Bank server, with write permission enabled. Details are below:

This article is for educational purposes only. The author does not take any responsibility for any damage/harm to the site.

About the WebDAV Vulnerability:
WebDAV is enabled on the Soneri Bank server and it has write permissions enabled. The PUT HTTP method can be used to create a test file within this directory and to execute commands on the server. The PUT method is part of the WebDAV standard for remote content editing.

A poorly configured web server can mistakenly provide remote access to the PUT method without requiring any form of login. Even more.

How did the hacker manage to create a file on the server or execute code on it? The PoC, with screenshots and details, is below:

We used the HttpRequester Firefox plugin to perform the test. This tool is useful for web or REST development, or when you need to make HTTP requests that are not easily done via the browser (PUT/POST/DELETE).

We entered the test content "Test By The Hackers Post", appended test.htm to the URL and executed the PUT method. We got the following response.


    PUT http://soneribankonline.com.pk/test.htm
    Content-Type: text/xml
    Test By The Hackers Post

     -- response --
    201 Created
    Date:  Wed, 06 Mar 2013 07:26:29 GMT
    Server:  Microsoft-IIS/6.0
    X-Powered-By:  ASP.NET
    Location:  http://soneribankonline.com.pk/test.htm
    Content-Length:  0
    Allow:  OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Below is the screenshot of the response.

By visiting the URL:

This is how the hacker managed to upload an HTML deface page to the server.

We tried to upload an ASP shell to the server using a PUT request, but the server refused the request and the response was 403 Forbidden. Below is the screenshot.



The impact of this vulnerability:
Malicious users can execute arbitrary code on this system, leading to possible system compromise.

How to fix this vulnerability:
Remove write permissions from this directory, or disable WebDAV if it is not being used.


I was shocked to see such a common and well-known vulnerability exist in banking software, allowing RCE (Remote Code Execution), and not properly configured. Questions arise: where is the bank's security team? Does the bank have a security team? These questions are still unanswered.
