In the previous episode
In the previous article, we covered how the attack was prepared, how the Apple Distinguished Educators site was hacked, and how access was obtained to iCloud users' personal data and iOS source code. After reviewing Apple's sites and web applications, the team of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes found 11 critical vulnerabilities, 29 of high severity, 13 of medium severity and 2 of low severity.
Apple paid the hackers $288,500 for the detailed bug reports.
Hacking DELMIA Apriso
While probing the domains associated with Apple (there are, incidentally, more than seven thousand of them), the hackers stumbled upon the DELMIA Apriso web application, whose various editions are designed for managing manufacturing processes and finished-goods warehouses. The application is not owned by Apple, but it is used in the distribution of Apple products.
The researchers dug into the DELMIA Apriso login form and password reset mechanism, and at some point were surprised to find that they were logged into the system under the name "Apple user without a password".
A closer look at this anomaly showed that in the DELMIA Apriso framework a user must be logged in to use the functions on certain web pages, and password reset is one such function. Since a user who has forgotten their password cannot, by definition, be logged in, the developers built a workaround: a public "Apple user without a password" account that the system treats as logged in even though nobody has actually authenticated. Unfortunately for the researchers, this pseudo-account granted no privileges of its own.
To explore the web application's API, the hackers sent an HTTP request to the OAuth endpoint to generate a bearer token. Unexpectedly, it worked: the technical account, whose permissions should have been limited to resetting a password, was able to obtain a bearer token that granted access to the web application's API. All that remained was to find the documentation for that API.
Reading the manuals let Curry and company discover more than 5,000 API calls that required no authorization beyond the token already obtained. Many of these calls were useless to an intruder, but some offered, for example, the ability to change employee pay dates, create and cancel shipments from the warehouse, edit inventory records, and perform hundreds of other warehouse operations. The root problem is a familiar one in enterprise applications: the API checked that the caller held a valid token (authentication) but never whether that principal was permitted to perform the requested operation (authorization).
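As an added illustration (not code from DELMIA Apriso and not the researchers' tooling), the model below reproduces the bug class described above: a reset page that silently logs the visitor in as a privilege-free technical account, a token endpoint that mints a bearer token for any session, and an API that treats a valid token as sufficient authorization. It pairs the vulnerable behaviour with two fixes: refusing tokens to service/pseudo accounts, and checking a per-operation role on every call. All names, roles and operation names here are assumptions, not Apriso's real catalogue.

```python
# Added example (not DELMIA Apriso code, not the researchers' tooling): a minimal
# model of the bug class described above. A password-reset page auto-logs-in a
# technical account with no privileges; the OAuth token endpoint then mints a
# bearer token for whoever is "logged in"; and the API checks only that the token
# is valid, never whether the principal may perform the operation. Every name
# here (Principal, OPERATIONS, the role names, the operation names) is hypothetical.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset          # business roles such as "hr" or "warehouse"
    is_service: bool = False  # technical/pseudo accounts never correspond to a real login


# Hypothetical operation catalogue: operation name -> role required to call it
# (None means the operation is public, e.g. the password reset itself).
OPERATIONS = {
    "APL_ResetPassword": None,
    "APL_CreateEmployee": "hr",
    "APL_CancelShipment": "warehouse",
    "APL_UpdateInventory": "warehouse",
}

# The pseudo-account the reset page silently logs the visitor in as.
NO_PASSWORD_USER = Principal("Apple user without a password", frozenset(), is_service=True)
HR_USER = Principal("hr.clerk", frozenset({"hr"}))


class TokenService:
    """In-memory stand-in for the OAuth token endpoint."""

    def __init__(self):
        self._tokens = {}

    def issue_vulnerable(self, principal):
        # Bug: anything with a session, including the reset pseudo-account, gets a token.
        token = secrets.token_hex(16)
        self._tokens[token] = principal
        return token

    def issue_hardened(self, principal):
        # Fix 1: the technical account exists only to render the reset page; it must
        # never be able to obtain an API credential.
        if principal.is_service:
            raise PermissionError("service/pseudo accounts cannot obtain API tokens")
        return self.issue_vulnerable(principal)

    def resolve(self, token):
        return self._tokens.get(token)


def call_operation_vulnerable(tokens, token, operation):
    """Returns an HTTP-style status. Bug: a valid token is treated as authorization."""
    principal = tokens.resolve(token)
    if principal is None:
        return 401
    if operation not in OPERATIONS:
        return 404
    return 200


def call_operation_hardened(tokens, token, operation):
    """Fix 2: authorize every operation against the caller's roles, so even a token
    that leaked to the pseudo-account can only reach the public reset operation."""
    principal = tokens.resolve(token)
    if principal is None:
        return 401
    if operation not in OPERATIONS:
        return 404
    required = OPERATIONS[operation]
    if required is None or required in principal.roles:
        return 200
    return 403


def reproduce():
    """Run the article's scenario against both variants and return the outcomes."""
    tokens = TokenService()
    pseudo_token = tokens.issue_vulnerable(NO_PASSWORD_USER)  # what the researchers obtained
    hr_token = tokens.issue_hardened(HR_USER)
    try:
        tokens.issue_hardened(NO_PASSWORD_USER)
        hardened_issue = "token issued"
    except PermissionError:
        hardened_issue = "refused"
    return {
        "vulnerable_pseudo_create_employee": call_operation_vulnerable(tokens, pseudo_token, "APL_CreateEmployee"),
        "hardened_pseudo_create_employee": call_operation_hardened(tokens, pseudo_token, "APL_CreateEmployee"),
        "hardened_pseudo_reset_password": call_operation_hardened(tokens, pseudo_token, "APL_ResetPassword"),
        "hardened_issue_for_pseudo": hardened_issue,
        "hardened_hr_create_employee": call_operation_hardened(tokens, hr_token, "APL_CreateEmployee"),
        "hardened_hr_cancel_shipment": call_operation_hardened(tokens, hr_token, "APL_CancelShipment"),
        "no_token": call_operation_hardened(tokens, "bogus", "APL_CreateEmployee"),
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

Running the block shows the pseudo-account token reaching APL_CreateEmployee with 200 in the vulnerable variant, and the hardened variant refusing to issue it a token at all and returning 403 for anything beyond the public reset operation even when such a token exists. Both fixes matter: the first closes the path the researchers took, the second limits the damage if any other route to a token turns up.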
For example, one of the API functions has the eloquent name APL_CreateEmployee_SO… The operation is performed by sending the application a GET request (note that a state-changing operation is reachable over a plain GET):
GET /Apriso/HttpServices/api/platform/1/Operations/operation HTTP/1.1
and receiving an HTTP response in the following format: