Row, row, row your boat: Pwning ship’s VSAT for fun and profit.

Photo by Miguel Cardona Jr., Design by Kostas G. Papadopoulos

Some background:

Recently a very close friend asked me to do a penetration test on the company that she works for. It is a maritime company so the pen-test would be fun AND dangerous so why the heck not, I thought. I had also recently read the article from Ken Munro on OSINT from ship satcoms (https://www.pentestpartners.com/security-blog/osint-from-ship-satcoms/) and thought that the results could provide some additional slides for his presentation.

I found that vessels were connected to the internet using Navarino Infinity (https://navarino.gr/portfolio/infinity), which exposes a web interface. The web interface was not available directly, as the root was returning a 404. I downloaded Infinity’s Android app and found out that the app was connecting to an internal URL. When this URL was added as the HTTP Host header, you were presented with Infinity’s login screen over the internet. Success!

After a lot of testing and verification, 3 vulnerabilities were found (2 of them really critical). This was also quite tricky, as you cannot use any tool that consumes a lot of bandwidth while a ship is at sea: it is deadly expensive, so you have to keep it to a minimum.


Blind SQL injection:

I could see from the source that there was a script that was being used by the users to add more credit to their cards (or do some other stuff that I could not understand). That script was jq.php, and after some quick tests I found out that it was prone to a blind SQL injection attack which could be exploited to extract all data from the underlying PostgreSQL databases.

PoC:

/jq.php?action=loadtransactions&rows=5 returns in 1 second
/jq.php?action=loadtransactions&rows=5; pg_sleep(10) returns in 11 seconds
/jq.php?action=loadtransactions&rows=5; pg_sleep(15) returns in 17 seconds


Session fixation:

I also found that a phpsessid was passed around as a URL parameter and that this parameter was not changed after login. Thus phishing attacks become a plausible vector, allowing you to log in as the user or, even worse, chain it with the previous vulnerability to log in as any user. This would also bypass the 2-factor authentication that is available on certain installations of Navarino Infinity.


Improper handling of authentication / access control:

As no proper pen test can be considered complete without some keyboard hitting, I randomly found out that if you change the class part of the URL to a class other than main but keep the function name as authenticate or validateAuthentication, it will run that class’s main function and return some sensitive data (nothing critical) with no authentication at all. Even worse, if the class does not exist, it will run the main class’s main function and show the map with the areas of interest (but NO vessels). In general, any AJAX request that would be made by those pages would fail with an authentication required error.

PoC:

/index.php/logs/authenticate/
/index.php/admin/validateAuthentication/

/index.php/foo/authenticate/
/index.php/users/validateAuthentication/
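
For operators who want to check their own web logs for requests matching the three findings above, here is an added example (not code from the original post or from Navarino). It assumes an Apache/nginx common log format with the client IP first; the sample lines, IP addresses, session id and the 4-digit limit on rows are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Assumed log format: Apache/nginx common log format, client IP first.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# /index.php/<class>/<function>/ routing as described in the post.
ROUTE = re.compile(r'^/index\.php/([^/]+)/(authenticate|validateAuthentication)/?$')

def scan(lines):
    """Return sorted (line_number, finding) pairs for the three issues."""
    findings, sid_ips = set(), {}
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        ip, url = m.group(1), urlsplit(m.group(2))
        # Split on '&' only, so a ';' stays inside the value being checked.
        for pair in filter(None, url.query.split('&')):
            key, _, val = pair.partition('=')
            key, val = unquote_plus(key).lower(), unquote_plus(val)
            # 'rows' is a row count; anything but a short run of digits is suspect.
            bad_rows = key == 'rows' and not re.fullmatch(r'[0-9]{1,4}', val)
            if url.path.endswith('/jq.php') and bad_rows:
                findings.add((n, 'non-numeric rows'))
            # A URL session id seen from a second address suggests a fixed
            # or leaked session being reused (heuristic: NAT changes also hit).
            if key == 'phpsessid':
                sid_ips.setdefault(val, set()).add(ip)
                if len(sid_ips[val]) > 1:
                    findings.add((n, 'session id shared across clients'))
        # Login function names requested on any class other than 'main'.
        r = ROUTE.match(unquote(url.path))
        if r and r.group(1) != 'main':
            findings.add((n, 'auth function on non-main class'))
    return sorted(findings)

# Constructed sample lines: documentation IP ranges, made-up session id.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /jq.php?action=loadtransactions&rows=5 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /jq.php?action=loadtransactions&rows=5;%20pg_sleep(10) HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php/main/authenticate/?phpsessid=abc123 HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /jq.php?action=loadtransactions&rows=5&phpsessid=abc123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php/logs/authenticate/ HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for n, what in scan(SAMPLE):
        print(f'line {n}: {what}')
```

The shared-session check is a heuristic: on satellite links a legitimate client can change address mid-session, so treat a hit as a reason to look closer rather than as proof.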


After finishing the report I contacted Navarino, who gave a quick response and acknowledged the vulnerabilities. They fixed everything and pushed a hotfix in less than 30 days to all installations, which is impressive considering that there are over 6000 vessels (from what is stated on their website) we are talking about. That’s how security incidents should be handled by companies who have internet connected devices.

Maritime is getting into the connected era really quickly and this can cause problems to anyone who cannot adapt and evolve. Ignoring reports by not answering or going black after acknowledging should not be an acceptable choice for any company, let alone companies that handle satcom for vessels!