Fermilab Hack, April/May 2021

Members of Sakura Samurai accessed user information, internal ticketing systems, proprietary application code, and heaps of other internal communication information, including but not limited to: proprietary software, pii, credentials (including sso uids), project details and attachments, schema, infrastructure configuration, and IP addresses.

Credits

All of the following hackers had a specific role to play during the research process. We ask for proper attribution in any media coverage.

Sakura Samurai Members

Robert Willis

John Jackson

Jackson Henry

I thought hacking into a program that deals with space and time would be interesting, especially after binge watching the old television series Fringe. Fermilab is America’s particle physics and accelerator laboratory that seeks to solve the mysteries of matter, energy, space and time. It seemed like a great target. After finding they had a vulnerability disclosure program, I was sold, and decided to begin testing.

Participants in the research included myself (Robert Willis) as the lead, and fellow Sakura Samurai members John Jackson & Jackson Henry.

Most of the findings were done through manual means, although some basic tools used included nmap, amass, and dirsearch. 

The targets were initially gathered after enumerating subdomains for Fermilab using amass. Afterwards, open directories were found using dirsearch. Nmap was used to find open ports and to enumerate services.

During the research, we identified multiple entry points, one being an unrestricted subdomain which allowed us access to an internal ticketing system that revealed project data and other various sensitive information, including credentials. The unrestricted subdomain allowed us to see over 4,500 tickets, ranging in a multitude of ticketing categories. In addition, it was noted that many of the tickets were for open issues and a lot of the tickets have a massive amount of project and configuration data/communication information. In addition, many of the tickets had file attachments with sensitive information.

Open Project/System Tickets

Credentials to operate the trolley for one of the projects were identified as well. We also noted that we could click on any user assigned to a ticket and see their email address, work title, and any tickets that they have opened, resolved, or been assigned to.

Internal User Profile Data

Trolley Credentials

On another server, we identified a part of the Web Application that gave us unfettered access to see all of the users registered within the different security workgroups of the organization, full names, emails, assigned login groups, and user ids. In addition, we were able to access documents within this application.

While we avoided downloading or opening documents, we noted a lot of internal communication highlighting Fermilab’s internal processes, infrastructure setup, application usage, etc. We believe this could be severe in the hands of a threat actor – and based on the security that was observed, it’s highly probable. 

DocDB Users, Full Email, UIDs, Assigned Workgroup, Assigned Login Group

Another entry point was an FTP server allowing a user to login as an “Anonymous” “FTP” user, requiring no legitimate password. The server contained heaps of data for internal applications.

Directory listing after FTP login

There were many proprietary applications and files we had access to, which included the Configuration Data for Fermilab’s NoVa Project, NoVa being an experiment that is helping scientists determine the role neutrinos played in the evolution of the cosmos. 

Example of FNAL Project Configuration Data [N0vA: NuMI Off-axis νe Appearance Project

Searching further, Tomcat credentials were then found. They were tested to prove that they were valid. After verifying them, we stopped to ethically continue the research. Knowing the target was Fermilab, we didn’t want to accidentally cause the creation of a black hole by touching the wrong thing.

Tomcat Credentials Exposed in tar.gz

Switching to another server, we found that we were able to gain unauthenticated access to 5,795 documents, as well as 53,685 file entries

Documents Available in DB

One of Fermilabs’ subdomains was identified as an internal Electronic Logbook system used to communicate project data and analysis logbook entries. Using the “Words” filter query, we were able to identify service passwords and the IPs the services were hosted on. It’s never a good idea to put IPs and their credentials in an open log book.

Exposed Logbook Entries

It was very interesting seeing how easy it was to get access to restricted data that included credentials, proprietary applications, and files — especially at a U.S. government entity that is doing advanced research.

Check out our website

https://sakurasamurai.org

By Robert Willis (rej_ex)

I'm an infosec, cybersecurity professional who enjoys continuously learning and hacking. I also collect and make comics books. I role with my crew -- Sakura Samurai. Follow me on Twitter @rej_ex.

Leave a comment

Your email address will not be published. Required fields are marked *