From Security Misconfiguration to Gaining Access of SMTP server

Hello Guys!

In this article I want to show you how a simple security misconfiguration can compromise a company, even if that flaw is in their testing environment.

Summary:

I can send emails through any mail software (such as G-Lock EasyMail) using SMTP settings provided by Amazon Simple Email Service. With this, I can use any name such as ‘support@company.com.br’ or ‘admin@company.com.br’.

What is ‘Security Misconfiguration’?

Let’s get right to the point. Based on OWASP:

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

How did I discover it:

I started with reconnaissance and mapping all domains of the company. As it was a large company, there were 84 domains to be analyzed, so I started to map each domain separately, accessing them and navigating manually to try to understand how the application works.

After visiting all of them, I noticed that one subdomain was running the same application as the main website. Then I noticed that the subdomain was a test base, which the company probably used to send new updates before they actually go to the main website.

Here is the problem:

Sometimes developers leave several features enabled in the test base that, in production, would never be exposed for obvious reasons. Based on this principle, I decided to run Dirb against ‘https://company.com.br/’ to check if there were any open directories.

Bingo!

The phpinfo function was active on that subdomain. Basically, phpinfo is a useful PHP function for returning compiled information about the PHP environment on your server. This should never be active, at least not publicly.

phpinfo() function

Then I started to check the content that was exposed. As you can see in the image above, I had all the information needed to exploit several applications like Postgres, MySQL, SMTP and many others. I decided to test their SMTP server settings.

So I downloaded the first software that I found on Google and configured it according to the information from the PHP function itself.

Setting up SMTP Server

I sent a test to myself saying “your password needs to be changed”. Note the most interesting thing: it’s highlighted as ‘sent by Amazon SES’:

Email received

Never think that a low-level fault cannot produce good results. Always check all domains, with the same tools you used on the main domain; each domain represents a wide range of flaws.
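For defenders, an added example (not part of the original post): a Python check that parses saved phpinfo() output from your own test host and lists credential-like variables with their values redacted, so you can see what such a page would hand to a visitor. The key-name heuristic, the `audit_phpinfo` helper and the sample variable names and values are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic for credential-like key names; extend it for your own stack.
SECRET_HINTS = re.compile(r"pass|secret|_key|_token|_user", re.I)

class PhpinfoRows(HTMLParser):
    """Collect (key, value) pairs from phpinfo()'s <td class="e">/<td class="v"> cells."""
    def __init__(self):
        super().__init__()
        self.rows, self._cls, self._key, self._buf = [], None, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self._cls, self._buf = dict(attrs).get("class"), []

    def handle_data(self, data):
        if self._cls:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "td" or not self._cls:
            return
        text = "".join(self._buf).strip()
        if self._cls == "e":
            self._key = text
        elif self._cls == "v" and self._key is not None:
            self.rows.append((self._key, text))  # first "v" cell is the local value
            self._key = None
        self._cls = None

def audit_phpinfo(html):
    """Return sorted (key, redacted value) pairs whose key name suggests a secret."""
    parser = PhpinfoRows()
    parser.feed(html)
    return sorted({(k, v[:2] + "******") for k, v in parser.rows
                   if SECRET_HINTS.search(k) and v and v != "no value"})

# Constructed sample in phpinfo()'s table layout; names and values are made up.
SAMPLE = """
<tr><td class="e">SMTP_HOST </td><td class="v">smtp.example.invalid </td></tr>
<tr><td class="e">SMTP_USER </td><td class="v">AKconstructed </td></tr>
<tr><td class="e">SMTP_PASSWORD </td><td class="v">constructed-not-real </td></tr>
<tr><td class="e">SMTP</td><td class="v">localhost</td><td class="v">localhost</td></tr>
<tr><td class="e">mysqli.default_user</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
"""

if __name__ == "__main__":
    for key, redacted in audit_phpinfo(SAMPLE):
        print(f"exposed: {key} = {redacted}")
```

Any finding means the credential should be rotated and the page removed or restricted, on test hosts as much as on production.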

That’s it, friends. Hope you liked it!

Find me on LinkedIn.