News Document Title:
====================
Interview with Alexander Fuchs - NATO RTO/OTAN Vulnerability


Release Date:
=============
2011-12-02


Laboratory Article:
===================
Last week Alexander Fuchs alias f0x23 had a nice interview with HackInTheBox after his last penetrationtests and security audits.

HITB Security News (HackInTheBox) published an exclusive interview with Alexander Fuchs (22) alias f0x23.  Alexander is a member 
of the Vulnerability-Lab research team and lives in germany near Düsseldorf (DUS). After his last publication and press articles we 
asked him some questions about the NATO – RTO OTAN (Research and Technologie Organisation) vulnerability he discovered some days ago.

Reporter: Can you tell us something about your work in the vulnerability laboratory team?
Alexander F.: I joined the vulnerability laboratory team 4 months ago. My first advisory was about a persistent XSS vulnerability 
(cross site scripting) on a big german television website. Last week i discovered a new vulnerability in the petition system of the 
whitehouse.gov. I also found some SQL Injections and local file include vulnerabilities in laposte.fr which is a french post service 
with 20 Billion € sales in 2007. Last month i detected a vulnerability in the exception-handling of the apple vendor website. I am 
glad to work with my team. We are a special constalation of real security researchers and exploiters.

Lab Profile:  http://www.vulnerability-lab.com/show.php?user=f0x23

Reporter:  How long did you need to identify the vulnerability on the nato webserver?
Alexander F.: I first searched for subdomains on the NATO domain for a news article. As i found the Research and Technology site, it 
wasn’t hard to find the vulernability. In about 10 minutes, I found the issue and the vulnerability was identified, then I discussed 
it with Benjamin Kunz Mejri, the founder of the vulernability-lab team. He did the notification stuff between the vendor website 
(nato) and our laboratory.

Reporter:  What security priority (low;medium;high;critical) has the discovered vulnerability?
Alexander F.: The security risk of the file include vulnerabilities are estimated as critical, because it is possible to take over 
(control) the webserver. The NATO Research and Technology Organisation promotes and conducts co-operative scientific research and 
exchange of technical information amongst 26 NATO nations and 38 NATO partners. The largest such collaborative body in the world, 
the RTO encompasses over 3000 scientists and engineers addressing the complete scope of defence technologies and operational domains. 
On the vulnerable server runs also the webmail service of the Research and Technology Organisation.

Reporter:  What does the successful exploitation of the vulnerability allows an attacker?
Alexander F.: If an attacker successfully exploit this vulnerability, then he’ll get a full access to read all the files he wants to, 
and at this point there are a lot of possible attack scenarios. The most dangerous are infecting the server and clients with malwares, 
espionage the research and technology team or use the trusted communication for infiltration and manipulation.

Reporter:  What type of vulnerabilities has been discovered on the advisory?
Alexander F.: The local file include vulernability was discovered on the advisory. The bug allows an attacker to read/request internal 
system/webserver files (exp. the system config of the webserver). The vulnerability also allows an remote attacker to run commands on 
the affected webserver.

Reporter:  How the manufacturer or development team responds to the security report?
Alexander F.: First, the webmaster asked for more details about the security issue. Then he was grateful for the vulnerability-lab team 
for taking the time and effort to look at this vulnerability. The communication was very good and fast as it should be.

Reporter:   How can the manufacturer fix the problem?
Alexander F.: To fix the security issue the manufacturer have to restrict request to allowed files and parse the input. It’s always a 
good idea to check all inputs with a whitelist of expect inputs and take care about the major security issues in the webapplication by 
patching the systems and monitoring it. Thanks!

Reporter:   The vulnerability has been fixed/patched by the development team?
Alexander F.: Yes, 24 hours after the submission arrived on the vendors website postbox.


Advisory: 		http://www.vulnerability-lab.com/get_content.php?id=307
Video: 			http://www.vulnerability-lab.com/get_content.php?id=318

Dev News:		http://www.vulnerability-lab.com/dev/?p=320
Original Article:	http://news.hitb.org/content/critical-bug-nato-research-technologie-rtootan-0