How I Discovered a Critical Vulnerability in an Internet Service Provider’s Software

Introduction
As a Security Researcher, I focus on finding and responsibly reporting security vulnerabilities to enhance the safety of systems worldwide. Not long ago, I identified a critical SQL injection vulnerability in Synnefo Internet Management Software (IMS), a platform used by more than 350 Internet Service Providers (ISPs) across six countries.
The vulnerability allowed attackers to not only access sensitive data but also escalate the attack to achieve Remote Code Execution (RCE), enabling full control over the server. With millions of users relying on the services provided through this platform, the potential impact of this vulnerability was significant.
This article delves into how the vulnerability was discovered, its potential consequences, and how it was resolved. I hope this helps developers and security professionals learn while following responsible disclosure practices.
The Vulnerability
Synnefo IMS is an essential tool for ISPs, enabling them to manage internet distribution, billing, bandwidth allocation, and user accounts. The platform’s wide adoption and critical role in ISP operations made the discovery of this vulnerability especially concerning.
The vulnerability stemmed from the application’s failure to properly sanitize user inputs before incorporating them into SQL queries. Specifically, the application dynamically constructed database queries based on user inputs, without employing secure practices such as prepared statements or parameterized queries. This flaw allowed malicious actors to inject arbitrary SQL commands, posing a severe risk to the confidentiality, integrity, and availability of the ISP and user data.
Furthermore, the elevated database access gained through the SQL injection could be leveraged to execute arbitrary commands on the server, escalating the vulnerability into a Remote Code Execution (RCE) scenario. This significantly amplified the potential impact, allowing attackers to take full control of the system.
Discovery Process
Some time ago, I purchased a new internet connection for my home. While paying my monthly bill, I discovered an IDOR (Insecure Direct Object Reference) vulnerability on my local ISP’s website. This flaw allowed me to view the billing details of other local customers, exposing sensitive information such as their names, phone numbers, and addresses. I immediately decided to report this issue to my local ISP.
While gathering more information for my report, I came across a reference to “Synnefo” on the website. A quick Google search led me to the Synnefo IMS platform, and I realized that this software was the backbone for managing ISP operations on a much larger scale. This suggested that the issue I discovered could potentially affect a much broader audience than just the users of my local ISP.
I promptly reported my findings to Synnefo. While investigating further, I noticed unusual behaviour in Synnefo IMS when providing specific characters as input in data entry fields. This observation led me to suspect the presence of unsanitized inputs being passed directly to the backend database.
Using manual testing techniques and responsible methodologies, I confirmed the presence of a critical SQL injection vulnerability. The application failed to validate or sanitize user inputs before constructing its database queries, leaving it exposed to malicious payloads. Exploiting this vulnerability granted me access to the database with DBA (Database Administrator) privileges, that is, full read and write access to the entire database. This elevated access allowed me to manipulate data, which in turn enabled me to escalate the attack into a full remote code execution (RCE) scenario. Given the nature of the software and its widespread adoption, this vulnerability could have caused severe damage: attackers could compromise sensitive data and execute arbitrary commands on affected systems, impacting ISPs and millions of users worldwide.
Impact
The consequences of this vulnerability were far-reaching. Exploiting this could have allowed attackers to:
- Access ISP databases containing sensitive user information. This includes names, emails, phone numbers, addresses, passwords stored in plaintext, IP logs, credentials of ISP operators, etc.
- Extract or modify billing records and usage logs. I even managed to get the Razorpay secret keys, which could have allowed an attacker to fake any transaction.
- Disrupt internet services by tampering with key operational data.
- Compromise the personal data of millions of end-users globally.
- Deploy malicious software (backdoors) to maintain persistent access, allowing them to execute future attacks or move laterally within the network, compromising additional systems.
Given that Synnefo IMS serves over 350 ISPs across six countries, the exploitation of this vulnerability could have had cascading effects, disrupting internet services for millions of users and potentially exposing sensitive information on a massive scale.
Affected Versions
I was assigned CVE-2023-37777 for this vulnerability, which affects Synnefo Internet Management Software (IMS) version 2023 and below. Users are advised to update to the latest version released by Synnefo.
The Fix
After identifying the vulnerability, I immediately reported it to Synnefo and later to CERT-IN. I took some time and found a couple more security issues which were also reported to Synnefo. The company promptly acknowledged the issues and took action to mitigate the risk.
This involved:
- Implementing the fix for the reported issues.
- Conducting a thorough security review of the application by a third-party vendor to identify and address similar vulnerabilities.
- Releasing an updated version of the software to all ISPs using the platform, ensuring that systems were protected against exploitation.
Coordinated Disclosure Timeline
- Discovery: 10 Nov 2022
- Report Submission: 04 Dec 2022
- Acknowledgement: 17 Apr 2023
- Fix Deployment: 5 Sept 2023
- CVE Assignment: 12 July 2023 (CVE-2023-37777)
Lessons Learned
The discovery of CVE-2023-37777 underscores the importance of secure coding practices, particularly when dealing with user inputs and database queries. Here are some key takeaways:
- Always validate and sanitize user inputs before processing them.
- Use prepared statements or parameterized queries to prevent SQL injection vulnerabilities.
- Conduct regular security audits to identify and fix vulnerabilities before attackers exploit them.
- Encourage and support responsible disclosure programs to improve the security of your applications.
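To make the first two takeaways concrete (and the root cause described under "The Vulnerability"), here is an added example that is not code from the original post or from Synnefo: a query built by string concatenation next to the same lookup done with a bound parameter and an allowlist check. The table, rows and column names are constructed for illustration and are not Synnefo's schema; SQLite is used only because it runs in memory without a server.

```python
import re
import sqlite3

# Constructed sample data standing in for an ISP customer table (not Synnefo's schema).
SAMPLE_ROWS = [
    (1, "alice", "9990000001", "12 Lake Rd"),
    (2, "bob", "9990000002", "7 Hill St"),
    (3, "carol", "9990000003", "3 Bay Ave"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, phone TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Query built by concatenation: the input becomes part of the SQL text itself.

    This mirrors the flaw class in the article: whatever the user types is parsed
    by the database as SQL, so a crafted value changes the query's meaning.
    """
    sql = "SELECT id, username FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter: the driver sends the value separately,
    so it is compared as data and never interpreted as SQL syntax."""
    sql = "SELECT id, username FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist for account names; the exact rule is an assumption for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """Reject anything that is not a plausible account name before it reaches the query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn, username):
    """Defence in depth: validate the shape of the input, then bind it as a parameter."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook probe, used here only to show the difference
    print("vulnerable   :", lookup_vulnerable(db, probe))      # returns every row
    print("parameterized:", lookup_parameterized(db, probe))  # returns no rows
    try:
        lookup_hardened(db, probe)
    except ValueError as exc:
        print("hardened     : rejected ->", exc)
```

The parameterized version alone closes the injection; the allowlist is an extra layer that also rejects malformed input early and makes such attempts easy to log. One further point the article's account of the finding supports: the queries ran with DBA privileges, which is what turned a data-disclosure bug into data manipulation and then RCE. Giving the application a database account limited to the tables and statements it actually needs does not prevent injection, but it bounds how far a successful one can go.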
Closing Thoughts
I would like to thank Synnefo and CERT-IN for their swift action in addressing this vulnerability. Their cooperation ensured that a potentially critical issue was resolved promptly, safeguarding the data and operations of hundreds of ISPs and millions of users.
As ethical hackers, our responsibility goes beyond finding vulnerabilities; it’s about collaborating with vendors to create a safer digital ecosystem. I hope this article serves as an educational resource and inspires others to prioritize security in software development.
Although I discovered this issue nearly two years ago, I’m sharing it here as my first blog post on Medium. For now, I’m keeping it less technical due to the sensitive nature of the vulnerability and its impact. I might write a more detailed technical post in the future, covering this and other bugs I found in Synnefo.
Over the past three years, I’ve discovered critical security vulnerabilities in major companies like Google, AWS, LinkedIn, Razorpay, PayTM, and others. If you’d like to read about those write-ups, let me know in the comments, and I’ll be happy to write about them here on Medium.
Thank you for reading. I’d love to hear your thoughts, feedback or any questions you may have. Feel free to leave a comment below or reach out directly. Your feedback helps me improve and share more valuable insights with the community :)