Experts found gained access to the Git Repositories of the United Nations

Researchers obtained gained access to the Git Repositories belonging to the United Nations, exposing staff records and credentials.

The research group Sakura Samurai was able to access the repositories of the United Nations as part of the Vulnerability Disclosure Program and a Hall of Fame operated by the organization.

The group, composed of Jackson Henry, Nick Sahler, John Jackson, and Aubrey Cottle, has identified an endpoint that exposed Git Credentials. Then the group used the credentials to access the Git Repositories and download their content, including 100K+ private records for the United Nations Environmental Programme (UNEP) employees.

“The credentials gave us the ability to download the Git Repositories, identifying a ton of user credentials and PII. In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on UN owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as “git-dumper”.” reads the post published by the experts.

The list of exposed PII includes:

• Travel Records [Two Documents: 102,000+ Records]
• HR Nationality Demographics [Two Documents: 7,000+ Records]
• Generalized Employee Records [One document: 1,000+ Records]
• Project and Funding Source Records [One Document: 4,000+ Records]
• Evaluation Reports [One Document: 283 Projects]

The team of experts also performed subdomain enumeration of the United Nations domains covered by the program. Probing multiple endpoints with fuzzing tools the team discovered that an ilo.org subdomain had an exposed .git contents. Then they used the git-dumper to dump the project folders hosted on the web application.

“During our research, we began to fuzz multiple endpoints with tooling and initially discovered that an ilo.org subdomain had an exposed .git contents. Utilizing git-dumper [https://github.com/arthaud/git-dumper] we were able to dump the project folders hosted on the web application, resulting in the takeover of a MySQL database and of survey management platform due to exposed credentials within the code.” continues the research team.

The experts took over one of the International Labour Organization’s MySQL Databases and performed an account takeover on the survey management platform, then they enumerated the domains/subdomains.

The team found a subdomain on the United Nations Environment Programme and using a fuzzing technique they discovered the github credentials.

Once discovered the GitHub credentials, they downloaded the projects in the repositories, some of them were containing multiple sets of database and application credentials for the UNEP production environment.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects.” conclude the experts.

In January 2020, an internal confidential report from the United Nations that was leaked to The New Humanitarian revealed that dozens of servers of the organization were “compromised” at offices in Geneva and Vienna. One of the offices that were hit by a sophisticated cyber attack is the U.N. human rights office, the hackers were able to compromise active directory and access a staff list and details like e-mail addresses. According to the report, attackers did not access passwords.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, United Nations)

[adrotate banner=”5″]

[adrotate banner=”13″]