// c0mrade // 6-13-12 Hello, world. I'm officially a white-hat. Major Airlines are affected by a major exploit. Among those affected include: American Airlines United Airlines Vietnam Airlines Sabre Airlines Here's what I have access to: =>Internal Access to both airports. =>Booking Flights, Ticketing Info, Hotel Booking, etc. =>Card Swaps. =>Employee Info, etc =>Flight Info, Passenger info, etc. =>Multiple vulnerabilities among the software they're running. The vulnerability was simple. Amongst those vulnerable, all were exploited. How did I do this? Simple: => We found an exploit which enabled the right for us to download all the attachments on the site. => Amongst the things we found was an Application system used for the Airports. => We tested the software for vulnerabilities. => Pew! We got past the Employee-Log in. Furthermore, the piece of software was mildly outdated. I setup a file to pull any file it can get to. I got some coffee and came back. It pulled tons of information. I found this important to an extent as nobody else has ever been there. Picture 1: http://i50.tinypic.com/ev73fs.png Picture 2: http://i47.tinypic.com/ofo5rp.png Picture 3: http://i48.tinypic.com/ibicmv.png I couldn't do much in the beginning as everything was local. I then got access to a configuration system which mildly accepted the file type, ".properties" - I found around four files pertaining to it, these being: editor.properties, pm.properties, qik.properties, and taconfig.properties. I had the ability to switch the key system from !local to !remote. Meaning, I could have logged card swaps, passenger info, and much, much more. Insight: Protocol: DNS => hsspconfig.sabre.com => ACCESS.SABRE.COM ======================= ! 151.193.141.254:54483 ! American Airlines (h00lyshit) ! taconfig.key = XSTBCKA001 ======================= Host Name - sabre:hssup:uii_host Line IATA: 000000 Pool Name: VNOCCNBA ======================= This will be getting reported to all major airlines very soon. I'm just addressing the public first so they know what happened.