This article examines several aspects of the 1C system: its architecture, its key components, and the possible negative consequences of attacks on it, such as loss of funds and leakage of personal data.
Based on existing experience, domain controllers are key systems for a typical organization, and the criterion for identifying a potential computer attack with negative consequences for the organization is gaining unauthorized access to the domain administrator account.
However, to improve the quality of penetration testing, it makes sense to consider other key systems and related approaches to scenario building. A good example of a key system different from domain controllers is 1C:Enterprise.
Regarding the specified key system, the following negative consequences of computer attacks for the Organization can be identified:
loss (theft) of funds
breach of confidentiality (leakage) of personal data
The criteria for confirming the possibility of computer attacks leading to negative consequences for the Organization in this case may be:
obtaining administrative access to the server that ensures the functioning of the 1C:Enterprise system;
obtaining a valid administrative account for the 1C:Enterprise system.
Next, a number of computer attack scenarios regarding 1C:Enterprise will be considered, as well as examples of confirmation of the possibility of implementing these attacks in practice.
1C:Enterprise is designed to automate management and accounting in an Organization across various types of activity and financing. 1C:Enterprise consists of a technological platform (the core) and application solutions (configurations) developed on top of it, for example:
1C:Accounting
1C:Document Management
1C:Payroll and HR Management
1C:ERP Enterprise Management
All 1C application solutions have the same interface and are subject to general principles of operation. Moreover, solutions can work together and share data.
The technological platform also contains a special environment for creating and modifying application solutions. This part of the platform is called the Configurator; programmers use it to configure and update the applications.
In the 30 years since the 1C platform was created, many versions of it have been released. All current versions of the platform begin with the identifier 8.3, so it is assumed throughout that 8.3 is in use.
Thousands of users can work simultaneously on the 1C:Enterprise 8.3 platform. A cluster architecture is used to provide scalability, load balancing and fault tolerance.
As a first approximation, note that different clients connect to a cluster of servers, which in turn interacts with various DBMSs. Thus, it is the cluster of 1C servers that is the key system when building attack scenarios against 1C:Enterprise.
Clusters of 1C:Enterprise servers can be found by scanning for the following ports:
1540/tcp (rds) is the port of the working server
1541/tcp (rds2) is the port of the 1C cluster
1545/tcp (ras) is the port of the remote administration server (RAS)
80/tcp (http) is the port for connecting through a web server (may be closed if 1C web clients are not used)
General command for searching for 1C server clusters:
nmap -p1540,1541,1545 'subnet/mask'
You should also pay attention to DNS names that contain “1C”. If a domain is involved, you can search for information about 1C in the computer and account descriptions (see the Cypher queries for BloodHound below; the first query searches for the Cyrillic “1С” and the second for the Latin “1C”).
MATCH (c:Computer) WHERE ANY (x IN c.description WHERE toUpper(x) CONTAINS '1С') RETURN c
MATCH (c) WHERE toUpper(c.name) CONTAINS '1C' RETURN c.name
One of the main shortcomings, which is encountered often, is that by default there is no password for accessing the 1C server cluster management console. Let’s consider several practical ways of using this drawback. Suppose a cluster of servers has been detected. It is quite simple to try to connect to it and check whether a password is required. To connect, you will need the “1C Server Administration” utility, and it must be the “Enterprise” version matching the 1C cluster.
If port 1545 is open (rare), you can determine the platform version using the rasoff utility; otherwise you can always try to connect with an arbitrary 1C client and get an error message that reveals the version in use.
Next, you need to find and install the client of the appropriate version. Officially this requires paid access to the 1C portal, but you can also look here.
It is also a good idea to look at files distributed through group policies, for example with PingCastle. This way you can find public network folders from which the necessary clients can be taken immediately, including clients for other 1C clusters if the Organization has several of them.
Suppose the client installer of the required version has been obtained. Then, during installation, you must additionally select the administration module (see below).
Before starting the console for the first time, it must be registered using the “Administration Utility Registration” script. After that, you can run the utility:
Next, the 1C server cluster should be specified in the utility interface. This requires the IP address and port found out earlier during the reconnaissance:
If there is no password, connecting to the specified cluster of 1C servers produces the following picture:
If there are password requirements, the following window will open:
Next, we will continue with the case where the password is missing. After connecting to the 1C server cluster using the administration utility, you can:
find out the names of the information bases and, in some cases, obtain a list of account identifiers when trying to connect to them (useful when guessing passwords)
identify test bases that can be entered without a password and upload “useful” external data processors to them
create a new information base with a configuration that emulates a command line and thus obtain remote code execution on the 1C cluster with the rights of the user under which the corresponding service runs
The best post-exploitation option is to create a new information base, because then no previously existing data is overwritten. The general procedure is as follows:
prepare a PostgreSQL database on a server you control, for example on your own virtual machine
create a new information base on the 1C cluster using the prepared PostgreSQL database
load the configuration containing the payload
Next, we will consider each of these steps in detail.
Note: if you still do not want to create a new database and prefer to use an existing one, remember that loading a new configuration always overwrites the old data. Therefore, it is better to agree in advance with the administrator to load the new configuration into an outdated, unneeded test information base. In addition, you should make a backup copy of the database and make sure that there are no active user sessions.
The description of the 1C platform architecture above showed that creating an information base requires a DBMS, and 1C can work with various DBMSs, including MSSQL. However, because of its free distribution model, PostgreSQL is more convenient to use.
Ideally, any PostgreSQL distribution can be installed easily, but even in such a simple process small problems can appear. When I installed the Windows version of PostgreSQL that I got from the official site, I ran into some encoding-related errors. Maybe everything would be different on Linux, but in the end I decided to install the PostgreSQL distribution specially built for working with 1C.
IPv6 was disabled before installation
and the “Secondary Logon” service was enabled
After successful installation, you can start creating the information base directly:
The details of the installed DBMS are specified in the parameters:
Now in the client, you can configure the connection to the created information base:
As a result, the created connection settings will be saved and added to the general list:
For further work, it remains to load a special configuration that contains the payload. The following configuration by Crowd can be used as an example.
As a result, it becomes possible to execute code remotely on the 1C cluster with the rights of the user under which the corresponding service runs:
There are different options. First of all, you need to determine what rights and permissions the account running the command has. In fact, such accounts may even have rights at the domain administrator level. This can be checked in BloodHound.
Most often, you should not count on such luck. A more realistic option is to check for SeImpersonatePrivilege, which is sufficient for local privilege escalation (see PrintSpoofer). Then, having elevated privileges locally, you can search for sessions of administrative accounts and try to impersonate them.
Also, the account under which the 1C service runs sometimes has unconstrained delegation.
As an alternative post-exploitation option, you can upload a new external data processor, for example the one by Levatein.
Such a data processor is useful if the cluster is running on a Linux-based operating system. During post-exploitation of a 1C cluster, the contents of the 1CV8Clst.lst file, usually located at C:\Program Files\1cv8\srvinfo\reg_xxxx\, are of special interest:
This file stores the identifiers and encrypted passwords of the DBMS administrative accounts used by the 1C cluster.
An important feature is that the encryption key and initialization vector are publicly known and permanent. This makes it easy to get passwords in the clear.
To decrypt passwords, you can use the following link:
The obtained accounts can be used for further movement and remote code execution on the servers that run the DBMS:
Recommendation: create a 1C cluster administrator and restrict access to the 1C cluster administration console using a password.
Organizations can also access the 1C server cluster through a web server. Such a web server may be reachable from the Internet, which is useful when remote access must be provided to a large number of employees or when mobile clients are used; alternatively, access to it may be allowed only from the internal network. In either case, when a 1C web server exists, existing accounts can be attacked by brute force.
You can detect a 1C web server using the gowitness utility.
For successful authentication, you need to know:
the name of the information base
account id
password
First, if the name of the information base is unknown, it must be guessed, for example using the 1C-Finder dictionaries from Kraud.
Also, if the user has activated the “Show in selection list” option, their ID will be displayed when they try to connect to the discovered database. This way you can get a partial list of account names, which is not always complete:
You can download the entire list of available identifiers at the following URL:
http://<server-IP-or-DNS>:<port>/<db_name>/en_US/e1cib/users
Account data are sent to the 1C web server in a POST request to a URL of the following form:
http://<server-IP-or-DNS>:<port>/<db_name>/en_US/e1cib/login?version=8.3.XX.XXXX&cred=base64(identifier)08base64(password)
08 acts as a separator between the identifier and the password
Thus, an ordinary fuzzer can enumerate valid accounts by sending POST requests to this URL; tools such as Burp Suite, patator and ffuf can be used to automate the guessing. In 1C, passwords are case-insensitive.
In other words, “Password” and “password” are equivalent. In addition, 1C often does not have a strict enough password policy. In many cases, administrators do not enable password complexity checking, do not set a limit on failed authentication attempts, and do not set how long an account is locked out when that limit is exceeded.
Conversely, knowing a specific password typical for the Organization, you can try to match it to an identifier, for example taking as a basis the list of email addresses obtained with the help of this site.
Sometimes, when a password is guessed successfully, it turns out to be expired and a new password must be entered:
It should also be remembered that the password for some accounts can be completely empty. Recommendation: Use a strong password policy.
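The login URL format above gives a defender something concrete to monitor. The following added example (not part of the original article) parses constructed web-server access-log lines for POSTs to the e1cib/login endpoint, decodes the identifier from the cred parameter using the article's base64(identifier)08base64(password) layout, and flags source IPs that look like single-account brute force or password spraying. The log-line layout, the "accounting" base name and the account names are assumptions made for the sample.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Minimal access-log layout assumed for the sample: client IP, request line, status code.
LOGIN_RE = re.compile(r'^(?P<ip>\S+) "POST (?P<target>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')

def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode()

def make_cred(ident: str, password: str) -> str:
    """Build the cred value in the layout the article describes: base64(identifier)08base64(password)."""
    return _b64(ident) + "08" + _b64(password)

def parse_login_attempt(line: str):
    """Return (ip, base_name, identifier) for a POST to <base>/.../e1cib/login, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    parts = url.path.strip("/").split("/")
    if len(parts) < 4 or parts[-2:] != ["e1cib", "login"]:
        return None
    cred = parse_qs(url.query).get("cred", [""])[0]
    # Assumption: the first "08" is the separator. Base64 text can itself contain "08",
    # so a production parser should check that both halves decode before trusting the split.
    ident_b64 = cred.split("08", 1)[0]
    try:
        ident = base64.b64decode(ident_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        ident = "<undecodable>"
    return m["ip"], parts[0], ident

def detect_login_abuse(lines, threshold=5):
    """Flag source IPs with at least `threshold` login attempts; one identifier means brute force,
    several identifiers means a password spray."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_login_attempt(line)
        if rec:
            per_ip[rec[0]].append(rec[2])
    findings = {}
    for ip, idents in per_ip.items():
        if len(idents) >= threshold:
            distinct = sorted(set(idents))
            kind = "brute-force" if len(distinct) == 1 else "password-spray"
            findings[ip] = {"attempts": len(idents), "identifiers": distinct, "kind": kind}
    return findings

# Constructed sample: one source hammering "ivanov", one spraying a single password across
# several accounts, and one ordinary user logging in once.
URL = "/accounting/en_US/e1cib/login?version=8.3.XX.XXXX&cred="
SAMPLE_LOG = (
    [f'10.0.0.5 "POST {URL}{make_cred("ivanov", f"pass{i}")} HTTP/1.1" 401' for i in range(12)]
    + [f'10.0.0.9 "POST {URL}{make_cred(u, "Summer2023")} HTTP/1.1" 401'
       for u in ("admin", "petrov", "ivanov", "sidorov", "kozlov", "smirnov")]
    + [f'10.0.0.7 "POST {URL}{make_cred("petrov", "correct horse")} HTTP/1.1" 200']
)
```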
It is often enough to check whether the domain containing the cluster has been compromised to conclude that the 1C cluster is compromised too, but since this is trivial, consider the case where the 1C cluster is not a domain member. Let’s assume that access to a backup copy of the information base has been obtained in some way.
Suppose, for example, that you have domain administrator rights and such a copy is found in open form in the backup system that is part of the specified domain.
1C bases can be stored in two formats: 1cd and dt.
In the first case, the 1Cv8.1CD file can be opened directly with the Tool_1CD utility. Select the v8users table on the left, then select the cell in the DATA column of the row for the account of interest. The data window contains base64-encoded SHA-1 hashes of the case-sensitive and case-insensitive versions of the password.
After decoding the base64 into a SHA-1 hash, you can perform offline password cracking. Moreover, rainbow tables exist for SHA-1.
Below, for clarity, is an example of cracking a series of passwords using the Crackstation site. In hashcat, mode -m 100 corresponds to SHA-1 for offline dictionary attacks.
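The hash layout just described (base64-encoded SHA-1 of the password and of its case-insensitive form) makes a periodic weak-password audit of the v8users table straightforward. The following added example, not taken from the article or from 1C, builds constructed v8users-like records and reports accounts whose hash matches an empty password or a short list of known-weak passwords. It assumes that an empty password is stored as SHA-1 of the empty string and that the case-insensitive variant is the hash of the upper-cased password; both are assumptions, not facts from the article.

```python
import base64
import hashlib

def sha1_b64(text: str) -> str:
    """SHA-1 of the UTF-8 text, base64-encoded: the form the article reports in v8users."""
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode()

# Assumption: an empty 1C password is stored as SHA-1("") ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=").
EMPTY_PASSWORD_HASH = sha1_b64("")

def make_entry(name: str, password: str) -> dict:
    """Constructed v8users-like record with a case-sensitive and a case-insensitive hash.
    Assumption: the case-insensitive variant hashes the upper-cased password."""
    return {"name": name, "hash": sha1_b64(password), "hash_ci": sha1_b64(password.upper())}

def audit_v8users(entries, weak_passwords):
    """Return {account: finding} for accounts with an empty or known-weak password.
    Both case variants of each weak candidate are precomputed so the audit is a lookup."""
    lookup = {}
    for pw in weak_passwords:
        lookup.setdefault(sha1_b64(pw), pw)
        lookup.setdefault(sha1_b64(pw.upper()), pw)
    findings = {}
    for e in entries:
        if e["hash"] == EMPTY_PASSWORD_HASH:
            findings[e["name"]] = "empty password"
        elif e["hash"] in lookup:
            findings[e["name"]] = f"weak password: {lookup[e['hash']]}"
        elif e["hash_ci"] in lookup:
            # Only the case-insensitive hash matched: the 1C case-insensitive login
            # accepts this password regardless of letter case.
            findings[e["name"]] = f"weak password (case-insensitive match): {lookup[e['hash_ci']]}"
    return findings

# Constructed sample accounts and a deliberately tiny weak-password list.
SAMPLE_USERS = [
    make_entry("Admin", ""),
    make_entry("ivanov", "123456"),
    make_entry("petrov", "Qwerty1"),
    make_entry("sidorov", "c0rr3ct-h0rse-b4ttery"),
]
WEAK_LIST = ["123456", "password", "qwerty1", "1c", "admin"]
```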
Alternatively, you can download the educational version of 1C (requires registration by phone number on the official website) and try to import the obtained database locally. The latest version of 1C may require a password to enter the database. I can’t say for sure because I haven’t tried, but in this case it seems that if you overwrite the hash of the admin password, you can access the information stored in 1C, including the hashes of other accounts.
If the data is stored in dt format, you can use a utility to convert it to 1cd format. After conversion, the task is reduced to the previously considered one.
Note: The public domain version of pfDTTools does not allow conversion at this time. The author of the utility was going to publish a closed release containing this feature in the near future.
Recommendation: Conduct an inventory of controlled information resources for backup copies of 1C stored in an open format in places accessible to ordinary users (network folders, storage, file servers). Use cryptographic containers, for example, and store backup copies of 1C in a secure format, isolated from the main network.