Unable to load image
/h/slackernews
DEIShill diver/sity :marseydiversity: Diversity Is Our Strength :marseydiversity:  3mo ago (reddit.com) 1,225 thread views #296123

Bypassing airport security via SQL injection :marseyplanecrash:

https://old.reddit.com/r/netsec/comments/1f461wm/bypassing_airport_security_via_sql_injection/ 

								

								

									
									
!nooticers :marseyxd:
Introduction
Like many, Sam Curry and I spend a lot of time waiting in airport security lines. If you do this enough, you might sometimes see a special lane at airport security called Known Crewmember (KCM). KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.
The KCM process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent's laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all.
A similar system also exists for cockpit access, called the Cockpit Access Security System (CASS). Most aircraft have at least one jumpseat inside the cockpit sitting behind the flying pilots. When pilots need to commute or travel, it is not always possible for them to occupy a revenue seat, so a jumpseat can be used instead. CASS allows the gate agent of a flight to verify that the jumpseater is an authorized pilot. The gate agent can then inform the crew of the flight that the jumpseater was authenticated by CASS.
The employment status check is the most critical component of these processes. If the individual doesn't currently work for an airline, they have not had a background check and should not be permitted to bypass security screening or access the cockpit. This process is also responsible for returning the photo of the crewmember to ensure the right person is being authorized for access. So how does this work, when every airline presumably uses a different system to store their employee information? That is what we were wondering, and where it gets interesting...
ARINC
ARINC (a subsidiary of Collins Aerospace) appears to be contracted by the TSA to operate the Known Crewmember system. ARINC operates a few central components, including an online website for pilots and flight attendants to check their KCM status, and an API to route authorization requests between different airlines. Each airline appears to operate their own authorization system to participate in KCM and CASS, and it interacts with the "hub" of ARINC.
The TSA and airlines can send requests such as CockpitAccessRequest and CrewVerificationRequest to ARINC, which then routes it to the appropriate airline's system and receives the response. There are 77 airlines currently participating in KCM. While larger airlines have likely built their own system, how do smaller airlines respond to these requests to participate in KCM or CASS?
FlyCASS.com
In our search for vendors that actually run the authorization systems, we found a site called FlyCASS which pitches small airlines a web-based interface to CASS. Intrigued, we noticed every airline had its own login page, such as Air Transport International (8C) being available at /ati. With only a login page exposed, we thought we had hit a dead end.
Just to be sure though, we tried a single quote in the username as a SQL injection test, and immediately received a MySQL error:
https://i.rdrama.net/images/17249664890692303.webp
This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1, we were able to login to FlyCASS as an administrator of Air Transport International!
KCM and CASS Admin
It turns out that FlyCASS also operates both KCM and CASS for its participating airlines. Now that we are an administrator of Air Transport International, we are able to manage the list of pilots and flight attendants associated with them. Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS.
https://i.rdrama.net/images/17249664891812944.webp
To test that it was possible to add new employees, we created an employee named Test TestOnly with a test photo of our choice and authorized it for KCM and CASS access. We then used the Query features to check if our new employee was authorized. Unfortunately, our test user was now approved to use both KCM and CASS:
https://i.rdrama.net/images/1724966489378527.webp
At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners.
We ended up finding several more serious issues but began the disclosure process immediately after finding the first issue.
Disclosure
We had difficulty identifying the right disclosure contact for this issue. We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them. On April 23rd, we were able to disclose the issue to the Department of Homeland Security, who acknowledged the issue and confirmed that they "are taking this very seriously". FlyCASS was subsequently disabled in KCM/CASS and later appears to have remediated the issues.
After the issue was fixed, we attempted to coordinate the safe disclosure of this issue. Unfortunately, instead of working with us, the Department of Homeland Security stopped responding to us, and the TSA press office issued dangerously incorrect statements about the vulnerability, denying what we had discovered.
The TSA press office said in a statement that this vulnerability could not be used to access a KCM checkpoint because the TSA initiates a vetting process before issuing a KCM barcode to a new member. However, a KCM barcode is not required to use KCM checkpoints, as the TSO can enter an airline employee ID manually. After we informed the TSA of this, they deleted the section of their website that mentions manually entering an employee ID, and did not respond to our correction. We have confirmed that the interface used by TSOs still allows manual input of employee IDs.
Several other attacks were also likely possible. Since our vulnerability allowed us to edit an existing KCM member, we could have changed the photo and name of an existing enrolled user, which would likely bypass any vetting process that may exist for new members. If you are able to obtain an unenrolled KCM barcode, you can also enroll it to an employee ID yourself on the KCM website.
Timeline
  • 04/23/2024: Initial disclosure to ARINC and FAA
  • 04/24/2024: Subsequent disclosure to DHS via CISA
  • 04/25/2024: DHS CISO confirms they are working on a resolution
  • 05/07/2024: DHS CISO confirms FlyCASS was disconnected from KCM/CASS
  • 05/17/2024: Follow-up to DHS CISO about TSA statements (no reply)
  • 06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)
Collaborators


									
								

							

							

								
									
								
							

							

								
	

							

						

						
						

							

								
							

						

					

					
						

							
							
							117
							
						

					
				

			

		

	


	

		

			

				
			

		

	


	

	

		

			

	

		
		

			

			
				
			

			

			
				
			
				
					
						
						New
					
				
			
				
					
						
						Old
					
				
			
				
					
						
						Top
					
				
			
				
					
						
						Bottom
					
				
			
				
					
						
						Controversial
					
				
			
				
					
						
						Random
					
				
			
		

	




			
	

	
		

			
		


		

			

				
Jump in the discussion.

				
No email address required.

				
			

		

	
	



			
				
View entire discussion 

			

			
				

					
						
	
		
	

	

	







	
	
		
		
		

		
			
		

		
			

			
				
			

			

			
				
			

			

				
				
					
					
				
				

					

						

						
	


						

						
						
						

							
I live in a CIA prison. A BIPOC runs my prison. In prison, the BIPOC tries to torment me. We can take away his knives by confessing, every day. In about 2000, I masturbated fantasizing about my niece, Lani. She looks like star trek seven of nine! In 1985, at my sister's wedding, I stuck my crotch on the hot tub drain because it kind of sucked. In 1985, I tried to get a dog to lick my peepee. From 1998-2003, I fantasized about leading a catholic army like dune, of mexicans or brazilians? that was dumb because they're BIPOCs. In 2003, I played tag with a black girl about 7-years-old. she reached for my crotch. In high school, in the library, Carlos and I said juicy or toxic as a way of evaluating girls. In 1988, I cheated on my SAT by talking in the hall during the break -- two problems. On 9/9/1999, I killed a CIA BIPOC on purpose with my car. :-) In 1982, when I was 12, I babysat Kevin's kids. I changed a diaper because I thought that was being professional. In 1975, when I was about the age five, my brother, Keith, put my peepee in a vacuum. In 1977, when I was about age seven, my brother, Danny, got me high on gas fumes and we sucked each others peepees. Dr. Tsakalis has an oddly round butt. Paul Keck at Xytex had a oddly round butt. Distracting? At about age five, Jay Weinrick and I touched disks to each other's buttholes.
Snapshots:
https://old.reddit.com/r/netsec/comments/1f461wm/bypassing_airport_security_via_sql_injection/:
Sam Curry:
Various forms of ID:
ARINC:
77 airlines:
FlyCASS.com:
FlyCASS:
they deleted the section of their website that mentions manually entering an employee ID:
https://archive.ph/o/6L5pO/https://twitter.com/iangcarroll:
https://archive.ph/o/6L5pO/https://twitter.com/samwcurry:

						


						
							

							

								
									
								
							


							

								
	

							


							

								

									

										
										

									


								
						

					
				


				

				
					
	

	
		

			
		


		

			

				
Jump in the discussion.

				
No email address required.

				
			

		

	
	


				

				

				
					

						
							
						
					


					
				
			



			

			
			

		
	




	

	

	

	

	
	
	
	



	
	









					
				


				
			
		

	


	

	

	
	
	
	
	

	

	

				
			

			
				
					
					

						


	

		Top Poster of the Day:
		
			
				
	
			

				
				
			

			Thirtythirst4sissies
		
	

			
		
	


	
		

			Current Registered Users: 28,723
		

	

	
		
	


	
		
			
				
			
			
				sidebar image
			
		
	

	

		
		
		
		
		
		
		
		
	


	

	
		
tech/science swag. :marscientist:
Effortposts made by SN Chads
Guidelines:
What to Submit
On-Topic: Anything that good slackers would find interesting. That includes more than /g/ memes and slacking off. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual laziness.
Off-Topic: Most stories about politics, or crime, or sports, unless they're evidence of some interesting new phenomenon. Videos of pratfalls or disasters, or cute animal pictures. If they'd cover it on TV news, it's probably lame.
Help keep this hole healthy by keeping drama and NOT drama balanced. If you see too much drama, post something that isn't dramatic. If there isn't enough drama and this hole has become too boring, POST DRAMA!
In Submissions
Please do things to make titles stand out, like using uppercase or exclamation points, or saying how great an article is. It should be explicit in submitting something that you think it's important.
Please don't submit the original source. If the article is behind a paywall, just post the text. If a video is behind a paywall, post a magnet link. Fuck journos.
Please don't ruin the hole with chudposts. It isn't funny and doesn't belong here. THEY WILL BE MOVED TO /H/CHUDRAMA
If the title includes the name of the site, please leave that in, because our users are too stupid to know the difference between a url and a search query.
If you submit a video or pdf, please don't warn us by appending [video] or [pdf] to the title. That would be r-slurred. We're not using text-based browsers. We know what videos and pdfs are.
Make sure the title contains a gratuitous number or number + adjective. Good clickbait titles are like "Top 10 Ways to do X" or "Don't do these 4 things if you want X"
Otherwise editorialize. Please don't use the original title, unless it is gay or r-slurred, or you're shits all fucked up.
If you're going to post old news (at least 1 year old), please flair it so we can mock you for living under a rock, or don't and we'll mock you anyway.
Please don't post on SN to ask or tell us something. Send it to [email protected] instead.
If your post doesn't get enough traction, try to delete and repost it.
Please don't use SN primarily for promotion. It's ok to post your own stuff occasionally, but the primary use of the site should be for curiosity. If you want to astroturf or advertise, post on news.ycombinator.com instead.
Please solicit upvotes, comments, and submissions. Users are stupid and need to reminded to vote and interact. Thanks for the gold, kind stranger, upvotes to the left.
In Comments
Be snarky. Don't be kind. Have fun banter; don't be a dork. Please don't use big words like "fulminate". Please sneed at the rest of the community.
Comments should get more enlightened and centrist, not less, as a topic gets more divisive.
If disagreeing, please reply to the argument and call them names. "1 + 1 is 2, not 3" can be improved to "1 + 1 is 3, not 2, mathfaggot"
Please respond to the weakest plausible strawman of what someone says, not a stronger one that's harder to make fun of. Assume that they are bad faith actors.
Eschew jailbait. Paedophiles will be thrown in a wood chipper, as pertained by sitewide rules.
Please post shallow dismissals, especially of other people's work. All press is good press.
Please use Slacker News for political or ideological battle. It tramples weak ideologies.
Please comment on whether someone read an article. If you don't read the article, you are a cute twink.
Please pick the most provocative thing in an article or post to complain about in the thread. Don't nitpick stupid crap.
Please don't be an unfunny chud. Nobody cares about your opinion of X Unrelated Topic in Y Unrelated Thread. If you're the type of loser that belongs on /h/chudrama, we may exile you.
Sockpuppet accounts are encouraged, but please don't farm dramakarma.
Please use uppercase for emphasis.
Please post deranged conspiracy theories about astroturfing, shilling, bots, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email [email protected] and dang will add you to their spam list.
Please don't complain that a submission is inappropriate. If a story is spam or off-topic, report it and our moderators will probably do nothing about it. Feed egregious comments by replying instead of flagging them like a pussy. Remember: If you flag, you're a cute twink.
Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. That's too boring, even for HN users.
Please seethe about how your posts don't get enough upvotes.
Please don't post comments saying that rdrama is turning into ruqqus. It's a nazi dogwhistle, as old as the hills.
Miscellaneous:
The quality of posts is extremely important to this community. Contributors are encouraged to provide high-quality or funny effortposts and informative or entertaining comments. Please refrain from posting the following:
  • Boring wingcucked nonsense nobody cares about that belongs in chudrama
  • Normie shit everyone already knows about
  • Anything that doesn't gratifify one's intellectual laziness
  • Bimothy-tier posts
  • Anything that the jannies don't like
We reserve the right to exile you for whatever reason we want, even for no reason at all! We also reserve the right to change the guidelines at any time, so be sure to read them at least once a month. We also reserve the right to ignore enforcement of the guidelines at the discretion of the janitorial staff. This hole is a janny playground, participation implies enthusiastic consent to being janny abused by unstable alcoholic bullies and loser nerds who have nothing better to do than banning you for any reason or no reason whatsoever.
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
https://i.rdrama.net/images/1663436125937968.webp

	

	 
	BROWSE EFFORTPOSTS
	SITE GUIDE
	
		DIRECTORY
		Emojis & Art | Info Megathreads
	
	HOLES
	PING GROUPS

	
		

		/h/slackernews SETTINGS
		/h/slackernews LOG
		/h/slackernews MODS
		/h/slackernews EXILEES
		/h/slackernews FOLLOWERS
		/h/slackernews BLOCKERS
	

	

	

		Current software version: c889144
	



					

				
			
		

	

	

	


	

	




	

	





	
	

	

	
	
	
	

		

			Link copied to clipboard
		

	

	
	

	

	
		
		
		
		
	

		

		
			

			

			
		
		
		

			

				Action successful!
			

		

		

			

				Error, please refresh the page and try again.