Here's how we got persistent shell access on a Boeing 747 – Pen Test Partners
2021-05-21 11:50

Researchers from infosec biz Pen Test Partners established a persistent shell on an in-flight entertainment system from a Boeing 747 airliner after exploiting a vulnerability dating back to 1999.

"With every directory traversal attack the target program is required to be on the same drive as the webserver. In our case we needed the system32 folder to be on the same drive as the IIS install." This was apparently easy enough in the lab, but the blog post did not spell out whether this was how the NT4 IFE system was configured aboard the 747.

The second exploit PTP used to gain persistent shell access was a 20-year-old remote code execution vuln, CVE-1999-1011.

PTP described it as using "a package called Microsoft Data Access Components which allows direct access into the database objects through IIS."

Using the exploits PTP found to pwn an in-flight 747 would be impossible in practice.

Though PTP declined to reveal more details when we asked about the system and particular aircraft involved, we were told the IFE system is now no longer in use in any 747 still flying today.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/05/21/boeing_747_ife_windows_nt4_shell_access/

Related Vulnerability

Date: 1999-07-19
CVE: CVE-1999-1011
Vulnerability title: Permissions, Privileges, and Access Controls vulnerability in Microsoft products
Description: The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.
Attack vector: network
Attack complexity: low
Vendor: microsoft
Weakness: CWE-264
Risk: critical (10.0)