Bofa on Insecurity


Full Disclosure: DICA IMS Privilege Escalation Exploit (CVE-D33Z-NUTZ)


Postmortem of the Myanmar Investment Commission release from Distributed Denial of Secrets

Sugondese separatist Bofa
Feb 23, 2021

Following up on the release of a huge trove of publicly available financial information from Myanmar’s Directorate of Investment and Company Administration (DICA) scraped by freedom-of-information hacktivist @donk_enby, the whistleblower site Distributed Denial of Secrets has made publicly available a collection of 3,339 confidential documents from the Myanmar Investment Commission, related to 3,293 investment proposals/approvals.

In this blog post, we will go over our complementary red-team engagement on DICA’s Investment Monitoring System that led our team to discover multiple vulnerabilities that could (and did) allow an attacker to exfiltrate highly confidential information.

Directorate of Investment and Company Administration (DICA) Investment Monitoring System (IMS)

In the initial stages, we discovered a user enumeration API endpoint that listed the emails of all the users with access to the monitoring system. We used this to develop a simple password spraying script, which, combined with the data from the well-known “Compilation of Many Breaches”, gained us an initial foothold in a regular user account with access to the Yangon Region Investment Committee part of the system, due to password re-use.

Data returned by the User enumeration API endpoint
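
On the defending side, the spraying pattern described above (one source failing once or twice against many enumerated accounts, then succeeding on one with a reused password) stands out in authentication logs. The following detection sketch is an added example, not part of the original post; the log format, addresses, accounts and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, account, result.
# All values are made up for illustration (documentation IP ranges, example.org).
SAMPLE_LOG = """\
2021-02-01T10:00:01 203.0.113.7 a@example.org FAIL
2021-02-01T10:00:03 203.0.113.7 b@example.org FAIL
2021-02-01T10:00:05 203.0.113.7 c@example.org FAIL
2021-02-01T10:00:07 203.0.113.7 d@example.org FAIL
2021-02-01T10:00:09 203.0.113.7 e@example.org FAIL
2021-02-01T10:00:11 203.0.113.7 f@example.org OK
2021-02-01T10:05:00 198.51.100.20 g@example.org FAIL
2021-02-01T10:05:10 198.51.100.20 g@example.org FAIL
2021-02-01T10:05:20 198.51.100.20 g@example.org FAIL
2021-02-01T10:05:30 198.51.100.20 g@example.org OK
"""

def detect_spray(log, min_accounts=4, max_per_account=2):
    """Flag sources whose failures are spread thinly over many accounts.

    Spraying looks like many distinct accounts with very few attempts each,
    the opposite of one user mistyping a password several times.
    Returns {source: {"accounts": n, "compromised": [accounts]}}.
    """
    fails = defaultdict(lambda: defaultdict(int))  # source -> account -> failures
    wins = defaultdict(set)                        # source -> accounts logged in
    for line in log.strip().splitlines():
        _ts, src, user, result = line.split()
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "OK":
            wins[src].add(user)

    findings = {}
    for src, per_user in fails.items():
        wide = len(per_user) >= min_accounts
        shallow = max(per_user.values()) <= max_per_account
        if wide and shallow:
            # Any success from a spraying source is a likely foothold:
            # force a password reset and review that account's activity.
            findings[src] = {"accounts": len(per_user),
                             "compromised": sorted(wins[src])}
    return findings

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, info)
```

The second source in the sample, a single user retrying their own password, is deliberately not flagged.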

From there, we continued reverse engineering the API, which led to the discovery of a Privilege Escalation exploit that allowed us to create a new user account and assign it administration privileges with roles to access all the investment data from the Myanmar Investment Commission.

API response for the user account created by the Privilege Escalation exploit

At this point we proceeded to follow our standard responsible disclosure procedure, by posting a screenshot of what we found on Twitter, falling out of our chairs laughing and uploading all their shit to Distributed Denial of Secrets.

Confidential: Decision of the Myanmar Investment Commission on the permit for importation, storage, distribution and sales of LPG by using pipeline jetty under the name of CECA Gold Company Limited

Amongst other things, the confidential information that is now public directly relates to the finances behind the displacement and genocide of the Rohingya people - with details of foreign investments in the mining and petroleum industry linked to war crimes and crimes against humanity.

Map of China’s trans Myanmar oil and gas pipelines transporting gas from a field run by Posco

We hope that our work here can serve as a giant three-fingered salute in solidarity with the people of Myanmar, to support their fight against tyranny.

My message to the Tatmadaw and the Junta? They can all Sugondese.

Bofa Deez Nutz (she/her), Cyber Jihad Operative, Anonymous (we/us)
