RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Similar documents
RBS NetGain Enterprise Manager Web Interface Multiple Vulnerabilities of 9

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

RBS Axis Products Management Web Interface Multiple Vulnerabilities of 9

RBS of 6

RBS Asante VMS ActiveXCoat ActiveX Control ConnectToVMS() Method Heap Buffer Overflow of 7

RBS S Pocketnet Tech MediaViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities of 14

RBS EverFocus Electronics Corp EPlusOcx ActiveX Control Multiple Stack Buffer Overflows of 10

Cross-Site Request Forgery in Cisco SG220 series

RiskSense Attack Surface Validation for Web Applications

Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

Neat tricks to bypass CSRF-protection. Mikhail

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

C1: Define Security Requirements

Penetration Test Report

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

RBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.

HP 2012 Cyber Security Risk Report Overview

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

SECURITY TESTING. Towards a safer web world

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Application Security Approach

CSWAE Certified Secure Web Application Engineer

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

EasyCrypt passes an independent security audit

SANS ICS Europe 2018 Munich, Germany

WEB SECURITY p.1

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Chrome Extension Security Architecture

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Multiple vulnerabilities in Vectra Cognito

Web Security: Vulnerabilities & Attacks

Web Application Threats and Remediation. Terry Labach, IST Security Team

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Exploiting and Defending: Common Web Application Vulnerabilities

Lab 5: Web Attacks using Burp Suite

Copyright

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Application vulnerabilities and defences

Microsoft Security Management

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CIS 4360 Secure Computer Systems XSS

Test Harness for Web Application Attacks

Robust Defenses for Cross-Site Request Forgery Review

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Solutions Business Manager Web Application Security Assessment

Compliance with OWASP ASVS L1:

CyberArk Privileged Threat Analytics

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Certified Secure Web Application Engineer

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Engineering Your Software For Attack

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

the SWIFT Customer Security

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Web Application Whitepaper

Application security : going quicker

COMP9321 Web Application Engineering

VULNERABILITY ADVISORY

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Training for the cyber professionals of tomorrow

10 FOCUS AREAS FOR BREACH PREVENTION

CSRF in the Modern Age

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Hunting Security Bugs

Aguascalientes Local Chapter. Kickoff

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Web Application Penetration Testing

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Application Security GVSAGE Theater

Cyber security tips and self-assessment for business

Web Application Vulnerabilities: OWASP Top 10 Revisited

IoT & SCADA Cyber Security Services

Presentation Overview

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

haltdos - Web Application Firewall

Security Testing White Paper

Development*Process*for*Secure* So2ware

RSA INCIDENT RESPONSE SERVICES

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Curso: Ethical Hacking and Countermeasures

RSA INCIDENT RESPONSE SERVICES

Biting the Hand that Feeds You

Secure Programming Techniques

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Transcription:

RBS-2018-004 NetGain Enterprise Manager Multiple Vulnerabilities 2018-03-22 1 of 11

Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details 3 /u/jsp/log/del_do.jsp filename Parameter Path Traversal Remote File Deletion 3 Multiple CSRF Vulnerabilities 4 Missing Access Restrictions On Heap Memory Dump Files 5 /u/jsp/common/download.jsp filename Parameter Reflected XSS 5 /u/jsp/rest/ngmo.jsp name Parameter Stored XSS 6 Multiple Access Control Vulnerabilities 7 REST API 8 Windows Agent Insecure Default Permissions Local Privilege Escalation 9 Solution 9 References 10 Timeline 10 About Risk Based Security 11 Company History 11 Solutions 11 2018-03-22 2 of 11

Vendor / Product Information NetGain Systems is a Singapore-based company that develops NetGain Enterprise Manager - a web-based IT infrastructure monitoring and management solution. The product is one of four solutions sold to over 500 companies worldwide. Vulnerable Program Details Details for tested products and versions: Vendor: NetGain Product: NetGain Enterprise Manager Version: 7.2.806 build 1116, 10.0.6 build 50, and 10.0.8 build 51 NOTE: Other versions than the one listed above are likely affected. Credits Sven Krewitt, Risk Based Security Twitter: @RiskBased Impact NetGain Enterprise Manager provides a web-based management interface for configuring and viewing all monitored network devices and applications. This web interface is affected by multiple vulnerabilities that allow cross-site request forgery and cross-site scripting attacks, gain access to sensitive API and functions, and disclose sensitive information. Vulnerability Details /u/jsp/log/del_do.jsp filename Parameter Path Traversal Remote File Deletion Input passed via the filenames parameter to the /u/jsp/log/del_do.jsp endpoint is not properly sanitized, allowing to traverse outside of a restricted path. According to the web/web-inf/web.xml file that is included in the application, the related 2018-03-22 3 of 11

servlet class is org.apache.jsp.u.jsp.log.del_005fdo_jsp. <servlet-mapping> <servlet-name>org.apache.jsp.u.jsp.log.del_005fdo_jsp</servlet-name> <url-pattern>/u/jsp/log/del_do.jsp</url-pattern> </servlet-mapping> The class file is found in ngjsp.jar within the subdirectory web/lib. Surprisingly, not only the del_005fdo_jsp.class file was included in the jar file under org/apache/jsp/u/jsp/log, but also del_005fdo_jsp.java, which made decompilation unnecessary. try { String filenames = StringUtils.trimToEmpty(request.getParameter("filenames")); String logfile_dir = SysConfig.getProperty("server_logfile_dir"); if (StringUtils.isEmpty(logfile_dir)) { logfile_dir = getinternallogdir(); } if(stringutils.isnotempty(filenames)){ String[] files = StringUtils.split(filenames, ","); [1] File f = null; for (int i=0; i<files.length; i++) { f = new File(logfile_dir + File.separator +files[i]); System.out.println("deleting file:"+ logfile_dir+files[i]); f.delete(); [2] } } result = true; } catch (Exception e) { e.printstacktrace(); result = false; } Input passed via the filenames parameter is checked for commas that separate multiple files [1]. For each file, a new file handler is initiated and the related file is removed from the file system via delete() [2]. As no sanitization is performed, path traversal sequences e.g.../ can be part of the filename, resulting in the deletion of arbitrary files on the system. The above analysis is based on version 7.2.806 build 1116, but the vulnerability also impacts version 10.0.6 build 50 and 10.0.8 build 51. Multiple CSRF Vulnerabilities The web-based management interface does not require multiple steps, explicit confirmation, or a unique token when performing sensitive actions. By tricking a user into visiting a malicious website or following a specially crafted link, an attacker can e.g. create users and roles, change 2018-03-22 4 of 11

user account and SMTP settings, or trigger heap memory dumps. In addition, it is possible to use a cross-site request forgery (CSRF) attack to access a command injection vulnerability in the ping command. The CSRF vulnerabilities have been confirmed in version 7.2.806 build 1116 and 10.0.6 build 50. They affect the following endpoints: /u/jsp/tools/exec.jsp /u/jsp/security/user_save_do.jsp /u/jsp/security/role_save_do.jsp /u/jsp/settings/heapdumps.jsp /u/jsp/notify/settings_save_do.jsp ping Command Execution User Manipulation Role Creation Heap Memory Dump Creation SMTP Settings Manipulation Missing Access Restrictions On Heap Memory Dump Files The application supports the creation of heap memory dump files for debugging purposes via the /u/jsp/settings/heapdumps.jsp endpoint. Specifying a GET parameter of dumpnow=1 results in a heap dump file being stored in the root web directory. If an attacker can guess the creation time of a heap dump file, it can be downloaded by directly accessing it. If this issue is exploited via a CSRF attack, the creation time can be determined quite precisely. /u/jsp/common/download.jsp filename Parameter Reflected XSS An XSS vulnerability exists because the /u/jsp/common/download.jsp script does not properly sanitize input to the filename GET parameter before returning it to users. If a victim clicks on a specially crafted link, a context-dependent attacker can execute arbitrary script code 2018-03-22 5 of 11

in a the victim s browser session within the trust relationship between their browser and the NetGain EM web interface. GET //u/jsp/common/download.jsp?filename=xxx');%20alert('xss HTTP/1.1 Host: 192.168.210.135:8081 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=DABE48E9661C0537AAD88493E0326679 Connection: close /u/jsp/rest/ngmo.jsp name Parameter Stored XSS The /u/jsp/rest/ngmo.jsp endpoint allows to perform various operations in the backend. When saving SNMP device credentials, input passed via the name parameter is not properly sanitized before returning it to users. This allows a context-dependent attacker to execute arbitrary script code in a the victim s browser session within the trust relationship between their browser and the NetGain EM web interface. POST /u/jsp/rest/ngmo.jsp HTTP/1.1 Host: 192.168.210.135:8081 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=utf-8 2018-03-22 6 of 11

Referer: http://192.168.210.135:8081/u/index.jsp Content-Length: 143 Connection: close op=savedevicecredential&id=667&type=snmp_community&name=%3cimg+src%3d%22%22+onmouseo ver%3djavascript%3aalert(location)%3e&snmp_community=public This request stores a XSS payload in an SNMP device credential entry in the backend. Viewing this entry in the web interface does not immediately trigger the XSS payload. It requires a victim to directly access /u/jsp/rest/ngmo.jsp?op=devicecredentials. Multiple Access Control Vulnerabilities Multiple endpoints in the web interface are improperly access restricted, allowing remote attackers to access sensitive functionality. Some of the issues can be used in combination with other vulnerabilities. /u/jsp/log/del_do.jsp /u/jsp/notify/settings_do.jsp /u/jsp/notify/settings_save_do.jsp Log file deletion via the filenames parameter Disclosure of SMTP settings Manipulation of SMTP settings 2018-03-22 7 of 11

REST API In the NetGain EM-FreeEdition/web/u/jsp/rest/do.jsp script, access to backend modules is implemented using the following function: function add_ng_module(module_name, methods) { var module = { do: function(op, params, success, err) { return ng_backend(module_name, '/u/jsp/rest/'+module_name+'.jsp', op, params, success, err); } }; Some API functions are accessible via the /u/jsp/rest/ngmo.jsp and /u/jsp/rest/ngadmin.jsp endpoints, which are similarly affected by a lack of access controls. This allows access to critical functionality without authentication to access sensitive information or manipulate stored data. Example information disclosure: POST /u/jsp/rest/ngadmin.jsp HTTP/1.1 Host: 192.168.210.135:8081 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=utf-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.210.135:8081/u/index.jsp Content-Length: 11 Cookie: JSESSIONID= Connection: close op=getusers Response: [{"email":"","name":"admin","disable":"email address or Mobile is empty","sms":"","displayname":"admin"},{"email":"","name":"xxx","disable":"email address or Mobile is empty","sms":"","displayname":"xxx"},{"email":"","name":"yyy","disable":"email address or Mobile is empty","sms":"","displayname":"yyy"}] Example data manipulation: POST /u/jsp/rest/ngmo.jsp HTTP/1.1 Host: 192.168.210.135:8081 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 2018-03-22 8 of 11

Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=utf-8 Referer: http://192.168.210.135:8081/u/index.jsp Content-Length: 143 Connection: close op=savedevicecredential&id=667&type=snmp_community&name=%3cimg+src%3d%22%22+onmouseo ver%3djavascript%3aalert(location)%3e&snmp_community=public This request allows to conduct the stored XSS attack (see above) without prior authentication. The analysis is based on version 7.2.806 build 1116, but the vulnerability also impacts version 10.0.6 build 50 and 10.0.8 build 51. It is expected that this missing access controls affect various other backend operations. Windows Agent Insecure Default Permissions Local Privilege Escalation NetGain Enterprise Manager includes a Windows Agent that installs with insecure default permissions for the C:\NetGain_Agent\ directory. Installation e.g. inherits insecure permissions for the Authenticated Users group, allowing members of this group to modify files within the directory and subdirectories. By either specifying a new process or simply changing the CommandLine parameter in the C:\NetGain_Agent\bin\XYNTService.ini configurations settings file, it is possible to execute arbitrary files on the system with SYSTEM privileges. Solution We are not currently aware of a solution for these vulnerabilities. RBS has contacted the vendor prior to disclosing the details, but the vendor failed to respond to requested status updates. The vulnerability details are published according to the communicated disclosure deadline without a patch being available. References RBS: 1 RBS-2018-004 VulnDB: 175921, 175855, 175858, 175859, 175860, 175861, 175863, 175866, 175868, 175865, 175878, 175879, 175882, 175923 1 https://www.riskbasedsecurity.com/research/rbs-2018-004.pdf 2018-03-22 9 of 11

Timeline 2017-11-30 Vulnerability discovered. 2017-12-14 Vendor responds to investigate the report. 2018-02-05 RBS requests status update due to upcoming disclosure date. 2018-03-01 Alert sent to RBS VulnDB clients 2018-03-22 Publication of this vulnerability report. 2018-03-22 10 of 11

About Risk Based Security Risk Based Security offers clients fully integrated security solutions, combining real-time vulnerability and threat data, as well as the analytical resources to understand the implications of the data, resulting in not just security, but the right security. Company History Risk Based Security, Inc. (RBS) was established to support organizations with the technology to turn security data into actionable information and a competitive advantage. We do so by enhancing the research available and providing a first of its kind risk identification and evidence-based security management service. As a data driven and vendor neutral organization, RBS is able to deliver focused security solutions that are timely, cost effective, and built to address the specific threats and vulnerabilities most relevant to the organizations we serve. We not only maintain vulnerability and data breach databases, we also use this information to inform our entire practice. Solutions VulnDB - Vulnerability intelligence, alerting, and third party library tracking based on the largest and most comprehensive vulnerability database in the world. Available as feature-rich SaaS portal or powerful API. Vendor evaluations including our Vulnerability Timeline and Exposure Metrics (VTEM), Cost of Ownership ratings, Code Maturity, and Social Risk Scores. Cyber Risk Analytics - Extensive data breach database including interactive dashboards and breach analytics. Clients are able to gather and analyze security threat and data breach information on businesses, industries, geographies, and causes of loss. It also allows monitoring of domains for data breaches and leaked credentials as well as implementing a continuous vendor management program with our PreBreach data. YourCISO - Revolutionary service that provides organizations an affordable security solution including policies, vulnerability scans, awareness material, incident response, and access to high quality information security resources and consulting services. Vulnerability Assessments (VA) and Pentesting - Regularly scheduled VAs and pentests help an organization identify weaknesses before the bad guys do. Managing the most comprehensive VDB puts us in a unique position to offer comprehensive assessments, combining the latest in scanning technology and our own data. Detailed and actionable reports are provided in a clear and easy to understand language. Security Development Lifecycle (SDL) - Consulting, auditing, and verification specialized in breaking code, which in turn greatly increases the security of products. 2018-03-22 11 of 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback